Blackbird (Fort Wayne, IN; joined 2005-01-14), in reply to mysec
Re: NoDriveTypeAutoRun and NoDriveAutoRun
said by mysec:
... Conclusions
1) Scott Dunn's statement that both keys can be overridden is not correct.
2) While Nick Brown is correct with regard to the NoDriveTypeAutoRun key being overridden, it would seem that a device plugged in for the first time would not be vulnerable to this. Also, he omitted mentioning the NoDriveAutoRun tweak which effectively blocks the AutoRun.inf file from running in any case. ...

Thank you for your tests - excellent documentation and careful reasoning! While there are probably unknowns and untested issues, it is encouraging to see MountPoints2's Autorun Status value changing when you do the NoDriveAutoRun setting in TweakUI... at least something is communicating between TweakUI and that key, and your test results indicate the "something" has to do with blocking autorun.
I agree that the NoDriveAutoRun key isn't mentioned in Brown's blog... possibly the similarity between the two key names (NoDriveAutoRun and NoDriveTypeAutoRun) has created confusion for people.
Regarding your #2 Conclusion... sneaker-net situations (like my friend's, in the 3rd World country) do exist all too often. And in those situations, frequently a given flashdrive will move back and forth as a simple transport device for collaboration/review of documents. So if computer A is 'clean' and places a document on a freshly-"installed" flashdrive, and that flashdrive then moves into an infected computer B for editing the document, the flashdrive will become infected. Then when that flashdrive moves back into computer A, an autorun.inf infection would do an end-run around the NoDriveTypeAutoRun reg setting via the MountPoints2 override behavior. While initial protection would be afforded by the NoDriveTypeAutoRun key setting, subsequent exposures to the later-infected flashdrive's autorun would occur. This is the exact usage situation my friend is having to deal with: a flashdrive is moving back and forth between them and government ministry computers.
The IniFileMapping key fix will evidently block all autoruns from occurring. Now I'm increasingly confident that your TweakUI approach will work effectively as well on specific drives, based on your tests and your pointing out the 2-key error Dunn made about Brown's work in his (Dunn's) writeup. Particularly, your TweakUI NoDriveAutoRun approach offers the clear advantage of ease-of-use and re-setability. And certainly, white-listing (as I'm coming to understand it) will totally block this and a lot of other problems.
This has been a very enlightening thread thus far, and it's begun to dispel a lot of confusion I'd retained from earlier threads. My appreciation goes out to Shriyash as well for his original post!
--
If God wanted us to work with electrons, He'd make them big enough to see...
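Added example, not part of the thread and not code from Dunn's or Brown's writeups: a PowerShell script that audits the three controls discussed above (NoDriveTypeAutoRun, NoDriveAutoRun, and the IniFileMapping fix) and, on request, sets all of them so that the MountPoints2 cache can no longer re-enable an autorun.inf the policy key was supposed to block. Assumptions: the registry paths and bitmask layouts are Microsoft's documented ones (NoDriveTypeAutoRun is a per-drive-type mask, 0xFF = every type; NoDriveAutoRun is a per-drive-letter mask, bit 0 = A:, bit 25 = Z:); the IniFileMapping default value `@SYS:DoesNotExist` is the one Nick Brown's fix uses; the MountPoints2 layout (one subkey per volume GUID, with a cached `Shell\AutoRun\command` subkey) is my reading of how XP stores the cached autorun data and should be confirmed on the target machine; the function names are mine.

```powershell
# Added example (not from the thread). Run from an elevated prompt;
# HKLM policy values take precedence over the HKCU copies.

$policyKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer'
)
$iniMapKey   = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\IniFileMapping\Autorun.inf'
$mountPoints = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2'

# NoDriveTypeAutoRun bit layout (documented by Microsoft).
$driveTypeBits = [ordered]@{
    0x04 = 'Removable'; 0x08 = 'Fixed'; 0x10 = 'Network'
    0x20 = 'CD-ROM';    0x40 = 'RAM disk'; 0x80 = 'Unknown'
}

# Build a NoDriveAutoRun mask from drive letters, e.g. 'E','F' -> 0x30.
function Get-NoDriveAutoRunMask {
    param([string[]]$DriveLetters)
    $mask = 0
    foreach ($l in $DriveLetters) {
        $i = [int][char]$l.ToUpper()[0] - [int][char]'A'
        if ($i -lt 0 -or $i -gt 25) { throw "Not a drive letter: $l" }
        $mask = $mask -bor (1 -shl $i)
    }
    return $mask
}

# List which drive types a NoDriveTypeAutoRun value still leaves enabled.
function Get-EnabledDriveTypes {
    param([int]$Value)
    $driveTypeBits.Keys | Where-Object { ($Value -band $_) -eq 0 } |
        ForEach-Object { $driveTypeBits[$_] }
}

function Get-AutorunPolicyReport {
    foreach ($k in $policyKeys) {
        $p = Get-ItemProperty -Path $k -ErrorAction SilentlyContinue
        [pscustomobject]@{
            Key                = $k
            NoDriveTypeAutoRun = $(if ($null -ne $p.NoDriveTypeAutoRun) { '0x{0:X2}' -f $p.NoDriveTypeAutoRun } else { '(absent)' })
            StillEnabledTypes  = $(if ($null -ne $p.NoDriveTypeAutoRun) { (Get-EnabledDriveTypes $p.NoDriveTypeAutoRun) -join ',' } else { 'all' })
            NoDriveAutoRun     = $(if ($null -ne $p.NoDriveAutoRun) { '0x{0:X7}' -f $p.NoDriveAutoRun } else { '(absent)' })
        }
    }
    # Nick Brown's fix: Autorun.inf lookups are redirected to a section that
    # does not exist, so the file is never parsed, cached entry or not.
    $ini = Get-ItemProperty -Path $iniMapKey -ErrorAction SilentlyContinue
    [pscustomobject]@{
        Key                = $iniMapKey
        NoDriveTypeAutoRun = '-'
        StillEnabledTypes  = '-'
        NoDriveAutoRun     = $(if ($ini.'(default)') { $ini.'(default)' } else { '(absent)' })
    }
}

# Volumes Explorer has already cached an autorun command for; these are the
# entries that the thread says bypass a later NoDriveTypeAutoRun change.
# Assumption: cached command lives under <GUID>\Shell\AutoRun\command.
function Get-CachedAutorunVolumes {
    Get-ChildItem -Path $mountPoints -ErrorAction SilentlyContinue |
        Where-Object { $_.PSChildName -like '{*}' } |
        Where-Object { Test-Path "Registry::$($_.Name)\Shell\AutoRun\command" } |
        ForEach-Object {
            [pscustomobject]@{
                Volume  = $_.PSChildName
                Command = (Get-ItemProperty "Registry::$($_.Name)\Shell\AutoRun\command").'(default)'
            }
        }
}

function Set-AutorunBlocked {
    foreach ($k in $policyKeys) {
        if (-not (Test-Path $k)) { New-Item -Path $k -Force | Out-Null }
        Set-ItemProperty -Path $k -Name NoDriveTypeAutoRun -Value 0xFF -Type DWord
        Set-ItemProperty -Path $k -Name NoDriveAutoRun -Value 0x3FFFFFF -Type DWord   # A: through Z:
    }
    if (-not (Test-Path $iniMapKey)) { New-Item -Path $iniMapKey -Force | Out-Null }
    Set-ItemProperty -Path $iniMapKey -Name '(default)' -Value '@SYS:DoesNotExist'
}

Get-AutorunPolicyReport | Format-Table -AutoSize
Get-CachedAutorunVolumes | Format-Table -AutoSize
# Set-AutorunBlocked   # uncomment to apply all three controls
```

The audit is the part worth running first: if `StillEnabledTypes` lists anything, or `Get-CachedAutorunVolumes` returns entries for the sneaker-net drive, the policy key alone is not what is protecting the machine. `Get-NoDriveAutoRunMask` is there for the case the thread favors, blocking only specific drive letters the way TweakUI does, rather than the all-letters mask `Set-AutorunBlocked` writes. The values above reflect the XP-era behavior the thread is about; on Windows 7 and later (and XP/Vista with the KB967715 update) AutoRun from non-optical media is already disabled, so on those systems the report should show the policy and IniFileMapping state but the cached-command bypass is not the same concern.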