You are affected by a threat that uses AutoRun (also called AutoPlay) to spread. You want to stop the threat from spreading.
Symptoms
You can see a file called "autorun.inf" in the root of your drives.
The threat that is attacking your system is using the "Windows AutoRun" feature to spread in your environment.
Option 1:
Warning: This policy file is provided as a convenience tool and is not supported by Symantec. Use at your own risk.
You can create an "Application and Device Control" policy to block this infection vector. The attached policy blocks "autorun.inf" on all devices except CDs and DVDs.
In order to import the policy:
If you need further details on how to do this, refer to: About Application and Device Control policies in Endpoint Protection
https://knowledge.broadcom.com/external/article/152992/about-application-and-device-control-pol.html
Option 2:
WARNING: Symantec strongly recommends that you back up the system registry before making any changes to it. Incorrect changes to the registry may result in system instability, permanent data loss or corrupted files. Be sure to modify the specified keys only.
You can disable the AutoRun/AutoPlay feature in Windows using the following registry settings:
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer]
"NoDriveTypeAutoRun"=dword:00000024
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Cdrom]
"Autorun"=dword:00000000
The registry change can be pushed out to agents using a Custom Host Integrity rule:
The second method will also work if the "SysPlant" device driver is now loaded. However, changes to the registry settings take effect only after Windows Explorer is restarted.
References
It is also possible to remediate this threat using tools provided by the operating system. For more information, read the following article:
"Preventing a virus from using the AutoRun feature to spread itself" at:
https://knowledge.broadcom.com/external/article?legacyId=TECH104447
Technical Information
For Option 2, the DWORD value of 24 (hexadecimal: 0x04 + 0x20 from the table below) disables the feature on removable drives and CD-ROMs:
http://msdn.microsoft.com/en-us/library/bb776825.aspx
Bitmask   Constant          Description
0x04      DRIVE_REMOVABLE   Disk can be removed from drive (such as a floppy disk).
0x08      DRIVE_FIXED       Disk cannot be removed from drive (a hard disk).
0x10      DRIVE_REMOTE      Network drive.
0x20      DRIVE_CDROM       CD-ROM drive.
0x40      DRIVE_RAMDISK     RAM disk.
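To confirm that the Option 2 settings actually reached an endpoint, the following PowerShell audit reads both registry values and decodes NoDriveTypeAutoRun against the bitmask table. It is an added example, not part of the Symantec policy or Host Integrity rule; the function names Get-RegDword and Get-DisabledDriveTypes are hypothetical helpers, and the script assumes it runs in the session of the user whose HKEY_CURRENT_USER hive is being checked.

```powershell
# Added example: audit the two AutoRun values from Option 2 on the local machine.
# Bitmask/constant pairs are the ones listed in this article's table.
$DriveTypeBits = @(
    @{ Mask = 0x04; Name = 'DRIVE_REMOVABLE' },
    @{ Mask = 0x08; Name = 'DRIVE_FIXED' },
    @{ Mask = 0x10; Name = 'DRIVE_REMOTE' },
    @{ Mask = 0x20; Name = 'DRIVE_CDROM' },
    @{ Mask = 0x40; Name = 'DRIVE_RAMDISK' }
)

function Get-RegDword {
    param([string]$Path, [string]$Name)
    # Returns $null when the key or the value does not exist.
    $item = Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue
    if ($null -eq $item) { return $null }
    return [int]$item.$Name
}

function Get-DisabledDriveTypes {
    param([int]$Mask)
    # Names of every drive type whose bit is set in the mask.
    $DriveTypeBits | Where-Object { $Mask -band $_.Mask } | ForEach-Object { $_.Name }
}

$explorer = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer'
$cdrom    = 'HKLM:\SYSTEM\CurrentControlSet\Services\Cdrom'
$required = 0x24   # value from Option 2: removable drives + CD-ROM

$ndta = Get-RegDword -Path $explorer -Name 'NoDriveTypeAutoRun'
if ($null -eq $ndta) {
    Write-Output 'NoDriveTypeAutoRun: not set for this user'
} else {
    $names = (Get-DisabledDriveTypes -Mask $ndta) -join ', '
    Write-Output ('NoDriveTypeAutoRun: 0x{0:X2} disables AutoRun on: {1}' -f $ndta, $names)
    # Bits required by Option 2 that are absent from the current value.
    $missing = $required -band (-bnot $ndta)
    if ($missing) {
        $gap = (Get-DisabledDriveTypes -Mask $missing) -join ', '
        Write-Output ('  MISSING 0x{0:X2}: AutoRun still enabled on: {1}' -f $missing, $gap)
    } else {
        Write-Output '  OK: covers the 0x24 mask from Option 2'
    }
}

$cd = Get-RegDword -Path $cdrom -Name 'Autorun'
if ($null -eq $cd)  { Write-Output 'Cdrom\Autorun: not set' }
elseif ($cd -eq 0)  { Write-Output 'Cdrom\Autorun: 0 (matches Option 2)' }
else                { Write-Output ('Cdrom\Autorun: {0} (does not match Option 2)' -f $cd) }
```

A value with more bits set than 0x24 still passes the check, because it disables AutoRun on additional drive types.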