
Preventing viruses using "autorun.inf" from spreading with "Application and Device Control" policies in Symantec Endpoint Protection (SEP)


Article ID: 151528


Products

Endpoint Protection

Issue/Introduction

You are affected by a threat that uses the Windows AutoRun feature (the mechanism behind AutoPlay) to spread, and you want to stop it from spreading.

Symptoms
You can see a file called "autorun.inf" in the root of your drives.

  • When you insert a USB drive, your antivirus product detects a threat.
  • Computers that have mapped network drives continually receive threat detection dialogs.
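As an added example that is not part of the Symantec article, the following PowerShell checks the root of every ready drive for an autorun.inf and shows what each file would launch, which is the quickest way to confirm the symptom above and to see which drives carry the file. The function names, the drive enumeration and the sample file content are this example's own assumptions; the sample is constructed to resemble the layout AutoRun worms use (an open= line plus icon and action lines that make the drive look like an ordinary folder in the AutoPlay dialog) and is not taken from any real sample.

```powershell
# Added example, not code from the Symantec article: locate autorun.inf files
# on drive roots and report the commands they would run. Function names and
# the sample content below are this example's own assumptions.

function ConvertFrom-AutorunInf {
    # Parse the [autorun] section of an autorun.inf and separate the keys
    # that launch code (open=, shellexecute=, shell=, shell\<verb>\command=)
    # from the keys used to disguise the drive (icon=, label=, action=).
    param([Parameter(Mandatory = $true)][string]$Text)

    $inAutorun = $false
    $executes  = @()
    $disguise  = @()

    foreach ($line in ($Text -split "`r?`n")) {
        $l = $line.Trim()
        if ($l -eq '' -or $l.StartsWith(';')) { continue }   # blank line or comment
        if ($l -match '^\[(?<section>[^\]]+)\]$') {
            # Windows honours [autorun] and the architecture-specific [autorun.<arch>]
            $inAutorun = $Matches['section'] -match '^autorun(\..+)?$'
            continue
        }
        if (-not $inAutorun) { continue }
        if ($l -match '^(?<k>[^=]+?)\s*=\s*(?<v>.*)$') {
            $k = $Matches['k'].ToLower()
            $v = $Matches['v']
            if ($k -eq 'open' -or $k -eq 'shellexecute' -or $k -eq 'shell' -or $k -like 'shell\*\command') {
                $executes += "$k=$v"
            }
            elseif (@('icon', 'label', 'action') -contains $k) {
                $disguise += "$k=$v"
            }
        }
    }

    [pscustomobject]@{ Executes = $executes; Disguise = $disguise }
}

function Find-AutorunInf {
    # Check the root of every ready drive for autorun.inf (hidden/system
    # attributes are typical for worm-dropped copies) and parse each hit.
    foreach ($d in [System.IO.DriveInfo]::GetDrives()) {
        if (-not $d.IsReady) { continue }
        $path = Join-Path -Path $d.RootDirectory.FullName -ChildPath 'autorun.inf'
        if (-not (Test-Path -LiteralPath $path -PathType Leaf)) { continue }
        $item   = Get-Item -LiteralPath $path -Force
        $parsed = ConvertFrom-AutorunInf -Text ([System.IO.File]::ReadAllText($path))
        [pscustomobject]@{
            Drive      = $d.Name
            DriveType  = $d.DriveType
            Attributes = $item.Attributes
            Executes   = ($parsed.Executes -join '; ')
            Disguise   = ($parsed.Disguise -join '; ')
        }
    }
}

# Constructed sample (not a real-world file): the icon and action lines mimic
# the normal "Open folder to view files" entry while open= runs the dropper.
$sample = @'
[autorun]
open=dropper.exe
shell\open\Command=dropper.exe
shell\explore\Command=dropper.exe
icon=%SystemRoot%\system32\SHELL32.dll,4
action=Open folder to view files
'@
ConvertFrom-AutorunInf -Text $sample | Format-List
Find-AutorunInf | Format-Table -AutoSize
```

A drive whose autorun.inf has anything in the Executes column other than what the vendor shipped on an install CD is the one to isolate; the Disguise column shows how the file tries to look like a normal folder entry.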

 

Cause

The threat that is attacking your system is using the "Windows AutoRun" feature to spread in your environment.

Resolution

Option 1:


Warning: This policy file is provided as a convenience tool and is not supported by Symantec. Use at your own risk.


You can create an "Application and Device Control" policy to block this infection vector. The attached policy blocks access to "autorun.inf" on all devices except CDs and DVDs, so Windows cannot read the file and launch whatever it references.

In order to import the policy:

  1. Download the attached policy file.
  2. Go to the "Policies" page.
  3. Select Application and Device Control.
  4. Click Import an Application and Device Control policy.
  5. In the "Import Policy" dialog box, browse to locate the ".dat" file that you have downloaded.
  6. Click Import.
  7. Apply the newly imported policy to your clients.



If you need further details on how to do this, refer to: About Application and Device Control policies in Endpoint Protection

https://knowledge.broadcom.com/external/article/152992/about-application-and-device-control-pol.html


Option 2:


WARNING: Symantec strongly recommends that you back up the system registry before making any changes to it. Incorrect changes to the registry may result in system instability, permanent data loss or corrupted files. Be sure to modify the specified keys only.


You can disable the AutoRun/AutoPlay feature in Windows with the following registry settings (shown in .reg file notation; the DWORD values are hexadecimal):

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer]
"NoDriveTypeAutoRun"=dword:00000024

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Cdrom]
"Autorun"=dword:00000000

The registry change can be pushed out to clients using a custom Host Integrity rule:

  • In the Host Integrity policy, add a new custom requirement.
  • Select Add > Function > Registry: Set registry value.
  • Type in the key, value name and DWORD value from the settings listed above. Note that "dword:00000024" in .reg notation is hexadecimal: if the rule's value field expects a decimal number, enter 36.


The second method also works when the SysPlant driver (the kernel driver that enforces Application and Device Control) is not loaded. Note, however, that the registry change takes effect only after Windows Explorer is restarted (or the user logs off and on again).
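As an added example that is not part of the Symantec article, the following PowerShell applies the Option 2 registry settings and reads them back, decoding "NoDriveTypeAutoRun" with the bit values listed under Technical Information so the effective setting can be verified. The function names and the "-AllUsers" switch are this example's own: writing the same value under HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer applies it to every user on the machine and overrides the HKCU copy the article shows, which the article does not cover. It must run from an elevated prompt because the Cdrom service key and the HKLM policy key are machine-wide.

```powershell
#Requires -RunAsAdministrator
# Added example, not code from the Symantec article: apply the Option 2
# registry settings and read them back. Writing NoDriveTypeAutoRun under HKLM
# (-AllUsers) is this example's addition: that copy applies to every user on
# the machine and takes precedence over the HKCU copy the article shows.

# NoDriveTypeAutoRun is a bitmask; each set bit disables AutoRun for one drive type.
$DriveBits = [ordered]@{
    0x04 = 'DRIVE_REMOVABLE'
    0x08 = 'DRIVE_FIXED'
    0x10 = 'DRIVE_REMOTE'
    0x20 = 'DRIVE_CDROM'
    0x40 = 'DRIVE_RAMDISK'
}

function ConvertTo-DriveTypeList {
    # Decode a NoDriveTypeAutoRun value into the drive types it disables.
    param([Parameter(Mandatory = $true)][int]$Mask)
    $names = foreach ($bit in $DriveBits.Keys) {
        if ($Mask -band $bit) { $DriveBits[$bit] }
    }
    if (-not $names) { return '(none)' }
    return ($names -join ', ')
}

function Set-AutorunPolicy {
    param(
        # 0x24 = DRIVE_CDROM + DRIVE_REMOVABLE, the article's value.
        # 0xFF would disable AutoRun on every drive type.
        [int]$NoDriveTypeAutoRun = 0x24,
        [switch]$AllUsers
    )
    $keys = @('HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer')
    if ($AllUsers) {
        $keys += 'HKLM:\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer'
    }
    foreach ($key in $keys) {
        if (-not (Test-Path -Path $key)) { New-Item -Path $key -Force | Out-Null }
        # REG_DWORD; "dword:00000024" in the article's .reg notation is hex (36 decimal).
        New-ItemProperty -Path $key -Name 'NoDriveTypeAutoRun' -PropertyType DWord `
            -Value $NoDriveTypeAutoRun -Force | Out-Null
    }
    # Cdrom\Autorun=0 turns off the media-change notification that triggers
    # AutoRun for CD-ROM drives (the article's second setting).
    New-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Services\Cdrom' -Name 'Autorun' `
        -PropertyType DWord -Value 0 -Force | Out-Null
}

function Get-AutorunPolicy {
    # Read back each location and decode it so the change can be verified.
    foreach ($hive in @('HKLM', 'HKCU')) {
        $key = "${hive}:\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer"
        $v = (Get-ItemProperty -Path $key -Name 'NoDriveTypeAutoRun' -ErrorAction SilentlyContinue).NoDriveTypeAutoRun
        [pscustomobject]@{
            Location = "$hive\...\Policies\Explorer\NoDriveTypeAutoRun"
            Value    = if ($null -eq $v) { '(not set)' } else { '0x{0:X2}' -f $v }
            Disables = if ($null -eq $v) { '' } else { ConvertTo-DriveTypeList -Mask $v }
        }
    }
    $cd = (Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Services\Cdrom' -Name 'Autorun' -ErrorAction SilentlyContinue).Autorun
    [pscustomobject]@{
        Location = 'HKLM\SYSTEM\CurrentControlSet\Services\Cdrom\Autorun'
        Value    = if ($null -eq $cd) { '(not set)' } else { $cd }
        Disables = if ($cd -eq 0) { 'CD-ROM media-change AutoRun' } else { '' }
    }
}

Set-AutorunPolicy -AllUsers
Get-AutorunPolicy | Format-Table -AutoSize
# Explorer reads the value at start-up, so restart it (or log off and on)
# before testing with a USB stick.
Stop-Process -Name explorer -Force
Start-Process -FilePath explorer.exe
```

Run Get-AutorunPolicy alone on a client that received the Host Integrity rule to confirm the value arrived as 0x24 rather than 0x18 (which is what decimal 24 would mean, and which would leave removable drives and CD-ROMs enabled).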


References
It is also possible to remediate this threat using tools provided by the operating system. For more information, read the following article:


"Preventing a virus from using the AutoRun feature to spread itself" at:
https://knowledge.broadcom.com/external/article?legacyId=TECH104447 



Technical Information
For Option 2, the "NoDriveTypeAutoRun" value is a bitmask: each set bit disables AutoRun for one drive type. The .reg notation "dword:00000024" is hexadecimal, so the value is 0x24 (36 decimal) = 0x20 (DRIVE_CDROM) + 0x04 (DRIVE_REMOVABLE), which disables the feature on removable drives and CD-ROMs. The "Autorun" value of 0 under the Cdrom service disables the media-change notification that triggers AutoRun for CD-ROM drives.

http://msdn.microsoft.com/en-us/library/bb776825.aspx

Bitmask  Constant         Description
0x04     DRIVE_REMOVABLE  Disk can be removed from the drive (such as a floppy disk or USB drive).
0x08     DRIVE_FIXED      Disk cannot be removed from the drive (a hard disk).
0x10     DRIVE_REMOTE     Network drive.
0x20     DRIVE_CDROM      CD-ROM drive.
0x40     DRIVE_RAMDISK    RAM disk.

Setting the value to 0xFF disables AutoRun on every drive type; combine the bits above to disable it on a narrower set (for example, 0x34 adds network drives to the value used in this article).

Attachments

block_access_to_autorun.inf.dat