Carbon Black Cloud: Is autorun.inf automatically blocked from execution on removable media?
book
Article ID: 289702
calendar_today
Updated On:
Products
Carbon Black Cloud Endpoint Standard (formerly Cb Defense)Carbon Black Cloud Enterprise EDR (formerly Cb Threathunter)
Issue/Introduction
Is autorun.inf automatically blocked from execution on removable media?
Environment
Carbon Black Cloud Console: All Versions
Carbon Black Cloud Windows Sensor: All Supported Versions
Microsoft Windows: All Supported Versions
Resolution
We do not block any file from running by default unless it has a malicious reputation and the applicable policies are in place. However you can create the following Blocking and Isolation policy rule to block files of this type by default:
Application(s) at path: **\autorun.inf Runs or is running → Terminate
Once the rule has been saved, please allow time for the device to check-in and download the updated policy rules before testing.
Additional Information
Starting in Sensor version 3.5, a new feature has been added which will find all malicious services associated with Known Malware hashes and puts them in a disabled state.