You are affected by a threat that uses AutoRun (also called AutoPlay) to spread. You want to stop the threat from spreading.
You can see a file called "autorun.inf" in the root of your drives.
The threat that is attacking your system is using the "Windows AutoRun" feature to spread in your environment.
Warning: This policy file is provided as a convenience tool and is not supported by Symantec. Use at your own risk.
You can create an "Application and Device Control" policy to block this infection vector. The attached policy allows you to block "autorun.inf" on all devices except CDs and DVDs.
In order to import the policy:
If you need further details on how to do this, refer to the Symantec Endpoint Protection administration guide included on the Symantec Endpoint Protection CD.
This document is also available via the Symantec FTP site:
ftp://ftp.symantec.com/public/english_us_canada/products/symantec_endpoint_protection/11.0/manuals/administration_guide.pdf for SEP 11
WARNING: Symantec strongly recommends that you back up the system registry before making any changes to it. Incorrect changes to the registry may result in system instability, permanent data loss or corrupted files. Be sure to modify the specified keys only.
You can disable the AutoRun/AutoPlay feature in Windows using the following registry settings:
The registry change can be pushed out to agents using a Custom Host Integrity rule:
The second method will also work if the "SysPlant" device driver is not loaded. However, changes to the registry setting take effect only after Windows Explorer is restarted.
If you do not have Symantec Endpoint Protection 11 or 12.1, you can still block threats using tools provided by the operating system. For more information, read the following article:
"Preventing a virus from using the AutoRun feature to spread itself" at:
For Option 2, the DWORD value of 24 (hexadecimal 0x24, that is 0x04 + 0x20 in the table below) in the registry means to disable the feature on removable drives and CD-ROMs:
Bit Number   Bitmask   Constant          Description
2            0x04      DRIVE_REMOVABLE   Disk can be removed from drive (such as a floppy disk).
3            0x08      DRIVE_FIXED       Disk cannot be removed from drive (a hard disk).
4            0x10      DRIVE_REMOTE      Network drive.
5            0x20      DRIVE_CDROM       CD-ROM drive.
6            0x40      DRIVE_RAMDISK     RAM disk.
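The following script is an added example, not part of this Symantec article or its attached policy. It decodes a bitmask against the table above and audits an exported .reg file for the Option 2 setting; it assumes the standard Windows policy value name NoDriveTypeAutoRun, which the article itself does not name, and the sample export is constructed. It also shows why the "24" must be entered as hexadecimal: decimal 24 is 0x18, which covers fixed and network drives but neither removable drives nor CD-ROMs.

```python
import re

# Bitmask taken from the table on this page (0x04 .. 0x40).
DRIVE_TYPE_BITS = {
    0x04: "DRIVE_REMOVABLE",
    0x08: "DRIVE_FIXED",
    0x10: "DRIVE_REMOTE",
    0x20: "DRIVE_CDROM",
    0x40: "DRIVE_RAMDISK",
}
# Option 2 on this page: AutoRun disabled for removable drives and CD-ROMs.
OPTION2_MASK = 0x04 | 0x20  # == 0x24

# Assumed value name (not named on the page): the standard Windows policy
# value NoDriveTypeAutoRun, normally under ...\Policies\Explorer.
VALUE_NAME = "NoDriveTypeAutoRun"
_REG_LINE = re.compile(r'^"%s"=dword:([0-9a-fA-F]{1,8})\s*$' % re.escape(VALUE_NAME))


def disabled_drive_types(mask):
    """Names of the drive types for which AutoRun is disabled by `mask`."""
    return [name for bit, name in DRIVE_TYPE_BITS.items() if mask & bit]


def audit_mask(mask):
    """Option 2 drive types that `mask` does NOT cover (empty list == compliant)."""
    return [name for bit, name in DRIVE_TYPE_BITS.items()
            if OPTION2_MASK & bit and not mask & bit]


def mask_from_reg_export(reg_text):
    """Extract the DWORD from a .reg export; .reg files store dwords as hex."""
    for line in reg_text.splitlines():
        m = _REG_LINE.match(line.strip())
        if m:
            return int(m.group(1), 16)
    return None  # value not present in the export


# Constructed sample export (not data from a real machine).
SAMPLE_REG = '''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\Explorer]
"NoDriveTypeAutoRun"=dword:00000024
'''

if __name__ == "__main__":
    mask = mask_from_reg_export(SAMPLE_REG)
    print(hex(mask), disabled_drive_types(mask), "missing:", audit_mask(mask))
    # Typing the page's "24" as a decimal DWORD in regedit gives 0x18 instead:
    print(hex(24), disabled_drive_types(24), "missing:", audit_mask(24))
```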