Preventing viruses using "autorun.inf" from spreading with "Application and Device Control" policies in Symantec Endpoint Protection (SEP) 11.x and 12.1.x

Article:TECH104909  |  Created: 2008-01-09  |  Updated: 2011-12-14  |  Article URL http://www.symantec.com/docs/TECH104909
Article Type
Technical Solution


Issue



You are affected by a threat that uses AutoRun (also called AutoPlay) to spread. You want to stop the threat from spreading.

Symptoms
  • You can see a file called "autorun.inf" in the root of your drives.
  • When you insert a USB drive, your AntiVirus product detects a threat.
  • Computers connected to the network drives continually receive threat detection dialogs.

 


Cause



The threat that is attacking your system is using the "Windows AutoRun" feature to spread in your environment.


Solution



Option 1:


Warning: This policy file is provided as a convenience tool and is not supported by Symantec. Use at your own risk.


You can create an "Application and Device Control" policy to block this infection vector. The attached policy blocks access to "autorun.inf" on all devices except CDs and DVDs.

In order to import the policy:

  1. Download the attached policy file (block_access_to_autorun.inf.dat).
  2. Go to the "Policies" page.
  3. Select Application and Device Control.
  4. Click Import an Application and Device Control policy.
  5. In the "Import Policy" dialog box, browse to locate the ".dat" file that you have downloaded.
  6. Click Import.
  7. Apply the newly imported policy to your clients.



If you need further details on how to do this, refer to the administration guide for Symantec Endpoint Protection included on the Symantec Endpoint Protection CD.
This document is also available via the Symantec FTP site:

  • SEP 11: ftp://ftp.symantec.com/public/english_us_canada/products/symantec_endpoint_protection/11.0/manuals/administration_guide.pdf
  • SEP 12.1: ftp://ftp.symantec.com/public/english_us_canada/products/symantec_endpoint_protection/12.1/manuals/rtm/Implementation_Guide_SEP12.1.pdf


Option 2:


WARNING: Symantec strongly recommends that you back up the system registry before making any changes to it. Incorrect changes to the registry may result in system instability, permanent data loss or corrupted files. Be sure to modify the specified keys only.


You can disable the AutoRun/AutoPlay feature in Windows using the following registry settings:

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer]
"NoDriveTypeAutoRun"=dword:00000024

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Cdrom]
"Autorun"=dword:00000000

The registry change can be pushed out to agents using a Custom Host Integrity rule:

  • In the Host Integrity policy, add a new "custom requirement."
  • Select Add > Function > "Registry: Set registry value".
  • Type in the <key>, <value name> and <DWORD value> from the settings listed above (one rule per value).


The second method also works if the "SysPlant" device driver is not loaded. However, the registry change takes effect only after Windows Explorer is restarted.


References
If you do not have Symantec Endpoint Protection 11 or 12.1, you can still block these threats using tools provided by the operating system. For more information, read the following article:


"Preventing a virus from using the AutoRun feature to spread itself" at:
http://www.symantec.com/docs/TECH104447

Technical Information
For Option 2, the DWORD value 24 (hexadecimal 0x24, as all dword values in a .reg file are) is the sum of the bits 0x04 and 0x20, so it disables the feature on removable drives and CD-ROM drives:

http://msdn.microsoft.com/en-us/library/bb776825.aspx

Bitmask   Constant          Description
0x04      DRIVE_REMOVABLE   Disk can be removed from drive (such as a floppy disk).
0x08      DRIVE_FIXED       Disk cannot be removed from drive (a hard disk).
0x10      DRIVE_REMOTE      Network drive.
0x20      DRIVE_CDROM       CD-ROM drive.
0x40      DRIVE_RAMDISK     RAM disk.
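The following PowerShell is added here and is not part of the Symantec article or of SEP itself. It ties the Option 2 registry values to the bitmask table above: it decodes any NoDriveTypeAutoRun value into the drive types it covers, audits a machine against the two settings the article lists, and can write them the same way the Host Integrity "Registry: Set registry value" rule would. The function names are this example's own; only the five drive-type bits from the table are named, and any other set bits are reported as a raw hexadecimal remainder.

```powershell
# Added example, not part of the Symantec article or the SEP product.
# Decode a NoDriveTypeAutoRun bitmask, audit the two registry values from
# Option 2, and (optionally) apply them. Only the drive-type bits listed in the
# article's table are named here.

$DriveTypeBits = [ordered]@{
    DRIVE_REMOVABLE = 0x04   # floppy, USB stick, memory card
    DRIVE_FIXED     = 0x08   # internal hard disk
    DRIVE_REMOTE    = 0x10   # mapped network drive
    DRIVE_CDROM     = 0x20   # CD/DVD drive
    DRIVE_RAMDISK   = 0x40   # RAM disk
}

# The two values from Option 2. The HKCU value is per-user; the HKLM value
# needs an elevated shell to write.
$AutoRunSettings = @(
    @{ Path = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer'
       Name = 'NoDriveTypeAutoRun'; Value = 0x24 }
    @{ Path = 'HKLM:\SYSTEM\CurrentControlSet\Services\Cdrom'
       Name = 'Autorun'; Value = 0x00 }
)

function Get-DisabledAutoRunDriveTypes {
    # Returns the names of the drive types whose AutoRun the given mask disables.
    param([Parameter(Mandatory)][int]$Mask)
    $names = @(foreach ($bit in $DriveTypeBits.GetEnumerator()) {
        if (($Mask -band $bit.Value) -ne 0) { $bit.Key }
    })
    # Any set bit outside the table (low byte only) is reported, not silently dropped.
    $known = 0
    foreach ($v in $DriveTypeBits.Values) { $known = $known -bor $v }
    $other = $Mask -band (0xFF -bxor $known)
    if ($other -ne 0) { $names += ('OTHER_BITS_0x{0:X2}' -f $other) }
    return $names
}

function Test-AutoRunSettings {
    # One row per registry value: expected vs. current, and whether they match.
    foreach ($s in $AutoRunSettings) {
        $item    = Get-ItemProperty -Path $s.Path -Name $s.Name -ErrorAction SilentlyContinue
        $current = if ($item) { [int]$item.($s.Name) } else { $null }
        [pscustomobject]@{
            Key       = $s.Path
            Name      = $s.Name
            Expected  = '0x{0:X2}' -f $s.Value
            Current   = $(if ($null -eq $current) { '<missing>' } else { '0x{0:X2}' -f $current })
            Compliant = ($null -ne $current) -and ($current -eq $s.Value)
        }
    }
}

function Set-AutoRunDisabled {
    # Writes both values; this is what the Host Integrity rule does on each client.
    foreach ($s in $AutoRunSettings) {
        if (-not (Test-Path -Path $s.Path)) { New-Item -Path $s.Path -Force | Out-Null }
        New-ItemProperty -Path $s.Path -Name $s.Name -PropertyType DWord `
            -Value $s.Value -Force | Out-Null
    }
}

# Which drive types does the article's value cover?
Get-DisabledAutoRunDriveTypes -Mask 0x24
# The same value widened to network and fixed drives as well:
Get-DisabledAutoRunDriveTypes -Mask (0x24 -bor 0x10 -bor 0x08)

Test-AutoRunSettings | Format-Table -AutoSize
# Set-AutoRunDisabled   # uncomment to apply; run elevated for the HKLM value.
```

Decoding 0x24 shows that the article's value covers DRIVE_REMOVABLE and DRIVE_CDROM only; network (0x10) and fixed (0x08) drives keep AutoRun enabled, which matters when the symptom is detections on network drives. The NoDriveTypeAutoRun value under HKCU applies only to the user whose hive is written, so a Host Integrity rule has to run in each user's context to cover every account on a shared computer; as the article notes, Windows Explorer must be restarted before either value takes effect.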


Attachments

block_access_to_autorun.inf.dat (2 kBytes)

Legacy ID



2008050910464348

