Why Symantec Endpoint Protection does not remove AT, INF, INI, and registry keys related to infections

Article:TECH158359  |  Created: 2011-04-19  |  Updated: 2014-01-17  |  Article URL http://www.symantec.com/docs/TECH158359
Article Type
Technical Solution


Issue



A machine, drive or USB drive is scanned by a third party antivirus solution, which then detects autorun.inf files, scheduled tasks (AT tasks), or registry keys as malicious.


Environment



We are aware that some security vendors report autorun.inf files as malware, and consequently they will remove them. Symantec chooses not to remove files that do not contain viral code, because doing so can cause system instability or break the normal functionality of legitimate applications. However, Symantec does recognize that, in remediating malware, orphaned autorun.inf files can be left behind. While harmless, they can cause customer concern. Functionality to identify and remove the majority of these orphaned autorun.inf files, left behind after the linked malware has been removed, has been implemented in the latest Eraser Engine, released at the start of June 2011. This should not be interpreted to imply that we will delete all autorun.inf files, nor that we will always agree with other antivirus vendors when they render a malicious verdict against a specific file.


Cause



It can be difficult to differentiate a legitimate task from a task that launches a threat; therefore, we do not remove tasks as part of our threat remediation. The same applies to .LNK shortcut files.

Symantec Endpoint Protection has the ability to prevent autorun.inf from being read and from launching threats. Because AutoRun is a legitimate function of the operating system, we leave the blocking and/or deletion of these files in the hands of the Administrator.

Application and Device Control also has the ability to prevent files from being executed on removable drives, thereby preventing the threat from installing. As a rule, we are not able to restore some registry keys, because we have no way of knowing what values they held before the threat infected the machine.

By themselves, autorun.inf files are harmless. They contain no malicious code and cannot cause harm to a system. Our detection engines are focused on actual malicious files. Malicious files that use an autorun.inf file to launch themselves are detected by Symantec. From a security standpoint there are no protection gaps for customers based on our policies towards autorun.inf.


Solution



Customers who want to prevent all use of autorun.inf files are advised to turn off AutoPlay/AutoRun functionality and/or use Application and Device Control to lock down this functionality. Symantec has created Application and Device Control Policies to lock down the creation of certain files as well as prevent the propagation of threats via USB drives.

Best Practices for Deploying Symantec Endpoint Protection's Application and Device Control Policies
http://www.symantec.com/docs/TECH145973
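The following PowerShell script is an added example, not part of this article or of Symantec's own tooling. It audits the Windows AutoRun policy that the Solution above recommends turning off, by reading the NoDriveTypeAutoRun registry value in the machine and user Explorer policy keys, and with the assumed -Apply switch it writes the value 0xFF, which disables AutoRun for every drive type. Writing the HKLM key requires an elevated prompt.

```powershell
# Added example (not from the Symantec article): audit and optionally harden
# the Windows AutoRun policy through the NoDriveTypeAutoRun registry value.
# A bitmask of 0xFF disables AutoRun for all drive types. The -Apply switch
# name is an assumption made for this example; without it the script only reports.
param([switch]$Apply)

$policyPaths = @(
  'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer',
  'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer'
)
$allDriveTypes = 0xFF

foreach ($path in $policyPaths) {
  $current = $null
  if (Test-Path -Path $path) {
    $current = (Get-ItemProperty -Path $path -Name NoDriveTypeAutoRun -ErrorAction SilentlyContinue).NoDriveTypeAutoRun
  }

  # Report the current state before touching anything
  if ($null -eq $current) {
    Write-Output "$path : NoDriveTypeAutoRun is not set (Windows default applies)"
  } elseif (($current -band $allDriveTypes) -eq $allDriveTypes) {
    Write-Output ("{0} : NoDriveTypeAutoRun = 0x{1:X2} (AutoRun disabled for all drive types)" -f $path, $current)
  } else {
    Write-Output ("{0} : NoDriveTypeAutoRun = 0x{1:X2} (AutoRun still allowed for some drive types)" -f $path, $current)
  }

  if ($Apply) {
    if (-not (Test-Path -Path $path)) { New-Item -Path $path -Force | Out-Null }
    Set-ItemProperty -Path $path -Name NoDriveTypeAutoRun -Value $allDriveTypes -Type DWord
    Write-Output "$path : NoDriveTypeAutoRun set to 0xFF"
  }
}
```

Run it without arguments to see which policy keys are set; run it with -Apply from an elevated prompt to enforce the setting. Explorer reads the policy at logon, so a sign-out or reboot is needed before the change takes effect for existing sessions.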


Supplemental Materials

SecurityRisk.OrphanInf is a detection for autorun.inf files that no longer refer to a valid file on the computer
http://www.symantec.com/security_response/writeup.jsp?docid=2011-040403-3248-99
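As an added illustration of what the SecurityRisk.OrphanInf detection describes, the PowerShell script below is example code written for this page; it is not Symantec's Eraser logic. It parses the [autorun] section of an autorun.inf, collects the launch targets from open=, shellexecute= and shell\<verb>\command= entries, and reports the file as orphaned when none of those targets still exists relative to the drive root. The function names and the sample autorun.inf written to a temporary folder are constructed for the example.

```powershell
# Added example (not the Symantec article's or Eraser's own code): flag
# autorun.inf files whose launch targets no longer exist on disk, the
# situation the SecurityRisk.OrphanInf writeup describes.

function Get-AutorunTargets {
  # Return the program paths named in an autorun.inf: open=, shellexecute=,
  # and shell\<verb>\command= entries inside the [autorun] section only.
  param([string[]]$Lines)
  $inSection = $false
  foreach ($raw in $Lines) {
    $line = $raw.Trim()
    if ($line -eq '' -or $line.StartsWith(';')) { continue }        # blank or comment
    if ($line -match '^\[(.+)\]$') { $inSection = ($Matches[1] -ieq 'autorun'); continue }
    if (-not $inSection -or $line -notmatch '^([^=]+)=(.*)$') { continue }
    $key = $Matches[1].Trim(); $value = $Matches[2].Trim()
    if ($key -ieq 'open' -or $key -ieq 'shellexecute' -or $key -imatch '^shell\\[^\\]+\\command$') {
      # Keep only the program part: a quoted path, or the first whitespace-delimited token
      if ($value -match '^"([^"]+)"') { $value = $Matches[1] } else { $value = ($value -split '\s+')[0] }
      if ($value) { $value }
    }
  }
}

function Test-OrphanAutorunInf {
  # True when the file names at least one launch target and none of them exist.
  # An icon-only autorun.inf launches nothing and is therefore not reported.
  param([string]$InfPath)
  $root = Split-Path -Path $InfPath -Parent
  $targets = @(Get-AutorunTargets -Lines (Get-Content -Path $InfPath))
  if ($targets.Count -eq 0) { return $false }
  foreach ($target in $targets) {
    $full = if ([System.IO.Path]::IsPathRooted($target)) { $target } else { Join-Path -Path $root -ChildPath $target }
    if (Test-Path -LiteralPath $full) { return $false }
  }
  return $true
}

# Constructed sample: a fake drive root holding an autorun.inf that points at
# a program which is no longer present, as happens after the linked malware
# has been removed. Replace $demo with real drive roots for an actual scan.
$demo = Join-Path -Path ([System.IO.Path]::GetTempPath()) -ChildPath 'orphaninf-demo'
New-Item -ItemType Directory -Path $demo -Force | Out-Null
@('[autorun]', 'open=RECYCLER\missing.exe', 'shell\open\command=RECYCLER\missing.exe', 'icon=missing.exe,0') |
  Set-Content -Path (Join-Path -Path $demo -ChildPath 'autorun.inf')

Get-ChildItem -Path $demo -Filter autorun.inf -Recurse -File | ForEach-Object {
  [pscustomobject]@{ Path = $_.FullName; Orphaned = Test-OrphanAutorunInf -InfPath $_.FullName }
}
```

The script only reports; deleting a flagged file is left to the administrator, consistent with the article's position that autorun.inf handling belongs to the administrator rather than to automatic remediation. An autorun.inf whose target still exists is not an orphan, and an orphan verdict on its own says nothing about whether the missing target was malicious.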



