How to protect systems with SEP from an autorun.inf that links to malware.

Article:TECH201440  |  Created: 2013-01-08  |  Updated: 2013-01-08  |  Article URL http://www.symantec.com/docs/TECH201440
Article Type
Technical Solution

Issue



How to protect systems with Symantec Endpoint Protection (SEP) clients from an autorun.inf that links to malware.


Solution



To protect systems from an autorun.inf that links to malware, block only explorer.exe from reading autorun.inf.  Only explorer.exe will run processes listed in the autorun.inf.  Software installers should still function correctly because only explorer.exe is blocked from accessing these files, not the installers.

To stop autorun.inf files from being written to network drives, create a Symantec Endpoint Protection Manager (SEPM) Application and Device Control (ADC) policy rule that blocks all programs from writing autorun.inf files to network drives.  This should still allow installers to run correctly, since they should be reading the autorun.inf file from the network, not writing it to the network.

To do both, that is, to protect your systems from autorun.inf files that link to malware and to stop programs from writing autorun.inf files to the network, create two rules: one rule that blocks explorer.exe from reading autorun.inf, and another rule that stops any application from writing autorun.inf to a network drive.

Attached is a sample Application and Device Control policy that does this.  Here, Rule [AC9] has been modified from the default SEP 12.1 RU2 ruleset.
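
When reviewing drives that the rules above are meant to cover, it helps to see which commands an autorun.inf asks Explorer to launch. The following is an added example, not part of the original article or of SEP; the function names and the sample file contents are constructed for illustration, and it only reads the open, shellexecute and shell\verb\command keys of the [autorun] section.

```python
import re
import sys

# [autorun] keys whose value is a command Explorer may launch.
LAUNCH_KEY = re.compile(r"open|shellexecute|shell\\[^\\=]+\\command", re.IGNORECASE)

def launch_entries(text):
    """Return (key, command) pairs found in the [autorun] section of the text."""
    entries, in_autorun = [], False
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):      # blank line or comment
            continue
        if line.startswith("[") and line.endswith("]"):
            in_autorun = line[1:-1].strip().lower() == "autorun"
            continue
        if in_autorun and "=" in line:
            key, value = (part.strip() for part in line.split("=", 1))
            if LAUNCH_KEY.fullmatch(key) and value:
                entries.append((key.lower(), value))
    return entries

def audit(path):
    """Read an autorun.inf from disk (ANSI or UTF-16 with BOM) and list launch entries."""
    with open(path, "rb") as fh:
        data = fh.read()
    encoding = "utf-16" if data[:2] in (b"\xff\xfe", b"\xfe\xff") else "latin-1"
    return launch_entries(data.decode(encoding, errors="replace"))

# Constructed sample, not taken from a real device or from the article.
SAMPLE = """\
; constructed example
[AutoRun]
label=Backup
icon=setup.ico
open=tools\\launcher.exe /quiet
shell\\explore\\command = tools\\launcher.exe
ShellExecute=readme.html

[Content]
MusicFiles=false
"""

if __name__ == "__main__":
    # Pass autorun.inf paths to audit real files; with none, the sample is used.
    results = {p: audit(p) for p in sys.argv[1:]} or {"<sample>": launch_entries(SAMPLE)}
    for source, entries in results.items():
        for key, command in entries:
            print(f"{source}: {key} -> {command}")
```
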



