
How to Disable AutoPlay feature to prevent Virus spreading using this feature.

Created: 17 Jun 2009 • Updated: 17 Jun 2009 | 23 comments
Saeed's picture
+8 10 Votes

Title : How to Disable AutoPlay feature to prevent Virus spreading using this feature.

Cause: Most malware and worms use the Windows AutoRun feature to spread to and launch on your machine.

Solution :

- Go to Start and Run.
- Type gpedit.msc
- Click OK.
- This will open a new Group Policy window.
- In the Group Policy window, click on the plus sign next to Administrative Templates under Computer Configuration.
- Then click on System; you will find Turn off Autoplay on the right-hand side.
- Double-click Turn off Autoplay. It will open a new window.
- By default it is set to Not configured.
- Select Enabled, set it for All drives, then click Apply and OK.
- Close the Group Policy window.

Comments: 23 Comments

Sheetu's picture

This is what I was looking for, thanks Saeed...

+1
Maximilian's picture

You can get the same function by enabling "Device and access control" in SEP and creating a customised policy.
This is of course way more work and needs a lot of testing before launching to production.

You can also disable AutoPlay with the Microsoft tool Tweak UI from the Power Toys web site
http://www.microsoft.com/windowsxp/downloads/powertoys/xppowertoys.mspx

+1
Int3rn3t's picture

Since this can also be done with Application and Device Control, I don't think it was necessary here.

0
Maximilian's picture

I think both options are good. The Windows autorun feature should always be disabled. It is good for clients that are newly installed and have not yet got SEP installed.

+2
Nel Ramos's picture

Max has a point there..
It would not hurt doing both ways...
the only reason I would prefer it in SEP is that it would admin autoplay and the others centrally..
thanks..

Nel Ramos

0
Acretian's picture

Create a folder named Autorun.inf at the root location of all the drives, so that when a virus tries to create it, it will not be able to do so. :)

0
Maximilian's picture

It is easy to disable autorun from a central GPO (group policy object) that resides on the Domain Controller, thus making the rule apply to all clients in the organisation. To do that, I made an article that continues where this one left off.

https://www-secure.symantec.com/connect/articles/more-how-disable-autoplay-feature-prevent-virus-spreading-way 

+2
andrew_ferguson's picture

One more reason to disable autorun (this has actually been around for a while)

http://wiki.hak5.org/wiki/USB_Switchblade

"The goal of the USB Switchblade is to silently recover information from a target Windows 2000 or higher computer, including password hashes, LSA secrets, IP information, etc... Several methods for silent activation exist including the original MaxDamage technique of using a special autorun loader on the virtual CD-ROM partition of a U3 compatible USB key, and the original Amish technique of using social engineering to trick a user into running the autorun when choosing "Open folder to display files" upon insertion."

Using a USB with payload installed the possibilities are endless, including AVKillers

Example:
Step 1) Plug in (No input is required to initiate autorun)
Step 2) Wait about 30 seconds
Step 3) Unplug and review stolen data later

Let's just hope our military realizes this issue and disabled it long ago!

--
Andrew Ferguson
Principal Software Quality Assurance Engineer
Solutions Sustainability Engineering
Symantec Corporation 
(801) 995-7831 Office
(972) 977-7036

+1
andrew_ferguson's picture

If you have VMWare installed, autorun is disabled by default btw :)

--
Andrew Ferguson
Principal Software Quality Assurance Engineer
Solutions Sustainability Engineering
Symantec Corporation 
(801) 995-7831 Office
(972) 977-7036

0
Maximilian's picture

 Someone said that autorun is disabled by default with some of the most recent updates for Windows. I cannot confirm that this is the case. Anyone that has some links to provide?

0
Vikram Kumar-SAV to SEP's picture

 https://www-secure.symantec.com/connect/blogs/kb-971029-good-step-towards-malware-propagation-prevention

Vikram Kumar

Symantec Consultant

The most helpful part of entire Symantec connect is the Search button..do use it.

0
Kharen_22's picture

Thanks for the info. It is my first time to log in this site and I find it interesting ...

0
deepak.vasudevan's picture

Just thought of sharing this URL from my bookmarks http://www.howtogeek.com/howto/windows/disable-aut... It illustrates this author's objectives through visual pictures.

+1
Angelique28's picture

 @ deepak

I used the link you shared and did it. It helped a lot. Nice one!

Angel

0
UFO's picture

Angie, if you did like deepak's comment - do not forget to vote yes

STS: DLP

0
Angelique28's picture

Hi Volo,

I am unable to vote, not sure why; there is no action when I point at the Vote button =(.

Angel

0
Bicester's picture

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoDriveTypeAutoRun
Change 0x91 (145) to 0x95 (149)
Was 0x91 (+0x4 should disable on removable drives)

-------------------------------

Fuller details:

"For example, let's say you want to disable AutoRun for everything but CD-ROMs. To block the other media types, according to Microsoft's cryptic documentation, you'd add 1 for unknown media, 4 for removable drives (such as USB drives), 8 for fixed drives, 16 for network drives, 64 for RAM drives, and 128 for other drives of unknown types. Add all of those decimal values together and enter the result — 221 — in the Decimal box of the NoDriveTypeAutorun Registry key."

32 = disable autoplay on CD-Rom drives ( = 0x20 = DRIVE_CD_ROM)

The values in the bitfield correspond to return values of the GetDriveType function:

#define DRIVE_UNKNOWN     0
#define DRIVE_NO_ROOT_DIR 1
#define DRIVE_REMOVABLE   2
#define DRIVE_FIXED       3
#define DRIVE_REMOTE      4
#define DRIVE_CDROM       5
#define DRIVE_RAMDISK     6
7 = future use

+1
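
The bitfield described in the comment above, as an added example that is not part of the original thread: bit n of NoDriveTypeAutoRun corresponds to GetDriveType value n, so the values quoted in the thread (0x91, 0x95, 221) can be decoded and checked against a baseline. The function names and the `gaps` baseline (removable and CD-ROM drives) are assumptions of this example; 0xFF, every bit set, is included as the value that covers all drive types.

```python
# Added example (not from the original thread): decode NoDriveTypeAutoRun.
# Bit n of the value disables AutoRun for the drive type GetDriveType reports as n.
DRIVE_TYPES = [
    "DRIVE_UNKNOWN",      # bit 0 = 0x01
    "DRIVE_NO_ROOT_DIR",  # bit 1 = 0x02
    "DRIVE_REMOVABLE",    # bit 2 = 0x04
    "DRIVE_FIXED",        # bit 3 = 0x08
    "DRIVE_REMOTE",       # bit 4 = 0x10
    "DRIVE_CDROM",        # bit 5 = 0x20
    "DRIVE_RAMDISK",      # bit 6 = 0x40
    "RESERVED",           # bit 7 = 0x80, "future use" in the list above
]
KEY = r"Software\Microsoft\Windows\CurrentVersion\Policies\Explorer"

def disabled_types(value):
    """Drive types for which this value turns AutoRun off."""
    return [n for bit, n in enumerate(DRIVE_TYPES) if value & (1 << bit)]

def enabled_types(value):
    """Drive types this value leaves untouched."""
    return [n for bit, n in enumerate(DRIVE_TYPES) if not value & (1 << bit)]

def mask_for(names):
    """Build the value that disables AutoRun for the named drive types."""
    mask = 0
    for n in names:
        mask |= 1 << DRIVE_TYPES.index(n)
    return mask

def gaps(value, required=("DRIVE_REMOVABLE", "DRIVE_CDROM")):
    """Required types (hypothetical baseline) the value fails to cover."""
    return [n for n in required if n not in disabled_types(value)]

def read_hkcu_value():
    """Windows only: read the per-user value named in the comment above."""
    import winreg  # standard library, present only on Windows
    with winreg.OpenKey(winreg.HKEY_CURRENT_USER, KEY) as key:
        value, _type = winreg.QueryValueEx(key, "NoDriveTypeAutoRun")
    return value

if __name__ == "__main__":
    # 0x91, 0x95 and 221 are the values quoted in the thread; 0xFF sets every bit.
    for v in (0x91, 0x95, 221, 0xFF):
        print(f"{v:#04x}: disabled={disabled_types(v)} gaps={gaps(v)}")
```
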
Milos's picture

I tried everything, and still didn't find a way to disable autoplay. Gpedit, editing the registry, but nothing worked for me! A friend suggested Autoplay disabler Pro to me, and I really suggest it to all of you. It's so simple to use, and still, it really works :) you can find it at http://www.autoplaydisabler.us

+1
Sanjay IBM's picture

Hi all,

The above solutions are good, but I want a solution opposite to it.

I want to enable this autorun function.

I have a data card, and when I connected it the Dialer application was running automatically, but after upgrading Symantec Client Security to SEP 11.0, this autorun option has been blocked. Now it can be connected only manually.

So guide on this

 

0