Video Screencast Help

Deleting Autorun inf

Created: 09 Oct 2012 • Updated: 14 Oct 2012 | 10 comments
This issue has been solved. See solution.

How to delete autorun.inf file using symantec endpoint protection ?

Comments 10 CommentsJump to latest comment

pete_4u2002's picture

use ADC policy

check these threads

How to prevent Autorun.inf files being copied 
 
http://service1.symantec.com/SUPPORT/ent-security.nsf/docid/2010041910473748
 
 
Preventing viruses using "autorun.inf" from spreading with "Application and Device Control" policies in Symantec Endpoint Protection (SEP) 11.x  :
 
http://service1.symantec.com/SUPPORT/ent-security.nsf/docid/2008050910464348

 

pete_4u2002's picture

By default, SEP 12.1 has an Application and Device Control rule enabled which will block the access to and creation of autorun.inf files. check if the application rule is disabled, if yes enable to give more protection on clients.

Fariduzzaman's picture

ADC will control autorun inf. I want to know that if there is any way to permently delete autorun inf using SEP ?

pete_4u2002's picture

this is the information file which calls the malicious files (sometimes) hence its not threat to be deleted by SEP.

if the file is malicious you can delete using the action for the detections.

Ashish-Sharma's picture

By default, SEP 12.1 has an Application and Device Control rule enabled which will block the access to and creation of autorun.inf files. This is likely the cause of your issue. You could try disabling the rule as a quick test to confirm.

Disabling the Autorun.inf Rule in the SEPM

  1. Login to the SEPM
  2. Click Clients
  3. Select the group your SEP client is in
  4. Click the Policies tab (at the top)
  5. Open your Application and Device Control Policy
  6. Click Application Control
  7. Remove the checkmark from Block access to Autorun.inf [AC9]
  8. Click OK
  9. Once the SEP client picks up the new policy, test it out.

.

Preventing viruses using "autorun.inf" from spreading with "Application and Device Control" policies in Symantec Endpoint Protection (SEP) 11.x and 12.1.x

http://www.symantec.com/business/support/index?page=content&id=TECH104909

How do I Block access to Autorun.inf using Symantec Endpoint Protection (SEP) Application and Device Control policy?

https://www-secure.symantec.com/connect/downloads/how-do-i-block-access-autoruninf-using-symantec-endpoint-protection-sep-application-and-de

 http://www.symantec.com/business/support/index?page=content&id=TECH132337

Microsoft KB articles to disable Autorun

http://support.microsoft.com/kb/967715

http://technet.microsoft.com/en-us/magazine/cc137730.aspx

From SEP 12.1 onwards, SEPM will block autorun.inf by default. It's a part of Application & device control policy.

Thanks In Advance

Ashish Sharma

 

 

Chetan Savade's picture

Hi,

I don't see any need to delete autorun.inf while SEP is taking necessary action.

Chetan Savade
Sr Technical Support Engineer, Endpoint Security
Enterprise Technical Support
CCNA | CCNP | MCSE | SCTS |

Don't forget to mark your thread as 'SOLVED' with the answer that best helps you.<

.Brian's picture

SEP won't delete the autorun.inf. It can block it using ADC but you will need to physically delete it.

You can try this:

How to protect a USB Flash Drive from being able to auto-start with an unauthorized Autorun.inf file

http://www.symantec.com/business/support/index?pag...

Please click the "Mark as solution" link at bottom left on the post that best answers your question. This will benefit admins looking for a solution to the same problem.

Mithun Sanghavi's picture

Hello,

You question  - "How to delete autorun.inf file using symantec endpoint protection ?"

Any particular reason for you to delete the autorun.inf ? Are these files detected by Symantec as a risk ?

Deleting a file which is not a Risk could not be done via Symantec Endpoint Protection. However, you could surely block files via Application and Device Control of Symantec Endpoint Protection.

Check this Article:

Why Symantec Endpoint Protection does not remove AT, INF, INI, and registry keys related to infections

http://www.symantec.com/docs/TECH158359

Autorun.inf files are not in itself a Virus, however it may assist the a virus to spread.

Check these Articles:

How to prevent Autorun.inf files being copied or written to network file shares

http://www.symantec.com/docs/TECH131807

Preventing a virus from using the AutoRun feature to spread itself

http://www.symantec.com/docs/TECH104447

Preventing viruses using "autorun.inf" from spreading with "Application and Device Control" policies in Symantec Endpoint Protection (SEP) 11.x and 12.1.x

http://www.symantec.com/docs/TECH104909

How to protect a USB Flash Drive from being able to auto-start with an unauthorized Autorun.inf file

http://www.symantec.com/docs/TECH98330

Disable the Autorun from all the drives with the help of GPO

http://support.microsoft.com/kb/967715

Hope that helps!!

Mithun Sanghavi
Senior Consultant
MIM | MCSA | MCTS | STS | SSE | SSE+ | ITIL v3

Don't forget to mark your thread as 'SOLVED' with the answer that best helped you.

SOLUTION
hj1979's picture

From where you required to delete autorun.inf file?

A lot of application and s/w is depend on same, so please clear this point.

Riya31's picture

Hi ,

 

Autorun.inf itself is not a infected file.it contains some file/component to autorun or autoplay.

SEP doesn't delete the autorun.inf  if its genuine file.

Yes you can block access to autorun.inf file using ADC policy.