Endpoint Protection

  • 1.  Disable Autorun

    Posted Mar 19, 2018 02:11 AM

    Block Autorun is enabled in Application and Device Control in Symantec.

    Does this policy block Autorun for all drives or only USB?

    How can we make the policy block Autorun on all drives, including CD, DVD and USB?
     



  • 2.  RE: Disable Autorun

    Posted Mar 19, 2018 02:40 AM

    Enable the CD drive in the policy; by default it blocks drives and USB.



  • 3.  RE: Disable Autorun

    Posted Mar 19, 2018 03:23 AM

    The imported Autorun policy from Symantec shows two built-in entries:

    1. \\\\.*\\Autorun\.inf

    2. [^\\]*\\Autorun\.inf

     

    What do these mean? Do I have to update both to reflect all the drives?

    Attached is my screenshot

     

    The tech note https://support.symantec.com/en_US/article.TECH104909.html

    says the policy only protects:

    You can create an "Application and Device Control" policy to block this type of infection vector. The attached policy will allow you to block "autorun.inf" in all devices except CDs and DVDs.

     



  • 4.  RE: Disable Autorun

    Posted Mar 19, 2018 03:34 AM

    Those two are regular expressions, to find out where the autorun.inf is located. Yes, update both of them.

    Application Control Regular Expression syntax in Symantec Endpoint Protection

    https://support.symantec.com/en_US/article.HOWTO111096.html



  • 5.  RE: Disable Autorun

    Posted Mar 19, 2018 03:43 AM

    Test (log only) mode or in Production mode. Test mode lets you apply this collection of rules to devices without modifying the behavior of those devices. You can then examine the generated log.
    When you first create a collection of rules for a policy, the mode is Test (log only).

     

    Where do I see the logs for the test mode?

    Is the attached policy correct? It mentions (enable drive type) and doesn't show disable (drive types) or mention the drive types there (C:, D: etc.).



  • 6.  RE: Disable Autorun

    Posted Mar 19, 2018 04:40 AM

    Hello AnitaP,

    Since regexes are complicated to understand, let me try to explain what it does here.

    1) The first regex is \\\\.*\\Autorun\.inf

    I shall break this into three parts:

    Part 1) \\\\

    Part 2) .*\\

    Part 3) Autorun\.inf

    Part 1) \\\\

       a) \ is an escape character; if you want to write \s you will write \s, but if you want to write only \ then you write \\ .

             So Part 1 becomes \\

    Part 2) .*\   (one \ is the escape, so it will be .*\ )

    Dot . matches any character

    * any preceding character of part 3

    ex:

    one character + zero or more of any preceding character of \ (anything before \ format)

    These could be of the form

    temp\y\xy\1235\

    Part 3: Autorun\.inf

    \ is nothing but escaping the dot, so it will be Autorun.inf

    This is what the first one would do:

    \\servername\c$\temp\temp2\temp3\temp4\temp6\.................\till it finds it\autorun.inf

    Matching examples:

    \\servername\c$\temp\temp2\temp3\temp4\temp6\autorun.inf
    \\temaaaaaaaaaaa\daaaaaaaaaaaaaa\autorun.inf
    \\c\test\autorun.inf
    \\servername\autorun.inf

    ===================

    The second one is for local drives

    [^\\]*\\Autorun\.inf

    ^ means not, so any path which does not start with \\

    will match

    C:\autorun.inf

    and

    c:\windows\sxx\yy\autorun.inf

    Your USB or local drive does not start with \\ (if you are not accessing it remotely).

    You will use the second one; if you are accessing over the network you will be using the first regex.
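
    As an added illustration (not code from the thread or from Symantec), the two built-in patterns run with Python's re module against the sample paths quoted above, both as an unanchored search and as a whole-path match, so you can see which paths each rule picks up under each interpretation. It assumes case-insensitive matching (the posts match lowercase autorun.inf against Autorun\.inf); whether SEP anchors its path matches is not stated here and should be checked against the HOWTO111096 syntax article.

```python
import re

# The two built-in patterns from the imported SEP Block Autorun policy,
# copied exactly as they appear in the thread.
RULES = {
    "rule1_unc":   r"\\\\.*\\Autorun\.inf",   # paths starting with \\ (network)
    "rule2_local": r"[^\\]*\\Autorun\.inf",   # paths without a leading \\
}

# Assumption: path matching is case-insensitive, as the thread's examples
# use lowercase "autorun.inf" against "Autorun\.inf".
FLAGS = re.IGNORECASE


def matching_rules(path, anchored=False):
    """Names of the rules whose pattern matches `path`.

    anchored=False: unanchored search (pattern may occur anywhere in the path).
    anchored=True:  the pattern must cover the whole path (re.fullmatch).
    """
    match = re.fullmatch if anchored else re.search
    return [name for name, pat in RULES.items() if match(pat, path, FLAGS)]


# Constructed sample paths: the examples from the posts above, plus one
# removable-drive path and one near-miss file name.
SAMPLE_PATHS = [
    r"\\servername\c$\temp\temp2\temp3\temp4\temp6\autorun.inf",
    r"\\servername\autorun.inf",
    r"C:\autorun.inf",
    r"c:\windows\sxx\yy\autorun.inf",
    r"E:\autorun.inf",
    r"C:\temp\autorun.inf.bak",
]

if __name__ == "__main__":
    for path in SAMPLE_PATHS:
        print(f"{path}\n  search:    {matching_rules(path)}"
              f"\n  fullmatch: {matching_rules(path, anchored=True)}")
```

Note that under an unanchored search the second pattern also matches UNC paths and the near-miss autorun.inf.bak, while under a whole-path match it only matches autorun.inf directly in a drive root; which behaviour you get depends on how the Application Control engine applies the expression.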

     

     



  • 7.  RE: Disable Autorun

    Posted Mar 19, 2018 07:54 AM

    Is this rule applied correctly? What does it mean if

    1. %windir%\explorer.exe

    2. %windir%\System32\explorer.exe

    3. %windir%\SysWOW64\explorer.exe

    is shown under the Block AutoRun policy?

    The second image shows the action taken. Is that correct? Should we keep the Create/Delete/Write attempt as "continue processing other rules"?

    Someone please explain.



  • 8.  RE: Disable Autorun

    Posted Mar 19, 2018 08:12 AM
    That's the process which would open autorun, so you are saying: if the explorer process is trying to open autorun from these paths (regular expressions), block it.


  • 9.  RE: Disable Autorun

    Posted Mar 19, 2018 08:18 AM

    That's the process which would open autorun, so you are saying: if the explorer process is trying to open autorun from these paths (regular expressions), block it.

    Explorer.exe will not write anything to the autorun.inf file, so you don't have to worry about the second part;

    whatever is in the screenshot is correct.

     



  • 10.  RE: Disable Autorun

    Posted Mar 19, 2018 08:31 AM

    For logs:

    Monitors - Logs - Application Control

    By default, local drives are selected.