Disabling autorun for mapped network drives



Hello all,

Over the past few months, we have faced situations where user PCs were infected with virus when they connect to network mapped drives. What happened was that the virus creates "autorun.inf" in the root of the shared network drive, so users who double-click the drive in Explorer, the autorun.inf executes the linked virus-infected executable. Evem though the user PCs have anti-virus installed, the incidents we faced so far, the virus was not detectable. It was realised later that the virus was a new strain.

We have tried to disable the mapped-drives autorun feature (based on registry key settings); however, it was not foolproof because the autorun.inf was still able to execute in some cases. We found later from Microsoft's KB (http://support.microsoft.com/kb/933008) that this registry setting may not work. So we did not roll out this registry settings to the users.

Anyone of you facing the same situation as me? I can only think of the following solutions:

- keep AV signatures updated - this is not foolproof because most of the time, the virus writers are leading the game. So we can only try to send the first specimen we find ASAP to the AV vendors so that they could develop signatures for them. Guessed by that time, a number of users would have been infected.

- run a task on the file server that regularly checks for presence of autorun.inf in the root of the shared folders, and if found, rename or delete them. Implementation of this task will impact the performance of the server when it hosts a lot of shared folders.

Please share your workarounds if you have any.

Thank you,

JW



Relevant Pages

  • Re: Disabling autorun for mapped network drives
    ... were infected with virus when they connect to network mapped drives. ... autorun.inf in the root of the shared folders, and if found, rename ... Disable autorun via group policy for all drives. ...
    (Security-Basics)
  • Re: Zero Memory?
    ... I'm glad to hear you don't think all children are perverts but jumping ... mp3s or by a virus is flawed and lazy analysis and rude to assume ... Do you have kids? ... > | total size is the drives capacity regardless of how much ...
    (microsoft.public.windowsxp.hardware)
  • Re: Hacker Help
    ... Try cleaners you can get from the major AV vendors, ... files it is likely indicating what virus is involved, ... That your firewall is on is good, ... Both these drives can be ...
    (microsoft.public.windowsxp.security_admin)
  • RE: Windows Script Host "Can not find script file "C: tidr.vbs".
    ... Our area recently got hit with a funky virus; ... full scan of two of my drives and McAfee didn't notice a thing. ... "Windows Script Host" title. ... IE to be disturbed I had to get rid of the Radz file so that meant also ...
    (microsoft.public.windowsxp.perform_maintain)
  • Re: Warning!
    ... I believe the "anti-virus" industry is full of virus writers. ... Gone in 5 minutes with an image restore. ... cloning drives and manipulating partitions. ...
    (rec.boats)