RE: Disabling autorun for mapped network drives




Hi Johnny,

We tested the group policy setting in our environment and it worked fine.
You should implement this in the local group policy of the images.

Running a scan on the network and deleting all autorun.inf files might not
be the solution, because you might have software dumps in the network shares
that have legitimate autorun.inf files.


Another solution is to go to the following key in the registry:
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer
Create a REG_DWORD named NoDriveTypeAutoRun and give it the following value:
0x10
Then restart explorer.

Regards,
Tima

-----Original Message-----
From: listbounce@xxxxxxxxxxxxxxxxx [mailto:listbounce@xxxxxxxxxxxxxxxxx] On
Behalf Of Johnny Wong
Sent: Thursday, July 26, 2007 7:33 AM
To: security-basics@xxxxxxxxxxxxxxxxx
Subject: Disabling autorun for mapped network drives

Hello all,

Over the past few months, we have faced situations where user PCs
were infected with a virus when they connected to network mapped drives.
What happened was that the virus creates "autorun.inf" in the root of
the shared network drive, so when users double-click the drive in
Explorer, the autorun.inf executes the linked virus-infected
executable. Even though the user PCs have anti-virus installed, in the
incidents we faced so far, the virus was not detectable. It was
realised later that the virus was a new strain.

We have tried to disable the mapped-drives autorun feature (based on
registry key settings); however, it was not foolproof because the
autorun.inf was still able to execute in some cases. We found later
from Microsoft's KB (http://support.microsoft.com/kb/933008) that
this registry setting may not work. So we did not roll out these
registry settings to the users.

Is anyone of you facing the same situation as me? I can only think of
the following solutions:

- keep AV signatures updated - this is not foolproof because most of
the time, the virus writers are leading the game. So we can only try
to send the first specimen we find ASAP to the AV vendors so that
they can develop signatures for them. I guess by that time, a
number of users would have been infected.

- run a task on the file server that regularly checks for the presence of
autorun.inf in the root of the shared folders, and if found, renames
or deletes them. Implementation of this task will impact the
performance of the server when it hosts a lot of shared folders.

Please share your workarounds if you have any.

Thank you,

JW
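
The registry change described in the reply at the top of this thread, as an added PowerShell example that is not part of either message. It sets the 0x10 (network drive) bit of NoDriveTypeAutoRun for the current user while keeping any bits already present, then reports the resulting state per drive type; the bit names are the documented NoDriveTypeAutoRun flags, and the variable names are this example's own.

```powershell
# Added example, not from the original thread.
# Sets the network-drive bit (0x10) of NoDriveTypeAutoRun under HKCU and
# preserves bits that an existing policy value already has set.
$key        = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer'
$name       = 'NoDriveTypeAutoRun'
$networkBit = 0x10   # value given in the reply

# Documented bit flags for NoDriveTypeAutoRun (a set bit disables AutoRun).
$driveTypes = @(
    @{ Bit = 0x01; Name = 'Unknown'   },
    @{ Bit = 0x04; Name = 'Removable' },
    @{ Bit = 0x08; Name = 'Fixed'     },
    @{ Bit = 0x10; Name = 'Network'   },
    @{ Bit = 0x20; Name = 'CD-ROM'    },
    @{ Bit = 0x40; Name = 'RAM disk'  }
)

# Create the Policies\Explorer key if this profile does not have it yet.
if (-not (Test-Path -Path $key)) {
    New-Item -Path $key -Force | Out-Null
}

# Read the current value; treat a missing value as 0 so the result is 0x10.
$existing = Get-ItemProperty -Path $key -Name $name -ErrorAction SilentlyContinue
$current  = if ($null -ne $existing) { [int]$existing.$name } else { 0 }

# OR the bit in instead of overwriting, so other drive types stay disabled.
$new = $current -bor $networkBit
New-ItemProperty -Path $key -Name $name -PropertyType DWord -Value $new -Force | Out-Null

'{0}: 0x{1:X2} -> 0x{2:X2}' -f $name, $current, $new
foreach ($t in $driveTypes) {
    $state = if ($new -band $t.Bit) { 'disabled' } else { 'allowed' }
    '  {0,-10} (0x{1:X2}): AutoRun {2}' -f $t.Name, $t.Bit, $state
}

# Explorer reads the value at start-up: restart explorer (or log off and on)
# as the reply says. The KB article cited in the original message
# (http://support.microsoft.com/kb/933008) notes this setting may not work,
# so verify the behaviour against a test share after applying it.
```

Writing a bare 0x10 as in the reply replaces whatever value was there; the OR above only matters on machines where NoDriveTypeAutoRun already exists with other bits set.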


