Having AutoRun enabled on Microsoft Windows systems can help viruses spread, because AutoRun can start arbitrary code without user interaction.
In a previous article we saw how to disable low disk space warnings in Windows systems; in this article we will talk about AutoRun.
Microsoft Windows comes with the AutoRun feature, which makes applications start automatically when a CD/DVD is inserted, a network drive is mapped or a USB key is plugged in. The last is the worst case, because anyone can plug in a USB key to move data, to get pictures from a friend, to copy music, etc.
When a removable device is connected to a computer, either AutoRun launches the .exe/.com file that an Autorun.inf file points to, or the user double-clicks the icon to browse the device's contents. In both cases, a hidden execution happens and infects the computer. For example, the malicious software W32.Downadup uses this technique to spread.
Microsoft has published many articles on the subject, such as:
- How to correct “disable Autorun registry key” enforcement in Windows: this one also details how to disable AutoRun using Group Policy Objects (GPO)
- How to Enable or Disable Automatically Running CD-ROMs
- How to disable the use of USB storage devices (more radical solution!)
Today I received a US-CERT notification saying that those solutions are not effective when a medium is connected to the computer for the first time. In the Technical Cyber Security Alert TA09-020A we can read:
The Autorun and NoDriveTypeAutorun registry values are both ineffective for fully disabling AutoRun capabilities on Microsoft Windows systems. Setting the Autorun registry value to 0 will not prevent newly connected devices from automatically running code specified in the Autorun.inf file. It will, however, disable Media Change Notification (MCN) messages, which may prevent Windows from detecting when a CD or DVD is changed. According to Microsoft, setting the NoDriveTypeAutorun registry value to 0xFF “disables Autoplay on all types of drives.” Even with this value set, Windows may execute arbitrary code when the user clicks the icon for the device in Windows Explorer.
The proposed solution is to set the following registry value:
Path: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\IniFileMapping\Autorun.inf
Value: @="@SYS:DoesNotExist"
REGEDIT4
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\IniFileMapping\Autorun.inf]
@="@SYS:DoesNotExist"
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2
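
To check whether a machine actually carries the setting above, here is a read-only PowerShell audit, added as an example and not taken from the original post or from US-CERT. The `Policies\Explorer` location of `NoDriveTypeAutoRun` and the reading of `Shell` subkeys under MountPoints2 as per-volume shell commands are assumptions not stated on this page.

```powershell
# Added example: read-only audit of the AutoRun settings discussed in this post.
$iniMapKey = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\IniFileMapping\Autorun.inf'
$expected  = '@SYS:DoesNotExist'

function Get-RegValue {
    param([string]$Path, [string]$Name)   # an empty $Name reads the key's default value
    $key = Get-Item -LiteralPath $Path -ErrorAction SilentlyContinue
    if ($null -eq $key) { return $null }
    return $key.GetValue($Name, $null)
}

$results = @()

# 1. The mitigation quoted from TA09-020A: the default value of the IniFileMapping key.
$mapped = Get-RegValue -Path $iniMapKey -Name ''
$results += [pscustomobject]@{
    Check  = 'IniFileMapping\Autorun.inf (default)'
    Value  = $mapped
    Status = if ($mapped -eq $expected) { 'OK' } else { 'MISSING' }
}

# 2. NoDriveTypeAutoRun, reported for context only: the alert says it is not
#    sufficient on its own. Key path is an assumption (not given in the post).
foreach ($hive in 'HKLM:', 'HKCU:') {
    $path = "$hive\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer"
    $results += [pscustomobject]@{
        Check  = "$hive NoDriveTypeAutoRun"
        Value  = Get-RegValue -Path $path -Name 'NoDriveTypeAutoRun'
        Status = 'INFO'
    }
}

# 3. MountPoints2 (current user): count volume entries that have a Shell subkey.
#    Assumption: those subkeys hold shell commands recorded for that volume.
$mp2 = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2'
$cached = @(Get-ChildItem -LiteralPath $mp2 -ErrorAction SilentlyContinue |
    Where-Object { $_.GetSubKeyNames() -contains 'Shell' })
$results += [pscustomobject]@{
    Check  = 'MountPoints2 entries with a Shell subkey'
    Value  = $cached.Count
    Status = 'INFO'
}

$results | Format-Table -AutoSize
```

The script changes nothing; a `MISSING` status on the first row means the value from the alert is not set on that machine.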
Hope you found this post useful, and I’d like to invite you to subscribe to my feed to keep in touch with future posts.
Thank you very much for your post
I think it is useful because it is a problem I suffered from and I still
I will try this solution
Hi Aicha!
Nice to see you back.
Happy to see that it is useful for you! Think about deploying it on the lab using GPO; if you need assistance, I can make a post to explain.
Cheers!
Okay
It’s a great idea
I would be very grateful if you could tell us more
Waiting for your new post
Thank you!