New Technologies System Virtualisation » virus http://www.ntsysv.com La théorie rejoint la pratique Fri, 02 Dec 2011 13:33:14 +0000 en hourly 1 http://wordpress.org/?v=3.2.1 How To Disable Autorun In Windows Systems : The Effective Way http://www.ntsysv.com/index.php/howto-disable-autorun-windows-systems-effective-way http://www.ntsysv.com/index.php/howto-disable-autorun-windows-systems-effective-way#comments Wed, 21 Jan 2009 09:44:06 +0000 ElMehdi http://www.ntsysv.com/?p=287 Having Autorun enabled in Microsoft Windows systems may help the spread of viruses. This is true because autorun can start any arbitrary code without user interaction.

In a previous article we saw how to disable low dik space warnings in Windows systems, in this article we will talk about Autorun.

Microsoft Windows come with the AutoRun feature which make applications start automaticaly when inserting a CD/DVD, mapping a network drive or plugging a USB key. This is the worst case because everyone can plug a usb key to move data, to get pictures from a friend, to copy music …etc.

When a Removable Device is connected to computer, either the autorun launches the exe/.com file to witch a Autorun.inf file point to, or the user double click on the icon to browse the device content. In both cases, a hidden execution happens and make the computer infected. As an example, the Malicious software W32.Downadup uses this technique to spread.

In Microsoft, we can read many articles, such :

Today I received an US-CERT notification to say that those solutions are not effective when a media is first time connected to computer. In the Technical Cyber Security Alert TA09-020A we can read :

The Autorun and NoDriveTypeAutorun registry values are both ineffective for fully disabling AutoRun capabilities on Microsoft   Windows systems. Setting the Autorun registry value to 0 will not prevent newly connected devices from automatically running code specified in the Autorun.inf file. It will, however, disable Media Change Notification (MCN) messages, which may prevent Windows from detecting when a CD or DVD is changed. According to Microsoft, setting the NoDriveTypeAutorun registry value to 0xFF “disables Autoplay on all types of drives.” Even with this value set, Windows may execute arbitrary code when the user clicks the icon for the device in Windows Explorer.

The proposed solution is to set the following value to registry :

Path : HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\IniFileMapping\Autorun.inf

Value : @=”@SYS:DoesNotExist”
You can copy past the following code to a blank text file, and save it as .reg file, name it for example “disable-autorun.reg”, you will just have to double click on it to register the value.
REGEDIT4
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\IniFileMapping\Autorun.inf]
@=”@SYS:DoesNotExist”
To have this configuration taken into account, you’ll have to reboot your system. If it is not possible, you’ll have to clean pre-cached mounted devices by deleting the following key:
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2

Hope you found this post useful, and I’d like to invite you to subscribe to my feed to keep in touch with future posts.

Copyright Ntsysv.com ]]> http://www.ntsysv.com/index.php/howto-disable-autorun-windows-systems-effective-way/feed 4