Re: Disabling autorun for mapped network drives

["WALI" <hkhasgiwale () gmail com>]

An easier option is to use free download TweakUI, disable Autorun before 
sysprepping the image and make helpdesk run around with this TweakUI and 
udnertake quick disable of all Autorun.

With tweakUI, the operation would take 5 seconds (literally) and don't 
install tweakUI on the machine itself, just run it directly from flash 
disk/CD in order to make registry changes.

HTH
----- Original Message ----- 
From: "tima" <tima.soni () gmail com>
To: "'Johnny Wong'" <johnnywkm () gmail com>; 
<security-basics () securityfocus com>
Sent: Thursday, July 26, 2007 10:10 PM
Subject: RE: Disabling autorun for mapped network drives


> Hi Johnny,
>
> We tested the group policy setting in our envirotment and it worked fine.
> You should implement this in the local group policy of the images.
>
> Running a scan on the network and deleting all autorun.inf files might not
> be the solution. Because you might have software dumps in the network 
> shares
> and that have legitimate autorun.inf files.
>
>
> Another solution is go to the following key in the registry
> HKEY_CURRENT_USER-> Software -> Microsoft -> Windows ->CurrentVersion ->
> Policies -> Explorer
> Create a REG_DWORD - NoDriveTypeAutoRun , give it the following value -
> 0x10
> Then restart explorer.
>
> Regards,
> Tima
>
> -----Original Message-----
> From: listbounce () securityfocus com [mailto:listbounce () securityfocus com] 
> On
> Behalf Of Johnny Wong
> Sent: Thursday, July 26, 2007 7:33 AM
> To: security-basics () securityfocus com
> Subject: Disabling autorun for mapped network drives
>
> Hello all,
>
> Over the past few months, we have faced situations where user PCs
> were infected with virus when they connect to network mapped drives.
> What happened was that the virus creates "autorun.inf" in the root of
> the shared network drive, so users who double-click the drive in
> Explorer, the autorun.inf executes the linked virus-infected
> executable. Evem though the user PCs have anti-virus installed, the
> incidents we faced so far, the virus was not detectable. It was
> realised later that the virus was a new strain.
>
> We have tried to disable the mapped-drives autorun feature (based on
> registry key settings); however, it was not foolproof because the
> autorun.inf was still able to execute in some cases. We found later
> from Microsoft's KB (http://support.microsoft.com/kb/933008) that
> this registry setting may not work. So we did not roll out this
> registry settings to the users.
>
> Anyone of you facing the same situation as me? I can only think of
> the following solutions:
>
> - keep AV signatures updated - this is not foolproof because most of
> the time, the virus writers are leading the game. So we can only try
> to send the first specimen we find ASAP to the AV vendors so that
> they could develop signatures for them. Guessed by that time, a
> number of users would have been infected.
>
> - run a task on the file server that regularly checks for presence of
> autorun.inf in the root of the shared folders, and if found, rename
> or delete them. Implementation of this task will impact the
> performance of the server when it hosts a lot of shared folders.
>
> Please share your workarounds if you have any.
>
> Thank you,
>
> JW