Autorun/Autoplay

Discussion in 'other software & services' started by HURST, Jul 18, 2008.

Thread Status:
Not open for further replies.
  1. HURST

    HURST Registered Member

    Joined:
    Jul 20, 2007
    Posts:
    1,419
    Hi
    today I performed a scan with AVZ, and it said that I have Autorun enabled for removable drives. But I have disabled it with TweakUI.
    Now I see that TweakUI disables "Autoplay".
    What is the difference? Is this a security risk?

    Dibujo.JPG
     
  2. ThunderZ

    ThunderZ Registered Member

    Joined:
    May 1, 2006
    Posts:
    2,459
    Location:
    North central Ohio, U.S.A.
    Auto play can be a security risk if an infected CD, flash drive, etc. are inserted. I too have it disabled but did it using Group Policy Editor. My only guess concerning your situation is that AVZ does not read the change as it is made by TweakUI. What the differences may be in how the change is made by GPE vs TweakUI....... I have no idea.
     
  3. yeow

    yeow Registered Member

    Joined:
    Dec 11, 2006
    Posts:
    225
    I too have disabled "AutoPlay" via TweakUI exactly like what HURST did. While my game cd (example) doesn't autorun when I insert the cd, but if I double-click on the drive (instead of right-click>open), then I see it autoruns the game setup screen o_O

    Is that supposed to happen if "Autorun/AutoPlay" is indeed disabled?
     
  4. MrBrian

    MrBrian Registered Member

    Joined:
    Feb 24, 2008
    Posts:
    6,032
    Location:
    USA
  5. HURST

    HURST Registered Member

    Joined:
    Jul 20, 2007
    Posts:
    1,419
  6. MrBrian

    MrBrian Registered Member

    Joined:
    Feb 24, 2008
    Posts:
    6,032
    Location:
    USA
  7. Rmus

    Rmus Exploit Analyst

    Joined:
    Mar 16, 2005
    Posts:
    4,020
    Location:
    California
    My testing has shown that only Windows XP - Solution 2 prevents Windows from "reading" the AutoRun.inf file and writing to the Registry to modifiy the context menu of the drive.

    The others, while preventing the AutoRun.inf file from automatically executing its commands, leaves open the possibility that they can be executed by d-clicking on the drive icon in My Computer.

    See my writup here:

    http://www.urs2.net/rsj/computing/tests/digiframe/InfFile.html

    I'm open to changing my conclusion if someone tests and proves otherwise.

    --
     
  8. Someone

    Someone Registered Member

    Joined:
    Jan 18, 2008
    Posts:
    1,106
    Hi

    If you set it to "Prompt me each time to choose an action", in D drive and other drives Properties, AutoPlay, is that enough?

    Thanks
     
    Last edited: Jul 20, 2008
  9. Rmus

    Rmus Exploit Analyst

    Joined:
    Mar 16, 2005
    Posts:
    4,020
    Location:
    California
    I'm not sure where you are getting these prompts, so I don't know.

    AutoPlay/AutoRun terminology can be confusing and misleading, depending on the particular Operating System, so I avoid getting into discussions about which is which.

    For example, the TweakUI for WinXP setting for AutoPlay on drives controls the NoDriveAutoRun value in the Registry. (TweakUI prior to WinXP did not have this setting.)

    From a practical point of view, people I'm in contact with, like the AutoPlay/AutoRun features. The concern has always been when you view someone else's USB drive on your computer. Even if from someone you trust, that person may not know the drive is infected, if that drive had been viewed on a computer infected with a USB virus.

    Technically savvy people can toggle settings via TweakUI or Registry files.

    For others, an easy solution I've recommended in the past is to hold down the Shift key which prevents the AutoRun.inf file commands from executing.

    Then, open to the drive in Windows Explorer (two pane view of My Computer) where the contents of the drive are displayed in the right pane. No commands in the AutoRun.inf file will run because you have not double-clicked the icon.

    An easy way to open to the drive in Windows Explorer is to make a shortcut for that drive letter.
    Then, put this command in the Target line in the Shortcut Tab in Properties Box.
    The /e switch causes the drive to "expand" into Explorer view:

    drive-icon.gif
    _______________________________________________

    drive-files.gif
    _______________________________________________

    I make similar shortcuts on every computer I help set up. I don't have to get into a technical discussion with people (AutoRun vs AutoPlay), other than to point out that for safety when viewing another's USB drive, you can prevent anything from automatically running/playing by using the above steps.

    --
     
  10. yeow

    yeow Registered Member

    Joined:
    Dec 11, 2006
    Posts:
    225
    Hi Rmus, can u help clarify my post #3. Double-clicking on drive still runs autorun.inf in my case. So that is not supposed to happen?

    THANKS
     
  11. Mrkvonic

    Mrkvonic Linux Systems Expert

    Joined:
    May 9, 2005
    Posts:
    10,286
    Hello,
    How about adding Autorun.inf to Disallowed under Restriction Policies via gpedit.msc? Tried and it works ...
    Mrk
     
  12. yeow

    yeow Registered Member

    Joined:
    Dec 11, 2006
    Posts:
    225
    Hi Mrkvonic,

    Is that for XP Pro, which ThunderZ also hinted at post#2? Then I'm out of luck, using XP Home.
     
  13. Mrkvonic

    Mrkvonic Linux Systems Expert

    Joined:
    May 9, 2005
    Posts:
    10,286
    There's a hack to enable Group Policies for XP Home if you wanna bother.
    Mrk
     
  14. yeow

    yeow Registered Member

    Joined:
    Dec 11, 2006
    Posts:
    225
    Heheh, ehh maybe I'll try it out in Powershadow mode if u have a link. I'm not sure I can handle it if it's too complicated, so I'll try it virtual first.

    THANKS
     
  15. Rmus

    Rmus Exploit Analyst

    Joined:
    Mar 16, 2005
    Posts:
    4,020
    Location:
    California
    No.

    1) Did you ever let that game CD run without disabling in TweakUI?

    2) Try another CD - maybe an installation CD and see if the same thing happens.


    --
     
    Last edited: Jul 20, 2008
  16. Rmus

    Rmus Exploit Analyst

    Joined:
    Mar 16, 2005
    Posts:
    4,020
    Location:
    California
    What Registry key does that Policy change?

    If you aren't sure, see if that policy toggles the AutoRun value betweeen 0 and 1 in this key:
    Code:
    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Cdrom]
    
    Did you try d-clicking on the drive icon in My Computer to see if in fact the autorun.inf commands won't execute?

    --
     
    Last edited: Jul 20, 2008
  17. Mrkvonic

    Mrkvonic Linux Systems Expert

    Joined:
    May 9, 2005
    Posts:
    10,286
    Hello,
    Too tired now after basketball, tell you tomorrow.
    At home, the values are already at 0... so it won't matter.
    Mrk
     
  18. Rmus

    Rmus Exploit Analyst

    Joined:
    Mar 16, 2005
    Posts:
    4,020
    Location:
    California
    Maybe, maybe not.

    Test by d-clicking the drive icon in My Computer to see if the autorun command will open a setup.exe file on a CD or USB drive.

    --
     
  19. Mrkvonic

    Mrkvonic Linux Systems Expert

    Joined:
    May 9, 2005
    Posts:
    10,286
    Hi,
    It does not, that's what I meant. It does not open.
    So I'll check at work in a couple of hours.
    Mrk
     
  20. Rmus

    Rmus Exploit Analyst

    Joined:
    Mar 16, 2005
    Posts:
    4,020
    Location:
    California
    Can you specify what your configurations are to disable Autorun?

    Are you using the Security Policy setting? Did you determine which Registry Key it changes?

    --
     
  21. Mrkvonic

    Mrkvonic Linux Systems Expert

    Joined:
    May 9, 2005
    Posts:
    10,286
    Hello,

    I manually disabled them before installing some VMware product approx. 3 years ago. I do not remember, although I have it documented somewhere. I'll make a check.

    At home, I do use policies for some things - but not this one.

    At home, the reg value is 0.

    At work, it is 1 (after the policy is set), but there's another key:

    AutoRunAlwaysDisable

    --> this one contains the hardware list of all devices that belong to this category, mainly the different brands of CD/DVD drives...

    So, it's definitely ... interesting.

    However, fully comparing between policies in effect and the registry change can be tricky unless a program that monitors registry changes is use, specifically for the tracking purpose.

    I don't think I need to know every reg key and what it does... it's not effective.

    At home, the manual change works well enough.

    At work, the policy set by the gpedit works well enough; however, even if it's disabled, restricting autorun.inf works well enough.

    So, there are several options here.

    Mrk
     
  22. Rmus

    Rmus Exploit Analyst

    Joined:
    Mar 16, 2005
    Posts:
    4,020
    Location:
    California
    I was just curious, because in another forum, the user disabled autorun in group polices. The autorun.inf file did not execute its commands when the disk was inserted, but did when the user d-clicked in My Computer.

    The poster here had the same experience when using TweakUI, which is not supposed to happen.

    There are a number of Registry entries which can control AutoRun, and much depends on the OS and other configurations.

    --
     
  23. Mrkvonic

    Mrkvonic Linux Systems Expert

    Joined:
    May 9, 2005
    Posts:
    10,286
  24. Rmus

    Rmus Exploit Analyst

    Joined:
    Mar 16, 2005
    Posts:
    4,020
    Location:
    California
    I didn't realize you were running Win2000. I also, and AutoPlay doesn't work the same as in XP.

    Yes, the Registry Key holds a lot of power! It is the one that TweakUI controls.

    --
     
  25. Mrkvonic

    Mrkvonic Linux Systems Expert

    Joined:
    May 9, 2005
    Posts:
    10,286
    Hi,
    I'm using XP ... :) :) maybe I'm gifted - or cursed. The MS article is for 2000, but it works the same for XP. Anyhow, this key is the one controlled by the relevant policy, as well, so it works either way you choose.
    Cheers,
    Mrk
     
Thread Status:
Not open for further replies.
  1. This site uses cookies to help personalise content, tailor your experience and to keep you logged in if you register.
    By continuing to use this site, you are consenting to our use of cookies.