KB 971029 - A good step towards malware propagation prevention. 

Sep 17, 2009 08:46 AM

The AutoPlay/AutoRun feature of the MS Windows OS has long been one of the most preferred vectors for malware propagation. We've witnessed some devastating examples of malware that used this feature effectively to replicate, turning a single machine infection into a malware outbreak within the first few hours. Conficker, a.k.a. W32.Downadup, is the most recent example of such malware. But this is not at all a new method of infection; it has been around for decades. Some more popular examples are Trojan.Brisv.A!inf, W32.Gammima and many more in the long list.

Many other AV vendors detect autorun.inf, but Symantec does not. Many people take this the wrong way, but there is a valid reason why Symantec does not detect autorun.inf.
 
 
The answer is pretty simple and logical: it's a feature of the MS Windows OS that is abused by malicious code, and the AV "should not" just go ahead and remove a feature of the OS, as this feature is also used by 'many' other software vendors. Secondly, autorun.inf is just an information file and usually contains the instructions (when maliciously used) to execute the "original" malicious code/file. Autorun.inf alone can't do anything, even with the instructions in it, if the main file is detected and cleaned. Period. But there are many other arguments; one of them is that one can't open the drive [until the shell (explorer.exe) is refreshed or the system is rebooted] if the main file [malicious executable] is deleted and autorun.inf is still present on the drive. The simple resolution is to disable the feature.
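The point above, as an added example that is not part of the original post: this Python triage parses an autorun.inf, lists the directives that launch a program, and reports whether each target is still on the drive, which identifies the leftover-autorun.inf case. The function names, the sample file and its paths are constructed for illustration.

```python
import ntpath
import re

# [autorun] keys whose value is a command line that Windows may execute.
EXEC_KEY = re.compile(r"^(open|shellexecute|shell\\[^\\=]+\\command)$", re.I)

def exec_directives(text):
    """Return [(key, command)] for execution directives in an autorun.inf body."""
    found, section = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue  # blank line or comment
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip().lower()
            continue
        if section != "autorun" or "=" not in line:
            continue  # other sections and junk padding lines are ignored
        key, _, value = line.partition("=")
        if EXEC_KEY.match(key.strip()):
            found.append((key.strip().lower(), value.strip()))
    return found

def target_of(command):
    """Program part of a command line: first token, honouring double quotes."""
    command = command.strip()
    if command.startswith('"'):
        return command[1:].split('"', 1)[0]
    return command.split(None, 1)[0] if command else ""

def triage(text, files_on_drive):
    """Return [(key, target, state)]; state says if the target file remains."""
    norm = lambda p: ntpath.normpath(p).lower().lstrip("\\")
    present = {norm(f) for f in files_on_drive}
    report = []
    for key, command in exec_directives(text):
        target = norm(target_of(command))
        state = "target present" if target in present else "target missing"
        report.append((key, target, state))
    return report

# Constructed sample, not taken from any real infection.
SAMPLE = """;padding line
[AutoRun]
open=data\\setup.exe /s
shell\\open\\command="data\\setup.exe"
icon=shell32.dll,4
"""

if __name__ == "__main__":
    print(triage(SAMPLE, ["readme.txt"]))
```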
 
 
However, AutoPlay still remained a feature of Windows, and there was no official fix/patch available from the OS vendor. But now there's good news from Microsoft.
 
 
After successful installation of the update, the AutoRun feature is no longer available for removable media, with the exception of CD/DVD.
 
Here is the announcement from MS:
 
"After you install this update, users will no longer see this dialog box. Users must browse to the setup executable that is found on the USB flash drive to start the "Copy Network Settings" process. This update disables Auto Run entries in AutoPlay, and displays only entries that are populated from CD and DVD drives. Effectively, this prevents AutoPlay from working with USB media."
 
Anyway, it's a good step by MS to prevent abuse of the AutoPlay feature, which would surely help prevent malware to 'some extent', as flash drives, external hard drives and CF cards are currently in more use than 'writeable' CD/DVDs.

Comments

Jun 21, 2010 09:19 PM


Hi, I recently installed this patch (KB971029) on a Windows XP Pro system at the recommendation of my AV software provider. It seems to be working, but how do I access the files on my USB drive?

I'm asking because the USB drive no longer shows up when plugged into my system. Does this patch make it so that you can NO LONGER use a USB Drive on the system at all? Or, is there still a way to access the files on the USB Drive, even though the undesirable Autorun.inf behavior has been disabled?

Thank you in advance for any assistance you can provide!

Nov 23, 2009 09:05 AM

Finally a really decent change in autorun behavior

Sep 21, 2009 04:33 AM

Thank you for the information. 

Sep 21, 2009 12:29 AM

This is a good move from Microsoft, which releases their OS with too many bugs.

Sep 17, 2009 02:54 PM

Very nice

Sep 17, 2009 11:31 AM

Looks like this time Microsoft is serious about security.

Sep 17, 2009 09:13 AM

nice one
