Why Disabling Autorun Only Helps The Viruses, and What You Should Actually Do to Protect Yourself.

The Internet is full of well-intentioned advice to disable AutoRun (or AutoPlay), so that you will be protected from getting infected by a worm on a USB stick. I took this advice seriously, and still ended up getting infected. This happened because I hadn't understood some basic concepts, nor had I disabled the real culprit.

The full text of this article can be found at: http://autorun.synthasite.com

Please use the COMMENTS link below to post any comments.

7 comments:

Dekkerfan said...

I have a Sandisk Cruzer Micro 2 GB U3 drive. It will not allow me to create, delete, modify any file on the "system" partition of the drive. I get "access denied" when I try to. I can do whatever I want with the "data" partition of the drive.

Dan said...

Changing the system partition is not simple. You'll find people who have done it if you google for "U3 LaunchPad replacement". I doubt that there are currently any viruses that are able to write to the system partition without you knowing it.

Dancer X said...

I found your "Autorun Reference Guide" very helpful, as I'm pretty new to thinking about this stuff and have been having difficulty getting to the bottom of it. However, after researching this over a couple of days now, I've come to believe that one part of your article is in need of overhaul.

You talk about what you call "EDDC" as though it were something distinct from AutoRun and AutoPlay. And you say that using the accepted registry keys to disable the latter two features does nothing to "EDDC", and so leaves users vulnerable to infection when they, for example, double-click on the icon of a USB key infected with an "autorun" worm. The implication is that this is just the way Windows is designed.

However, according to Microsoft's documentation, what you're calling "EDDC" (double-click and contextual menu behavior) is considered a feature of AutoRun. What's more, the registry keys used for disabling AutoRun/AutoPlay were *supposed* to also disable "EDDC", but do not work correctly.

So Microsoft has issued an update which will make them work as designed. (See KB953252.) I've done some quick testing and this patch seems to do the job. If so, then is there still a need for Nick Brown's (brilliant) hack?
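As an added, read-only audit to go with the comment above (not code from the article or its autorunguard.cmd), this PowerShell script reports whether the three Explorer settings the thread discusses are present on the local machine. The registry paths and value names are from my own knowledge of Windows, not from this page, and I am assuming that "Nick Brown's hack" refers to the well-known IniFileMapping trick for Autorun.inf.

```powershell
# Added audit script, not from the article or its autorunguard.cmd: reports whether the
# three Explorer settings discussed in this thread are in place on the local machine.
# Registry paths and value names come from my knowledge of Windows, not from the page.

$ExplorerPolicy = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer'
$AutorunInfMap  = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\IniFileMapping\Autorun.inf'

function Get-RegValueOrNull([string]$Path, [string]$Name) {
    # Returns $null instead of throwing when the key or the value is absent.
    try { (Get-ItemProperty -Path $Path -Name $Name -ErrorAction Stop).$Name } catch { $null }
}

function Test-AutorunHardening {
    # 1. NoDriveTypeAutoRun is a bitmask of drive types with AutoRun disabled; 0xFF covers all.
    $ndta = Get-RegValueOrNull $ExplorerPolicy 'NoDriveTypeAutoRun'
    $allDrives = ($null -ne $ndta) -and (($ndta -band 0xFF) -eq 0xFF)
    $ndtaText = if ($null -eq $ndta) { 'absent' } else { '0x{0:X}' -f $ndta }

    # 2. HonorAutorunSetting = 1: on the XP-era systems the KB953252/KB967715 updates
    #    target, this makes NoDriveTypeAutoRun also govern the double-click and
    #    context-menu path (the article's "EDDC"). Assumption: value name as documented there.
    $honor = Get-RegValueOrNull $ExplorerPolicy 'HonorAutorunSetting'
    $honorSet = ($honor -eq 1)

    # 3. Nick Brown's hack: map Autorun.inf to a non-existent INI section so that Explorer
    #    never reads any autorun.inf at all, regardless of the policy values above.
    $map = Get-RegValueOrNull $AutorunInfMap '(default)'
    $mapped = ($map -eq '@SYS:DoesNotExist')

    [pscustomobject]@{
        NoDriveTypeAutoRun   = $ndtaText
        AllDriveTypesBlocked = $allDrives
        HonorAutorunSetting  = $honorSet
        AutorunInfMapped     = $mapped
        # The mapping alone suffices; otherwise both policy values are needed together.
        Hardened             = $mapped -or ($allDrives -and $honorSet)
    }
}

Test-AutorunHardening | Format-List
```

Run it from any account: it only reads HKLM and changes nothing, so it is safe to use as a quick check before and after applying the KB update or the IniFileMapping change.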

Dan said...

Thanks, Rick. I haven't had time to absorb KB953252 let alone test it yet, due to other commitments.

For reasons I cannot yet publish online, there are certain tests I'd want to do before I was satisfied that the KB953252 solution is adequate. I know that Nick's solution solves those other issues. Unfortunately, I won't be able to get to those tests very soon.

If you'd like to reach me off-blog, you can email me at the address shown in my profile.

Dan

Unknown said...

AVG8 has a different path to the one in autorunguard.cmd

c:\program files\AVG\AVG8\avgscanx

There are also fewer command line options according to the help file. I had problems getting it to work. A misplaced ", I think. I will add more if I need to correct anything.

Peter

Unknown said...

Here is what you need for AVG8 Free:
"%ProgramFiles%\AVG\AVG8\avgscanx" /ARC /EXT=* /SCAN="%d%\"

adding /PROC will also scan live processes
/CLEAN to automatically clean
/TRASH to move to virus vault

Kai said...

Command line for Free Rising Antivirus in autorunguard.cmd

"%ProgramFiles%\Rising\Rav\RavLite.exe" %d%