Wow, disabling files to run from the root of all drives would never, ever fly in a corporate environment. Although I do like the idea of stopping autorun malware, it would work... but oh the calls to the helpdesk! ;-)
Simply disabling autorun is a much better solution.

Exibar

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Bipin Gautam
Sent: Friday, November 21, 2008 11:58 AM
To: n3td3v
Cc: [email protected]; [EMAIL PROTECTED]
Subject: [inbox] Re: [Full-disclosure] Fwd: Comment on: USB devices spreading viruses

USB / FLOPPY are attractive means for virus/worm to propagate. Here is a workaround to stop a successful infection from happening (well, ~99% of the time at least).

1. If you don't use wscript.exe, disable/rename it.

2. Start menu > Control Panel > Administrative Tools > Local Security Policy > Software Restriction Policy > Additional Rules

Say if c:\ d:\ and e:\ are your fixed drives, then right click Additional Rules > create path rule, and create path rule [DISALLOWED AS]

c:\*.*
d:\*.*
e:\*.*

// why let anything execute from root of fixed drives.

For all other drives (removable/non-existing) from a - z, do as

a:\
b:\
f:\
g:\
........and so on.

Why let anything execute from a removable drive unless you are 100% sure the pendrive is clean and from a trusted source only.

Always have file extension and hidden/protected system file set to "show by default" from Folder Options.

Well, this is it. From personal experience I assure the above should be the BEST solution for this problem and an extra layer of defense if AV fails to detect it.

thanks,
-bipin

On 11/21/08, n3td3v <[EMAIL PROTECTED]> wrote:
> ---------- Forwarded message ----------
> From: n3td3v <[EMAIL PROTECTED]>
> Date: Fri, Nov 21, 2008 at 1:11 AM
> Subject: Comment on: USB devices spreading viruses
> To: n3td3v <[EMAIL PROTECTED]>
>
>
> by n3td3v November 20, 2008 5:08 PM PST
>
> "Meanwhile, the U.S. Department of Defense has temporarily banned the
> use of thumb drives, CDs, and other removable storage devices because
> of the spread of the Agent.bzt virus..."
>
> There is no security through obscurity.
>
> http://news.cnet.com/8618-1009_3-10104496.html?communityId=2114&targetCommunityId=2114&blogId=83&messageId=5043948&tag=mncol;tback
>
> _______________________________________________
> Full-Disclosure - We believe in it.
> Charter: http://lists.grok.org.uk/full-disclosure-charter.html
> Hosted and sponsored by Secunia - http://secunia.com/
>

--
x-no-archive: yes
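
Added example, not part of the original thread: a Python check related to both suggestions above, listing what a drive root's autorun.inf would launch and which executable or script files sit in that root. The functions `launch_entries` and `audit_root`, the extension list, and the sample file names and contents are constructed for illustration.

```python
import re

# Extensions treated as directly runnable (a constructed, non-exhaustive list).
EXEC_EXT = (".exe", ".com", ".scr", ".pif", ".bat", ".cmd", ".vbs", ".js")
# autorun.inf keys that make Windows launch a program.
_LAUNCH_KEY = re.compile(r"^(open|shellexecute|shell\\[^\\]+\\command)$", re.I)

def launch_entries(text):
    """Return [(key, command)] for each launch directive in autorun.inf text.

    Lines that are not key=value inside an [autorun*] section are skipped,
    so junk padding around a directive does not hide it or raise an error.
    """
    found, in_autorun = [], False
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            in_autorun = line[1:-1].strip().lower().startswith("autorun")
            continue
        if not in_autorun or line.startswith(";") or "=" not in line:
            continue
        key, _, value = line.partition("=")
        key, value = key.strip(), value.strip()
        if _LAUNCH_KEY.match(key) and value:
            found.append((key.lower(), value))
    return found

def audit_root(root_files):
    """root_files maps each file name in a drive root to its text (or None)."""
    report = {"launch": [], "root_executables": []}
    for name, text in root_files.items():
        if name.lower() == "autorun.inf" and text is not None:
            report["launch"] = launch_entries(text)
        elif name.lower().endswith(EXEC_EXT):
            report["root_executables"].append(name)
    return report

# Constructed sample: the root of a removable drive, not data from the thread.
SAMPLE_INF = (";zxqv padding\n[AutoRun]\nasdkjh3 random junk\n"
              "open=setup_photos.exe\nicon=folder.ico\n"
              "shell\\open\\Command=wscript.exe notes.vbs\nlabel=Backup\n")
SAMPLE_ROOT = {"autorun.inf": SAMPLE_INF, "setup_photos.exe": None,
               "notes.vbs": None, "readme.txt": None}

if __name__ == "__main__":
    for section, items in audit_root(SAMPLE_ROOT).items():
        print(section, items)
```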
