Regarding issue #1: You can't do it that way. If autorun is enabled when a person inserts a USB drive, it will have already run by the time OSSEC could respond. Autorun must be shut off *before* any media is inserted, so this must be a policy setting made through ActiveDirectory, or the registry, etc.
-- To unsubscribe, reply using "remove me" as the subject.
