You could create a policy file for rootkit detection to detect Windows workstations with autorun enabled. Then, you could create your own active response to disable autorun.

On Tue, Apr 13, 2010 at 10:24 PM, Dave S <[email protected]> wrote:
> Regarding issue #1: You can't do it that way.
> If autorun is enabled when a person inserts a USB drive, it will have
> already run by the time OSSEC could respond.
> Autorun must be shut off *before* any media is inserted, so this must
> be a policy setting made through ActiveDirectory, or the registry, etc.
