No Autorun can help protect Microsoft Windows from malware

If you are concerned about the security risks of MS Windows AutoRun, a malware protection tool called No Autorun might be just what you need.

When using MS Windows, even the US military is vulnerable to removable media malware, as explained in the article, "US military compromised by removable media malware". All else being equal, the best way to protect yourself against automatically executing malware infections is to use an OS whose system design philosophy reflects a real concern for security, rather than a security-unconscious OS.

Unfortunately, there are occasional practical realities that require the use of an OS we might otherwise avoid, such as the need to use a particular application, software testing, and employer policy. More often, there are also cases where we think we face such a practical reality even if we do not, or where short-term convenience pushes us toward that choice. Other reasons might prompt people to choose an OS that is poorly secured by design as well, such as attachment to the familiar, susceptibility to marketing, or simple ignorance of alternatives.

Regardless of the reasons, when you find yourself using an operating system that is particularly susceptible to vulnerabilities that might not even have meaning on other systems, the impact of those vulnerabilities needs to be mitigated to the extent it is reasonable to do so. The vulnerability behind "US military compromised by removable media malware," hopefully made clear in that article, is the MS Windows AutoRun feature. Simply put, MS Windows executes anything it is told to execute by an autorun.inf file on the removable media.

Several mitigations for the problem were described, including disabling the AutoRun feature, but it is unfortunately the case that this is not always enough. MS Windows updates have been known to reset configuration changes made for security reasons, returning them to default (unsecured) values, for instance. This means that security-related configurations like disabling AutoRun not only need to be set by system administrators, but monitored closely for signs of unexpected reversion.
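The reversion monitoring described above can be scripted and run on a schedule. The PowerShell below is an added example, not part of the original article or the No Autorun project; it assumes AutoRun is disabled through the `NoDriveTypeAutoRun` policy value and that the site baseline is `0xFF` (every drive type), since the article does not name a specific setting.

```powershell
# Added example: report drive types for which AutoRun is still enabled.
# NoDriveTypeAutoRun is a bitmask; a set bit disables AutoRun for that drive type.
$DriveTypeBits = [ordered]@{
    'Unknown'     = 0x01
    'No root dir' = 0x02
    'Removable'   = 0x04
    'Fixed'       = 0x08
    'Network'     = 0x10
    'CD-ROM'      = 0x20
    'RAM disk'    = 0x40
    'Reserved'    = 0x80
}
$Required = 0xFF   # assumption: the site baseline disables AutoRun everywhere
$SubKey   = 'SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer'

function Get-AutoRunFinding {
    param([string]$Hive, [bool]$MustExist)
    $path = "${Hive}:\$SubKey"
    $raw  = (Get-ItemProperty -Path $path -Name NoDriveTypeAutoRun `
                -ErrorAction SilentlyContinue).NoDriveTypeAutoRun
    if ($null -eq $raw) {
        # A missing value means the Windows default applies, not the baseline.
        $note = if ($MustExist) { 'Windows default applies' } else { '' }
        return [pscustomobject]@{ Key = $path; Value = 'not set'
                                  Compliant = (-not $MustExist); StillEnabled = $note }
    }
    # The value may be stored as REG_BINARY; the low byte carries the mask.
    $value = if ($raw -is [byte[]]) { [int]$raw[0] } else { [int]$raw }
    $enabled = @($DriveTypeBits.GetEnumerator() |
        Where-Object { ($Required -band $_.Value) -and -not ($value -band $_.Value) } |
        ForEach-Object { $_.Key })
    [pscustomobject]@{
        Key          = $path
        Value        = ('0x{0:X2}' -f $value)
        Compliant    = ($enabled.Count -eq 0)
        StillEnabled = ($enabled -join ', ')
    }
}

$findings = @(
    Get-AutoRunFinding -Hive 'HKLM' -MustExist $true    # machine-wide policy must be present
    Get-AutoRunFinding -Hive 'HKCU' -MustExist $false   # per-user value is checked only if set
)
$findings | Format-Table -AutoSize
# Non-zero exit lets a scheduled task or monitoring agent raise an alert.
if ($findings | Where-Object { -not $_.Compliant }) { exit 1 }
```

Running it after each patch cycle turns a silent reset into an alert rather than a discovery made during an incident.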

This creates a situation where, even when there is a possible work-around for security issues, some automated technical band-aid is needed to minimize vulnerability on MS Windows systems. This problem is a common one, as in the case of MS Windows viruses, which could be dealt with more permanently by patching the vulnerabilities they exploit. Instead, their damage is merely mitigated by a dirty hack: heuristic and signature-based detection. It is at best a kludge, rather than a real solution, to "fix" the problem -- but unless and until Microsoft changes its policies regarding vulnerability patching, it is a necessary kludge.

A similar kludge may be necessary if you want to minimize the danger of MS Windows AutoRun. Luckily, an open source project that targets exactly this malware mitigation problem is available under the appropriate name No Autorun.

No Autorun can be configured to disable AutoRun as a whole, or to make exceptions for CD devices. It can also be configured to open a Windows Explorer browsing window to show the contents of USB storage devices without automatically executing anything stored on such devices, making their use more convenient in a controlled manner, in the absence of AutoRun.

When my consulting work involved regularly helping small businesses configure, maintain, and (in case of disaster) recover their computers and networks, No Autorun did not exist. It would have been appreciated, however. Since I do not do much of that kind of work now, the opportunities to test malware protection software like No Autorun are few and far between. If you have the opportunity to test it more thoroughly than I have, please share your experiences in discussion.

About

Chad Perrin is an IT consultant, developer, and freelance professional writer. He holds both Microsoft and CompTIA certifications and is a graduate of two IT industry trade schools.

9 comments
SHCA

I'd love to live in a world like Mr. Perrin's where there is such a thing as a perfect operating system, and where Microsoft could deliver the value of Windows while anticipating every vulnerability and not bothering to react to malware or intrusion events. But thanks for the 'No Autorun' idea. For all of my clients, I'll enforce it with Group Policy, a practical, real-world precaution.

apotheon

You fail at the Reasonable Discussion game. Where did anything in the article suggest there's such a thing as a "perfect operating system"? Answer: Nowhere. Where did anything in the article suggest that Microsoft (or anything/anyone else) could deliver "the value of Windows" while "anticipating every vulnerability", et cetera? Answer: Nowhere. Seanferd is right. Your complaints are nothing but gigantic, flaming straw man fallacies. I'm glad you got some value out of the article's recommendation, though.

seanferd

Autorun was a blatant vulnerability from inception. Windows architecture is poor at a low level, and MS should have known better. (MS sold Xenix, among other things.) I think you could have substantially the same user experience Windows wants to provide, but with solid privilege separation and a more solid architecture overall. I'm sure MS is quite capable of doing this.

Gis Bun

Errrr. This is an old story. I guess a slow news day.

seanferd

Why is this expected to be news at all? Chad isn't a reporter. NoAutorun appears to be fairly recent itself, if that helps. Autorun is still a problem, so I imagine some people would appreciate being reminded, or clued in. The application that ensures autorun will not occur may be appreciated as well. I do suppose it could be boring for those of us who already "get" these sorts of things.

Michael Horowitz

You don't say exactly how No Autorun works. Also, making an exception for a CD is dangerous as some devices fake out Windows and pretend to be CDs when they are not. Here is a very simple, safe, easy to understand registry zap that TOTALLY disables autorun.inf files. http://blogs.computerworld.com/the_best_way_to_disable_autorun_to_be_protected_from_infected_usb_flash_drives And, if you want to compare and contrast the two approaches, here's a sample autorun.inf file that mimics the tricks used by malware, but in a safe way. http://blogs.computerworld.com/test_your_defenses_against_malicious_usb_flash_drives

seanferd

Download the file, and see the readme and changelog for information. In short, it locks autorun.inf and other suspicious related files on removable media.

Justin James

Use Group Policy if you have more than a couple of machines, incidentally. J.Ja

OhTheHumanity

You have Group Policy in place. This will help mitigate any change to the local system through a patch. If you got it, use it.
