Endpoint Protection

Here's the story- I am the SEP admin, and have been told that SEP is blocking a USB stick from autorunning a VBS file which is supposed to run on the PC. It's a process we are stuck with, and the user can't run the VBS themselves (don't ask!).

So, SEP blocks the autorun/ VBS combo: "Security Risk Foun!VBS.Runauto in File: C:\WINDOWS\.vbe by: Auto-Protect scan. Action: Quarantine succeeded : Access denied. Action Description: The file was quarantined successfully."

We need to *allow* file to run. I have added the vbs filename to the Centralized Exceptions list to be excluded, but this doesn't seem to have worked. I have also looked in the Known RIsks list, but it's not in there to exclude :(

Any ideas would be gratefully received! Thanks in advance.

If it's just one user, I would add them to a separate client group and add a custom Centralized Exceptions policy to that group.  Add the specific file path of the autorun to the custom centralized exceptions policy.  e:\auturin.inf.  The reason I say to move this client to a new group is so that you do not enable a free pass for e:\autorun.inf for everyone, as that would be a big security hole.

Hi and thanks.

It's not just one user, but there isn't many of them, so I'll try that- but unfortunately with USB sticks, it won't always be the same drive letter. Will specifying autorun.inf with no path be adequate?

I think so, but I may be wrong.

Worst case, it would usually be d:\, e:\, f:\, g:\ or h:\ I would imagine.  Maybe not.  But you could add those 5 paths within a couple seconds.

Turn OFF Antivirus ( File System AutoProtect ) before plugging in the USB with this file..but if USB would be already infected then it would catch the other threats.