Endpoint Protection

Autorun is very interesting thing. As all knows, it allow to start for example a setup\browse program from CD, so you needn't to search what to do with that disk and what file needed to be started.
That's why i have a question: is it correct to disable autorun? May it be better for SEP to just check this file before loading (as i suppose any antivirus must do)? Why i must manualy disable one of the helping tools? Why SEP can't protect me from this threat?

Autorun should be disabled into corporate environment. Absolutely no doubt about it.

Virus writer keeps lookingout for something which is very easy to exploit. Autorun features is very handly. Most of the users also makes silly mistakes.

Tejas

The problem is with new mutations of viruses or something designed just for small infection or whatever you can think of (those 2 are quickies from me).
You don't have to disable autorun if you don't want to, any AV should scan any file that is open and should protect you (I'm using should because no AV is 100% perfect). So you may be safe with autorun on but if it's off then you have another layer of security added, however very simple it comes useful from time to time.

I think Autorun should be disabled in a company/office network as they don't need this feature. In a home pc it can be enabled . but disableing the autorun feature gives more security to you.

You can look no further that what W32.Sality, W32.SillyFDC and the latest mutation of the Downadup can do to your system.

People use their USB storage devices at home where the administrator have no control and who knows what he or she is putting into the device and bringing to the office's network. You can also have autorun scanned automatically but the threat will still spread.

I've had experience in a user plugging an infected laptop into the network infecting several hundred PCs although the target PCs dealt with the threat without user intervention required so there was no outbreak. I still don't want to leave it all to the software.

The Windows autorun feature enables CDs to play automatically when inserted in the drive. Removable and thumb drives use the same autorun feature to load files when the drives are plugged into the USB port. Malware relies on this autorun feature to spread from thumb drive to PC.

Windessy, there are so many viruses coming out everyday..  Antivirus softwares checks programs running thru real-time scanning or autoprotect but what if the virus is a new one? Disabling autorun is the safest way.

Another side is if you dont want to disable autorun, you might want to disable programs that will be executed on the usb.

In my experience, an autorun.inf linking/pointing to a an unknown program, example autorun pointing to Good.exe(cloacked malware.) will not be deleted, but the infection will be cleaned/deleted/quarantined.

The logic is simple, do you want to be more prone to get infacted and then get cleaned after infection, or do you want little bit more proactive for not to get infacted.

Prevention is always better than cure.

Tejas

if u disable the autorun feature then u will not be able to run autoruncds automatically
if you doubt about a pendrive which may contain virus then try exploring it
remember always show the hidden files and the operating system files
you will be able to see the autorun.inf and any virus content present in it eg.sdaerf.exe

May be tomorrow we wouldI be recomended to disable runing any program by clicking on it - only by comand line?

I  agreed with pbogu, that real problem must be only with new mutations of viruses.
But antivirus must analyse and detect such things too, because without detecting suspicious activity, any signature-based detection is a road to nowhere. I don't ask to cure unknown virus, but to block it is possible.

Many companies was affected by w32.downloadup  infection, so just imagine, what would happen, if one day your company would be infected not by stupid stealer (i call it stupid, because it affects perfomance of computer, and so can be easily detected), but with smart silent killer.
Remember win.chih.95 (Chernobyl) plague?

for example, is it impossible to check starting services and libraries they trying to access? Even if they started through RPC.
AV must be as a guard with a rifle: if house is closed and thief sneaks through window - shoot at him. If house is open and burglars enters every minute in open doors - shoot them all too.

@windessy: I like your analogy. :D But what if there are too many burglars entering the front door or one of them has a bullet proof vest or disguised as a resident of the house - so well disguised that it can fool the guard.

It is possible to check the other files they're trying to access. They have tamper protection for that. But you have to set the security level so high that even legitimate softwares would get questioned. Think of your firewall asking for permission every time a software wants to access a file or open up a service. It usually places the responsibility to the user to decide on that.

For CDs. You can disable autorun and still be able to use the autoplay by right-clicking. The problem is the trend with the way hardware is being introduced to the IT world. The primary objective is for the convenience of the users. But there are people who would try to find any security holes in them as soon as they're available to the public. Take Wi-Fi for example and the war-driving that happened after the introduction of that.

>>if u disable the autorun feature then u will not be able to run autoruncds automatically<<

So what!
You  can still right click, like was said.

IMO, so what you take ONE SINGLE MORE mouse click to do something? It's more secure. So what if I have to think while I work? Prevents people who would do me harm from getting to my stuff.

The whole problem with computer security today is MS wants to DUMBDOWN computers so ANY fool can run one and anyone can share anything with anyone any time. And that means any badguy can share your stuff too. The reason we have security issues with computers is that the younger generation wants everything free, everything shared, everything now, everything convient - should not have to work for a solution, should simply have to ask for it and have it delivered to me. 

Do you lock your house at night? WHY? It's inconvenient and you must then use a key to get back in.
Do you lock your car? Why don't you just use a simple toggle switch on the dash to start it? Why bother locking it? It's inconvenient, you have to dig out a key, insert it, unlock the door then insert a key to start the car.
Why?

The ideal solution is to make SMARTER people, not dumb-down the computers.............

Sorry for the rant, but I can sure tell who is over 40 and who is under 40! LOL.
My solution,  Disable that which lets others in to snoop and take what isn't theirs, or damage that which isn't theirs.
Yes yes - prevention is better than cure. Takes less time to be safe than to clean-up because one was too lazy to lock the door.
If everyone operated as I do, then there would be no more new viruses, no effort put into creating them, no effort put into malware as it simply wouldn't work.
They work because people let them work.
SPAM works because people fall for it, scams work because people fall for them, phony ebay auctions work because as someone once said, there's a sucker born every minute (make that every 4 seconds today).
When we quit being lazy in security, quit falling for such obvious hoaxes and scams, then the junk mail will slow and the virus creation will dwindle.
They are there because they work.

Now that we've filled the negative side. What are the advantages of using autorun aside from saving a few mouse-clicks?
The only thing I can think of is that it allows you to open up the volume/media you've just plugged in and that's for the sake of reducing the amount of mouse-clicks.

I guess enabling autorun is just for new users of computers. IMHO, so computer backgroud is really important.

ShadowsPapa: to make people smarter is a very good idea. But who and how would make it? People wants tool for their needs, and it's important what this tool do, not how it works from inside. Computer is a tool, and it must do its work - draw lines, play music, share files, etc... 99,9% of users don't want to spend several years for learning HOW this tool works from inside and how to fix it. It looks easy and clear for you, cause you know it already. but for newbie it's all a voodoo magic.
Btw, most of people don't know screwdriver's phisics, mark of steel, or critical force. But they use it and it works fine.

To protect computer from virus, people buy anti-virus. and it must protect them.
They do not need to lock the door, they need guard who will control this door.

Guys. You have to consider the use of the PC. If it's a home PC or for a company PC.
If you have autorun enabled in your home PC - I don't care. But when it comes to a company where I'm in charge of IT security, better disable that or don't use it. And I'd force you to scan the device first if I can. :D

agree with shadow_papa and mon_raralio completely,

Yes disabling auto-run.inf is an inconvenience, and some users may not know how to get around it, etc. However, the costs associated with an autorun.inf type virus far outweighs the cost of that inconvenience. We learned this the hard way. I was not "allowed' to disable autorun.inf until after we were hit by W32Downadup.  Management learned very quickly the benefit and we now have it implemented. The same battle goes for USB keys, etc. We are now fighting that battle and will have to learn a hard lesson.

Yes absolutly disable autorun.  We did it here years ago and I am glad we did.   Like others have said just takes on mutation to get past live update.  So what if the users need to do a mouse click.   Also in an enterprise/corperate network wouldn't it also be prudent to have everyone but IT not able to install.  I know we did that and it cuts way down on issues as the users can not just install what ever they want.  Plus if the users can install software how do you prevent them from bringing in pirated copies of software and what do you do if your audited in that case.   In a corperate or locked down environment there is not that much of a need for users to have things auto launch from a disk or flash drive.

We are maintaining a combination of servers, desktops and laptops like most companies have. Most of the laptop users are officers and management - those with a higher rank than us. Would you also disable autorun on them as well? Some shares Windessy's viewpoint on the use of Autorun for convenience.

hi mon, it's really an inconvenience. But on this age, (we are on a high tech stage) we have to cope up with the technologies or we get left behind. Virus creators abuse us on this. The key to successful computing I guess is being well informed.

Another example also is even us (IT people) get infected, so less IT inclined people would sure be vulnerable.

Autorun is a feature that is given just to fancy OS.As a best security practise we should have the autorun disabled atleast on the fileserver or the main server where all other users have theie drives mapped to the servers or who save or reteive files from the server.
Because if the server gets infected all the computers in the network will get infected.
In todays world almost all threats use this method of propogation.So even a spyware can become a worm if you have this feature enabled.
For people who who really want to use Autorun can have it disabled atleast for CD-ROMs and External drives.

Personally i dont like autorun, and on my personal computers and servers it;s switched off since first appearance of Win2003 server, where as you remember was problem in first versions with crushing system if empty cdrw was put in cd-drive.

I understand, that autorun can hurt, but i also sure, that AV must protect from this. That is not unknown treat with unknown filename. We all knows it: autorun.inf !!! So why not to check this file or what it calls?

Real problem is that when i write to support, instead of: "Ok, we'll add checking of autorun.inf and its traces', as it MUST be, i just recieve: "Switch autorun off".

basically when talking about autorun you have to think is security more important (costly) for you or user comfort.
this dilema apply to most of the security.
like AV or no AV - will you take performance hit
proxy or no proxy - will you be maintaining whitelists for your users (or blacklists)
etc.
etc.

some of those choices are obvious at this stage but not all for ordinary people because normal people are only thinking - I want it to work and it should be easy for me to do whatever I wat whenever I want. This stays in conflict with best security practice in the world which is block everything until it's allowed.

you should definitely disable autorun.

Autorun needs to be disabled...
better manually see what you would be getting rather than being surprised to find virus or infections...
thanks... 

Absolutly disable it

Some auto run haved a virus threats