Forefront Client Security and the Autorun virus Tip
First I need to clarify that FCS will catch any virus, Autorun or any other kind, but this post is for you to go the extra mile and be proactive: prevent the virus from even entering your system, even if a USB stick was inserted into an infected computer not under your management (a home computer, for example).
Windows does not let you create a file and a folder with the same name in the same location, so we use this to our advantage: when an autorun virus tries to write its autorun.inf, it will not be able to.
Note: in most of the autorun viruses I have seen, the virus is in the autorun.inf file, not the exe file as you might think.
So how is this done?
FCS uses MOM to manage its clients, which means you get all the nice MOM features; this is one of them. We will create a timed event rule (you can change it to an event-based one) that creates a folder named autorun.inf, hides it and marks it as a system folder so users don't see it, and finally creates a read-me file for anyone who gets into this folder. (This file is very important... please customize the line of text for your organization. In many cases the user thought the folder and the file inside were a virus and caused a panic, so please put in it something a virus would never know, like the service-desk/helpdesk phone number.)
Now we open the MOM Administrator console.
Go to Management Packs, then the host behavior event rules.
Next, create a new rule.
Note: I know that 1 minute is a bit low, but it only takes about 1 MB of memory and 0.5% of the CPU (only the first run takes a bit more); you can also set it as low as 15 seconds.
Now we add the command lines needed for our operations.
So press "add execute a command" and type this:
MKDIR a:\autorun.inf b:\autorun.inf c:\autorun.inf d:\autorun.inf e:\autorun.inf f:\autorun.inf g:\autorun.inf h:\autorun.inf i:\autorun.inf j:\autorun.inf k:\autorun.inf l:\autorun.inf m:\autorun.inf n:\autorun.inf o:\autorun.inf p:\autorun.inf q:\autorun.inf r:\autorun.inf s:\autorun.inf t:\autorun.inf u:\autorun.inf v:\autorun.inf w:\autorun.inf x:\autorun.inf y:\autorun.inf z:\autorun.inf
We add another one to set the Hidden and System attributes. The commands are chained with & so each one runs in turn (a pipe | would only feed one attrib's output into the next), and a: is included so it matches the MKDIR line:
attrib +H +S a:\autorun.inf & attrib +H +S b:\autorun.inf & attrib +H +S c:\autorun.inf & attrib +H +S d:\autorun.inf & attrib +H +S e:\autorun.inf & attrib +H +S f:\autorun.inf & attrib +H +S g:\autorun.inf & attrib +H +S h:\autorun.inf & attrib +H +S i:\autorun.inf & attrib +H +S j:\autorun.inf & attrib +H +S k:\autorun.inf & attrib +H +S l:\autorun.inf & attrib +H +S m:\autorun.inf & attrib +H +S n:\autorun.inf & attrib +H +S o:\autorun.inf & attrib +H +S p:\autorun.inf & attrib +H +S q:\autorun.inf & attrib +H +S r:\autorun.inf & attrib +H +S s:\autorun.inf & attrib +H +S t:\autorun.inf & attrib +H +S u:\autorun.inf & attrib +H +S v:\autorun.inf & attrib +H +S w:\autorun.inf & attrib +H +S x:\autorun.inf & attrib +H +S y:\autorun.inf & attrib +H +S z:\autorun.inf
The last thing we add is the echo command to create the read-me file, again chained with & (no space before the > so it is not written into the file):
Echo Dummy File to prevent viruses>a:\autorun.inf\Readme.txt & Echo Dummy File to prevent viruses>b:\autorun.inf\Readme.txt & Echo Dummy File to prevent viruses>c:\autorun.inf\Readme.txt & Echo Dummy File to prevent viruses>d:\autorun.inf\Readme.txt & Echo Dummy File to prevent viruses>e:\autorun.inf\Readme.txt & Echo Dummy File to prevent viruses>f:\autorun.inf\Readme.txt & Echo Dummy File to prevent viruses>g:\autorun.inf\Readme.txt & Echo Dummy File to prevent viruses>h:\autorun.inf\Readme.txt & Echo Dummy File to prevent viruses>i:\autorun.inf\Readme.txt & Echo Dummy File to prevent viruses>j:\autorun.inf\Readme.txt & Echo Dummy File to prevent viruses>k:\autorun.inf\Readme.txt & Echo Dummy File to prevent viruses>l:\autorun.inf\Readme.txt & Echo Dummy File to prevent viruses>m:\autorun.inf\Readme.txt & Echo Dummy File to prevent viruses>n:\autorun.inf\Readme.txt & Echo Dummy File to prevent viruses>o:\autorun.inf\Readme.txt & Echo Dummy File to prevent viruses>p:\autorun.inf\Readme.txt & Echo Dummy File to prevent viruses>q:\autorun.inf\Readme.txt & Echo Dummy File to prevent viruses>r:\autorun.inf\Readme.txt & Echo Dummy File to prevent viruses>s:\autorun.inf\Readme.txt & Echo Dummy File to prevent viruses>t:\autorun.inf\Readme.txt & Echo Dummy File to prevent viruses>u:\autorun.inf\Readme.txt & Echo Dummy File to prevent viruses>v:\autorun.inf\Readme.txt & Echo Dummy File to prevent viruses>w:\autorun.inf\Readme.txt & Echo Dummy File to prevent viruses>x:\autorun.inf\Readme.txt & Echo Dummy File to prevent viruses>y:\autorun.inf\Readme.txt & Echo Dummy File to prevent viruses>z:\autorun.inf\Readme.txt
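The same three steps as one batch script the rule could run instead (an added example, not from the original post or from FCS/MOM). It loops over the drive letters, skips letters that are not mounted, refuses to touch an existing autorun.inf file (that is exactly what an infected stick would carry), checks that mkdir actually succeeded before writing the read-me, and logs what it did. The read-me text and the log path are placeholders to customize.

```batch
@echo off
setlocal EnableDelayedExpansion
rem Added example, not from the original post: vaccinates every mounted drive
rem letter against malware that tries to write a file named autorun.inf.
rem NOTE text and LOG path are placeholders; customize them for your organization.
set "NOTE=Dummy folder created by IT to block autorun viruses. Do not delete it. Questions: Service Desk, ext. 0000 placeholder."
set "LOG=%SystemRoot%\Temp\autorun-vaccine.log"

for %%D in (A B C D E F G H I J K L M N O P Q R S T U V W X Y Z) do (
    rem Only act on drive letters that are actually mounted right now.
    if exist %%D:\ (
        if exist "%%D:\autorun.inf\" (
            echo !date! !time! %%D: already vaccinated>>"%LOG%"
        ) else if exist "%%D:\autorun.inf" (
            rem A FILE named autorun.inf exists: legitimate media autorun or an infection.
            rem Leave it alone and log it so FCS or the helpdesk can inspect the drive.
            echo !date! !time! WARNING %%D:\autorun.inf is a file, inspect this drive>>"%LOG%"
        ) else (
            rem mkdir fails on read-only media; check the result instead of assuming.
            mkdir "%%D:\autorun.inf" 2>nul
            if exist "%%D:\autorun.inf\" (
                echo !NOTE!>"%%D:\autorun.inf\Readme.txt"
                attrib +H +S "%%D:\autorun.inf"
                echo !date! !time! %%D: vaccinated>>"%LOG%"
            ) else (
                echo !date! !time! %%D: could not create folder, read-only or no access>>"%LOG%"
            )
        )
    )
)
endlocal
```

The folder only blocks creation of a file with the same name; malware running with enough rights can still remove it, which is why running the rule on a timer (so the folder is re-created every cycle) matters.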
This is the final result, and this is how it looks.
Now you don't have to worry about autorun viruses anymore.