Why Endpoint Protection does not remove AT, INF, INI, and registry keys related to infections

Article ID: 154161

Products

Endpoint Protection

Issue/Introduction

A machine, drive or USB drive is scanned by a third party antivirus solution, which then detects autorun.inf files, scheduled tasks (AT tasks), or registry keys as malicious.

Environment

SEP 14.x

Cause

It can be difficult to differentiate a legitimate task from a task that launches a threat; therefore, we do not remove tasks as part of our threat remediation. The same applies to .LNK shortcut files.

SEP (Symantec Endpoint Protection) has the ability to prevent autorun.inf from being read and from launching threats. Because AutoRun is a legitimate function of the operating system, we leave the blocking and/or deletion of these files in the hands of the Administrator.

Application and Device Control also has the ability to prevent files from being executed on removable drives, thereby preventing the threat from installing. As a rule, we are not able to restore some registry keys, as we have no way of knowing what values they held before the threat infected the machine.

By themselves, autorun.inf files are harmless. They contain no malicious code and cannot cause harm to a system. Our detection engines are focused on actual malicious files, and malicious files that use an autorun.inf file to launch themselves are detected by Symantec. From a security standpoint there are no protection gaps for customers based on our policies towards autorun.inf.

Resolution

Customers who want to prevent all use of autorun.inf files are advised to turn off AutoPlay/AutoRun functionality and/or use Application and Device Control to lock down this functionality. Symantec has created Application and Device Control Policies to lock down the creation of certain files as well as prevent the propagation of threats via USB drives.

Best Practices for Deploying Symantec Endpoint Protection's Application and Device Control Policies
http://www.symantec.com/docs/TECH145973

We are aware that some security vendors report autorun.inf files as malware and consequently remove them. Symantec chooses not to remove files that contain no viral code, because doing so risks system instability or breaking the normal functionality of legitimate applications. However, Symantec does recognize that remediating malware can leave orphaned autorun.inf files behind. While harmless, they can cause customer concern, so the Eraser Engine implements functionality to identify and remove the majority of orphaned autorun.inf files left behind after the linked malware has been removed. This should not be interpreted to mean that we will delete all autorun.inf files, nor that we will always agree with other antivirus vendors when they render a malicious verdict against a specific file.

Additional Note

Scheduled tasks created by malware are not malicious in themselves (a submission will result in Determination: Data File), but they can be a useful clue for identifying undetected malware or infected computers on the network. See How to determine which remote computer has created a malicious scheduled task.
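An added PowerShell audit, not code from this article or from Symantec, that ties the Resolution and the Additional Note together: it reports whether AutoRun is disabled by policy, lists autorun.inf files on removable drives whose open=/shellexecute= target no longer exists (the orphaned files discussed above), and summarises scheduled-task actions for triage. It assumes the Explorer NoDriveTypeAutoRun registry policy value (0xFF disables AutoRun for all drive types) and the Get-ScheduledTask cmdlet; the function names are the example's own.

```powershell
# Added example, not from the Symantec KB article. Assumes the Explorer policy value
# NoDriveTypeAutoRun (0xFF = AutoRun off for every drive type); run elevated.
$PolicyKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer'

function Get-AutoRunPolicy {
    $v = (Get-ItemProperty -Path $PolicyKey -Name NoDriveTypeAutoRun `
            -ErrorAction SilentlyContinue).NoDriveTypeAutoRun
    if ($null -eq $v) { return 'NotSet (AutoRun allowed)' }
    if ($v -eq 0xFF)  { return 'Disabled on all drive types' }
    return ('Partially disabled (0x{0:X2})' -f $v)
}

function Disable-AutoRun {
    # The article's "turn off AutoPlay/AutoRun" advice, applied machine-wide
    if (-not (Test-Path $PolicyKey)) { New-Item -Path $PolicyKey -Force | Out-Null }
    Set-ItemProperty -Path $PolicyKey -Name NoDriveTypeAutoRun -Value 0xFF -Type DWord
}

function Get-AutorunInfTarget {
    # autorun.inf is INI text; open= / shellexecute= name the file AutoRun would
    # launch. A file whose target is gone is an orphan left behind after remediation.
    param([string]$DriveRoot)
    $inf = Join-Path $DriveRoot 'autorun.inf'
    if (-not (Test-Path $inf)) { return }
    foreach ($line in Get-Content -Path $inf) {
        if ($line -match '^\s*(open|shellexecute)\s*=\s*"?([^"\s]+)') {
            [pscustomobject]@{ Drive = $DriveRoot; Key = $Matches[1]; Target = $Matches[2]
                               Orphaned = -not (Test-Path (Join-Path $DriveRoot $Matches[2])) }
        }
    }
}

function Get-TaskActionSummary {
    # Tasks are data files, not malware (Additional Note), but their actions are a
    # triage clue: review anything launching from Temp, AppData or removable media.
    foreach ($task in Get-ScheduledTask) {
        foreach ($a in $task.Actions) {
            if ($a.Execute) {
                [pscustomobject]@{ Task = $task.TaskPath + $task.TaskName
                                   Execute = $a.Execute; Arguments = $a.Arguments }
            }
        }
    }
}

"AutoRun policy: $(Get-AutoRunPolicy)"
# DriveType 2 = removable disk
Get-CimInstance Win32_LogicalDisk -Filter 'DriveType = 2' |
    ForEach-Object { Get-AutorunInfTarget -DriveRoot "$($_.DeviceID)\" } | Format-Table -AutoSize
Get-TaskActionSummary | Format-Table -AutoSize
```

Call Disable-AutoRun only after the audit confirms the policy is not already set; the script itself only reports.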