I propose my own way of fighting autorun viruses on flash drives, because the current solutions do not suit me for several reasons.
The main existing methods can be divided into 3 categories:
- Installing a resident monitor on the computer which, when a flash drive is connected, checks for an autorun.inf file and, if one is present, takes action. Drawback: it is tied to a specific machine.
- Protecting the flash drive with NTFS permissions is an excellent, rock-solid method, but its advantage is also its disadvantage: NTFS is not always applicable (for example, with Win9x, or with a particular model of car radio or DVD player that reads only FAT).
- Creating a directory named AUTORUN.INF on the flash drive. The drawback is that new viruses have learned to delete this directory, or to rename it if it cannot be deleted.
I took the third method as a basis and refined it. Outwardly, everything looks like this:
The principle of the script is as follows:
Two directories are created on the flash drive: AUTORUN.INF and AUTOSTOP. Each of them is protected from deletion by creating subdirectories with “incorrect” names:
mkdir "\\?\%~d0\AUTORUN.INF\LPT3"
mkdir "\\?\%~d0\AUTORUN.INF\LPT3\.."
I counter a virus's attempt to rename the AUTORUN.INF directory as follows: a desktop.ini file with the following content is created in that directory:
[.ShellClassInfo]
IconFile="..\AUTOSTOP\disable.ico"
IconIndex=0
InfoTip=" AUTOSTOP"
The disable.ico icon is placed in the AUTOSTOP directory (and in the AUTOSTOP directory itself a desktop.ini with similar content is created, pointing to the enable.ini icon located in the AUTORUN.INF directory).
Thus the two directories cross-reference each other in a “round robin”: when the AUTORUN.INF folder is renamed, the indicator icon on the AUTOSTOP folder disappears (see figure), which indicates that an autorun virus has infected the flash drive (i.e., there is an autorun.inf file on the flash drive) and that the computer to which the flash drive is currently connected is infected.
To be objective, there is one inconvenience: you need to press F5 in Explorer after connecting the flash drive and before removing it (to refresh the contents of the flash drive and, therefore, the state of the indicators).
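The check that the indicator icons perform visually can also be scripted. The following Python script is an added example, not part of the author's script: it reads each folder's desktop.ini, resolves IconFile relative to that folder (an assumption about how Explorer treats the path) and reports whether autorun.inf is a directory or a file. The sample tree, the RENAMED.DIR name and all function names are constructed for illustration.

```python
import configparser, tempfile
from pathlib import Path, PureWindowsPath

def icon_ok(folder: Path) -> bool:
    """True if folder/desktop.ini names an IconFile that exists on disk."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.read(folder / "desktop.ini")          # an unreadable file yields no sections
    value = cp.get(".ShellClassInfo", "IconFile", fallback="").strip().strip('"')
    if not value:
        return False
    # Assumption: the relative IconFile path is resolved from the folder itself.
    return folder.joinpath(*PureWindowsPath(value).parts).is_file()

def check_drive(root: Path) -> dict:
    """Report what kind of object autorun.inf is and whether both icons resolve."""
    hit = next((p for p in root.iterdir() if p.name.lower() == "autorun.inf"), None)
    kind = "missing" if hit is None else "directory" if hit.is_dir() else "file"
    indicators = {n: icon_ok(root / n) for n in ("AUTORUN.INF", "AUTOSTOP")}
    clean = kind == "directory" and all(indicators.values())
    return {"autorun.inf": kind, "indicators": indicators, "clean": clean}

def build_sample(root: Path) -> None:
    """Constructed layout from the description (icon names as the page gives them)."""
    for name, other, own_icon, other_icon in (
        ("AUTORUN.INF", "AUTOSTOP", "enable.ini", "disable.ico"),
        ("AUTOSTOP", "AUTORUN.INF", "disable.ico", "enable.ini"),
    ):
        d = root / name
        d.mkdir()
        (d / own_icon).write_bytes(b"")      # placeholder icon file
        (d / "desktop.ini").write_text(
            f'[.ShellClassInfo]\nIconFile="..\\{other}\\{other_icon}"\nIconIndex=0\n')

def demo() -> tuple:
    """Check the sample before and after the rename the post describes."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        build_sample(root)
        before = check_drive(root)
        (root / "AUTORUN.INF").rename(root / "RENAMED.DIR")   # constructed name
        (root / "autorun.inf").write_text("[autorun]\n")      # constructed file
        return before, check_drive(root)

if __name__ == "__main__":
    for state in demo():
        print(state)
```

To check a real drive, call check_drive with its root path (for example Path("E:/")); unlike the Explorer icons, the result does not depend on pressing F5.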
The script page in my LiveJournal is mechanicuss.livejournal.com/195192.html, and the download link is there too (I don’t give a direct link, because I regularly modify and update the script, adding the version number to the file name).
For those who ask why go to such lengths when other, simpler and more reliable methods are available, I will say the following:
- I want to show that “you can still beat the fascist” in alternative ways (any alternative is a plus).
- I love logic puzzles, and working on a script is excellent gymnastics for the mind.
- The method I invented (cross-references to icons) can be used as a basis in many other applied developments.
- - - - - - - - - - - - - - - - - - - - - - - - - - -
UPD:
Thanks to the idea of FloppyFormator, which consists in using one directory and the absolute path to the icon (IconFile="..\AUTORUN.INF\minus.ico"), the display has been improved, and version 2.1 of the script has been written. Now everything looks like this, much easier and more convenient:
I also want to sincerely thank dreamhelg for the invite, and dedicate version 2.1 to them (release date: March 8 :)
Friends, thank you for your attention to the script and for your ideas on improving it; thanks to this, the script becomes more effective.