You can use software restriction policies, to;
a. block the Name of the installer executable ( assuming its not something generic like setup.exe or somthing), and possibly the runtime (this may take care of the computers already "infected", although i am not sure of the potential for this to cause stability issues)
b. import the hash value of both the setup file and the executable and restrict access that way.
as always test test test.
disinfection could easily be carried out via wmi filtered computer startup script policy.
enumerate the services and if the DRM service is found run script X.vbs.
Windows 2003 kicks ass.
- Sam
- Sam
Some colleagues of mine were asking me how to stop CDs from auto-playing which allows something like Sony’s rootkit to install on their computers. The solution is actually quite simple and effective with Microsoft Active Directory Group Policy. It’s easy to disable auto-play from every single computer in the Enterprise globally with just a few tweaks in Group Policy and here’s how you do it. The same technique works for individual PCs as well.
Open up the "Active Directory Users and Computers" console. Right click on the top of the Active Directory and click "Properties"
Jump to the "Group Policy" tab, highlight "Default Domain Policy", and then click "Edit".
Expand "Computer Configuration" as shown below and click on the "System" folder. On the right hand pane, double click "Turn off Autoplay". Note that home users can jump to this screen by typing "gpedit.msc" from their "Start-run" prompt. If you’re not sure what that means, it’s probably not a good idea to mess with "gpedit.msc".
Choose "Enable" and select "All drives" to turn auto-play off for any device including CD and DVD drives and hit "Apply".
Close everything out and every computer on your domain is protected against auto-play and the Sony rootkit. Any business or organization that is serious about security should do this immediately.
