Wednesday 27 January 2016

Remove the Panda vaccine protection from the \AUTORUN.INF file (FAT)

Some people who use Panda AV or Panda USB Vaccine may find that the \AUTORUN.INF file on their E2B USB drive has been hidden and write-protected. Although it will not affect E2B, it does affect how the drive appears in Windows Explorer and how it is listed by grub4dos:

  • The \AUTORUN.INF file is not visible in Explorer (even if 'Show all files' is enabled)
  • You cannot write a new \AUTORUN.INF file or copy it over the top of the existing (hidden) one
  • Windows Explorer does not show the E2B icon or display the Volume Label of the drive - it just shows 'Removable drive' or 'Local Disk'
  • Grub4dos will not detect or list the file

What Panda appears to do (on a FAT volume) is:
  • Set the 'Hidden attribute' on the file
  • Set one of the 'Reserved' attribute bits which makes Windows (and grub4dos) ignore it.
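
To check for this condition, the following added example (not from the original post or from E2B) decodes the attribute byte of each 32-byte FAT directory entry and reports an AUTORUN.INF entry that has a reserved bit set. The sample directory and its attribute values are constructed; the post does not say which reserved bit Panda sets, so the check tests both of the top two bits.

```python
import struct

# FAT directory-entry attribute bits (byte at offset 0x0B of each 32-byte entry)
ATTR_BITS = {0x01: "READ_ONLY", 0x02: "HIDDEN", 0x04: "SYSTEM",
             0x08: "VOLUME_ID", 0x10: "DIRECTORY", 0x20: "ARCHIVE"}
RESERVED_MASK = 0xC0   # top two bits are reserved in the FAT specification
LFN_ATTR = 0x0F        # long-file-name entries use this attribute combination

def short_name(raw11: bytes) -> str:
    """Turn the 11-byte space-padded 8.3 field into NAME.EXT."""
    base = raw11[:8].decode("ascii", "replace").rstrip()
    ext = raw11[8:].decode("ascii", "replace").rstrip()
    return f"{base}.{ext}" if ext else base

def scan_directory(dir_bytes: bytes):
    """Yield (name, attr, flag_names, reserved_bits) for each short entry."""
    for off in range(0, len(dir_bytes) - 31, 32):
        entry = dir_bytes[off:off + 32]
        first, attr = entry[0], entry[0x0B]
        if first == 0x00:          # end-of-directory marker
            break
        if first == 0xE5 or (attr & 0x3F) == LFN_ATTR:
            continue               # deleted entry or long-name fragment
        flags = [n for bit, n in ATTR_BITS.items() if attr & bit]
        yield short_name(entry[:11]), attr, flags, attr & RESERVED_MASK

def find_protected(dir_bytes: bytes, target="AUTORUN.INF"):
    """Return entries named `target` that carry any reserved attribute bit."""
    return [(n, a, f) for n, a, f, r in scan_directory(dir_bytes)
            if n.upper() == target and r]

def _entry(name11: bytes, attr: int) -> bytes:
    """Build a constructed 32-byte entry (timestamps and cluster zeroed)."""
    return struct.pack("<11sB20x", name11.ljust(11), attr)

# Constructed sample root directory: attribute values are illustrative only.
SAMPLE_DIR = (_entry(b"E2B", 0x08) +              # volume label
              _entry(b"AUTORUN INF", 0x42) +      # HIDDEN + one reserved bit
              _entry(b"AUTORUN_INF", 0x20) +      # normal backup file
              bytes(32))                          # end-of-directory marker

if __name__ == "__main__":
    for name, attr, flags in find_protected(SAMPLE_DIR):
        print(f"{name}: attr=0x{attr:02X} flags={flags} reserved bit(s) set")
```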

For a FAT volume, we can remove protection with this bit of (seemingly wrong!) code executed from the grub4dos command line once booted to E2B:

errorcheck off
if not exist /AUTORUN.INF fat del /AUTORUN.INF

This looks incorrect, but works because the grub4dos fat utility does not use the grub4dos filesystem driver and seems to ignore the 'reserved bit' that makes the file 'illegal'.

After this code is executed, the AUTORUN_.INF file can be renamed to AUTORUN.INF.

I have added a $Panda_RestoreAutorun.inf_FAT.mnu file to the Sample menus and also to the Alternate Download Area - mnu files folder. Just copy it to your \_ISO\MAINMENU folder to use it. You will only see it if there is no \AUTORUN.INF in the current volume.

$Panda_RestoreAutorun.inf_FAT.mnu
iftitle [if not exist /AUTORUN.INF] Restore \AUTORUN.INF (FAT32 only)\n Undo Panda Vaccination and delete or unhide AUTORUN.INF
errorcheck off
if not exist (hd0,0)/autorun.inf /%grub%/fat del (hd0,0)/autorun.inf > nul
if exist (hd0,0)/AUTORUN_.INF /%grub%/fat ren (hd0,0)/AUTORUN_.INF AUTORUN.INF
if exist (hd0,0)/AUTORUN.INF echo (hd0,0)/AUTORUN.INF now restored!
if not exist (hd0,1)/autorun.inf /%grub%/fat del (hd0,1)/autorun.inf > nul
if exist (hd0,1)/AUTORUN_.INF /%grub%/fat ren (hd0,1)/AUTORUN_.INF AUTORUN.INF
if exist (hd0,1)/AUTORUN.INF echo (hd0,1)/AUTORUN.INF now restored!
pause Press a key to reload the Main menu...
configfile (md)0xa000+0x8000 || configfile /menu.lst


For NTFS volumes, it is a lot trickier as there is no grub4dos equivalent to the fat utility for the NTFS filesystem (see next blog post).

If you want to try directly editing the NTFS filesystem to fix the AUTORUN.INF file, check the post by Vasily Ignatov here.
