Ariad started as a tool to prevent inserted USB sticks from executing code. Technically, it achieves this goal with a minifilter driver by blocking access to \autorun.inf on USB sticks. When you try to access autorun.inf on USB sticks, you’ll get an access denied error. Hence the name Ariad (AutoRun.Inf Access Denied).

But Ariad has evolved and now restricts access to several file types on different media types (not only USB sticks).

Ariad’s many idiosyncrasies stem from the design process. Instead of defining a feature set for this tool, I explored the technical possibilities of minifilter drivers and let the features emerge from it.

Ariad is a minifilter driver, and as such, operates inside the Windows Kernel. Bugs in kernel software can have grave consequences: the dreaded BSOD. So please test this software first on a test machine you can miss.

The 32-bit version of Ariad is more than a year old now and the previous version (0.0.0.7, never published) has run for more than a year on Windows XP SP2, SP3, Windows Vista SP1 without causing a single BSOD. Ariad was also tested on Windows 7 in a VM. So I consider the 32-bit version of Ariad stable now.

Ariad V0.0.0.7 has proven to be very reliable in the environments I use. Ariad V0.0.0.8 is very similar to V0.0.0.7: I just added .LNK to the blacklist of executable files, and added a couple of debugprint statements.

Version 0.0.0.9 has a minor change in the source code (a pointer cast), but the big difference is that I’ve compiled it with WDK 7.1 for Windows 7 x64 machines. And I’ve signed this version with an SPC valid for kernel drivers. This 64-bit version is identical in its operation to the 32-bit version. And you use the Ariad.exe 32-bit GUI to configure it.

THIS IS BETA SOFTWARE OPERATING IN THE KERNEL, SO TEST THIS FIRST ON 64-BIT TEST MACHINES WITH FILES YOU CAN MISS.

I’ve compiled the 32-bit version on Windows XP SP2 32 bit, and installed it on Windows XP SP2 (virtual and physical), Windows XP SP3 (virtual and physical) Windows Vista SP1 (physical), Windows 7 Beta (virtual) and Windows 2000 Professional SP4 with Update Rollup 1 (virtual).

I’ve compiled the 64-bit version on Windows 7 SP1 32-bit, and installed it on Windows 7 SP1 64-bit.

Download 32-bit:

Ariad_V0_0_0_8.zip (https)

MD5: B8E46212CA56B7BD056BA30E84DF8596

SHA256: 99620D77B23C21BC1C020352C5E9CCC467A4C450E0C69AA6FFBCE7227063964C

Download 64-bit (only Ariad.sys, get the .inf and ariad.exe files from the 32-bit download):

Ariad_V0_0_0_9.zip (https)

MD5: C41EFF12D1C454595C5F8B8EBB09DA69

SHA256: DC0F40BA397E19FDFED67E287E0CF24FB55314B9760477D3783D492043FFF698

Installing Ariad:

I provide 2 ways to install Ariad. When you look inside the install folder of the ZIP file, you’ll find the driver file (ariad.sys) and two install files: ariad-manual.inf and ariad-boot.inf.

You need admin rights to install Ariad. I recommend you start installing with ariad-manual.inf. This will install the ariad.sys driver but will not start it; it has to be started manually. To start the Ariad minifilter, issue the command: sc start ariad

Now you’ve started Ariad and you can observe if your system is still stable. When you reboot your machine, Ariad will not be started automatically. You need to run command sc start ariad to start it again. This is your fail-safe mode. If Ariad makes your system unstable, you just have to reboot it (power-cycling it as a last resort) to disable Ariad.

After you’re satisfied with the reliability of Ariad and want to run it permanently, you can install it with ariad-boot.inf. This installs Ariad the same way as the first installer, except for the startup parameter: instead of requiring a manual start, it will start at boot time.

If you have problems with Ariad starting in boot mode, you’ll need to disable it with sc. Worst case, you’ll need to boot from a Live CD and delete ariad.sys from %system32%\drivers. So don’t use a machine with full disk encryption to test this.

Configuring Ariad

Ariad comes with a GUI application that runs in userspace: ariad.exe. You use it to configure the behavior of the ariad.sys minifilter.

Before explaining the many configuration options, I need to explain how the minifilter works.

The minifilter operates in the file system driver stack and filters file system requests. The minifilter is instantiated each time a file system is mounted. So Ariad does not only work on USB sticks, but also on CD-ROMs, harddisks (fixed and USB) and network shares. If a particular file system does not need to be filtered, the Ariad minifilter is not instantiated for this file system.

When you start Ariad.exe, you’ll see this dialog:

For security reasons, Ariad.exe requires local admin rights to change configurations. This way, you can prevent your users with a LUA from changing the configuration. Ariad.exe will elevate on systems with UAC.

All changes are written to the registry immediately when a change is made in the dialog box. All configuration settings will be applied to new instances of the minifilter, and not to existing instances. For example, if you’ve inserted a USB stick with the read-only option toggled on, this setting will remain until you remove the USB stick. Changing the read-only toggle for USB drives in the dialog box does not affect the USB stick you already inserted. It will only be applicable to new USB sticks you insert.

If you need to change the setting for an existing USB stick, you’ll need to eject it first, change the setting, and then re-insert it. This is by design.

Ariad was designed for 2 types of users: very technical users who understand the working of the underlying OS; and IT-agnostic users, who will be protected by Ariad installed and configured by an administrator that makes all the configuration choices for them. These users don’t see Ariad at all; they will just encounter the occasional access denied. As an administrator, you don’t give access to ariad.exe to these LUA users.

This is also the reason why I don’t provide a one-click setup program that installs the driver and the GUI. I don’t want inexperienced users to install this. This tool is not user-friendly.

The configuration options

Remember that all the settings in the Ariad configuration dialogbox apply to new instances: i.e. a drive that will be mounted, not drives that are already mounted.

Every change performed in the dialogbox is immediately active and saved in the registry, there is no Save or Apply button.

To exclude particular drives from Ariad’s filtering, add the drive letters to the “Allow drives” textbox. A good idea is to add your system harddrives to this textbox, like C.

To temporarily prevent Ariad from instantiating an instance for a drive you want to insert, click on the button “Disable Ariad for newly inserted disks during 60s”. Every drive inserted within 60s after clicking the button will not be restricted by Ariad. Use this feature if you need full access to some USB drives you trust.

Ariad identifies 4 types of drives:

– USB Drive (these are USB sticks, not external USB harddisks)

– CDROM (DVDs too of course)

– Harddisk (built-in harddisks and external USB harddisks)

– Network (shares mounted as network drives)

I made the distinction between USB sticks and USB harddisks because users of my USBVirusScan tool requested this, and I want to apply the same logic here.

Be careful when configuring harddisks, you might make your system unstable and unbootable. Be sure to exclude your system harddisks before you do this.

For each of these 4 drive types, you can define up to 5 filtering options:

– no autorun.inf: denies all access to \autorun.inf (that’s in the root directory of the disk, not in subdirectories)

– no executables: denies all access to executables identified by their file extension. Here is the list of extensions hardcoded in version 0.0.0.8:

BAT

CMD

COM

CPL

DLL

EXE

OCX

PIF

SCR

SYS

VB

VBE

VBS

WSF

WSH

LNK

This is a hardcoded blacklist. I plan to provide this list in the registry in a future version, and also implement a whitelist.

I have not tested alternate data streams.

– block all: denies access to the complete drive. The filesystem is mounted, but every access to files is denied

– read-only: files can’t be written to. You could use this for forensic investigations if you don’t have a hardware write blocker.

– no file execute: this is a very special option. It prevents files from being mapped into memory. When executables are loaded (creating a process with an .EXE, LoadLibrary of a DLL, …) they are mapped into memory. This setting prevents this. The effect is that executable files can be read and copied, but not launched from the mounted drive. The advantage of this setting is that it blocks binary executables independently of the file extension they have. For example, LoadLibrary of dll.tmp will be prevented.
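To make the interaction of these options concrete, here is an added user-mode model of the per-volume decisions described above (not Ariad’s source, which is a kernel minifilter). The drive types, the five options, the “Allow drives” exclusion, the root-only autorun.inf rule and the 0.0.0.8 extension blacklist come from this page; the names, the struct layout, and the handling of alternate data streams (which the page says were not tested) are my assumptions.

```c
#include <ctype.h>
#include <stdbool.h>
#include <string.h>
enum drive_type { DRV_USB, DRV_CDROM, DRV_HARDDISK, DRV_NETWORK };
/* The five per-drive-type options from the page, as flag bits. */
enum { NO_AUTORUN = 1, NO_EXECUTABLES = 2, BLOCK_ALL = 4, READ_ONLY = 8, NO_FILE_EXECUTE = 16 };
struct ariad_config {
    unsigned options[4];      /* flag bits per drive_type */
    const char *allow_drives; /* letters from the "Allow drives" textbox, e.g. "C" */
};
/* Extension blacklist hardcoded in Ariad 0.0.0.8, as listed on the page. */
static const char *const blacklist[] = { "BAT", "CMD", "COM", "CPL", "DLL", "EXE", "OCX",
    "PIF", "SCR", "SYS", "VB", "VBE", "VBS", "WSF", "WSH", "LNK", NULL };
/* Case-insensitive: does a[0..n) equal the whole of b? */
static bool ieq_n(const char *a, size_t n, const char *b) {
    if (strlen(b) != n) return false;
    for (size_t i = 0; i < n; i++)
        if (toupper((unsigned char)a[i]) != toupper((unsigned char)b[i])) return false;
    return true;
}
/* Is the extension of name[0..n) (after the last '.' of its final path component) blacklisted? */
static bool ext_blacklisted(const char *name, size_t n) {
    size_t i = n;
    while (i > 0 && name[i - 1] != '.' && name[i - 1] != '\\') i--;
    if (i == 0 || name[i - 1] != '.') return false; /* no extension */
    for (int k = 0; blacklist[k]; k++)
        if (ieq_n(name + i, n - i, blacklist[k])) return true;
    return false;
}
/* Assumption (ADS untested per the page): check every ':'-separated part, so "notes.txt:payload.exe" counts. */
static bool has_executable_extension(const char *path) {
    for (const char *part = path;; part = strchr(part, ':') + 1) {
        const char *colon = strchr(part, ':');
        if (ext_blacklisted(part, colon ? (size_t)(colon - part) : strlen(part))) return true;
        if (!colon) return false;
    }
}
/* One file request on one mounted volume: 'write' = write access requested, 'image' = mapped as executable image. */
bool ariad_denies(const struct ariad_config *cfg, char drive, enum drive_type type,
                  const char *path, bool write, bool image) {
    if (strchr(cfg->allow_drives, toupper((unsigned char)drive))) return false; /* excluded: no instance */
    unsigned o = cfg->options[type];
    if (o & BLOCK_ALL) return true;
    if ((o & NO_AUTORUN) && ieq_n(path, strlen(path), "\\autorun.inf")) return true; /* root only */
    if ((o & NO_EXECUTABLES) && has_executable_extension(path)) return true;
    if ((o & READ_ONLY) && write) return true;
    return (o & NO_FILE_EXECUTE) && image;
}
/* Constructed sample: USB sticks lose autorun.inf and executables, harddisks are read-only, C is excluded. */
const struct ariad_config sample_cfg = { { NO_AUTORUN | NO_EXECUTABLES, 0, READ_ONLY, 0 }, "C" };
```

Note that with the sample policy a USB stick can still be written to and a non-system harddisk can still run executables: each option is evaluated only for its own drive type, exactly as the dialog box configures it.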

Further plans

– Add whitelist

– Export hardcoded extension list to registry

README.TXT

THIS IS EARLY BETA SOFTWARE OPERATING IN THE KERNEL, SO ONLY USE THIS ON TEST MACHINES WITH FILES YOU CAN MISS.

Source code put in public domain by Didier Stevens, no Copyright
https://DidierStevens.com

Use at your own risk. It's beta software running inside the kernel.

Ariad (AutoRun.Inf Access Denied) is a minifilter that started as a way to block access to \autorun.inf on USB sticks, but now blocks several file types on several media types.

USB sticks are identified by their FILE_REMOVABLE_MEDIA device characteristics. USB HDDs will not be recognized as USB sticks but as harddisks.

autorun.inf files not in the root directory of the USB stick are accessible.

Ariad.sys is the minifilter and runs in the kernel.

Ariad.exe is a GUI to configure the filter and runs in user space. It requires admin rights.

Before you install this driver, you'll have to decide if this driver must start when your machine boots, or if you want to start/stop it when you want to.

To upgrade: first stop the minifilter: sc stop ariad, then proceed with install.

To install and start/stop manually: use ariad-manual.inf. You'll have to start the driver manually (also after each boot): net start ariad

To install and start at boot time: use ariad-boot.inf. You'll be prompted to restart your machine. This is because ariad will start at boot time. If you don't want to reboot, no problem. Cancel the reboot prompt and start the driver manually: net start ariad. Next boot, ariad will be running automatically.

I advise to use ariad-boot.inf only after you've worked with the manual start option and are satisfied that your system is stable.

To uninstall:

sc stop ariad

sc delete ariad

del \%windowsdir%\system32\drivers\ariad.inf

To stop the driver (for example to allow autorun.inf): net stop ariad

Bugs: