
USB Security





  • Disabling autorun (autorun.inf)
IMPORTANT!! Read this page by US-CERT: Systems must have KB953252 (Vista/2008) or KB967715
If the KB is not installed on all systems, update them and/or use the following method recommended by US-CERT. Create a .reg file with:
    REGEDIT4
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\IniFileMapping\Autorun.inf]
    @="@SYS:DoesNotExist"
It is critical to restart the system after updating the registry or deleting the registry key:

      HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2


If they have the KB, you can use the official Microsoft method for disabling autorun.

At the bottom of this page you can find an easy-to-use ADM template file for use with the GPO without the Microsoft hotfix.

If this is a new system with no USB storage device ever connected:

Set deny permissions for the user(s) and/or group(s) on:
  1. %SystemRoot%\Inf\Usbstor.pnf
  2. %SystemRoot%\Inf\Usbstor.inf
If you aren't sure, or you know a USB storage device was previously connected:

Either run this on the machine or do what it does, which is to change:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\UsbStor
Key: Start

To: 4 (Hex)

Even if the computer is protected, the USB drive could still become infected on other computers and have a malware autorun.inf and related files added to it. There are two ways to deal with it:

1) Use the USB Autorun Protect tool (from the File-Cabinet) - it will protect the drive (FAT/FAT32/NTFS), created by Erez Kalman.

This tool takes several steps to make it very difficult to enter/edit/remove the protection (except when using the tool) among them playing around with the file system, ACL (if NTFS) and more...




2) Create a directory called autorun.inf, then add the attributes +r +s +h (Read only, System, Hidden). This isn't foolproof, but it is simple and works on all drives. Make sure to add an autorun.inf file inside the directory and give it the same three attributes.

3) Use the Panda Security USB and Autorun Vaccine tool. The tool can be memory resident and provides two options:

First one: Computer Vaccination - Performs the change shown at the top of this page:
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\IniFileMapping\Autorun.inf]
@="@SYS:DoesNotExist"

Second one: USB Drive Vaccination - Creates an unreadable/uneditable/undeletable (well, if you study how it works it can be deleted) file that unless you know how.... can only be deleted by formatting the disk - works only on FAT32 drives (no NTFS!!)

Command line usage:

USBVaccine.exe [ A|B|C…|Z ] [ +system|-system ] [ /resident [/hidetray] ]

[drive unit]:   Vaccinate drive unit
+system :    Computer vaccination
-system :     Remove computer vaccination
/resident:     Start program hidden and prompt for vaccinating every new drive
/hidetray:     Hides tray icon when used with the /resident command

Examples:
To vaccinate USB drives F:\ and G:\, use
   USBVaccine.exe F G

To vaccinate the computer, use
   USBVaccine.exe +system

To vaccinate computer and prompt for vaccinating every new drive without showing a tray icon, use
   USBVaccine.exe /resident /hidetray +system

It could be very useful to create a shortcut to USBVaccine.exe in the Startup folder with this last command line (or without the /hidetray), so that every time you boot the computer USBVaccine is loaded, vaccinates the computer and prompts the user to vaccinate any new non-vaccinated USB drive. However, if you do this under Vista, UAC will block it from running at startup because it requires admin privileges.


  • USB Information tool (e.g. Find S/N, VID, PID)

USBDeview - Cached version available in file cabinet

  • Protect the USB storage device
To disable write access only to USB storage devices (XP SP2 and above only!) set:

HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\StorageDevicePolicies

add:

DWORD: WriteProtect=1

To disable, remove the DWORD value or set it to 0 (zero).
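
To confirm that the registry settings described on this page are actually present on a machine, the following added example (not part of the original page or of any tool it mentions) parses the text of a .reg export and checks the three values given above: the Autorun.inf IniFileMapping default, UsbStor Start, and StorageDevicePolicies WriteProtect. The function names, the report layout and the sample export are constructed for illustration.

```python
import re

# Settings from this page: (key, value name, expected data); "@" = default value.
EXPECTED = [
    (r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion"
     r"\IniFileMapping\Autorun.inf", "@", "@SYS:DoesNotExist"),
    (r"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\UsbStor", "Start", 4),
    (r"HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\StorageDevicePolicies", "WriteProtect", 1),
]
VALUE_LINE = re.compile(r'^(@|"(?:[^"\\]|\\.)*")=(.*)$')
ESCAPED = re.compile(r"\\(.)")  # .reg strings escape \ and " with a backslash

def parse_reg(text):
    """Parse .reg export text into {key_lower: {value_name_lower: data}}."""
    keys, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            current = keys.setdefault(line[1:-1].lower(), {})
        m = VALUE_LINE.match(line)
        if current is None or not m:
            continue
        name, data = m.groups()
        name = "@" if name == "@" else ESCAPED.sub(r"\1", name[1:-1]).lower()
        if data.startswith("dword:"):
            current[name] = int(data[6:], 16)  # dword data is written in hex
        elif len(data) >= 2 and data[0] == data[-1] == '"':
            current[name] = ESCAPED.sub(r"\1", data[1:-1])
    return keys

def audit(text):
    """Return {value name: (compliant, data found or None)} for each setting."""
    keys = parse_reg(text)
    report = {}
    for key, name, want in EXPECTED:
        got = keys.get(key.lower(), {}).get(name.lower())  # names ignore case
        report[name] = (got == want, got)
    return report

# Constructed sample: autorun mapping set, UsbStor still enabled, no WriteProtect.
SAMPLE = r'''REGEDIT4
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\IniFileMapping\Autorun.inf]
@="@SYS:DoesNotExist"
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\USBSTOR]
"Start"=dword:00000003
'''

if __name__ == "__main__":
    print(audit(SAMPLE))
```

Exports written by regedit in its default format are UTF-16, so decode the file with encoding="utf-16" before passing its text to audit().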

Below you can find an ADM template I created named usbro.adm

Attachments (2)

  • autorunforcedisable.adm - on May 12, 2009 1:12 PM by Erez Kalman (version 1)
  • usbro.adm - on May 17, 2009 12:09 PM by Erez Kalman (version 1)