To disable write access only to USB storage devices (XP SP2 and above only!) set:
    HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\StorageDevicePolicies
    add:
    DWORD: WriteProtect=1
To disable write protection, remove the DWORD value or set it to 0 (zero).
Preventing your USB drive from auto-infecting
Even if the computer is protected, the drive could still become infected on other computers and have a malicious autorun.inf and related files added to it. There are two ways to deal with this:
1) Use the following bat file to protect or unprotect your USB drive. The embedded instructions assume you named this file usbarpro.bat
    @echo off
    cls
    if [%1]==[p] goto prot-prot
    if [%1]==[P] goto prot-prot
    if [%1]==[u] goto prot-unprot
    if [%1]==[U] goto prot-unprot
    ::above - check protect or unprotect
    goto prot-about
    :prot-prot
    if exist %2:\autorun.inf goto prot-bad
    ::file already exists - break out
    md %2:\autorun.inf
    ::make dir
    md \\.\%2:\autorun.inf\CON
    ::make illegal file names below
    echo www.kalman.co.il>\\.\%2:\autorun.inf\CON\PRN
    echo www.kalman.co.il>\\.\%2:\autorun.inf\LPT1
    echo www.kalman.co.il>\\.\%2:\autorun.inf\LPT2
    ::change directory attributes
    attrib +s +h +r %2:\autorun.inf
    ::for ntfs file systems remove everyones rights
    echo y|cacls %2:\autorun.inf /t /c /d system >nul
    cls
    echo y|cacls %2:\autorun.inf /t /c /e /r system >nul
    cls
    echo Protection activated on drive %2:
    goto prot-end
    :prot-unprot
    echo y|cacls %2:\autorun.inf /t /c /g %username%:f >nul
    cls
    attrib -s -h -r %2:\autorun.inf
    del \\.\%2:\autorun.inf\CON\PRN
    rd \\.\%2:\autorun.inf\CON
    del \\.\%2:\autorun.inf\LPT1
    del \\.\%2:\autorun.inf\LPT2
    rd %2:\autorun.inf
    echo Protection removed from drive %2:
    goto prot-end
    :prot-bad
    echo Autorun.inf file/directory already exist on drive %2: - Please remove it first!
    echo You can also try running this tool with the unprotect option.
    echo.
    :prot-about
    echo Syntax:
    echo.
    echo To Protect drive E: usbarpro p e
    echo To Unprotect drive E: usbarpro u e
    echo.
    echo DO *NOT* TYPE A COLON AFTER THE DRIVE LETTER!!
    echo.
    :prot-end
    echo.
    echo.
    echo USB Autorun Protect Tool V1.2 - Protect the storage device (FAT/FAT32/NTFS)
    echo (C) All Rights Reserved - Erez Kalman - www.kalman.co.il
    echo Free for use and distribution, may not be sold/modified in any way!
    echo.
    echo.
    echo on
Note: This USB Security tool (free and open source) bat file is available as a download from the author's site (http://www.kalman.co.il/f
2) Panda security tool - Unlike the first tool, this tool does NOT allow protection to be removed without formatting the storage device.
Blocking USB storage devices
If this is a new system with no USB storage device ever connected:
Set deny permissions for the user/s and/or group/s to:
%SystemRoot%\Inf\Usbstor.p
%SystemRoot%\Inf\Usbstor.i
It is highly recommended to rename the files before changing permissions.
If you aren't sure, or you know that a USB storage device was previously connected:
Either run this on the machine or do what it does, change:
    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\UsbStor
    Key: Start
    To: 4 (Hex)
Disabling autorun (autorun.inf) from being run by your computer
IMPORTANT!! Read this page by US-CERT: Systems must have KB953252 (Vista/2008) or KB967715.
If you do not have the KB on all systems, update them and/or use the following method recommended by US-CERT: create a .reg file with:
    REGEDIT4

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\IniFileMapping\Autorun.inf]
    @="@SYS:DoesNotExist"
It is critical to restart the system after updating the registry or deleting the registry key:
HKEY_CURRENT_USER\Software
If the systems have the KB, then you can use the official Microsoft method for disabling autorun.
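An added example, not part of the original page or the author's tool: a read-only PowerShell audit of the three registry values described above (WriteProtect, the UsbStor Start value, and the Autorun.inf IniFileMapping entry). It assumes PowerShell 3.0 or later; the function name Test-UsbHardening and the check labels are made up for this example.

```powershell
# Added example: read-only audit of the registry settings described on this page.
# Nothing is written to the registry. Names below are illustrative, not from the page.

$checks = @(
    @{ Name     = 'USB storage write protection'
       Path     = 'HKLM:\System\CurrentControlSet\Control\StorageDevicePolicies'
       Value    = 'WriteProtect'
       Expected = 1 },
    @{ Name     = 'USB storage driver disabled'
       Path     = 'HKLM:\SYSTEM\CurrentControlSet\Services\UsbStor'
       Value    = 'Start'
       Expected = 4 },
    @{ Name     = 'autorun.inf parsing blocked'
       Path     = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\IniFileMapping\Autorun.inf'
       Value    = '(default)'   # the key's default value, written as @= in the .reg file
       Expected = '@SYS:DoesNotExist' }
)

function Test-UsbHardening {
    param([hashtable[]]$Checks)

    foreach ($c in $Checks) {
        $actual = $null
        # A missing key or a missing value both count as "not set".
        if (Test-Path -LiteralPath $c.Path) {
            $item = Get-ItemProperty -LiteralPath $c.Path -ErrorAction SilentlyContinue
            if ($item -and ($item.PSObject.Properties.Name -contains $c.Value)) {
                $actual = $item.($c.Value)
            }
        }
        [pscustomobject]@{
            Check    = $c.Name
            Expected = $c.Expected
            Actual   = if ($null -eq $actual) { '<not set>' } else { $actual }
            Pass     = ($null -ne $actual) -and ($actual -eq $c.Expected)
        }
    }
}

Test-UsbHardening -Checks $checks | Format-Table -AutoSize
```

The page presents write protection and blocking of USB storage as separate measures, so a machine that uses only one of them will show the other check as not passing.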
Conficker / Downad virus
You can visit www.kalman.co.il/conficke
To clean your computer, use the McAfee STINGER tool; to scan your network, use the McAfee Conficker detection tool.
Remember - ALL computers must be patched, especially with Microsoft patch MS08-67