Advice Request Disable execution access via Group Policy to prevent removable media malware

Please provide comments and solutions that are helpful to the author of this topic.

Nikos751

Level 20
Thread author
Verified
Malware Tester
Feb 1, 2013
970
Today I came across the latest ATP test results on av-comparatives.org , and noticed Windows Defender inability to protect from the malware used in that test, coming from removable storage, in the specific testing circumstances.
I wonder if denying execution access to removable media via Group Policy would protect the system. Would such measure, generally, be a bullet proof solution for usb malware? Copy & pasting into the system, would be a convenient way to just run a trusted executable.
 
F

ForgottenSeer 98186

Today I came across the latest ATP test results on av-comparatives.org , and noticed Windows Defender inability to protect from the malware used in that test, coming from removable storage, in the specific testing circumstances.
I wonder if denying execution access to removable media via Group Policy would protect the system. Would such measure, generally, be a bullet proof solution for usb malware? Copy & pasting into the system, would be a convenient way to just run a trusted executable.
See this page. The first method on the list gives step to make a specific USB flash drive read-only. Of course you can test GPO to see if that method works for you.


You can use a utility such as Phrozen Safe USB Download Phrozen Safe USB 2.0 to manage access to an attached USB flash drive.
 
F

ForgottenSeer 97327

See this page. The first method on the list gives step to make a specific USB flash drive read-only. Of course you can test GPO to see if that method works for you.


You can use a utility such as Phrozen Safe USB Download Phrozen Safe USB 2.0 to manage access to an attached USB flash drive.
Not an aswer to OP's question :)
 
  • Like
Reactions: Pixel_
F

ForgottenSeer 97327

Today I came across the latest ATP test results on av-comparatives.org , and noticed Windows Defender inability to protect from the malware used in that test, coming from removable storage, in the specific testing circumstances.
I wonder if denying execution access to removable media via Group Policy would protect the system. Would such measure, generally, be a bullet proof solution for usb malware? Copy & pasting into the system, would be a convenient way to just run a trusted executable.
Yes works flawless on my PC since 2019. I copied this to a Windows Home tablet with an 64GB microSD card (through registry tweak) and this prevented Windows major updates. So keep an eye on your Windows update when enabling this setting.
 
  • Like
Reactions: Nikos751 and Pixel_

Nikos751

Level 20
Thread author
Verified
Malware Tester
Feb 1, 2013
970
Yes works flawless on my PC since 2019. I copied this to a Windows Home tablet with an 64GB microSD card (through registry tweak) and this prevented Windows major updates. So keep an eye on your Windows update when enabling this setting.
I cannot think of a reason why such setting can impact Windows updates. Messed up windows source code maybe. Are you 100% sure for that?
Thanks for that info!
 
Last edited:
F

ForgottenSeer 97327

I cannot think of a reason why such setting can impact Windows updates. Messed up windows source code maybe. Are you 100% sure for that?
Thanks for that info!
I had Googled and found that this setting could be preventing the update. After removing that registry setting, the update worked. I had read that Windows Update (at that time) choose teh disk with the largest free available space a sdownload location for major updates. So it sort of made sense (since it was a tablet with only 32GB primary SSD and the 64 GB SD card had more free space).
 
  • Like
Reactions: Nikos751

Nikos751

Level 20
Thread author
Verified
Malware Tester
Feb 1, 2013
970
I had Googled and found that this setting could be preventing the update. After removing that registry setting, the update worked. I had read that Windows Update (at that time) choose teh disk with the largest free available space a sdownload location for major updates. So it sort of made sense (since it was a tablet with only 32GB primary SSD and the 64 GB SD card had more free space).
So I understand, it can happen when system partition is small and needs to put temp windows update installation files at another disk which has blocked executable permissions from gpedit.
 
F

ForgottenSeer 97327

So I understand, it can happen when system partition is small and needs to put temp windows update installation files at another disk which has blocked executable permissions from gpedit.
Yes, but I run this regedit tweak also on my wife's laptop with no problems (upgraded from Windows11 22H1 to 22H2). I split the SSD into 2 partitions (one for Programs 64 GB and one for Data the rest of the 512 GB SSD) just to make sure the Data disk had the most free space.

Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\RemovableStorageDevices]

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\RemovableStorageDevices\{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}]
"Deny_Execute"=dword:00000001
 
  • Like
Reactions: Nikos751

Andy Ful

From Hard_Configurator Tools
Verified
Honorary Member
Top Poster
Developer
Well-known
Dec 23, 2014
8,458
Today I came across the latest ATP test results on av-comparatives.org , and noticed Windows Defender inability to protect from the malware used in that test, coming from removable storage, in the specific testing circumstances.
I wonder if denying execution access to removable media via Group Policy would protect the system. Would such measure, generally, be a bullet proof solution for usb malware? Copy & pasting into the system, would be a convenient way to just run a trusted executable.
Denying execution will fail In most cases. It does not block the most common attack vectors like:
  • shortcut + LOLBin + DLL,
  • document + macro + LOLbin + DLL.
A better method for Defender is using ASR rules for documents, scripts, and removable media.
Microsoft Defender has got the same results in the Consumer and Enterprise tests. But in both tests the Network Protection and ASR rules were disabled:
Microsoft: Google Chrome extension “Windows Defender Browser Protection” installed and enabled; “CloudExtendedTimeOut” set to 55; “PuaMode” enabled.
 
Last edited:

Nikos751

Level 20
Thread author
Verified
Malware Tester
Feb 1, 2013
970
Denying execution will fail In most cases. It does not block the most common attack vectors like:
  • shortcut + LOLBin + DLL,
  • document + macro + LOLbin + DLL.
A better method for Defender is using ASR rules for documents, scripts, and removable media.
Microsoft Defender has got the same results in the Consumer and Enterprise tests. But in both tests the Network Protection and ASR rules were disabled:
That was eye opening! I did not know these was the most common attack vectors. Fileless attacks using LOLbins seem to evolve fast.
I just set your tool's settings to high again xD
 
  • Like
Reactions: Andy Ful

About us

  • MalwareTips is a community-driven platform providing the latest information and resources on malware and cyber threats. Our team of experienced professionals and passionate volunteers work to keep the internet safe and secure. We provide accurate, up-to-date information and strive to build a strong and supportive community dedicated to cybersecurity.

User Menu

Follow us

Follow us on Facebook or Twitter to know first about the latest cybersecurity incidents and malware threats.

Top