Advice Request Disable execution access via Group Policy to prevent removable media malware

Please provide comments and solutions that are helpful to the author of this topic.

Nikos751

Nikos751

Level 20
Thread author
Verified
Malware Tester
Feb 1, 2013
969
Today I came across the latest ATP test results on av-comparatives.org , and noticed Windows Defender inability to protect from the malware used in that test, coming from removable storage, in the specific testing circumstances.
I wonder if denying execution access to removable media via Group Policy would protect the system. Would such measure, generally, be a bullet proof solution for usb malware? Copy & pasting into the system, would be a convenient way to just run a trusted executable.
 
F

ForgottenSeer 98186

Nikos751 said:
Today I came across the latest ATP test results on av-comparatives.org , and noticed Windows Defender inability to protect from the malware used in that test, coming from removable storage, in the specific testing circumstances.
I wonder if denying execution access to removable media via Group Policy would protect the system. Would such measure, generally, be a bullet proof solution for usb malware? Copy & pasting into the system, would be a convenient way to just run a trusted executable.
Click to expand...
See this page. The first method on the list gives step to make a specific USB flash drive read-only. Of course you can test GPO to see if that method works for you.

www.maketecheasier.com

How to Secure Your USB Drive And Prevent It From Spreading Virus

Your USB drive can be exploited to spread virus and malware to the computer. Here is how you can secure your USB drive and prevent it from spreading virus.
www.maketecheasier.com www.maketecheasier.com

You can use a utility such as Phrozen Safe USB Download Phrozen Safe USB 2.0 to manage access to an attached USB flash drive.
 
F

ForgottenSeer 97327

Oerlink said:
See this page. The first method on the list gives step to make a specific USB flash drive read-only. Of course you can test GPO to see if that method works for you.

www.maketecheasier.com

How to Secure Your USB Drive And Prevent It From Spreading Virus

Your USB drive can be exploited to spread virus and malware to the computer. Here is how you can secure your USB drive and prevent it from spreading virus.
www.maketecheasier.com www.maketecheasier.com

You can use a utility such as Phrozen Safe USB Download Phrozen Safe USB 2.0 to manage access to an attached USB flash drive.
Click to expand...
Not an aswer to OP's question :)
 
  • Like
Reactions: Pixelman
F

ForgottenSeer 97327

Nikos751 said:
Today I came across the latest ATP test results on av-comparatives.org , and noticed Windows Defender inability to protect from the malware used in that test, coming from removable storage, in the specific testing circumstances.
I wonder if denying execution access to removable media via Group Policy would protect the system. Would such measure, generally, be a bullet proof solution for usb malware? Copy & pasting into the system, would be a convenient way to just run a trusted executable.
Click to expand...
Yes works flawless on my PC since 2019. I copied this to a Windows Home tablet with an 64GB microSD card (through registry tweak) and this prevented Windows major updates. So keep an eye on your Windows update when enabling this setting.
 
  • Like
Reactions: Nikos751 and Pixelman
Nikos751

Nikos751

Level 20
Thread author
Verified
Malware Tester
Feb 1, 2013
969
Max90 said:
Yes works flawless on my PC since 2019. I copied this to a Windows Home tablet with an 64GB microSD card (through registry tweak) and this prevented Windows major updates. So keep an eye on your Windows update when enabling this setting.
Click to expand...
I cannot think of a reason why such setting can impact Windows updates. Messed up windows source code maybe. Are you 100% sure for that?
Thanks for that info!
 
Last edited:
F

ForgottenSeer 97327

Nikos751 said:
I cannot think of a reason why such setting can impact Windows updates. Messed up windows source code maybe. Are you 100% sure for that?
Thanks for that info!
Click to expand...
I had Googled and found that this setting could be preventing the update. After removing that registry setting, the update worked. I had read that Windows Update (at that time) choose teh disk with the largest free available space a sdownload location for major updates. So it sort of made sense (since it was a tablet with only 32GB primary SSD and the 64 GB SD card had more free space).
 
  • Like
Reactions: Nikos751
Nikos751

Nikos751

Level 20
Thread author
Verified
Malware Tester
Feb 1, 2013
969
Max90 said:
I had Googled and found that this setting could be preventing the update. After removing that registry setting, the update worked. I had read that Windows Update (at that time) choose teh disk with the largest free available space a sdownload location for major updates. So it sort of made sense (since it was a tablet with only 32GB primary SSD and the 64 GB SD card had more free space).
Click to expand...
So I understand, it can happen when system partition is small and needs to put temp windows update installation files at another disk which has blocked executable permissions from gpedit.
 
F

ForgottenSeer 97327

Nikos751 said:
So I understand, it can happen when system partition is small and needs to put temp windows update installation files at another disk which has blocked executable permissions from gpedit.
Click to expand...
Yes, but I run this regedit tweak also on my wife's laptop with no problems (upgraded from Windows11 22H1 to 22H2). I split the SSD into 2 partitions (one for Programs 64 GB and one for Data the rest of the 512 GB SSD) just to make sure the Data disk had the most free space.

Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\RemovableStorageDevices]

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\RemovableStorageDevices\{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}]
"Deny_Execute"=dword:00000001
 
  • Like
Reactions: Nikos751
Andy Ful

Andy Ful

From Hard_Configurator Tools
Verified
Honorary Member
Top Poster
Developer
Well-known
Dec 23, 2014
8,119
Nikos751 said:
Today I came across the latest ATP test results on av-comparatives.org , and noticed Windows Defender inability to protect from the malware used in that test, coming from removable storage, in the specific testing circumstances.
I wonder if denying execution access to removable media via Group Policy would protect the system. Would such measure, generally, be a bullet proof solution for usb malware? Copy & pasting into the system, would be a convenient way to just run a trusted executable.
Click to expand...
Denying execution will fail In most cases. It does not block the most common attack vectors like:
  • shortcut + LOLBin + DLL,
  • document + macro + LOLbin + DLL.
A better method for Defender is using ASR rules for documents, scripts, and removable media.
Microsoft Defender has got the same results in the Consumer and Enterprise tests. But in both tests the Network Protection and ASR rules were disabled:
Microsoft: Google Chrome extension “Windows Defender Browser Protection” installed and enabled; “CloudExtendedTimeOut” set to 55; “PuaMode” enabled.
Click to expand...
 
Last edited:
  • Like
Reactions: Nikos751 and simmerskool
Nikos751

Nikos751

Level 20
Thread author
Verified
Malware Tester
Feb 1, 2013
969
Andy Ful said:
Denying execution will fail In most cases. It does not block the most common attack vectors like:
  • shortcut + LOLBin + DLL,
  • document + macro + LOLbin + DLL.
A better method for Defender is using ASR rules for documents, scripts, and removable media.
Microsoft Defender has got the same results in the Consumer and Enterprise tests. But in both tests the Network Protection and ASR rules were disabled:
Click to expand...
That was eye opening! I did not know these was the most common attack vectors. Fileless attacks using LOLbins seem to evolve fast.
I just set your tool's settings to high again xD
 
  • Like
Reactions: Andy Ful

Similar threads

Bot
Malware News Hackers Using Sneaky HTML Smuggling to Deliver Malware via Fake Google Sites
Replies
0
Views
448
Security News
Bot
Bot
silversurfer
    • Like
    • +Reputation
Researchers Discover New PlugX Malware Variant Spreading via Removable USB Devices
Replies
0
Views
510
News Archive
silversurfer
silversurfer
SeriousHoax
    • Like
    • Thanks
    • +Reputation
AV-Comparatives Real-World Protection Test July-October 2022
Replies
7
Views
983
Security Statistics and Reports
brambedkar59
brambedkar59

About us

  • MalwareTips is a community-driven platform providing the latest information and resources on malware and cyber threats. Our team of experienced professionals and passionate volunteers work to keep the internet safe and secure. We provide accurate, up-to-date information and strive to build a strong and supportive community dedicated to cybersecurity.

Quick Navigation

Forum Rules Warning System Welcome Guide Two-factor Authentication

User Menu

Login

Follow us

Follow us on Facebook or Twitter to know first about the latest cybersecurity incidents and malware threats.

Top