How to protect PCs from USB-malware carriers?


11 replies to this topic

#1 Aberrant

  • Members
  • 40 posts

Posted 07 August 2014 - 06:51 AM

We maintain several PCs for a library, a research lab for students at a university. Just recently a bunch of malware swarmed inside the lab and nearly affected all the machines. Most of this malware is being imported from students' flash drives, which they are freely allowed to plug into the PCs. So cleaning the infections was really tedious. We cloned the drives and some were fixed using anti-malware software.

Each computer is running Microsoft Security Essentials for virus protection, and that's it.

Our main problem is, how should we set up each PC so that we can prevent those viruses from getting inside the system? Is there any particular software or Windows configuration that can offer such functionality? MSE merely detects all these viruses, most of which have already infiltrated the system, and removing each one, as I said, is very tedious and time-consuming.

Maybe you guys have some efficient workarounds for this type of predicament.

NOTE:
All PCs have the same hardware and use Windows 7 32-bit.




#2 scotty_ncc1701

  • Members
  • 520 posts
  • Gender:Male

Posted 07 August 2014 - 10:22 AM

Simple, look at:

http://www.bleepingcomputer.com/forums/t/541639/security-suggestions-post-3-of-7/

Have a great day!
 



#3 Didier Stevens

  • BC Advisor
  • 2,706 posts
  • Gender:Male

Posted 07 August 2014 - 02:52 PM

I developed a free open source tool to block all execution from removable drives: http://blog.didierstevens.com/programs/ariad/


Didier Stevens
http://blog.DidierStevens.com
http://DidierStevensLabs.com

SANS ISC Senior Handler
Microsoft MVP 2011-2016 Consumer Security, Windows Insider MVP 2016-2019

If you send me messages, per Bleeping Computer's Forum policy, I will not engage in a conversation, but try to answer your question in the relevant forum post. If you don't want this, don't send me messages.

Stevens' law: "As an online security discussion grows longer, the probability of a reference to BadUSB approaches 1.0"

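Ariad enforces "nothing executes from a removable drive" with a file-system filter driver. The original poster also asked for a Windows configuration that does this, so the following is an added example, not part of this thread and not Ariad's code, showing the same rule expressed with AppLocker, which ships with Windows 7. The caveats a lab admin wants up front: AppLocker rules are only enforced on Windows 7 Enterprise and Ultimate (Windows 7 Professional ignores them; Software Restriction Policies with a path rule on the USB drive letters are the fallback there), the Application Identity service must be running, and a Deny rule wins over every Allow rule, so the default Allow rules below are what keep Windows and Program Files working. The `%REMOVABLE%` path variable, the cmdlets and the event IDs are AppLocker's own; the file names, the `E:\tool.exe` sample and the audit-first workflow are this example's assumptions.

```powershell
# Added example (not from this thread and not part of Ariad): deny execution
# from removable drives with AppLocker on Windows 7, audit first, then enforce.
# Run from an elevated PowerShell prompt. Enforcement needs Windows 7
# Enterprise/Ultimate (or a later Windows); Windows 7 Professional ignores
# AppLocker rules, so use Software Restriction Policies there instead.
param(
    [ValidateSet('AuditOnly', 'Enabled')]
    [string]$Mode = 'AuditOnly',                        # switch to Enabled once the audit log is clean
    [string]$PolicyPath = "$env:TEMP\no-usb-exec.xml",  # scratch file; path is this example's choice
    [string]$UsbSample = 'E:\tool.exe'                  # assumed: any .exe copied onto the inserted stick
)

Import-Module AppLocker          # PowerShell 2.0 on Windows 7 does not auto-load modules

# AppLocker evaluates nothing unless the Application Identity service runs.
# (On Windows 8.1 and later this service is protected; use "sc.exe config appidsvc start= auto".)
Set-Service -Name AppIDSvc -StartupType Automatic
Start-Service -Name AppIDSvc

function New-PathRule {
    # One FilePathRule element. S-1-1-0 is Everyone, S-1-5-32-544 is BUILTIN\Administrators.
    param([string]$Name, [string]$Path, [string]$Sid, [string]$Action)
    $id = [guid]::NewGuid().ToString()
@"
    <FilePathRule Id="$id" Name="$Name" Description="" UserOrGroupSid="$Sid" Action="$Action">
      <Conditions>
        <FilePathCondition Path="$Path" />
      </Conditions>
    </FilePathRule>
"@
}

function New-Collection {
    # A RuleCollection (Exe or Script) with AppLocker's usual default Allow rules,
    # plus a Deny for everything under %REMOVABLE%\*. Deny always beats Allow, so
    # even the administrators' "*" rule does not let an admin run from a USB stick.
    param([string]$Type)
@"
  <RuleCollection Type="$Type" EnforcementMode="$Mode">
$(New-PathRule -Name 'Allow Program Files'   -Path '%PROGRAMFILES%\*' -Sid 'S-1-1-0'      -Action 'Allow')
$(New-PathRule -Name 'Allow Windows'         -Path '%WINDIR%\*'       -Sid 'S-1-1-0'      -Action 'Allow')
$(New-PathRule -Name 'Allow administrators'  -Path '*'                -Sid 'S-1-5-32-544' -Action 'Allow')
$(New-PathRule -Name 'Deny removable drives' -Path '%REMOVABLE%\*'    -Sid 'S-1-1-0'      -Action 'Deny')
  </RuleCollection>
"@
}

# Exe covers .exe/.com, Script covers .ps1/.bat/.cmd/.vbs/.js. Add "Msi" and "Dll"
# collections the same way if the lab needs them (Dll enforcement is costly).
$policy = @"
<AppLockerPolicy Version="1">
$(New-Collection -Type 'Exe')
$(New-Collection -Type 'Script')
</AppLockerPolicy>
"@
Set-Content -Path $PolicyPath -Value $policy -Encoding ASCII

# Dry run against real files before the policy touches the machine: the USB
# sample should come back Denied, notepad.exe Allowed.
Test-AppLockerPolicy -XmlPolicy $PolicyPath -User Everyone -Path $UsbSample, "$env:WINDIR\notepad.exe" |
    Format-Table FilePath, PolicyDecision, MatchingRule -AutoSize

# Replace the local AppLocker policy (add -Merge to keep existing rules).
Set-AppLockerPolicy -XmlPolicy $PolicyPath

# Confirm the effective policy actually carries the removable-drive Deny rule.
(Get-AppLockerPolicy -Effective -Xml) -match 'REMOVABLE'

# In AuditOnly mode event 8003 records what would have been blocked; in Enabled
# mode 8004 records real blocks. Review these before flipping -Mode to Enabled.
Get-WinEvent -LogName 'Microsoft-Windows-AppLocker/EXE and DLL' -ErrorAction SilentlyContinue |
    Where-Object { $_.Id -eq 8003 -or $_.Id -eq 8004 } |
    Select-Object TimeCreated, Id, Message -First 20
```

Start in AuditOnly on one lab machine: once an Exe collection is enforced, anything that matches no Allow rule is denied by default, which includes software installed into user profiles rather than Program Files, and the 8003 events are the cheapest way to find those before students do. Like Ariad, this only stops execution; it does not stop a student copying a file from the stick to the local disk, which is the separate question raised later in this thread.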

#4 quietman7

    Bleepin' Janitor

  • Global Moderator
  • 51,596 posts
  • Gender:Male
  • Location:Virginia, USA

Posted 07 August 2014 - 06:59 PM

If you do a Google search you will find various free and paid-for programs which will protect a USB drive. However, I would recommend using Ariad...that way if you have any questions, our very own Didier Stevens is readily available to answer them.

Windows Insider MVP 2017-2018
Microsoft MVP Reconnect 2016
Microsoft MVP Consumer Security 2007-2015
Member of UNITE, Unified Network of Instructors and Trusted Eliminators

#5 Aberrant
  • Topic Starter

  • Members
  • 40 posts

Posted 07 August 2014 - 07:20 PM

Thanks! Great collection.



#6 Aberrant
  • Topic Starter

  • Members
  • 40 posts

Posted 07 August 2014 - 07:36 PM

> I developed a free open source tool to block all execution from removable drives: http://blog.didierstevens.com/programs/ariad/

Neat tool, man! I will surely test this software on my personal machine before deploying it in the students' lab and beep you up if I ever encounter any problems! Thanks for this!


Edited by Aberrant, 07 August 2014 - 07:49 PM.


#7 Didier Stevens

  • BC Advisor
  • 2,706 posts
  • Gender:Male

Posted 08 August 2014 - 02:52 AM

> I developed a free open source tool to block all execution from removable drives: http://blog.didierstevens.com/programs/ariad/

> Neat tool, man! I will surely test this software on my personal machine before deploying it in the students' lab and beep you up if I ever encounter any problems! Thanks for this!

Feel free.



#8 Aberrant
  • Topic Starter

  • Members
  • 40 posts

Posted 08 August 2014 - 06:17 AM

I just installed Ariad and it works well on my personal system (Windows 7 64-bit). But for some reason, after I stopped Ariad's process the computer lagged for a couple of minutes. I wonder what causes it to lag, because both CPU and RAM usage in Task Manager were fine. Nevertheless everything works perfectly, no BSoD or whatnot.

I have another question which is somewhat related to my problem. Using this powerful software makes the system much more secure and provides a solid preventive method against malware infection, but how can I also restrict users from transferring/copying files from their USB drives to the computer? Like they can only run their documents from their USB drive and are denied from moving them to the computer's disk.

Thanks!



#9 Didier Stevens

  • BC Advisor
  • 2,706 posts
  • Gender:Male

Posted 08 August 2014 - 07:01 AM

> But for some reason, after I stopped Ariad's process the computer lagged for a couple of minutes. I wonder what causes it to lag, because both CPU and RAM usage in Task Manager were fine. Nevertheless everything works perfectly, no BSoD or whatnot.

Can you be more specific? What process do you mean: did you stop the driver (ariad.sys) or the GUI (ariad.exe)? And how did you stop it?

> I have another question which is somewhat related to my problem. Using this powerful software makes the system much more secure and provides a solid preventive method against malware infection, but how can I also restrict users from transferring/copying files from their USB drives to the computer? Like they can only run their documents from their USB drive and are denied from moving them to the computer's disk.

For this you need more sophisticated endpoint protection than my Ariad tool.

At the level of the driver, copying a file from a USB drive is the same as reading a file from the USB drive. That is why I can't program my driver to block copies but allow reading.




#10 Aberrant
  • Topic Starter

  • Members
  • 40 posts

Posted 10 August 2014 - 05:55 AM

> Can you be more specific? What process do you mean: did you stop the driver (ariad.sys) or the GUI (ariad.exe)? And how did you stop it?

Hello sir, sorry for the late reply. Anyway, I stopped Ariad using the stop command as instructed in the readme file. After I entered that command in the command prompt my PC lagged for a bit, then everything worked normally. It was something like a glitch or stutter type of lag. I had only installed the manual .INF when I tested it and encountered this problem. I'll test more PCs and if all units work fine then I'll switch to the permanent .INF of Ariad.

Thanks!



#11 Didier Stevens

  • BC Advisor
  • 2,706 posts
  • Gender:Male

Posted 10 August 2014 - 08:57 AM

Yes, that can happen when you stop filters.

But with normal usage, you would never stop the filter.



#12 Aberrant
  • Topic Starter

  • Members
  • 40 posts

Posted 12 August 2014 - 07:29 AM

I am very pleased with Sir Didier Stevens' Ariad program, which I am currently using as an additional layer of protection in our students' lab, and it solved the problem I raised in this thread. Thanks for the help, guys!



#13 Didier Stevens

  • BC Advisor
  • 2,706 posts
  • Gender:Male

Posted 12 August 2014 - 02:09 PM

> I am very pleased with Sir Didier Stevens' Ariad program, which I am currently using as an additional layer of protection in our students' lab, and it solved the problem I raised in this thread. Thanks for the help, guys!

Cool!






