Flash drive protection against Autorun viruses.



D obrogo time of day, dear Habr reader. I work at the university, in the laboratory of computer technology. We administer about a hundred computers. We faced the problem of protection against Autorun viruses on flash drives. Naturally, we disabled autorun in Windows, however, it was necessary to protect the flash drives themselves so that the worker at home, after inserting a working flash drive, would not infect his computer. Under kat solution to the problem.


Before you start ...


Dear users, the steps described below were performed in Microsoft Windows Xp; in other operating systems, the process may differ from the above. I would also like to say that the author of the text is not responsible for equipment damaged due to the following steps.

Training.


To implement our plan, we will need to format the flash drive in NTFS, for this there are several methods known to me. For me, the easiest is to use Acronis Disk Director .

After starting Disk Director, you will see a list of disks connected to your system. In this list we find our flash drive, right-click and select “Delete Partition”, in the new window we leave everything as it is (there is not much difference there). Then again, right-click on our disk and select "Create Partition". In the "Create Partition" window, select:
  • File System: NTFS .
  • Create as: Main section .


Окно 'Создать раздел'

Now click on the “Flag” icon and click “Proceed” in the window that appears. After the changes are made, restart the computer.

A flash drive can also be formatted in a simpler way specified by uv. maxshopen :

Пуск → Выполнить → cmd →

convert f: /FS:NTFS < — это если данные на флэшке нужны и их некуда сбэкапить

или

format f: /FS:NTFS < — если данные нафик


Customization.


So, the card is ready to configure, go to the USB flash drive and create a directory in the root directory in which the data will be stored, I called it “DATA”. Right-click on the new directory and go to the security tab, then click on the "Advanced" button. Here we uncheck the box “Allow inheritance of permissions from the parent to this ...”, in the dialog that appears, click “Copy”, then click “OK” in both windows. Now, let's go to the “Security” section of the root directory of our media and configure the permissions as follows:
In the “Allow” column, leave the following items checked:
  • Read and execute
  • List folder contents
  • Reading


In the “Deny” column, check the box next to “Record”, in the dialog that appears, click “Yes”.

Настройка разрешений корневого каталога флэшки.

That's all, in the end we get a flash drive that Autorun cannot sign up for. For this, we sacrifice a small share of productivity, the ability to write to the root directory of the medium and, of course, the inability to use the "Send" menu to copy data to the medium.

Possible problems and their solution.


  1. После форматирования накопителя в NTFS, его не видно в системе.

    Right click on “My Computer”, select “Management”, in the window that appears, go to “Disk Management”, click on our flash drive with the right button and select “Change drive letter or drive path”. Select the letter, click OK.


Unfortunately or fortunately, I have not found any more problems, if you suddenly find it, write, and try to solve it.

Turn off autorun.


In addition to XP Home Edition:
start - run - gpedit.msc - computer configuration - administrative templates - System - disable autorun (select where to disable). Next, apply the new policy with the gpupdate command in the console.

There is no Group Policy Management snap-
in in Home , however the same effect can be achieved by manually editing the registry:
1) Start -> run -> regedit
2) open the HKLM \ SOFTWARE \ Microsoft \ Windows \ CurrentVersion \ Policies
branch 3) Create a new section
4) Rename the created section in Explorer
5) In this section, create the NoDriveTypeAutoRun key
Valid key values:
0x1 - disable autorun on unknown type of drives
0x4 - disable autorun of removable devices
0x8 - disable autostart of non-removable devices
0x10 - disable autostart of network drives
0x20 - disable autostart of CD drives
0x40 - disable autostart of RAM disks
0x80 - disable autorun on drives of unknown types
0xFF - disable autorun in general of all disks.

Values ​​can be combined by summing their numerical values.

Default values:
0x95 - Windows 2000 and 2003 (autorun of removable, network and unknown drives is disabled)
0x91 - Windows XP (autorun of network and unknown drives is disabled)
Comment: in XP Home, by default this key is absent (as is the Explorer section itself), therefore the process of creating it is described above. For other versions, you don’t need to create it, it already exists, just fix it.

Useful to browse through the Microsoft Resource Kit