
Protect USB flash drive from writing new files

I continue the topic of protecting flash drives from viruses (earlier I published AUTOSTOP, a script that protects flash drives from autorun viruses, and Panda USB and AutoRun Vaccine, a remedy for autorun viruses on a flash drive; both were mainly about preventing the malicious autorun.inf file from being written to the drive). The topic is interesting because cleaning viruses off a computer is a fight against the consequences, whereas protecting the flash drive from viruses is a measure aimed at removing the cause.

Protecting a flash drive from writing new files is done by determining the free space on it and then filling that space completely with the fsutil utility. This method is well suited, for example, to bootable flash drives (which carry their own autorun.inf file) that cannot be protected by creating a directory named AUTORUN.INF in its place.

Below are a description of the method, its analysis, and a way to automate it fully.

The method was not invented by me; it was suggested by the user cook and later turned up in several specialized sources. I have developed a convenient automated way of using it and, based on an analysis of both its strengths and its weaknesses, given it a more accurate name, "protection from writing new files" (as opposed to the less accurate "write protection" used in other sources, which does not fully reflect what the method does).

Method


In the original, such a file is created with the command:

fsutil file createnew <filename> <length>

Fsutil is a command-line utility. To use fsutil, you must be logged in with an administrator account or as a member of the Administrators group.

Testing showed that this method has two drawbacks:
  1. FAT32 limits the size of a single file to 2^32 bytes, i.e. 4 GB. Consequently, an 8 GB flash drive (not rare these days) or larger that holds little data can no longer be protected with a single file.
  2. Creating a large file takes several minutes. And what if you need to remove the protective file, add something to the flash drive, and then set the protection again? Time is lost again creating the large file.


My automated version uses the following code (save it as a bat file, copy it to the flash drive and run it from there); it is free from the drawbacks listed above:

@echo off
setlocal enabledelayedexpansion
rem Start with 1 GB placeholders, which stay well under the FAT32 4 GB file-size limit
set /a sizofile=1024 * 1024 * 1024
set /a sizofilemb=1024
for /l %%K in (1,1,256) do (
    rem The third token of the last line of "dir" output is the free byte count
    for /f "tokens=3" %%J in ('dir %~d0 /-C') do (set freespace=%%J)
    if !freespace! EQU 0 goto ready
    if !freespace! GTR !sizofile! (
        call :getime
        fsutil file createnew "%~d0\[ !sizofilemb! Mb ] !randtime!" !sizofile!
    ) else (
        rem Less than one placeholder left: halve the size up to five times
        for /l %%L in (1,1,5) do (
            for /f "tokens=3" %%J in ('dir %~d0 /-C') do (set freespace=%%J)
            set /a sizofile=!sizofile! / 2
            set /a sizofilemb=!sizofile! / 1024 / 1024
            if !freespace! GEQ 67108864 (
                if !freespace! GEQ !sizofile! (
                    call :getime
                    fsutil file createnew "%~d0\[ !sizofilemb! Mb ] !randtime!" !sizofile!
                )
            ) else (
                rem Under 64 MB left: one file of exactly the remaining bytes, then done
                if !freespace! EQU 0 goto ready
                call :getime
                fsutil file createnew "%~d0\[ 1-63 Mb ] !randtime!" !freespace!
                goto ready
            )
        )
    )
)

:ready
exit /b

:getime
rem Current time hhmmss plus fractions, separators stripped, as a unique name suffix
set randtime=!time:~-10!
set randtime=!randtime::=!
set randtime=!randtime:,=!
set randtime=!randtime:.=!
set randtime=!randtime: =!
exit /b


The logic of the code is as follows: the free space on the drive is read from the last line of the dir output; while more than 1 GB is free, 1 GB files are created one after another; once less than that remains, the file size is halved step by step (512, 256, 128, 64 MB) and at each step a file is created if it still fits; when less than 64 MB is left, a final file of exactly the remaining number of bytes is created and the script ends.

As a result, a file structure roughly like the following is created on the flash drive, filling all of its free space (the 7-digit unique code at the end of each file name is needed to avoid the error of creating two files with the same name):

[1-63 Mb] 7344296
[64 Mb] 7343581
[256 Mb] 6050959
[512 Mb] 6043075
[1024 Mb] 2341570
[1024 Mb] 2353157


Once such protection is installed on a flash drive, you must not delete anything from it (including the bat file mentioned above), otherwise the protection stops working. To lift the protection from writing new files (for example, when you need to write something to the drive), delete one or more of the files created in this way, the smallest ones that give you enough space, and write your data. Restoring the protection afterwards takes minimal time, because only the freed space has to be filled again.
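As an added example (my code, not the post's batch script and not part of AUTOSTOP), here is the same approach in Python: the free-space query goes through shutil.disk_usage instead of parsing the localized output of dir, the free space is re-measured after every file, and a helper chooses which placeholder files to delete when space is needed again. The placeholder naming scheme, the 1 GiB and 64 MiB thresholds, and the use of file truncation or fallocate in place of fsutil are assumptions taken from the script above, not part of the original method:

```python
"""Fill a removable drive's free space with placeholder files, the way
`fsutil file createnew` is used in the post, and choose placeholders to
delete when space is needed again. Added example; thresholds and naming
are assumptions copied from the batch script, not from AUTOSTOP itself.
"""
import errno
import os
import re
import shutil
import time
from pathlib import Path

MIB = 1024 ** 2
GIB = 1024 ** 3
MAX_CHUNK = GIB            # largest placeholder, as in the batch script
MIN_CHUNK = 64 * MIB       # below this, one file takes the exact remainder
FAT32_LIMIT = 2 ** 32 - 1  # FAT32 cannot hold a single file of 4 GiB or more
NAME_RE = re.compile(r"^\[ (\d+) (Mb|bytes) \] \d+$")  # assumed naming scheme


def plan_fill(free_bytes, max_chunk=MAX_CHUNK, min_chunk=MIN_CHUNK):
    """Sizes of placeholder files that together consume exactly free_bytes.

    Same policy as the batch script: max_chunk files while they fit, then
    halve the chunk down to min_chunk, then one file for whatever is left.
    """
    if max_chunk > FAT32_LIMIT:
        raise ValueError("a placeholder that large would not fit on FAT32")
    sizes, chunk = [], max_chunk
    while free_bytes > 0:
        if chunk < min_chunk or free_bytes < min_chunk:
            sizes.append(free_bytes)      # exact tail, the script's "[ 1-63 Mb ]"
            free_bytes = 0
        elif free_bytes >= chunk:
            sizes.append(chunk)
            free_bytes -= chunk
        else:
            chunk //= 2
    return sizes


def filler_name(size):
    """Readable size plus a nanosecond timestamp so two names never collide."""
    label = f"{size // MIB} Mb" if size >= MIB else f"{size} bytes"
    return f"[ {label} ] {time.time_ns()}"


def allocate(path, size):
    """Reserve size bytes without writing them, as `fsutil file createnew` does."""
    with open(path, "xb") as fh:          # "x": never clobber an existing file
        if hasattr(os, "posix_fallocate"):
            os.posix_fallocate(fh.fileno(), 0, size)  # real blocks; truncate alone is sparse on ext4
        else:
            fh.truncate(size)  # Windows: SetEndOfFile allocates clusters on FAT32/NTFS (assumption)


def fill_drive(drive, max_rounds=4096):
    """Create placeholders on drive until the volume reports 0 bytes free.

    Free space is re-read after every file (directory entries and MFT records
    consume space too); on ENOSPC the file is removed and retried smaller.
    """
    root, created, cap = Path(drive), [], None
    for _ in range(max_rounds):
        free = shutil.disk_usage(root).free
        size = plan_fill(free)[0] if free else 0
        if cap is not None:
            size = min(size, cap)
        if size == 0:
            break
        path = root / filler_name(size)
        try:
            allocate(path, size)
        except OSError as exc:
            path.unlink(missing_ok=True)
            if exc.errno != errno.ENOSPC:
                raise
            cap = size // 2               # disk_usage was optimistic; ask for less
            continue
        cap = None
        created.append(path)
    return created


def is_protected(drive):
    """True when nothing non-empty can be written to the volume any more."""
    return shutil.disk_usage(drive).free == 0


def list_placeholders(drive):
    """Map placeholder file name -> size for the files this scheme created."""
    return {p.name: p.stat().st_size for p in Path(drive).iterdir()
            if p.is_file() and NAME_RE.match(p.name)}


def choose_removals(placeholders, needed):
    """Names to delete so that at least needed bytes become free.

    Smallest files first until the request is covered, unless a single file
    covers it while freeing no more than that set would. Empty if impossible.
    """
    by_size = sorted(placeholders.items(), key=lambda kv: kv[1])
    chosen, freed = [], 0
    for name, size in by_size:
        if freed >= needed:
            break
        chosen.append(name)
        freed += size
    if freed < needed:
        return []
    for name, size in by_size:            # smallest single file that covers needed
        if size >= needed:
            return [name] if size <= freed else chosen
    return chosen
```

Point fill_drive only at the removable drive (for example fill_drive("E:\\") on Windows or fill_drive("/media/usb") on Linux); aimed at a system volume it will fill that volume instead. Unlike fsutil, it needs no administrator rights, since it only uses ordinary file APIs. To make room later, call list_placeholders on the drive, pass the result and the number of bytes you need to choose_removals, delete the returned files, write your data, and run fill_drive again; only the freed space is refilled.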

Analysis


Strictly speaking, this method is not a full equivalent of the hardware read-only switch found on some flash drives. Even when a drive is protected from writing new files as described, a virus can still create an autorun.inf file on it (an empty file needs only a directory entry, not a data cluster), but it cannot write anything into that file. Nor does anything stop malware running with the user's rights from simply deleting the placeholder files first; the method stops the common case of a virus that blindly copies itself to every removable drive, not an attack aimed at this scheme.

It should also be noted that a virus can still infect files already on the flash drive, because every file has some unused space at the end of its last cluster that the file system has already allocated to it. But the way malware is developing suggests that today viruses are less and less likely to infect individual files, and more and more often exploit vulnerabilities of the Windows operating system.

Thus this method counts as write protection only in the sense that no non-empty new file can be created on the flash drive. In practice, however, it is a serious measure against autorun viruses. As mentioned above, it is excellent for bootable flash drives (which have their own autorun.inf) that cannot be protected by creating a directory named AUTORUN.INF, and for flash drives carrying a personal set of necessary software that get plugged into other people's computers.

A few more words about the supposed reliability of the protection provided by the hardware "Read-only" switch. Here is a case I ran into.

My wife's camera (Canon A610) has no way to display a battery charge indicator. I found an alternative firmware that has this feature and wrote it to a memory card. The instructions for the firmware say that, for it to load automatically (rather than being started by hand after the camera is turned on), you need to move the switch on the memory card to the "Locked" position. I re-read this point several times to make sure I was not mistaken. No, that is what it says. I put the switch in the "Lock" position, inserted the card into the camera, expecting it to complain that it cannot write, and... nothing happened: all the captured frames were saved to the memory card just fine, and bad frames could be deleted without any problem. Draw your own conclusions.


Concrete implementation


The code for creating the bat file yourself is given above. The most convenient option, however, is to use the new version 2.4 of my AUTOSTOP script.

After each file is created it can emit a short beep through the system speaker, so you do not have to glance at the screen every few seconds to see whether another file has appeared (a watched pot never boils, as they say), and when the protection is fully installed a long beep sounds.

PS: I remind you that protecting a flash drive with NTFS permissions has not gone anywhere, but there are cases where using it is undesirable for one reason or another.

PPS: thanks to Elroir for help in writing the code.

Source: https://habr.com/ru/post/55524/
