Example of writing software restriction policy rules in Windows Group Policy (2)

Actual combat: U disk virus solution

I am introducing some methods implemented by the system itself, without using third-party software. . Friends who like to use third-party software will not discuss it.

I have already introduced the first method: use the software restriction policy to create a rule "?\\*.* is not allowed", so that even if you have a U disk virus, it will not work.

The second method is actually an extension of the first method. We have analyzed the system's processing of the autorun.inf file. We can see that there is a step.
explorer.exe reads the contents of autorun.inf and writes it to the registry. From this, we can By restricting the permissions of the registry-related key values, it is impossible to modify the registry, thereby preventing the U disk virus from running. Related registry key:

HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\MountPoints2\\*\\shell\\open

HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\MountPoints2\\ *\\shell\\autorun

HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\MountPoints2\\*\\shell\\explorer

HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\MountPoints2\\ *\\shell\\*\\Command

HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\MountPoints2

The specific approach is to lower these keys or directly access all users. Cancellation of permission is fine.

The third method is to use a vulnerability in Windows to create a bug folder to prevent the Autorun virus. The specific method is:

First create a folder named Autorun.inf under the U disk, and then create a BUG folder with "." in this folder, so the autorun.inf folder Can not be deleted, for example, we set up under the D drive:

First create the Autorun.inf folder under the D drive and then run CMD, enter
md d:\\autorun.inf\\test..\\

This will create a folder named "test." in the autorun.inf folder, which cannot be accessed in the Explorer, cannot be renamed, and cannot be deleted.

This method is more negative, but it is suitable for the case where the U disk is often used on someone else's machine. However, it is said that some viruses can already deal with this method.

The fourth method, which is also widely practiced, is to disable the autoplay function through Group Policy or the registry. I have been convinced of this method before, but through the recent small experiments, I found that this method is also flawed. It can only prevent some rough U disk viruses, which are actually against many viruses. Nothing. This we can do the following experiments to verify. We create an autorun.inf file ourselves, put it in the root directory of the U disk, and then COPY a NOTEPAD to the root directory of your U disk. The contents are as follows:

[autorun]
OPEN=NOTEPAD. Exe
shell\\open=open(&O)
shell\\open\\Command=NOTEPAD.exe
shell\\open\\Default=1
shell\\explore=Resource Manager (&X
shell\\explore\\Command=NOTEPAD.exe

Turn off the autoplay function from Group Policy, right click on the U disk, there is no more option in the new menu, but you double click U disk to try You will find that NOTEPAD is running. Using the right button to select Open or Explorer is the same, it will run, because autorun.inf has modified the original two functions in the right-click menu. So what is autoplay to do? I believe that many packages know that there are a lot of CDs. When you put the CD into the CD-ROM drive, you don’t need to do anything. It will pop up an interface that lets you choose what to run, or what to play. Remember Rising’s soft kill. That's it, there are some motherboard graphics card drive disk also has this function, but put the same content into the U disk, it will not automatically run when you insert the U disk, it is obvious that this function of the operating system is only effective for the CD. Is the automatic play function we know, we have turned off the auto play function in Group Policy, just do not automatically run the CD into the CD-ROM drive, but you click on the CD-ROM right button, you will find that the auto-play option still exists. So turning off automatic playback makes no sense. Here we have to pay attention to a small concept, AutoPlay (AutoRun) which is different. In order to completely shut down this function of the system, we can only start from the service. If you are familiar with the system, you will know that the system handles the automatic playback and automatic operation of the service is Shell Hardware Detection, so we only need to close the Shell Hardware Detection service, all The U disk virus is impossible to run. However, this method is not omnipotent. Because of system differences, some systems may cause the system to start slowly after the service is shut down.

Personally think that for the U disk virus prevention, the method of modifying the registry is the most effective and has no side effects.