I’m wondering if I can set Comodo to pop a Defense+ alert on attempts to read/write anything to a removable USB HD/flash drive? And potentially allow reads, but not writes? And can I do this so Windows doesn’t autowrite something to the drive…
You can add your removable drive to protected items (Defense+ → Common Tasks → My protected files → Add… → Browse, then drag your removable drive to the right part of the browse dialog and apply).
And you will be alerted for every application that is trying to create new or modify existing files in the location. But in Clean PC and even in Safe Mode, Windows applications (like explorer.exe) will be assumed safe and will be allowed to write to protected files and folders. In order to avoid this, find the Defense+ rule for all applications and move it to the top.
It is only half-way =)
For example, a USB drive can get another drive letter, but at another moment I can install a new hard drive and I would have to look up the rules to remove it from write-protection.
D+ has a wonderful option to protect \Device\HarddiskVolume?.…
Is there an ability to protect removable devices in this way? If yes, tell us, please =) It can be very helpful, especially for office computers.
Other way
"Microsoft has introduced some changes into Windows XP Service Pack 2 that allow an administrator slightly more granular control over how USB removable drives are handled. A new storage device policy named WriteProtect makes it possible to prevent all removable USB drives from being written to. They will still act as readable devices, but they cannot be written to.
The new policy is set in the Registry in HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\StorageDevicePolicies, as a DWORD named WriteProtect. When set to 1, all USB removable drives are write-protected. When set to 0 (or when the DWORD entry is removed entirely), USB drives can once again be written to. This is a machine-level setting and not a user-level setting."
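The registry policy quoted above, as an added PowerShell example (not part of the original post or of Microsoft's text; the function names are hypothetical). It assumes an elevated prompt, since the value lives under HKLM:

```powershell
# Added example: audit and set the StorageDevicePolicies\WriteProtect DWORD
# described in the quoted text. Get-UsbWriteProtect / Set-UsbWriteProtect are
# illustrative names, not a Microsoft or Comodo API.
$PolicyKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\StorageDevicePolicies'

function Get-UsbWriteProtect {
    # $true only when the DWORD exists and equals 1. A missing key or a
    # missing value behaves like 0: USB drives are writable.
    if (-not (Test-Path -Path $PolicyKey)) { return $false }
    $item = Get-ItemProperty -Path $PolicyKey -Name 'WriteProtect' -ErrorAction SilentlyContinue
    return ($null -ne $item -and $item.WriteProtect -eq 1)
}

function Set-UsbWriteProtect {
    param([Parameter(Mandatory)][bool]$Enabled)

    # The key may not exist yet, so create it on demand.
    if (-not (Test-Path -Path $PolicyKey)) {
        New-Item -Path $PolicyKey -Force | Out-Null
    }

    # -Force creates the value or overwrites an existing one, and pins the
    # type to DWORD as the policy text requires (1 = read-only, 0 = writable).
    New-ItemProperty -Path $PolicyKey -Name 'WriteProtect' `
        -PropertyType DWord -Value ([int]$Enabled) -Force | Out-Null

    # Read the value back so a failed write does not pass silently.
    if ((Get-UsbWriteProtect) -ne $Enabled) {
        throw 'WriteProtect was not applied; check that the prompt is elevated.'
    }
}

# Report the state before and after enabling the policy.
"Before: USB write protection = $(Get-UsbWriteProtect)"
Set-UsbWriteProtect -Enabled $true
"After:  USB write protection = $(Get-UsbWriteProtect)"
```

`Set-UsbWriteProtect -Enabled $false` writes 0, which the quoted text says restores write access.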
No, for now there is no way CIS can detect a specific removable device if its letter has been changed.
add \Device\STORAGE#RemovableMedia* to My Protected Files?
HKUS<User directory>\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\ is a widely accessed key.
It contains basically info on what letter corresponds to what physical location. Use that perhaps?
\Device\Harddisk?\DP(?)-+*
That is the string for Removable Media =)
Comp Sec Policy - All Applications (at top) - Custom - Access Rights - My Protected Files - Blocked - THIS STRING
After that RemMedia is READ-Only even on CleanPC Mode (Like in my case)
And if you set \Device\Harddisk?\DP(?)-+*\autorun.inf as a Blocked File, it can protect you from any autoruns from Removable Media.
Also, if you write down this string in “My Blocked Files”, you will make all your Removable Media unreadable and unwriteable. No access to media at all =) So this is good protection for public computers: no flash disks, USB disks or anything like that.
p.s. I’m a little bit confused, help me!
If I take a look at the WinObj application, I can see there that my partitions on the hard drive (not removable) have the same type of view. For example, the Primary Partition has type \Device\Harddisk0\DP(1)0x7ee-xxxxx+xxxxx, so it must match \Device\Harddisk?\DP(?)-+*, but it doesn’t.
Maybe it is because the partitions are symlinked not to \Device\Harddisk?\DP… but to \Device\HarddriveVolume?.. ?
Anyway, the instructions described above and below work fine. They block USB devices, but not CD-ROM or floppy. Other types I haven’t tried.
p.p.s. \Device\Harddisk?\DP(?)?-?+?* is the RIGHT string to protect ALL files on Removable Media. The last “*” means all files in the root of the device and any subfolders.
So \Device\Harddisk?\DP(?)?-?+?*.exe means all .exe files on the media (even in subfolders).
Windows 7 has a different logic for mounting Removable Media…
So what is explained above fits only XP.
Any ideas about Windows 7?