Protecting a flash drive from writing new files

    I continue to develop the topic of protecting flash drives from viruses (previously I published the AUTOSTOP materials, a script that protects flash drives from autorun viruses, and Panda USB and AutoRun Vaccine, a cure for autorun viruses on a flash drive; both focused mainly on preventing a malicious autorun.inf from being written to the flash drive). The topic is interesting because cleaning viruses off the computer is a fight against the consequences, whereas protecting the flash drive from viruses is a measure aimed at eliminating the cause.

    The flash drive is protected from the writing of new files by determining the free space on it and then filling that space completely with the fsutil utility. This method is well suited, for example, to protecting bootable flash drives (which have their own autorun.inf file) that cannot be protected by creating a directory named AUTORUN.INF in place of the file.

    Below is a description of the method, its analysis, and a way to automate it fully.

    The method was not invented by me: it was suggested by the user cook, and I later found it in several specialized sources. I have developed a convenient automated way to use it, and (based on an analysis of both its strengths and its weaknesses) I have given it a more accurate name, “protection from writing new files”, unlike the less accurate name used in other sources, “write protection”, which does not fully reflect the essence of the method.

    Method


    In the original, the following command is used to create such a file:

    fsutil file createnew <filename> <length>

    fsutil is a command-line utility; to use it, you must be logged on with an administrator account or as a member of the Administrators group. As testing showed, this method has two drawbacks:




    1. FAT32 has a file size limit (2^32 bytes, i.e. 4 gigabytes). Accordingly, an 8-gigabyte flash drive with more than 4 gigabytes free (such flash drives are not rare today) cannot be protected in this way, because a single file cannot fill all of its free space.
    2. Creating large files takes several minutes. And what if you need to delete the protection file, add something to the flash drive, and then set up the protection again? Time is wasted once more on creating a large file.


    In my automated version, the following code is used (save it as a bat file, copy it to the flash drive and run it from there); it is free of the listed disadvantages:

    @echo off
    setlocal enabledelayedexpansion
    rem %~d0 is the drive the bat file was started from, i.e. the flash drive itself

    rem Outer loop: up to 256 files of 1024 MB, enough for a 256 GB drive
    for /l %%K in (1,1,256) do (
        rem Start every pass from the 1024 MB size again, so that the halving
        rem done by the inner loop does not carry over into the next pass
        set /a sizofile=1024 * 1024 * 1024
        rem The third token of the last line of dir output is the number of bytes free
        for /f "tokens=3" %%J in ('dir %~d0 /-C') do (set freespace=%%J)
        if !freespace! EQU 0 goto ready
        if !freespace! GTR !sizofile! (
            call :getime
            fsutil file createnew "%~d0\[ 1024 Mb ] !randtime!" !sizofile!
        ) else (
            rem Less than 1024 MB left: try 512, 256, 128 and 64 MB, one file of each size
            for /l %%L in (1,1,4) do (
                for /f "tokens=3" %%J in ('dir %~d0 /-C') do (set freespace=%%J)
                set /a sizofilemb=!sizofile! / 1024 / 1024 / 2
                set /a sizofile=!sizofile! / 2
                if !freespace! GEQ 67108864 (
                    if !freespace! GEQ !sizofile! (
                        call :getime
                        fsutil file createnew "%~d0\[ !sizofilemb! Mb ] !randtime!" !sizofile!
                    )
                ) else (
                    rem Less than 64 MB left: the last file takes exactly the remaining space
                    if !freespace! EQU 0 goto ready
                    call :getime
                    fsutil file createnew "%~d0\[ 1-63 Mb ] !randtime!" !freespace!
                    goto :EOF
                )
            )
        )
    )

    :ready
    exit /b

    :getime
    rem Build a 7-digit code from the current time, hundredths of a second included,
    rem so that two files created one after another never get the same name
    set randtime=!time:~-10!
    set randtime=!randtime::=!
    set randtime=!randtime:,=!
    set randtime=!randtime:.=!
    exit /b

    The logic of the code is as follows:

    • determine the amount of free space on the flash drive;
    • while more than 1 GB is free, create files of 1 GB until that is no longer the case;
    • when less than 1 GB is free, try to create files of 512 MB, 256 MB, 128 MB and 64 MB, and then a last file of 1 to 63 MB that takes exactly the remaining space.


    As a result, roughly the following set of files is created on the flash drive, filling all the free space (the 7-digit unique code at the end of each file name is needed to avoid the error of creating two files with the same name):

    [1-63 Mb] 7344296
    [64 Mb] 7343581
    [256 Mb] 6050959
    [512 Mb] 6043075
    [1024 Mb] 2341570
    [1024 Mb] 2353157


    Once such protection is installed on a flash drive, you must not delete anything from it (including the bat file mentioned above), otherwise the protection stops working. To remove the protection from writing new files (for example, when you need to write something to the flash drive), delete one or more of the files created in this way, of the smallest size that covers your need, and write your data. Restoring the protection afterwards takes minimal time, since only small files have to be recreated.
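    To check the planner's decisions without touching a drive, here is an added example in Python (my own, not code from the post or from AUTOSTOP) that mirrors the batch file's logic on a plain number of free bytes: it produces the list of file labels and sizes the script would create, shows where the original single-file method breaks on FAT32, and models the unlock, write and restore cycle described above. The file labels, the 16 GB scenario and the helper names are assumptions made for the example; the only thing a real run adds per planned file is the fsutil file createnew call.

```python
# Added example (not part of the original post or the AUTOSTOP script): a dry
# run of the chunked fill planner that the batch file above implements.
# The per-file "fsutil file createnew <drive>\[ <label> ] <code> <size>" call
# is deliberately left out so the example runs offline.

MIB = 1024 * 1024
GIB = 1024 * MIB
FAT32_MAX_FILE = 2**32 - 1   # FAT32 keeps the file size in a 32-bit field


def plan_single_file(free_bytes):
    """The original one-file method: a single file covering all free space.

    Fails on FAT32 as soon as more than 4 GB is free (drawback 1 in the post).
    """
    if free_bytes > FAT32_MAX_FILE:
        raise ValueError(
            f"{free_bytes} free bytes do not fit in one FAT32 file "
            f"(limit {FAT32_MAX_FILE})"
        )
    return [("[ single ]", free_bytes)] if free_bytes else []


def plan_chunked(free_bytes):
    """Mirror the batch script's decisions; return [(label, size), ...].

    * while more than 1 GB is free, take 1 GB files;
    * below 1 GB, try one file each of 512, 256, 128 and 64 MB while at
      least 64 MB is still free;
    * the first time less than 64 MB is free, one last file takes exactly
      the remainder and the run ends.
    """
    plan = []
    free = free_bytes
    while free > 0:
        if free > GIB:
            plan.append(("[ 1024 Mb ]", GIB))
            free -= GIB
            continue
        size = GIB
        for _ in range(4):
            size //= 2
            if free >= 64 * MIB:
                if free >= size:
                    plan.append((f"[ {size // MIB} Mb ]", size))
                    free -= size
            else:
                if free > 0:
                    plan.append(("[ 1-63 Mb ]", free))
                    free = 0
                break
    return plan


def files_to_delete(plan, needed_bytes):
    """Choose protection files to delete so that at least needed_bytes become free.

    Prefer the single smallest file that covers the need; otherwise take the
    largest files first.  Returns the chosen (label, size) entries.
    """
    covering = [f for f in plan if f[1] >= needed_bytes]
    if covering:
        return [min(covering, key=lambda f: f[1])]
    chosen, freed = [], 0
    for f in sorted(plan, key=lambda f: f[1], reverse=True):
        if freed >= needed_bytes:
            break
        chosen.append(f)
        freed += f[1]
    return chosen


def reprotect_after_write(plan, needed_bytes, written_bytes):
    """Unlock, write data, and plan the files that restore the protection.

    Returns (deleted_files, new_plan).  Only the unlocked space has to be
    refilled, so the new plan consists of small files and is quick to create.
    """
    deleted = files_to_delete(plan, needed_bytes)
    freed = sum(size for _, size in deleted)
    if written_bytes > freed:
        raise ValueError("not enough space was unlocked for the data")
    return deleted, plan_chunked(freed - written_bytes)


if __name__ == "__main__":
    # Constructed scenario: a 16 GB stick with 8.5 GiB + 66 MiB still free.
    free = 8 * GIB + 512 * MIB + 66 * MIB
    for label, size in plan_chunked(free):
        print(f"{label:<14} {size:>12} bytes")
    try:
        plan_single_file(free)
    except ValueError as exc:
        print("single-file method:", exc)
    deleted, refill = reprotect_after_write(plan_chunked(free), 100 * MIB, 100 * MIB)
    print("delete to unlock 100 MiB:", deleted)
    print("recreate afterwards:", refill)
```

    Running the scenario above creates eight 1 GB files, then 512 MB, 64 MB and a 2 MB remainder; unlocking 100 MB costs only the 512 MB file, and restoring the protection afterwards needs just a 256 MB, a 128 MB and a 28 MB file.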

    Analysis


    Strictly speaking, this method cannot be considered a full equivalent of the hardware read-only switch found on some types of flash drives. Even when the flash drive is protected from writing new files by the described method, a virus is still able to create the file autorun.inf on it, but it will not be able to write anything into that file.

    It should also be noted that a virus can still infect potentially vulnerable files that are already on the flash drive, thanks to the unused space at the end of the last cluster allocated to each file (a consequence of cluster-based allocation). But the trend in virus development suggests that today viruses infect individual files less and less, and rely more and more on vulnerabilities in the Windows operating system.

    Thus, this method can be considered write protection only in the sense that no non-empty new files can be created on the flash drive. Nevertheless, as practice shows, it is a serious protective measure against autorun viruses. As mentioned above, the method is well suited to protecting bootable flash drives (which have their own autorun.inf file) that cannot be protected by creating a directory named AUTORUN.INF, as well as flash drives carrying a personal set of necessary software that get plugged into other people's computers.
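    As an added illustration (my own, not from the post) of the residual risk just described, the following Python quantifies what a virus could still write once every free cluster is taken: the slack at the end of each of your own files, and whether a new file of a given size can be created at all. The 32 KB cluster size and the file sizes are constructed sample values; the only assumptions about the file system are that FAT allocates whole clusters, that the fill files created by the script are cluster-aligned or take the exact remainder (so they contribute no slack), and that an empty file needs only a free directory entry.

```python
# Added example (not from the original post): a defender's estimate of the
# residual write capacity left on a "full" flash drive.  FAT hands out whole
# clusters, so a file of n bytes leaves (cluster - n % cluster) % cluster
# bytes of slack in its last cluster.  The protection files are 1 GB / 512 MB /
# ... multiples or the exact remainder, so only your own files contribute.
# All sizes below are constructed sample values.

KIB = 1024


def slack_bytes(file_size, cluster_size):
    """Unused bytes in the last cluster of a file (0 for an empty file)."""
    if file_size == 0:
        return 0          # an empty file owns no data cluster at all
    return (cluster_size - file_size % cluster_size) % cluster_size


def residual_capacity(file_sizes, cluster_size):
    """Bytes that could be appended to the listed files without any free cluster."""
    return sum(slack_bytes(size, cluster_size) for size in file_sizes)


def can_create(file_size, free_clusters, cluster_size):
    """Can a new file of file_size bytes be created with free_clusters clusters left?

    Assumes the target directory still has a spare entry.  With zero free
    clusters only an empty file (a bare directory entry) is possible, which is
    exactly the autorun.inf case from the analysis: the name appears, the
    content cannot.
    """
    needed_clusters = -(-file_size // cluster_size)   # ceiling division
    return needed_clusters <= free_clusters


def protection_report(user_files, cluster_size):
    """Summarise what remains writable after the fill files took every free cluster."""
    return {
        "slack_per_file": {name: slack_bytes(size, cluster_size)
                           for name, size in user_files.items()},
        "total_appendable": residual_capacity(user_files.values(), cluster_size),
        "empty_new_file": can_create(0, 0, cluster_size),
        "nonempty_new_file": can_create(1, 0, cluster_size),
    }


if __name__ == "__main__":
    cluster = 32 * KIB   # constructed: a typical cluster size for a FAT32 stick
    my_files = {          # constructed file sizes
        "autostop.bat": 1400,
        "portable_app.exe": 2_345_678,
        "notes.txt": 0,
    }
    report = protection_report(my_files, cluster)
    for name, slack in report["slack_per_file"].items():
        print(f"{name:<18} slack {slack:>6} bytes")
    print("total appendable without a free cluster:", report["total_appendable"])
    print("empty autorun.inf still possible:", report["empty_new_file"])
    print("non-empty autorun.inf possible:", report["nonempty_new_file"])
```

    The report makes the two limits of the method explicit: the sum of the slack of your own files is the most a virus could append in place, and an empty file name can still appear, while a file with any content at all needs a free cluster that no longer exists.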

    I would like to say a few more words about the notorious reliability of the protection provided by the hardware read-only switch. Here is a case in point.

    My wife's camera (Canon A610) has no way to display a battery indicator. I found alternative firmware that has this feature and wrote it to a memory card. The firmware's instructions say that for it to load automatically (rather than being started by hand after the camera is switched on), you need to move the switch on the memory card to the “locked” position. I re-read this item several times: had I really misunderstood? No, that is what it says. I put the switch in the “Lock” position and loaded the card into the camera, expecting it to complain that recording was impossible, and... nothing happened: all the shots were saved to the memory card perfectly, and failed frames could be deleted without any problem. Draw your own conclusions.


    Concrete implementation


    The code for creating the bat file yourself is shown above. But it is most convenient to use the new version 2.4 of my AUTOSTOP script.

    After each file is created, it can give a short beep through the system speaker, so that you do not have to look every few seconds to see whether another file has been created (as you know, a watched pot never boils), and when the installation of the protection is complete it gives a long beep.

    PS: I remind you that protecting a flash drive by means of NTFS permissions is still an option, but there are cases when its use is undesirable for one reason or another.

    PPS: Thanks to Elroir for helping to write the code.
