Windows Thread: Stopping .exe files from being run from a USB stick (Technical forum)
  1. #16 chazzy2501
    I don't understand why your network hasn't been owned by now. The only safe thing to do is disable USB ports altogether, that and the CD drives and floppies (if you still have them).

    Bypasses used before I gave up:

    bootable ISO USB and CD (BIOS config)
    copy the exe to own / shared folder
    renaming exes to word.exe etc.
    autorun (broken in M$; even when it's disabled it's really not)
    malformed .WMF and any other DOC or PPT file that contains a virus for your unpatched PC

    and I'm sure many more.

    The only ultimatum I've ever issued was on USB drives. I now force all students to email files in; those that can't have to come to me directly (and they soon died off).

    We'll soon have a VLE in place that should eliminate this need altogether! (phew)

  2. #17
    Wish I had found this site/thread *before* writing a little script to watch over processes...

    I'll play with this method of blocking exe from USB stick, but my solution may interest someone so here it is:

    I wrote a vb script that is compiled to exe;
    On boot the PC copies this exe to the c: drive (which is hidden from the pupils);
    On pupil log in the exe is executed and loads the script in to memory;
    The script checks every 15 seconds for a process with a path that is NOT on the c: drive and NOT in (a rather kludgy OR statement that creates) a whitelist;
    If it finds the process, it logs who, what, when and which machine to a network folder and emails me the same information after it has quietly canned the process.

    The kids think their software doesn't work (though there are usually two or three tries!) and I know who is fooling around. I usually rename the exe file to something without deleting it so that they can see that I am on top of things.

    It has been running for a week now and I have trapped three kids so far.

    Weaknesses:
    They have to have write access to the network share (which is hidden) so if they found it they could delete those records;
    If they are clever and work out what is going on they could write a script to disable my script but they would inevitably inform me of what they were doing as they did that unless they were *really* good. This is why I like the system here that shuts down all exes.

    If anyone is interested in the script reply here and I will post it.

  3. #18 john
    Yes please, share away; the more ways and suggestions for combating this, the better for us.

  4. #19 OverWorked

    USBDLM and Software Restriction Policies

    I've just cracked it with a combination of USBDLM to lock USB drives to drive letters, and a Software Restriction Policy to stop executables.

    Install USBDLM with the .msi and GPO and another .msi to deploy the .ini file with USBDLM's drive letters.

    Set a GPO with a Software Restriction Policy for pupils. Leave everything at the defaults and add additional rules to disallow %homeshare%, %homepath%, H:\ (their home drive, but this may be the same as %homepath%), then the USBDLM drive letters: U:\, W:\ etc.

    Don't set paths like U:\*.bat. It doesn't work like that. Disallowing U:\*.bat will only block .bat files in the root of U: and nothing else. Pretty useless. Just set paths like U:\ and it will block all file types listed in the Designated File Types in all subfolders.
    Last edited by OverWorked; 19th March 2010 at 05:28 PM. Reason: spelling


  6. #20 john
    Oooh, that's a way I didn't think of doing it! We already have USB drives set to use 4 letters. Cheers

  7. #21
    Quote Originally Posted by john:
    Yes please, share away; the more ways and suggestions for combating this, the better for us.

    Here you are. Things you need to change are in <<<THIS_STYLE>>>.

    I am no Bill Gates but it does the job. I compile it to exe using VbsEdit. This does NOT stop it running as a WScript process however; it just makes it harder for them to find the source. I have been pondering rewriting it in C++, but I would need to learn it first. Or AutoIt, or doing what is described in this thread as a first line of defence!

    Code:
    ' Forbidden process tracker
    ' Thomas W-P
    ' First code based on
    ' Process.vbs
    ' Free Sample VBScript to discover which processes are running
    ' Author Guy Thomas http://computerperformance.co.uk/
    ' -------------------------------------------------------'
    '
    ' Command line arguments:
    ' 0 - the path to the log folder
    ' 1 - the wait time in seconds
    ' 2 - debugging (1 = true, anything else = false)

    Option Explicit
    Dim objWMIService, objProcess, colProcess, objFSO, objLogFile, wshNetwork
    Dim strComputer, strList, strNameOfUser, Return, strPathToLog, strComputerName, iWaitTimeSeconds
    Dim debugging, argu, dbStr

    ' constants can't be changed by code
    Const ForAppending = 8 ' for the log save
    Const tryEmail = True

    ' default values that can be overridden by arguments
    strPathToLog = "<<<YOUR_HARD_CODED_LOG_LOCATION>>>" ' default, argument 0
    iWaitTimeSeconds = 15 ' default wait time, argument 1
    debugging = False ' argument 2

    ' does the command line switch on debugging?
    If WScript.Arguments.Count > 2 Then
        If WScript.Arguments(2) = "1" Then debugging = True
    End If

    If debugging Then
        dbStr = "Arguments found are:" & vbCrLf
        For Each argu In WScript.Arguments
            dbStr = dbStr & argu & vbCrLf
        Next
        GoDebug dbStr
    End If

    ' set up variables
    Set wshNetwork = WScript.CreateObject("WScript.Network")
    strComputerName = wshNetwork.ComputerName
    Set wshNetwork = Nothing

    ' initialise the object that will let us write a log file
    Set objFSO = CreateObject("Scripting.FileSystemObject")

    ' check and load the arguments
    If WScript.Arguments.Count > 0 Then
        If objFSO.FolderExists(WScript.Arguments(0)) And Not WScript.Arguments(0) = "null" Then
            strPathToLog = WScript.Arguments(0)
        End If
    End If
    If Right(strPathToLog, 1) <> "\" Then strPathToLog = strPathToLog & "\"

    ' check if there is a second argument setting the seconds to wait
    If WScript.Arguments.Count > 1 Then
        If IsNumeric(WScript.Arguments(1)) And Not WScript.Arguments(1) = "null" Then iWaitTimeSeconds = Int(WScript.Arguments(1))
    End If

    ' debug what we have found so far (one <user>.csv file is written per user in the log folder)
    GoDebug "Log folder: " & strPathToLog & vbCrLf & "Wait time: " & iWaitTimeSeconds & " seconds"

    ' prepare to get the list of processes ("." means this machine)
    strComputer = "."
    Set objWMIService = GetObject("winmgmts:{impersonationLevel=impersonate}!\\" & strComputer & "\root\cimv2")

    Do
        ' get the list of processes
        Set colProcess = objWMIService.ExecQuery("Select * from Win32_Process")
        ' run through processes checking the path
        For Each objProcess In colProcess
            ' ExecutablePath is Null for system processes (System, Idle etc.), so skip those;
            ' if the path does not start with C, get the user and write to file
            If Not IsNull(objProcess.ExecutablePath) Then
                If LCase(Left(objProcess.ExecutablePath, 1)) <> "c" _
                    And objProcess.ExecutablePath <> "<<<YOUR_ALLOWED_NON-C_PATH>>>" Then
                    Return = objProcess.GetOwner(strNameOfUser)
                    If Return <> 0 Then
                        strNameOfUser = "unknown"
                    End If
                    GoDebug "strNameOfUser: " & strNameOfUser & _
                        ":  Will try to kill " & objProcess.ExecutablePath
                    ' send an email?
                    If tryEmail Then SendEmail strNameOfUser, objProcess.ExecutablePath, strComputerName
                    ' write to the file: name, PC, file, date/time
                    Set objLogFile = objFSO.OpenTextFile(strPathToLog & strNameOfUser _
                        & ".csv", ForAppending, True)
                    objLogFile.Write strNameOfUser & ", " & strComputerName & ", " & objProcess.ExecutablePath _
                        & ", " & FormatDateTime(Now(), 0)
                    objLogFile.WriteLine
                    objLogFile.Close ' ensure it is closed and forgotten
                    ' kill the process (ignore errors, e.g. if it has already exited)
                    On Error Resume Next
                    objProcess.Terminate()
                    On Error GoTo 0
                End If
            End If
        Next
        ' wait the given number of seconds
        WScript.Sleep iWaitTimeSeconds * 1000
        Set colProcess = Nothing
    Loop

    WScript.Quit ' (won't get here if it is coded right)
    ' End of script

    ' sub routines

    ' debugging
    Sub GoDebug(strMessage)
        Dim m

        If Not debugging Then Exit Sub

        ' 49 = vbOKCancel + vbExclamation; MsgBox returns 2 (vbCancel) for [Cancel]
        m = MsgBox(strMessage & vbCrLf & vbCrLf & "Click [Cancel] to abort", 49, "Process Tracker Debugging")

        Select Case m
            Case 2
                WScript.Quit
            Case Else
        End Select

    End Sub

    ' send email
    Sub SendEmail(strUser, strMessage, strComputer)
        Dim objEmail

        Set objEmail = CreateObject("CDO.Message")
        objEmail.From = "<<<YOUR_EMAIL_FROM>>>"
        objEmail.To = "<<<YOUR_EMAIL_TO>>>"
        objEmail.Subject = strUser & " has been naughty."
        objEmail.Textbody = strUser & " was prevented from running the following application:" _
            & vbCrLf & "Time: " & FormatDateTime(Now(), 0) _
            & vbCrLf & "PC:   " & strComputer _
            & vbCrLf & "App:  " & strMessage
        ' 2 = cdoSendUsingPort (send via the SMTP server below)
        objEmail.Configuration.Fields.Item _
            ("http://schemas.microsoft.com/cdo/configuration/sendusing") = 2
        objEmail.Configuration.Fields.Item _
            ("http://schemas.microsoft.com/cdo/configuration/smtpserver") = _
                "<<<YOUR_SMTP_SERVER_IP_ADDRESS>>>" ' Modify to your SMTP Server Address
        objEmail.Configuration.Fields.Item _
            ("http://schemas.microsoft.com/cdo/configuration/smtpserverport") = 25
        objEmail.Configuration.Fields.Update
        objEmail.Send
    End Sub

  8. #22 OverWorked

    Doesn't block Flash

    The above method does block executables like .bat, and .exe, but does not block .swf, even if you add it to the Designated File Types.

    I'm not sure what's going on, but the Designated File Types list by default includes items like .lnk and .url but the policy doesn't disallow these.

    I've added SWF file type and it doesn't block that either.

    Any ideas why it's only applying to some file types and not others?

    (We're wandering off topic now, which was how to block executables. I might start another thread).

  9. #23 mortstar
    Quote Originally Posted by OverWorked:
    The above method does block executables like .bat, and .exe, but does not block .swf, even if you add it to the Designated File Types.

    I'm not sure what's going on, but the Designated File Types list by default includes items like .lnk and .url but the policy doesn't disallow these.

    I've added SWF file type and it doesn't block that either.

    Any ideas why it's only applying to some file types and not others?

    (We're wandering off topic now, which was how to block executables. I might start another thread).
    This is exactly the situation I'm in.

    Executables have been blocked from running from Home Areas and pen drives for a couple of years. Recently we've had a spate of Flash games running from pen drives. I thought adding .swf to Designated File Types would lock them down, but it doesn't seem to take effect.

    Those who have it working are you blocking from User Config, Computer Config or both?

  10. #24
    I have deployed the policy now. I did not put in the WUSB thing, just blocked all drives apart from C:, and added %UserProfile% too.

    This works nicely, but:

    - their "My Documents" is the X: drive and they are still able to execute exe files on that drive despite my disallowing x: and %HOMEDRIVE%%HOMEPATH%.
    - worse, one of the files that is run is automatically extracting an exe file to a temp folder in their user profile and running that with no problems despite it being on the %UserProfile% path.

    I have just added \ to the end of the above AND added \\server\Student$\%USERNAME\ to the disallowed list. I have also added the name of the one exe I know of so far that copies to the temp folder to my process tracking script mentioned above. It might put them off but is not a long term solution.

    I have also noticed that my login script no longer runs and throws a wscript error despite me making \\server\SYSVOL\domain\ unrestricted.

    Later: with the changes described, everything started working. I worked out that the login error was my own process tracker being launched in to a temp file and being blocked by the policies which had started working properly.
    Last edited by thomaswp; 24th March 2010 at 11:17 PM. Reason: Everything started working :D

  11. #25 OverWorked

    New thread

    I've started a new thread, as it's changed topic from .exe file to .swf.

  12. #26 aerospacemango
    Totally invaluable!

    This will stop the little blighters from bypassing our Sophos proxy box!!!!

  13. #27

    Stopping executables from any path

    Quote Originally Posted by Kyle:
    I think this has been covered many times but I can't seem to find older posts when I search.

    Is there a way to stop kids from running exe files from the USB keys they bring into school? We don't want to ban them altogether but wondered if there is a way to stop this.

    Sorry if this has been answered before but I can't find it.

    Kyle:

    I had the same issue and came up with a solution that does not require third party tools and it works every time. You can do it using domain software restriction policies and specify the path and the extension to block, such as *.exe or *.bat, while allowing documents to be opened from those locations.

    Open the Group Policy Management tool and navigate to:
    Computer Configuration
    Windows Settings
    Software Restriction Policies (right click on it to populate the right pane)

    Then right click on Security Levels and make sure you have the "Disallowed" and "Unrestricted" policies. If you don't have them, right click and create them.

    Then right click on "Additional Rules" and click on New Path Rule. If your USBs are, let's say, on the E: drive and you want to block all exe extensions, then
    PATH: E:\*.exe
    SECURITY LEVEL: Disallowed
    and click OK.

    You can add more path rules for extensions such as .bat, .vbs, etc.

    You would need to restart the workstations to refresh the policy in all. The policy has to be linked and enforced in whichever OU you want to implement it in.

    You can use PsTools to restart all workstations remotely. (You can get the entire list from AD.)

    Good luck!
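    An added example, not posted by anyone in this thread, for checking what the Software Restriction Policy described in this post and in #19 actually delivered to a workstation: it reads the Safer\CodeIdentifiers registry keys the GPO writes, under both Computer Configuration (HKLM) and User Configuration (HKCU), lists the path rules and the Designated File Types, and flags rules of the form X:\*.ext, which OverWorked reported above as matching only the drive root. It assumes a domain-joined Windows client on which the policy has already been applied.

```powershell
# Added example (not posted by anyone in this thread): report the Software
# Restriction Policy a workstation has actually received, from both scopes.
# Assumes the SRP GPO described above has already been applied (gpupdate /force).
$base = 'SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers'
$scopes = @{
    'Computer Configuration' = "HKLM:\$base"   # Computer Config > Windows Settings > SRP
    'User Configuration'     = "HKCU:\$base"   # User Config > Windows Settings > SRP
}
# Security levels are stored as numeric subkeys of CodeIdentifiers.
$levels = @{ 0 = 'Disallowed'; 131072 = 'Basic User'; 262144 = 'Unrestricted' }

function Get-SrpPathRule {
    foreach ($scope in $scopes.Keys) {
        $root = $scopes[$scope]
        if (-not (Test-Path $root)) { continue }   # no SRP delivered in this scope
        $cfg = Get-ItemProperty -Path $root
        foreach ($lvl in $levels.Keys) {
            $pathsKey = "$root\$lvl\Paths"
            if (-not (Test-Path $pathsKey)) { continue }
            foreach ($ruleKey in Get-ChildItem -Path $pathsKey) {
                $rule = Get-ItemProperty -Path $ruleKey.PSPath
                [pscustomobject]@{
                    Scope        = $scope
                    Level        = $levels[$lvl]
                    Path         = $rule.ItemData
                    # U:\*.bat style rules: reported above as matching only the drive root
                    RootWildcard = [bool]($rule.ItemData -match '^[A-Za-z]:\\\*\.[^\\]+$')
                    DefaultLevel = $(if ($null -ne $cfg.DefaultLevel) { $levels[[int]$cfg.DefaultLevel] } else { 'not set' })
                }
            }
        }
    }
}

function Get-SrpDesignatedType {
    # The "Designated File Types" list as received by this client; check it here
    # when a newly added extension (e.g. .swf) does not seem to take effect.
    foreach ($scope in $scopes.Keys) {
        $root = $scopes[$scope]
        if (Test-Path $root) {
            [pscustomobject]@{
                Scope = $scope
                Types = ((Get-ItemProperty -Path $root).ExecutableTypes -join ', ')
            }
        }
    }
}

$rules = Get-SrpPathRule
$rules | Sort-Object Scope, Level, Path | Format-Table Scope, Level, Path, RootWildcard -AutoSize
Get-SrpDesignatedType | Format-List
foreach ($r in ($rules | Where-Object RootWildcard)) {
    Write-Warning "$($r.Path) ($($r.Scope)): rules of this form were reported above as matching only the drive root; test an exe in a nested folder before relying on it."
}
```

    Run it in the pupil's session as well as an admin one: the HKCU branch only exists where a User Configuration policy applies to that account, which is the Computer vs User question raised in #23.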

  14. #28 cookie_monster
    Quote Originally Posted by haleman:
    Kyle:

    I had the same issue and came up with a solution that does not require third party tools and it works every time. You can do it using domain software restriction policies and specify the path and the extension to block, such as *.exe or *.bat, while allowing documents to be opened from those locations.

    Open the Group Policy Management tool and navigate to:
    Computer Configuration
    Windows Settings
    Software Restriction Policies (right click on it to populate the right pane)

    Then right click on Security Levels and make sure you have the "Disallowed" and "Unrestricted" policies. If you don't have them, right click and create them.

    Then right click on "Additional Rules" and click on New Path Rule. If your USBs are, let's say, on the E: drive and you want to block all exe extensions, then
    PATH: E:\*.exe
    SECURITY LEVEL: Disallowed
    and click OK.

    You can add more path rules for extensions such as .bat, .vbs, etc.

    You would need to restart the workstations to refresh the policy in all. The policy has to be linked and enforced in whichever OU you want to implement it in.

    You can use PsTools to restart all workstations remotely. (You can get the entire list from AD.)

    Good luck!

    I tried this method and one flaw is that it only works to about 3 or 4 folders deep; try creating a structure and see if you can run an .exe file from E:\folder1\folder2\folder3\folder4\folder5

    In the end we blanket banned all exes except from where we specified that they could run.

  15. #29
    Hi:

    I created this folder structure
    1 folder
    2 folder
    3 folder
    4 folder
    5 folder
    6 folder

    and moved exe and bat files to every folder and it worked in all of them. I also applied the same domain policy to floppy drives mapped to A and it also worked.

  16. #30
    While I was typing the previous message, I was burning the folder structure to cd and just finished testing it. It also works. The executables I'm testing with are u995.exe (ultrasurf) and Tor, plus a couple of batch files.
