13:17 Protecting a flash drive from the writing of new files
I continue the theme of protecting flash drives from viruses (I have previously published AUTOSTOP, a script that protects a flash drive from autorun viruses, and Panda USB and AutoRun Vaccine, a cure for autorun viruses on flash drives; both mostly dealt with protecting the drive from a malicious autorun.inf file being written to it). The topic is interesting because cleaning viruses off your computer is a fight against the consequences, whereas protecting the flash drive from viruses is a measure aimed at the cause. Protection of the drive from the writing of new files is achieved by determining the free space on it and then filling that space completely with the fsutil tool. This method is ideal, for example, for protecting bootable flash drives (which carry an autorun.inf file), which cannot be protected by creating a directory of the same name, AUTORUN.INF. Below is a description of the method, its analysis and a way to fully automate it. The method was not invented by me: it was suggested by the user cook, and later I found it in more specialized sources. I have developed a convenient automated way of applying it and, based on an analysis of both its strengths and its weaknesses, given it a more accurate name, namely "protection from the writing of new files" (as opposed to the less precise "write protection" used in other sources, which does not fully reflect the essence of the method).

Method

In the original, the following command is used to create such a file:

fsutil file createnew <filename> <length>

fsutil is a command-line utility. To use fsutil you must be logged in with an administrator account or an account that is a member of the Administrators group. As testing showed, this approach has 2 drawbacks:
My automated version uses the following code (save it as a bat-file, copy it to the flash drive and run it from there); it is free of these shortcomings:

@echo off
setlocal enabledelayedexpansion
rem start with 1 GB files (1024*1024*1024 bytes)
set /a sizofile=1024*1024*1024
for /l %%K in (1,1,256) do (
    rem free space on the drive the bat-file runs from, listed without thousands separators
    for /f "tokens=3" %%J in ('dir %~d0 /-C') do (set freespace=%%J)
    if !freespace! EQU 0 goto ready
    if !freespace! GTR !sizofile! (
        call :getime
        fsutil file createnew "%~d0\[1024 Mb] !randtime!" !sizofile!
    ) else (
        rem halve the file size up to 5 times: 512, 256, 128, 64, 32 MB
        for /l %%M in (1,1,5) do (
            for /f "tokens=3" %%J in ('dir %~d0 /-C') do (set freespace=%%J)
            set /a sizofilemb=!sizofile!/1024/1024/2
            set /a sizofile=!sizofile!/2
            if !freespace! GEQ 67108864 (
                if !freespace! GEQ !sizofile! (
                    call :getime
                    fsutil file createnew "%~d0\[!sizofilemb! Mb] !randtime!" !sizofile!
                )
            ) else (
                rem less than 64 MB left: one last file takes all the remaining bytes
                if !freespace! EQU 0 goto ready
                call :getime
                fsutil file createnew "%~d0\[1-63 Mb] !randtime!" !freespace!
                goto :EOF
            )
        )
    )
)
:ready
exit /b
:getime
rem 7-digit code taken from the current time, with the colons and the decimal separator removed
set randtime=!time:~-10!
set randtime=!randtime::=!
set randtime=!randtime:,=!
exit /b

The logic of the code is as follows:
As a result, roughly the following file structure is created on the flash drive, filling all available space (the 7-digit unique code at the end of each file name is needed to avoid errors from creating files with the same name):

[1-63 Mb] 7344296
[64 Mb] 7343581
[256 Mb] 6050959
[512 Mb] 6043075
[1024 Mb] 2341570
[1024 Mb] 2353157

Once such protection is installed on a flash drive, nothing may be deleted from it (including the bat-file mentioned above), otherwise the protection stops working. To remove the protection from the writing of new files (for example, when you want to record something on the drive), delete one or more of the files created this way, of the minimum required total size, and write your data. Restoring the protection afterwards will then take less time.

Analysis

Strictly speaking, this method cannot be considered a complete analogue of the hardware "read-only" switch found on some kinds of flash drives. Even if the flash drive is protected from the writing of new files by this method, a virus is still able to create an autorun.inf file on the drive; it just cannot write anything into that file any more. It should also be noted that a virus is able to infect potentially vulnerable files already stored on the drive, because of the remainder of free space (due to cluster allocation) left over from storing the files. But the trend in virus functionality suggests that today viruses less often infect individual files and increasingly exploit vulnerabilities in the Windows operating system. So this method can be considered write protection only in the sense that it makes it impossible to create non-empty new files on the flash drive. That, however, as practice shows, is a serious measure of protection against autorun viruses.
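The same fill schedule in Python, as an added example that is not the author's script: plan_fill reproduces the halving schedule (1024 MB files while they fit, then 512, 256, 128 and 64 MB, then one remainder file of 1-63 MB) and fill_drive applies it to a mount point; the function names, the dry-run default and the constructed size values are assumptions of this example.

```python
"""Fill all free space on a removable drive with dummy files so that no new
non-empty file can be created on it. Added example, not the author's batch
script; the greedy schedule mirrors it. Names, the dry-run default and the
sample values are assumptions of this example."""
import os
import shutil
import time

MIB = 1024 * 1024
CHUNK_SIZES = [1024 * MIB, 512 * MIB, 256 * MIB, 128 * MIB, 64 * MIB]


def plan_fill(free_bytes):
    """Return [(label, size), ...] that together consume free_bytes exactly:
    largest chunk first, then the leftover (below 64 MiB) as one last file."""
    plan, remaining = [], free_bytes
    for size in CHUNK_SIZES:
        while remaining >= size:
            plan.append(("[%d Mb]" % (size // MIB), size))
            remaining -= size
    if remaining > 0:
        plan.append(("[1-63 Mb]", remaining))
    return plan


def unique_suffix():
    """7-digit time-derived code (like the script's randtime) so two files
    created in the same run do not get the same name."""
    return time.strftime("%H%M%S") + str(int(time.time() * 10) % 10)


def write_zero_file(path, size, block=4 * MIB):
    """Equivalent of 'fsutil file createnew': a file of exactly `size` bytes.
    Zeros are really written so the space is consumed (a bare truncate would
    produce a sparse file on many file systems and consume nothing)."""
    zeros = b"\0" * block
    with open(path, "xb") as fh:  # "x": never overwrite an existing file
        left = size
        while left > 0:
            fh.write(zeros[:min(block, left)])
            left -= min(block, left)
    return os.path.getsize(path)


def fill_drive(root, dry_run=True):
    """Plan (and with dry_run=False create) the filler files for the drive at
    `root`. Existing files stay writable: only the creation of new non-empty
    files is blocked, which is all this method guarantees."""
    plan = plan_fill(shutil.disk_usage(root).free)
    if not dry_run:
        for label, size in plan:
            write_zero_file(os.path.join(root, "%s %s" % (label, unique_suffix())), size)
    return plan
```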
As mentioned above, this method is well suited for protecting bootable flash drives (which carry an autorun.inf file), which cannot be protected by creating a directory of the same name, AUTORUN.INF, as well as flash drives holding a personal set of required software that get connected to other people's computers.

I want to say a few words about the notorious security afforded by the hardware "Read-only" switch. There was such a case. My wife's camera (a Canon A610) cannot display a battery charge indicator. I found an alternative firmware that has this feature and wrote it to a memory card. The firmware's instructions say that for it to load automatically (rather than being started by hand after the camera is switched on), the switch on the memory card must be moved to the "Locked" position. I read that paragraph several times to make sure I was not mistaken. No, that is right. I set the switch to "Lock", put the card in the camera, expecting it to now complain that it cannot write, and... nothing of the sort happened: all the photos taken were saved to the memory card fine, and bad shots could be deleted without any problems. Draw your own conclusions.

Concrete implementation

The code for the stand-alone bat-file is shown above. But it is most convenient to use the new version 2.4 of my script AUTOSTOP. After each file is completed it can give a short beep through the system speaker, eliminating the need to glance every few seconds to see whether another file has been created yet (because, as you know, "a watched pot never boils"), and after the protection has been installed it gives a long beep.

PS: let me remind you that protection by NTFS permissions has not been cancelled, but there are occasions when applying it is undesirable for some reason.

PPS: thanks to Elroir for help in writing the code.