I'm becoming paranoid about infected USB sticks on my work machine - what can I use to protect it?


Lately I’ve been worrying about infected USB sticks finding their way into my Windows machine.
Every day there’s at least 3 different USB sticks on my machine, it’s not rare to find one that’s infected, so I don’t even connect my personal devices to it anymore.
Today I did a fresh install of Windows 10 Pro on it. I haven’t connected any foreign devices so far and I would like to know: what kind of software should I install to prevent infections on this machine?
I should mention that I’ve tried almost all antiviruses; only Kaspersky seemed to work properly on its 30-day free trial. If need be, my manager has allowed me to buy a key for it.


Don’t let random people put USBs into your machine…

You could also sheepdip them


My computer kind of is the sheep dip machine; it was assembled with all sorts of parts that were lying around.
I’ll try to shoo people away from this machine from now on. As it stands it’s safe, it has a password now.


3 things come to mind:

  1. Disable all or specific USB ports in the UEFI.
    That of course means that you’re kind of boned when it comes to required peripherals (Mouse/Keyboard) or if you actually need a port yourself. You can use USB to PS2 adapters for Mouse and Keyboard at least, but that doesn’t solve the issue when you actually need a port.

  2. Disabling auto-mounting (limited success rate)
    I’d imagine that infected sticks don’t need to be mounted, so disabling auto-mounting is a really limited possibility, but at least something.
    Software side it’s kind of hard, especially with the recent IME attacks. Not sure how it’s on the AMD platform.

  3. You could also run Linux and virtualize Windows :X

Just because you’re not logged in doesn’t mean you’re not vulnerable.
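The software-side options raised in this thread (autorun off, USB storage blocked, keyboard and mouse left working) can be set on Windows 10 through three registry values. The script below is an added example, not something posted by anyone in the thread; it assumes an elevated PowerShell prompt and a machine that is not managed by domain Group Policy.

```powershell
# Added example: audit (default) or apply (-Apply) USB-storage hardening settings.
# Run from an elevated PowerShell prompt.
param([switch]$Apply)

$settings = @(
    # USB mass-storage driver: 3 = load on demand (default), 4 = disabled.
    # Keyboards and mice use the HID drivers and are not affected.
    @{ Path = 'HKLM:\SYSTEM\CurrentControlSet\Services\USBSTOR'
       Name = 'Start'; Want = 4 },
    # AutoRun off for every drive type (0xFF covers all types).
    @{ Path = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer'
       Name = 'NoDriveTypeAutoRun'; Want = 255 },
    # Registry form of the policy "All Removable Storage classes: Deny all access".
    @{ Path = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\RemovableStorageDevices'
       Name = 'Deny_All'; Want = 1 }
)

foreach ($s in $settings) {
    # Read the current value; a missing key or value is reported as "not set".
    $item = Get-ItemProperty -Path $s.Path -Name $s.Name -ErrorAction SilentlyContinue
    $current = if ($item) { $item.($s.Name) } else { $null }
    $ok = ($current -eq $s.Want)

    if ($Apply -and -not $ok) {
        # Create the key if the policy has never been configured, then write the DWORD.
        if (-not (Test-Path $s.Path)) { New-Item -Path $s.Path -Force | Out-Null }
        Set-ItemProperty -Path $s.Path -Name $s.Name -Value $s.Want -Type DWord
        $ok = $true
    }

    [pscustomobject]@{
        Setting  = "$($s.Path)\$($s.Name)"
        Previous = if ($null -eq $current) { 'not set' } else { $current }
        Wanted   = $s.Want
        Hardened = $ok
    }
}
```

Reboot after applying. A device that presents itself as a keyboard is not storage, so none of these settings affect it; that case is what the port-disabling suggestions in the thread address.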


Maybe you could take a more relaxed angle and not care how infected that machine gets :smiley:


Curious, what kind of files are those sticks carrying?


This. And make frequent known good snapshots.


I’ve been using this tactic for a while now, almost a year, but believe me, it doesn’t work…


I work at the city hall. Most of us don’t have hall-specific USB sticks (I have a dilapidated 16GB Eaget F90, which I brought from home), and some of our staff often use their personal USB sticks to move larger files between the buildings. Unsurprisingly they bring these drives already infected from their own computers; we are already aware of some xxx aficionados…


Hmm, I’ll try these when I get back tomorrow.
I personally see no problem in using Linux daily (I’m very fond of Debian with Gnome) since all of our software is cloud based. No doubt I’ll try it out, thanks for the suggestion!


Could be from anywhere

I find it just interesting that what sort of use starts spreading, like is it pdfs with some enable content buttons, or what, like what do they all do :face_with_raised_eyebrow:


You know that little .bat file that adds a shortcut of the device with all the files inside of the device itself? A good share of our machines had problems with stuff like that, but every now and then we find keyloggers and bank accounts get lost and all the blues.
It’s generally PDF files that change hands, but like I said before most of those sticks are personal, God knows what’s in there…


Did just recently see example CV with enable content button which infects


Well, I’ll hold on my end and install a Linux distro on my own machine (as @mihawk90 suggested), probably Debian with Gnome. It’ll help to shoo some of the common users of my machine and also keep the crap out of it too.
I wonder now, what could we use for the rest of the buildings? Kaspersky?


Disable the USB controller in the BIOS and add a BIOS password and lock the case. Only downside is you have to find a PS2 keyboard and mouse.


Holy shit is there no IT security policy at a city hall?!
Normally USB ports are disabled by default in a large company setting… especially when personal data is involved.

A PS2 adapter is like a dollar.


Nope, no security plan at all, the hall barely invested in tables for us two, we work in a 3x2m corridor with a 30U APC rack taking some of the space. We do have a split air-con, but just because it was the norm for the server rack.
They don’t really consider the I.T. department high priority, despite the fact our work makes the entire hall function, even Dell (our server supplier) has deemed the room very inadequate for the server…


Oh, and most of our network is based on 10/100 network switches and 15-year-old CAT5 cables with low-end keystones. The gigabit solution at my house is better than the one at the hall.


Couldn’t I leave just one port activated? I have a Lenovo keyboard with a USB passthrough that I can connect my mouse to.


Windows group policy link also in the comments: