Dear Stackoverflow Community!
I've got a question concerning Windows Defender, Attack Surface Reduction and Endpoint Device Manager.
To prevent LNK Worm Exploitation I want to block .LNK files on removable devices (USB drives). Example: User inserts a USB Drive and double-clicks on a file 'USB Drive.lnk' which, in fact, is malicious.
Unfortunately, after a lot of research and testing I have not yet found a satisfying solution for my problem. Maybe some of you had a similar problem.
Many thanks in advance!
Best regards
Solved it myself.
I enabled logging in event viewer under the path "Application and Services Logs\Microsoft\Windows\DriverFrameworks-UserMode".
Then I created a Task in Task Scheduler that gets activated when Event ID 2003 is found in the above path.
This task then executes a script that searches for .lnk files on USB sticks that have the drive letter D:.
#
# ------------- Globals -------------
#
# drive letter of the USB device (hard-coded: only sticks mounted as D: are covered)
$USBDeviceDriveLocation = "D:\"
# .lnk extension
$LNKExtension = ".lnk"
#
# ------------- Functions -------------
#
function SearchAndRemoveFilesWithExtension
{
<#
.SYNOPSIS
Deletes every file with the given extension below $USBDeviceDriveLocation.
#>
# file extension as parameter
param
(
[string]$extension
)
# find matching files; -Force also returns hidden/system files (the attributes LNK worms usually set),
# -File skips directories, and the search uses the drive configured in the globals
$FoundFiles = @(Get-ChildItem -Path $USBDeviceDriveLocation -Recurse -Force -File -Filter "*$extension" -ErrorAction SilentlyContinue)
# if no .lnk files were found then exit
if ($FoundFiles.Count -eq 0)
{
exit
}
# remove those files (-LiteralPath so brackets in a file name are not treated as wildcards)
foreach ($file in $FoundFiles)
{
Remove-Item -LiteralPath $file.FullName -Force
}
}
function Main
{
<#
.SYNOPSIS
Main Method
#>
SearchAndRemoveFilesWithExtension $LNKExtension
}
#
# ------------- Entry point -------------
#
Main
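The script below is an added example, not the original poster's script and not anything shipped by Microsoft. It wires up the same three steps as the answer above (enable the DriverFrameworks-UserMode log, register a Task Scheduler task triggered by Event ID 2003, sweep .lnk files) but enumerates every removable volume through Win32_LogicalDisk instead of assuming drive letter D:, runs as SYSTEM so it works no matter which user inserted the stick, and supports -WhatIf for a dry run. The task name, the script path and the 5-second settle delay are assumptions, marked in the comments.

```powershell
# Added example: event-triggered .lnk cleanup for removable drives.
# Assumed values: task name, script path, 5 s settle delay.

# ---- 1. Enable the log the task listens on (run once, elevated) ----
function Enable-UmdfOperationalLog {
    # Same log as "Applications and Services Logs\Microsoft\Windows\DriverFrameworks-UserMode"
    & wevtutil.exe set-log 'Microsoft-Windows-DriverFrameworks-UserMode/Operational' /enabled:true
}

# ---- 2. Find removable volumes and remove .lnk files on them ----
function Get-RemovableDriveRoot {
    # DriveType 2 = removable disk; fixed (3) and network (4) drives are skipped.
    # Size is $null for a card reader with no media, so those are skipped too.
    Get-CimInstance -ClassName Win32_LogicalDisk -Filter 'DriveType = 2' |
        Where-Object { $_.Size } |
        ForEach-Object { $_.DeviceID + '\' }
}

function Remove-LnkOnRemovableDrives {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [string[]]$Root = (Get-RemovableDriveRoot),
        [string]$Extension = '.lnk'
    )
    $removed = @()
    foreach ($r in $Root) {
        # -Force also returns hidden/system files, the attributes LNK worms typically set
        $files = Get-ChildItem -LiteralPath $r -Recurse -Force -File -Filter "*$Extension" -ErrorAction SilentlyContinue
        foreach ($f in $files) {
            if ($PSCmdlet.ShouldProcess($f.FullName, 'Remove')) {
                Remove-Item -LiteralPath $f.FullName -Force
                $removed += $f.FullName
            }
        }
    }
    # Returned so a task run can be audited (e.g. written to a log by the caller)
    return $removed
}

# ---- 3. Register the task that runs this script on Event ID 2003 ----
function Register-LnkCleanupTask {
    param(
        [string]$TaskName   = 'Remove-LNK-On-USB',                 # assumed name
        [string]$ScriptPath = 'C:\ProgramData\Remove-LnkOnUsb.ps1'  # assumed location of this script
    )
    # XPath subscription equivalent to the Task Scheduler UI's "On an event" trigger for that log/ID
    $subscription = @"
<QueryList>
  <Query Id="0" Path="Microsoft-Windows-DriverFrameworks-UserMode/Operational">
    <Select Path="Microsoft-Windows-DriverFrameworks-UserMode/Operational">
      *[System[Provider[@Name='Microsoft-Windows-DriverFrameworks-UserMode'] and EventID=2003]]
    </Select>
  </Query>
</QueryList>
"@
    # New-ScheduledTaskTrigger has no event option, so build the trigger from its CIM class
    $class   = Get-CimClass -ClassName MSFT_TaskEventTrigger -Namespace Root/Microsoft/Windows/TaskScheduler
    $trigger = New-CimInstance -CimClass $class -ClientOnly
    $trigger.Subscription = $subscription
    $trigger.Enabled      = $true

    $action = New-ScheduledTaskAction -Execute 'powershell.exe' `
        -Argument "-NoProfile -ExecutionPolicy Bypass -File `"$ScriptPath`""
    # SYSTEM: the deletion must work regardless of which (possibly non-admin) user plugged the stick in
    $principal = New-ScheduledTaskPrincipal -UserId 'SYSTEM' -LogonType ServiceAccount -RunLevel Highest
    Register-ScheduledTask -TaskName $TaskName -Action $action -Trigger $trigger -Principal $principal -Force
}

# ---- Entry point when the task runs the script (skipped when dot-sourced for testing) ----
if ($MyInvocation.InvocationName -ne '.') {
    # Event 2003 fires when the UMDF host starts for the device, which can be before the
    # volume has a drive letter; the settle delay (assumed 5 s) avoids sweeping too early.
    Start-Sleep -Seconds 5
    Remove-LnkOnRemovableDrives | ForEach-Object { Write-Output "Removed $_" }
}
```

To set it up once, run Enable-UmdfOperationalLog and Register-LnkCleanupTask from an elevated PowerShell after saving the script at the path you pass as -ScriptPath; to see what a sweep would delete without deleting anything, dot-source the script and call Remove-LnkOnRemovableDrives -WhatIf. Two caveats a practitioner should keep in mind: the sweep removes every shortcut on the stick, legitimate ones included, and it is a cleanup after the volume appears, not a block in the file-open path, so a user who double-clicks within the settle delay is not protected by it.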