How to prevent the spread of USB flash drive virus in Windows 7

Floppy disk has become a dusty history. I am afraid it is rare for computer users who have never used U disks. With its increasingly small size and rapidly expanding capacity, U disks have successfully replaced the floppy disk at a cheaper price and become the mainstream mobile storage media.

Convenience brings about a huge security risk. The U disk has become the most widely spread virus and malicious program in addition to the network. By mistake, viruses or malicious programs are infected with your computer.

Is it always possible to use anti-virus software passively to defend against attacks? Like car security technology, in addition to passive defense, Windows 7 also provides the technology of active defense-limiting the running of programs on mobile storage.

To enable this function, you can run gpedit directly. msc, open "Local Group Policy Editor", find "Computer Configuration", expand and find "management template", click "system", find and click "removable storage access ". All configurable removable storage access policies are displayed on the right.

The U disk is a removable disk, so let's look at how to set an access policy for a removable disk.

Since Windows Vista, the system has been able to restrict the reading and writing of removable disks. Besides, only limiting the read and write operations on the U disk cannot meet our needs. If you cannot read the disk, it will not be infected with viruses, but it will also lose the meaning of the U disk. Cannot Write can prevent information outflow, but cannot prevent virus intrusion.

What we need is a new feature provided from Windows 7 that denies execution permissions.

Click the policy and select "enabled" to open the policy. When this policy is enabled, the execution permission on the removable storage class is denied. If this policy is disabled or not configured, the execution permission for this removable storage class is allowed.

After setting this policy, let's run the program on the U disk. The system directly prompts that the operation is not allowed:

Although this prompt is a bit like UAC, it cannot be executed by changing the running account. Unless the policy is changed to allow execution.

If the read permission is denied, the information on the U disk cannot be accessed.

If the write permission is denied, the information cannot be written to the U disk.

Expand to discuss. For CD/DVD media, you can also make restrictions like U disks. Prevent viruses from automatically running the CD.

What about card readers, MP3/MP4, digital cameras, and even mobile phones? These can be connected to and read through the USB interface. In the system, these devices are classified into the WPD class and can be restricted from reading or writing.

There will always be non-standard devices, right? In this case, the system also provides the "Custom class" setting. As long as the GUID of the device is written, the system can restrict reading and writing.

If you are an enterprise administrator and do not need to go to every machine for configuration, you can quickly implement the policy through group policies.

Well, I am no longer afraid that the U disk that I lent to my colleagues will bring the virus back.

1. 13 Basic Windows security measures
2. Manual cleanup of udisk virus auto.exe