JLospinoso / beamgun

A rogue-USB-device defeat program for Windows.
https://jlospinoso.github.io/beamgun/
GNU Affero General Public License v3.0

Portable devices support #21

Open g1th4ck opened 5 years ago

g1th4ck commented 5 years ago

Hi.

I've been playing around with the application and I've noticed that it doesn't block Android devices. It does block USB Storage, but when I plug in my phone it appears on Windows as a portable device.

I think this may be a possible attack vector, as the phone could send some kind of commands that could exploit the system.

Could this be achieved?

Thank you very much.

JLospinoso commented 5 years ago

Hi! Thanks very much for your comment. I think this sounds like an interesting topic for research, do you have any interest in exploring it?

jdgregson commented 5 years ago

One thing I noticed when developing my PnP device blocker is that WMI query subscriptions are expensive CPU-wise. The more individual queries we have for specific types of devices the more CPU will be used. It might be easier in the long run to make Beamgun listen for all PnP devices and then give the user a list of device types they want to block.

g1th4ck commented 5 years ago

I agree with jdgregson. I think the application should be redesigned.

It needs to look more like Latch (https://www.elevenpaths.com/labstools/latch-usb-monitor/) and USB Flash Drives Control (https://www.binisoft.org/usbc.php) but simpler.

Just a Windows Service with a black/white list and that's all; it will cover every kind of possible device type.

Personally, I think I am going to give a try to implementing a local policy for this. I only need a whitelist of 4 or 5 devices to pass through and block the rest. Surely it will be less of a resource hog and it suits my needs.

I'll inform how it goes.

g1th4ck commented 5 years ago

Hi.

I've tested local policies to block the installation of removable devices and they work like a charm. You can use them even in Windows Home versions thanks to PolicyPlus (https://github.com/Fleex255/PolicyPlus).

For most scenarios, using "Prevent installation of removable devices" under "Device Installation" will allow you to use already installed devices while blocking unknown ones, which is more than enough. If you just want the nuclear option, then "All Removable Storage classes: Deny all access" under "Removable Storage Access" will block everything, even your already installed ones.

I think that moving to this approach would be easier to implement and more lightweight, as it would only need to set several registry keys and a simple UI to enable/disable some options. You can use Element Inspector on PolicyPlus to see the registry keys affected for each one of them.

This would delegate all the security to the operating system though.
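As an added illustration of the registry-backed approach described in the comment above (example code, not part of Beamgun or the thread), the following PowerShell enables either of the two named policies by writing their policy values directly and reads them back so a monitoring job can verify they are still set. It assumes the usual mapping of "Prevent installation of removable devices" to `DeviceInstall\Restrictions\DenyRemovableDevices` and of "All Removable Storage classes: Deny all access" to `RemovableStorageDevices\Deny_All`; confirm that mapping on your build with PolicyPlus' Element Inspector before relying on it.

```powershell
# Added example, not from the Beamgun project. Run in an elevated session.
# Assumed policy-to-registry mapping (verify with PolicyPlus Element Inspector):
#   "Prevent installation of removable devices"       -> DeviceInstall\Restrictions\DenyRemovableDevices
#   "All Removable Storage classes: Deny all access"  -> RemovableStorageDevices\Deny_All

$PolicyRoot = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows'

function Set-RemovableDevicePolicy {
    param(
        [switch]$DenyInstall,     # block installation of new removable devices, keep already installed ones
        [switch]$DenyAllStorage,  # the "nuclear option": deny access to every removable storage class
        [switch]$Disable          # remove both values (policy becomes "not configured")
    )
    $settings = @(
        @{ Enabled = $DenyInstall;    Key = "$PolicyRoot\DeviceInstall\Restrictions"; Name = 'DenyRemovableDevices' },
        @{ Enabled = $DenyAllStorage; Key = "$PolicyRoot\RemovableStorageDevices";    Name = 'Deny_All' }
    )
    foreach ($s in $settings) {
        if ($Disable) {
            if (Test-Path $s.Key) {
                Remove-ItemProperty -Path $s.Key -Name $s.Name -ErrorAction SilentlyContinue
            }
        } elseif ($s.Enabled) {
            if (-not (Test-Path $s.Key)) { New-Item -Path $s.Key -Force | Out-Null }
            # REG_DWORD 1 = policy enabled
            New-ItemProperty -Path $s.Key -Name $s.Name -Value 1 -PropertyType DWord -Force | Out-Null
        }
    }
}

function Get-RemovableDevicePolicy {
    # Current state of both values ($null = not configured). Useful for a
    # scheduled check that alerts if someone quietly clears the policy.
    [pscustomobject]@{
        DenyRemovableDevices = (Get-ItemProperty -Path "$PolicyRoot\DeviceInstall\Restrictions" `
                                -Name DenyRemovableDevices -ErrorAction SilentlyContinue).DenyRemovableDevices
        Deny_All             = (Get-ItemProperty -Path "$PolicyRoot\RemovableStorageDevices" `
                                -Name Deny_All -ErrorAction SilentlyContinue).Deny_All
    }
}

# Usage: keep already installed devices working, block installation of unknown ones.
Set-RemovableDevicePolicy -DenyInstall
Get-RemovableDevicePolicy
```

Writing the values directly bypasses the Local Group Policy editor's bookkeeping, so on machines that do have gpedit (or a domain GPO) prefer setting the policy there and use this only for verification.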

fjarlq commented 4 years ago

@g1th4ck That sounds promising. What local policies did you test specifically?