Using Folder Guard to protect from the social engineering attacks

The U.S. Department of Homeland Security ran a test recently to see how easy it could be to trick people into plugging random USB sticks into their computers and potentially infecting them with malware. The test showed that the human factor is possibly the weakest link in computer security: your network may have the best firewall, and you may have the strongest policies prohibiting users from downloading random files from the Internet, yet all of that is useless when people have little hesitation in using USB sticks they find in the company parking lot.

Microsoft has attempted to address this problem somewhat by disabling the AutoRun feature for USB sticks in Windows. Still, that leaves a rogue program on the USB stick just a few clicks away from running. Wouldn't it be nice to be able to stop programs from running from USB sticks completely?

It's possible to achieve that with our software Folder Guard, by creating a file access filter that would restrict access to the files on the removable drives. Let us show how to do that in detail:

Run Folder Guard, and switch to the window that shows the existing filters by choosing View - Filters from the menu. If you use one of the latest versions of Folder Guard, you should see the filter that we need already in the list; it's called Lock external drives:

Folder Guard filters

If you don't see this filter in the list, it's easy to create it: choose Filter - New from the menu, and then enter the properties of the filter as follows:

The Lock external drives filter of Folder Guard

(If the properties of the existing filter on your computer are different, you may want to edit them to make them match the image above. To edit the contents of a box, press the triple-dot button next to it.)

To see how this filter would work for us, it's easier to separate our goal into parts first. Remember, we want to:

Part 1. Restrict access...
Part 2. To any file or folder...
Part 3. Located on any removable drive.

Part 1 is easy: all we need to do is assign the No Access attribute to the filter, and this would stop any attempt to open a file that would match the filter. To do that, right-click on the filter and choose Access - No Access from the shortcut menu. (See below.)

Part 2 of our goal is pretty easy, too: to specify that a filter should apply to all files, enter the mask consisting of a single star character into the Apply to files and Apply to subfolders boxes. (Actually, we could just leave these boxes empty, because an empty Apply To... box means Apply To All, which is what we need. Still, entering the star character there makes it a bit more explicit, so let's do that.)

Part 3 of our goal is the trickiest one: how would we specify that the filter should apply to any folder located on a removable drive? We could do it using the drive letters: when someone attaches a drive to a computer, Windows creates a drive letter for it. The problem is, however, that it is difficult if not impossible to predict which letter would be assigned to any specific drive. Usually Windows does it sequentially, but the user can change the drive letter, and what if the user attaches several removable drives at once?

We could list all possible drive letters in the Apply to locations box, but instead of that, it's easier to specify which drive(s) and folder(s) the filter should NOT apply to. Most computers have a single hard drive, C:, so if we specify that a filter should apply to any drive but C: that would work for our goal. That's why we used the mask C:* in the Except locations box of our filter: it would exclude any folder that starts with C: from the scope of the filter, just what we want.

What about the second mask in the Except locations box, \\* ? It is there to exclude any path that starts with the double-backslash. Such paths are used to specify files on the network, such as \\server\share\ . This way, we exclude the network files and folders from the scope of the filter, because we don't want it to apply to the network files.

The final mask of the Except locations box, *:\RECYCLE.BIN, excludes the Recycle Bin folder on any drive from the scope of the filter. If it were not there, Windows would not be able to access the Recycle Bin folders on the removable drives, and it would probably complain that the Recycle Bin on each removable drive is corrupted. To avoid such problems, we exclude the Recycle Bin folder from the scope of the filter, so Windows has unrestricted access to it.

Now, if there are other drives permanently attached to the computer and you want the users to be able to use such drives without restrictions, you should add the appropriate masks to the Except folders box, too. (You can separate masks with commas, semicolons, or line breaks.) For example, if your computer has a DVD drive that has the drive letter D: and you want the users to use the DVD drive without restrictions, modify the content of the Except folders box to read as follows: (Press the [...] button to modify the content of the box.)


The rest of the filter properties can be left empty. An empty Apply to box means Apply to all and an empty Except for box means Except for none. We have entered a star character in the Apply to files box to emphasize that it should apply to all files, but we could have left the box empty; it would produce the same result as the star character.
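
To check which paths the masks above put inside the filter's scope, here is an added example (not part of Folder Guard or of the original article) that models the scope rules in Python. It assumes case-insensitive wildcard matching of a file's containing folder against the Except locations masks; the sample paths are constructed.

```python
import fnmatch
import ntpath

# Masks as given in the article for the "Lock external drives" filter.
APPLY_TO_FILES = ["*"]
EXCEPT_LOCATIONS = ["C:*", r"\\*", r"*:\RECYCLE.BIN"]


def _matches(value, masks):
    """Case-insensitive wildcard match (assumed semantics, not Folder Guard's code)."""
    value = value.upper()
    return any(fnmatch.fnmatchcase(value, m.upper()) for m in masks)


def filter_applies(path, except_locations=EXCEPT_LOCATIONS):
    """Return True if the modelled filter (and so No Access) covers this file."""
    folder, name = ntpath.split(path)
    if not _matches(name, APPLY_TO_FILES):
        return False
    # An empty "Apply to locations" box means all locations; only the
    # exceptions narrow the scope.
    return not _matches(folder, except_locations)


# Constructed sample paths.
SAMPLES = [
    r"C:\Users\alice\report.docx",   # system drive: excluded by C:*
    r"\\server\share\budget.xlsx",   # network path: excluded by \\*
    r"E:\setup.exe",                 # removable drive: in scope
    r"F:\photos\holiday.scr",        # second removable drive: in scope
    r"E:\RECYCLE.BIN\deleted.tmp",   # excluded by *:\RECYCLE.BIN
    r"D:\archive\2019.zip",          # any other letter is in scope too
]

if __name__ == "__main__":
    for p in SAMPLES:
        print(("LOCKED  " if filter_applies(p) else "allowed ") + p)
```

The last sample shows why a permanently attached drive with a letter other than C: needs its own mask in the exceptions: without one, the filter treats it like a removable drive.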

Now that we have created the filter that we need, it's time to apply a restricting attribute to it. If you want to completely lock access to the removable drives, assign the No access attribute to the filter:

The No access attribute will prevent all access to the external drives

The result of the No access attribute would be that the users would be prevented from both opening the files from the external devices, and saving the files to them. This way, if someone attaches a USB stick to the computer protected with such a filter, he or she would not be able to use the stick at all.

What if at some point you do need to access a removable drive? Just pause the protection of Folder Guard, perform the task, then resume the protection (no Windows restart required!).

Happy computing!
