
Application Control policy to block writing to LNK files on removable drives


Article ID: 162079

Products

Endpoint Protection

Issue/Introduction

A common trait of many malware families is to hide the files and folders on a removable USB drive and create shortcut (.LNK) files with the same names that point to the hidden items but also execute the malware. The intention is that you still see a familiar file or folder name when you plug the drive into a new computer, but accidentally execute the malware when trying to open that file or folder.
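The masquerade described above leaves a recognizable footprint on the drive: a hidden file or folder sitting next to a visible .LNK whose name matches it. The following is an added triage script, not part of this article or of the Endpoint Protection product, that lists a drive's root and reports such pairs. The sample listing at the bottom is constructed for illustration; the `Entry` type, the function names and the dot-prefix hidden convention used on non-Windows systems are assumptions of this example.

```python
import os
import stat
import sys
from dataclasses import dataclass


@dataclass(frozen=True)
class Entry:
    """One directory entry as seen on the drive root (hypothetical type for this example)."""
    name: str
    is_dir: bool
    hidden: bool


def find_lnk_decoys(entries):
    """Return sorted (lnk_name, hidden_name) pairs where a visible .LNK file
    has the same name (or the same name minus extension) as a hidden entry.

    Malware of the kind described above typically hides 'Report.docx' and drops
    'Report.lnk' or 'Report.docx.lnk' beside it, so both spellings are checked.
    """
    by_key = {}
    for e in entries:
        if not e.hidden:
            continue
        # Index each hidden item under its full name and under its stem,
        # case-insensitively, because NTFS/FAT names are case-insensitive.
        by_key.setdefault(e.name.lower(), e)
        stem, _ = os.path.splitext(e.name)
        by_key.setdefault(stem.lower(), e)

    decoys = []
    for e in entries:
        if e.hidden or e.is_dir or not e.name.lower().endswith(".lnk"):
            continue
        lnk_stem = e.name[:-4].lower()  # strip ".lnk"
        twin = by_key.get(lnk_stem)
        if twin is not None:
            decoys.append((e.name, twin.name))
    return sorted(decoys)


def list_entries(path):
    """Read a directory into Entry objects.

    On Windows the hidden flag comes from st_file_attributes; on other
    platforms (assumption for portability) a leading dot is treated as hidden.
    """
    out = []
    with os.scandir(path) as it:
        for d in it:
            st = d.stat(follow_symlinks=False)
            attrs = getattr(st, "st_file_attributes", 0)
            hidden = bool(attrs & stat.FILE_ATTRIBUTE_HIDDEN) or d.name.startswith(".")
            out.append(Entry(d.name, d.is_dir(follow_symlinks=False), hidden))
    return out


# Constructed sample listing of an infected drive root (not real data):
# two decoy shortcuts, one legitimate shortcut, one legitimate hidden folder,
# and a hidden payload with no matching shortcut.
SAMPLE_LISTING = [
    Entry("Photos", is_dir=True, hidden=True),
    Entry("Photos.lnk", is_dir=False, hidden=False),
    Entry("Report.docx", is_dir=False, hidden=True),
    Entry("Report.docx.lnk", is_dir=False, hidden=False),
    Entry("System Volume Information", is_dir=True, hidden=True),
    Entry("Installer.lnk", is_dir=False, hidden=False),
    Entry("notes.txt", is_dir=False, hidden=False),
    Entry("update.exe", is_dir=False, hidden=True),
]


if __name__ == "__main__":
    # Usage: python lnk_decoys.py E:\   (scans a real drive root)
    entries = list_entries(sys.argv[1]) if len(sys.argv) > 1 else SAMPLE_LISTING
    for lnk, twin in find_lnk_decoys(entries):
        print(f"suspicious: {lnk} shadows hidden item {twin}")
```

The heuristic only flags a shortcut when a hidden twin exists, so ordinary shortcuts a user copied to the drive and ordinary hidden folders such as System Volume Information are not reported; a flagged pair is a cue to examine the .LNK target before anything on the drive is opened.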
 

Resolution

The attached Application Control policy blocks write attempts to .LNK files on removable USB drives. The process attempting to write to the LNK file is terminated.

It is recommended that this policy be combined with the default "Block running applications from removable media" [AC2] policy that ships with the product.


By default, explorer.exe is excluded from this policy. The exclusion can be removed to also protect against malware that injects itself into the explorer.exe process, at the cost of an increased false-positive risk (blocking a legitimate attempt to copy files to the USB drive).
 

Attachments

Block writing to .LNK files on removable drives.dat