ALERT: Some images may not load properly within the Knowledge Base Article. If you see a broken image, please right-click and select 'Open image in a new tab'. We apologize for this inconvenience.
Application Control policy to block writing to LNK files on removable drives
Article ID: 162079
Updated On:
Products
Endpoint Protection
Issue/Introduction
A common trait in many types of malware is to hide files/folders on removable USB drives and create link/shortcut .LNK files with the same name that point to the hidden files, but that also execute the malware. The intention is that you still see a familiar file or folder name when you plug in the drive on a new computer, but accidentally execute the malware instead when trying to access that file or folder.
Resolution
The attached Application Control policy blocks write attempts to .LNK files on removable USB drives. The process attempting to write to the LNK file is terminated.
It is recommended that this policy is combined with the default "Block running applications from removable media" [AC2] policy that comes with the product.
By default explorer.exe is excluded in this policy, the exclusion can be removed to also protect against malware that injects itself into the explorer.exe process, at the cost of an increased False Positive risk (blocking a legitimate attempt to copy files to the USB drive).
It is recommended that this policy is combined with the default "Block running applications from removable media" [AC2] policy that comes with the product.
By default explorer.exe is excluded in this policy, the exclusion can be removed to also protect against malware that injects itself into the explorer.exe process, at the cost of an increased False Positive risk (blocking a legitimate attempt to copy files to the USB drive).
Attachments
Feedback
Yes
No
Powered by
