Sunday, 10 January 2016

Write-Protect your E2B USB drive

There has been a discussion recently about how to write-protect a USB drive.

It is not advisable to hardware write-protect an E2B USB drive because E2B needs write access to the MBR (to modify it) and also needs to modify other files (e.g. \autounattend.xml, etc.). Some WinPEs and Linux OSes (via ISOBOOT) may be able to boot from a write-protected E2B drive though. I intend to investigate this further at a later date, to see just what is possible if the whole E2B USB drive is hardware write-protected.

So the use of the write-protect switch on the Netac USB 3.0 U335 flash drive, for instance, is not a recommended option when booting from an E2B drive (although once it has booted to an OS from the flash drive, you could remove the USB drive - flip on the WP switch - and then re-insert it again and hope that it did not have enough time to get infected!).

However, if the E2B USB drive is an NTFS volume, it is possible to protect files and folders from Windows malware (to some extent) by using NTFS file permissions. This does not protect the drive from Linux malware if you boot to an infected Linux OS. On the plus side, it does not interfere with grub4dos either!
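As an illustration of the NTFS-permissions approach (an added example, not part of the original post and not the code of any utility mentioned here), this PowerShell script adds, removes or reports an inheritable Deny-write entry for Everyone on the drive root. The drive letter E: and the script's parameter names are assumptions; run it from an elevated prompt.

```powershell
# Added example: toggle a Deny-write ACE on the root of an NTFS E2B volume.
# Assumption: the E2B drive is mounted as E: (pass -Root to change it).
param(
    [string]$Root = 'E:\',
    [ValidateSet('Protect', 'Unprotect', 'Status')]
    [string]$Action = 'Status'
)

# FAT32/exFAT volumes have no ACLs, so refuse anything that is not NTFS.
$drive = New-Object System.IO.DriveInfo $Root
if ($drive.DriveFormat -ne 'NTFS') {
    throw "$Root is formatted as $($drive.DriveFormat); NTFS permissions do not apply."
}

# S-1-1-0 is the well-known SID for Everyone; the SID avoids localized group names.
$everyone = New-Object System.Security.Principal.SecurityIdentifier 'S-1-1-0'
$rights   = [System.Security.AccessControl.FileSystemRights]'Write, Delete, DeleteSubdirectoriesAndFiles'
$inherit  = [System.Security.AccessControl.InheritanceFlags]'ContainerInherit, ObjectInherit'
$rule     = New-Object System.Security.AccessControl.FileSystemAccessRule -ArgumentList @(
    $everyone, $rights, $inherit,
    [System.Security.AccessControl.PropagationFlags]::None,
    [System.Security.AccessControl.AccessControlType]::Deny)

$acl = Get-Acl -LiteralPath $Root
switch ($Action) {
    'Protect' {
        # Deny entries are evaluated before Allow entries, so this overrides
        # any inherited "Modify" or "Full control" grants for normal access.
        $acl.AddAccessRule($rule)
        Set-Acl -LiteralPath $Root -AclObject $acl
    }
    'Unprotect' {
        # Remove the same rule before updating files on the drive from Windows.
        [void]$acl.RemoveAccessRule($rule)
        Set-Acl -LiteralPath $Root -AclObject $acl
    }
}

# Report the explicit Deny entries now present on the root.
(Get-Acl -LiteralPath $Root).Access |
    Where-Object { $_.AccessControlType -eq 'Deny' -and -not $_.IsInherited } |
    Select-Object IdentityReference, FileSystemRights, InheritanceFlags
```

The Deny entry does not cover the right to change permissions, so an elevated process can still remove it; files or folders with inheritance disabled do not receive it.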

Agent47 pointed us to a free NTFS Drive Protection utility from sordum.org which looks very useful if you have an NTFS E2B drive!

Keep this utility on your E2B USB drive!

For other security measures for E2B, see the Passwords and Security page.

Let me know if you have used any other solutions or have any tips!

P.S. Wonko suggests that you always boot from the USB drive to WinPE or Linux. Run your AV software, etc., to clean up the target system and then copy over any files/folders you need to the target system hard drive. Then remove the USB drive and boot from the target system. That way you don't have the USB drive connected when you are running a potentially infected system.