Tuesday, August 09, 2005

USB blocking software

I ran across this NetworkWorld article on USB blocking software products, by Ellen Messmer, this morning. There's not a whole lot of interest in the article, from my perspective...it basically says that McAfee and Sygate are adding the functionality to their products.

What did catch my attention is the first sentence: Unauthorized use of USB hardware to gain access to information in laptops and servers is a growing concern.

Really? A growing concern for whom? What about all of those systems out there that haven't had the software installed on them yet, and may possibly have already been used in this unauthorized manner?

Well, if you're a regular reader of this blog, you already know how to go into systems and check to see if any USB removable storage devices have been connected to the system.


Anonymous said...

For non-regular readers, are you going to codify all of your posts about how to enumerate the USB devices used on the system? In a paper? article? book?

And is there a way to determine when a device was used?

H. Carvey said...


To answer your first question...yes, yes, and yes. ;-)

Seriously, I've got the presentation available, and once I get it approved for public release for GMU2005, I'll post it. I am planning to put together an article, as well as include detailed information in my next book.

As far as determining when the device was used...yes, but with caveats. First, when a device is plugged in for the first time and the driver is loaded, this information is recorded to the setupapi.log file, as well as within the Registry (in the form of the LastWrite time of the Registry keys).

I'm still working out the wording for how to determine when a device was last plugged in, as it's a bit complicated...there are several Registry keys involved...but I will be posting something on that, once I can get it boiled down.