Windows Defender ATP - Disable .LNK files from running on USB devices

Question

Dear Stackoverflow Community!

I've got a question concerning Windows Defender, Attack Surface Reduction and Endpoint Device Manager.

To prevent LNK Worm Expoitation I want to block .LNK files on removable devices (USB drives). Example: User inserts USB Drive and doubleclicks on a file 'USB Drive.lnk' which, in fact, is malicious.

Unfortunately after a lot of research and testing I have yet not found a satisfying solution for my problem. Maybe some of you had a similar problem.

Many thanks in advance!

Best regards

Answer 1

Solved it myself.

I enabled logging in event viewer under the path "Application and Services Logs\Microsoft\Windows\DriverFrameworks-UserMode".

Then created an Task in Task Scheduler that gets activated when Event ID 2003 is found in above path.

This task then executes a scripts that searches for .lnk files on USB sticks that have the drive letter D:.

#
#  ------------- Globals ------------- 
#

# drive letter of usb device
$USBDeviceDriveLocation = "D:\"

# .lnk extensio
$LNKExtentsion = ".lnk"

#
#  ------------- Functions ------------- 
#

function SearchAndRemoveFilesWithExtension
{
    <#
    
    #>

    # file extension as parameter
    param
    (
        $extension
    )

    # iterate through files and delete them
    $FoundFiles = Get-ChildItem -Recurse -Path D:\ -Include "*$extension"

    # if none lnk files found then exit
    if ($FoundFiles.Count -eq 0)
    {
        exit
    }

    # remove those files
    foreach ($file in $FoundFiles)
    {
        Remove-Item -Path $file.FullName
    }
}


function Main
{
    <#
        .SYNOPSIS
            Main Method
    #>
    SearchAndRemoveFilesWithExtension $LNKExtentsion

}


#
#
#
Main