How To Disable USB Ports To Prevent Malware Infection

thumbnail   How To Disable USB Ports To Prevent Malware InfectionA Reader writes in:
My PC is being shared by my roomies – they mainly use it for watching films – virus threats from USB is paramount. I have no issue with CD drives. But USB’s are a no-no. So its really important that I do this (block or lockdown USB ports).

There are plenty of ways to disable usb ports and you don’t need any special software.

Disable USB Ports By Disabling Autorun

Most of the malware that spreads through USB devices spreads because of the Autorun feature which automatically executes a said file mentioned in the autorun.inf file located at the root of the USB device folder tree. Something as unsuspicious as “Open folder to view files” to the untrained eye can be easily made to run any desired file on the drive and can thus infect your computer. So disabling autorun is always one of the better options. To do so:

groupedit   How To Disable USB Ports To Prevent Malware Infection

  • First, the key combination Win + R and type Gpedit.msc
  • Navigate to¬†Computer Configuration > Administrative Templates > Windows Components, then click¬†Autoplay Policies. (XP users should try Computer Configuration > Administrative Templates > System
  • In the¬†Details pane, double-click¬†Turn off Autoplay.
  • Click Enabled, select¬†All drives in the¬†Turn off Autoplay box to disable Autorun on all drives.

Microsoft Help and Support has more details and methods

Option 1. Disable users from connecting USB devices

registryedit   How To Disable USB Ports To Prevent Malware Infection

You can prevent selected user accounts from connecting USB devices to your computer. So if you share your laptop/computer with a friend, you should create a separate user account and deny his/her account the ability to connect USB devices. Microsoft Help and Support provides steps to obtain such fine grain control.

Or you can simply navigate to HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\UsbStor and set the value of Start to 4. To enable access again change the value back to 3

Although the site mentions that this applies to Windows XP, 2000 and 2003 it worked just fine on Windows Vista and Windows 7 as well.

Option 2. Change BIOS, disable USB ports, password protect BIOS

Enter your system’s BIOS, just when you press the Power On button. Look for anything that allows you to disable USB ports, disable them and make sure you add a BIOS password.

Option 3. User Device Manager to disable USB

devicemangerdisable   How To Disable USB Ports To Prevent Malware Infection

  • Go to Device Manager (Right click My Computer, choose Manage, choose Device Manager in left pane)
  • Now look for USB Devices in the right pane, right click on the device and choose disable.

Of course you would like to make it a little easier to enable/disable the USB ports. For that you need to create a reg file that modifies the appropriate registry key. Here is an example (make sure to spell everything correctly):

regentry   How To Disable USB Ports To Prevent Malware Infection

Now double clicking on this file will enable access, similarly you can change 00000003 to 00000004 to create a reg file for disabling access.

None of these are fool proof, there is always someone smart enough to find a way around. If you really want to go all the way you can fill the ports with some epoxy or a similar substance! This is of course not a recommended solution for your personal computer but might come in handy for large organizations trying to prevent employees from using USB devices.

All in all the options are good enough to stop accidental, non intentional spread of malware/compromise of your computer as mostly happens when a USB device is plugged into different computers. However don’t bet your life on these if some one is really determined to use a USB device on your computer for whatever reason.

How do you protect your computer from malware spread via USB drives?

The comments were closed because the article is more than 180 days old.

If you have any questions related to what's mentioned in the article or need help with any computer issue, ask it on MakeUseOf Answers—We and our community will be more than happy to help.

5 Comments -

JK the First

I use USB 1.3 (yes, the app is named “USB”) to prevent autorun files from executing. A lightweight, portable program that works. It’s been reviewed on MUO before.

Another choice is iKill, but I will not recommend it due to its dangerous requirement, that to disable the autorun file, you must remove the usb and then reinsert it. You can imagine how annoying and potentially dangerous this can be.

Waseem

I think they solved it in Windows 7 .

Christian Velasquez

Why not just scan the drive for malware with Spybot, Malwarebytes’, Super Anti-Spyware, etc?

I ran scans with Malwarebytes’ and Super Anti-Spyware, Malwarebytes’ picked up some spyware and autorun.ini files, and Super Anti-Spyware detected to Trojans, both were on my iPod.