USB flash drives typically implement the USB mass storage device class.
The USB mass storage device class (also known as USB MSC or UMS) is a set of computing communications protocols, specifically a USB Device Class, defined by the USB Implementers Forum that makes a USB device accessible to a host computing device and enables file transfers between the host and the USB device. To a host, the USB device acts as an external hard drive; the protocol set interfaces with a number of storage devices.
Uses
An action camera being accessed via mass storage device class
Devices connected to computers via this standard include:
- External magnetic hard drives
- External optical drives, including CD and DVD reader and writer drives
- Portable flash memory devices
- Adapters between standard flash memory cards and USB connections
- Digital audio and portable media players
Devices supporting this standard are known as MSC (Mass Storage Class) devices. While MSC is the original abbreviation, UMS (Universal Mass Storage) has also come into common use.
Operating system support
Most mainstream operating systems include support for USB mass storage devices; support on older systems is usually available through patches.
Microsoft Windows
Microsoft Windows has supported MSC since Windows 2000. There is no support for USB supplied by Microsoft in Windows before Windows 95 and Windows NT 4.0. Windows 95 OSR2.1, an update to the operating system, featured limited support for USB. During that time no generic USB mass-storage driver was produced by Microsoft (including for Windows 98), and a device-specific driver was needed for each type of USB storage device. Third-party, freeware drivers became available for Windows 98 and Windows 98SE, and third-party drivers are also available for Windows NT 4.0. Windows 2000 has support (via a generic driver) for standard USB mass-storage devices; Windows Me and all later Windows versions also include support.
Windows Mobile supports accessing most USB mass-storage devices formatted with FAT on devices with USB Host. However, portable devices typically cannot provide enough power for hard-drive disk enclosures (a 2.5-inch (64 mm) hard drive typically requires the maximum 2.5 W in the USB specification) without a self-powered USB hub. A Windows Mobile device cannot display its file system as a mass-storage device unless the device implementer adds that functionality. However, third-party applications add MSC emulation to most WM devices (commercial Softick CardExport and free WM5torage). Only memory cards (not internal-storage memory) can generally be exported, due to file-systems issues; see device access, below.
The AutoRun feature of Windows ran on all removable media, which let USB storage devices serve as an infection vector for malware. Beginning with Windows 7, Microsoft limited AutoRun to CD and DVD drives, and backported the change to earlier Windows versions.[1]
MS-DOS
Neither MS-DOS nor most compatible operating systems included support for USB. Third-party generic drivers, such as Duse, USBASPI and DOSUSB, are available to support USB mass-storage devices. FreeDOS supports USB mass storage as an Advanced SCSI Programming Interface (ASPI) interface.
Classic Mac OS and macOS
Apple Computer's Mac OS 9 and macOS support USB mass storage; Mac OS 8.5.1 supported USB mass storage through an optional driver.
Linux
The Linux kernel has supported USB mass-storage devices since its 2.4 series (2001), and a backport to kernel 2.2.18[2] has been made. Beyond the generic driver for USB mass-storage class devices, Linux carries per-device quirks, bug fixes and additional functionality for specific devices and controllers (vendor-enabled functions such as ATA command pass-through for ATA-USB bridges, which is useful for S.M.A.R.T. or temperature monitoring, controlling the spin-up and spin-down of hard disk drives, and other options). Because Android uses the Linux kernel, this support extends to a portion of Android-based devices through USB-OTG.
Other Unix-related systems
Solaris has supported devices since its version 2.8 (1998), NetBSD since its version 1.5 (2000), FreeBSD since its version 4.0 (2000) and OpenBSD since its version 2.7 (2000). Digital UNIX (later known as Tru64 UNIX), has supported USB and USB mass-storage devices since its version 4.0E (1998). AIX has supported USB mass-storage devices since its 5.3 T9 and 6.1 T3 versions; however, it is not well-supported and lacks features such as partitioning and general blocking.[3]
Game consoles and embedded devices
The Xbox 360 and PlayStation 3 support most mass-storage devices for the data transfer of media such as pictures and music. As of April 2010, the Xbox 360 could use a mass-storage device for saved games[4], and the PS3 allowed transfers between devices via a mass-storage device. Independent developers have released drivers for the TI-84 Plus and TI-84 Plus Silver Edition to access USB mass-storage devices.[5] In these calculators, the usb8x driver supports the msd8x user-interface application.
Device access
USB card readers typically implement the USB mass storage device class.
The USB mass-storage specification provides an interface to a number of industry-standard command sets, allowing a device to disclose its subclass. In practice, there is little support for specifying a command set via its subclass; most drivers only support the SCSI transparent command set, designating their subset of the SCSI command set with their SCSI Peripheral Device Type (PDT). Subclass codes specify the following command sets:
- Reduced Block Commands (RBC)
- SFF-8020i, MMC-2 (used by ATAPI-style CD and DVD drives)
- QIC-157 (tape drives)
- Uniform Floppy Interface (UFI)
- SFF-8070i (used by ARMD-style devices)
- SCSI transparent command set (use 'inquiry' to obtain the PDT)
The specification does not require a particular file system on conforming devices. Based on the specified command set and any subset, it provides a means to read and write sectors of data (similar to the low-level interface used to access a hard drive). Operating systems may treat a USB mass-storage device like a hard drive; users may partition it in any format (such as MBR and GPT), and format it with any file system.
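Windows surfaces the subclass (command set) and protocol (transport) of each mass-storage interface in the device's compatible IDs, which is also where device-installation policies match them. The following decoder is an added example, not text or code from the USB-IF specification or from the page above; the code tables follow the USB Mass Storage Class overview for class 08h, and the sample ID strings at the end are constructed for the demonstration.

```powershell
# Added example (not part of the USB-IF specification or the page above): decode the
# mass-storage subclass (command set) and transport protocol that Windows exposes in
# a USB interface's compatible ID, e.g. "USB\Class_08&SubClass_06&Prot_50".
# Code tables follow the USB Mass Storage Class overview (class 08h); the sample IDs
# at the bottom are constructed for the demonstration.

$MscSubclass = @{
    0x01 = 'RBC (Reduced Block Commands)'
    0x02 = 'SFF-8020i / MMC (ATAPI CD and DVD drives)'
    0x03 = 'QIC-157 (tape drives)'
    0x04 = 'UFI (USB floppy interface)'
    0x05 = 'SFF-8070i (ARMD-style devices)'
    0x06 = 'SCSI transparent command set (use INQUIRY to obtain the PDT)'
}
$MscProtocol = @{
    0x00 = 'CBI with command completion interrupt'
    0x01 = 'CBI without command completion interrupt'
    0x50 = 'Bulk-Only Transport (bound to usbstor.sys)'
    0x62 = 'USB Attached SCSI (bound to uaspstor.sys)'
}

function ConvertFrom-UsbCompatibleId {
    param([Parameter(Mandatory)][string]$CompatibleId)

    # SubClass and Prot are optional: Windows also publishes the shorter
    # "USB\Class_08&SubClass_06" and "USB\Class_08" forms for the same interface.
    $m = [regex]::Match($CompatibleId,
        '^USB\\Class_(?<cls>[0-9A-F]{2})(&SubClass_(?<sub>[0-9A-F]{2}))?(&Prot_(?<prot>[0-9A-F]{2}))?$',
        [System.Text.RegularExpressions.RegexOptions]::IgnoreCase)
    if (-not $m.Success) { return $null }

    $cls   = [Convert]::ToInt32($m.Groups['cls'].Value, 16)
    $sub   = if ($m.Groups['sub'].Success)  { [Convert]::ToInt32($m.Groups['sub'].Value, 16) }  else { $null }
    $prot  = if ($m.Groups['prot'].Success) { [Convert]::ToInt32($m.Groups['prot'].Value, 16) } else { $null }
    $isMsc = ($cls -eq 0x08)

    # The names only apply to class 08h; other classes reuse the same numbers.
    $cmdSet    = if ($isMsc -and $null -ne $sub)  { $MscSubclass[$sub] }  else { 'n/a' }
    $transport = if ($isMsc -and $null -ne $prot) { $MscProtocol[$prot] } else { 'n/a' }
    if ($null -eq $cmdSet)    { $cmdSet    = 'unknown/reserved subclass' }
    if ($null -eq $transport) { $transport = 'unknown/reserved protocol' }

    [pscustomobject]@{
        CompatibleId  = $CompatibleId
        IsMassStorage = $isMsc
        Subclass      = $sub
        CommandSet    = $cmdSet
        Protocol      = $prot
        Transport     = $transport
    }
}

# Constructed samples: a flash drive (SCSI transparent over Bulk-Only), a UAS
# enclosure, an ATAPI DVD drive, and an unrelated HID (boot mouse) interface.
$samples = 'USB\Class_08&SubClass_06&Prot_50',
           'USB\Class_08&SubClass_06&Prot_62',
           'USB\Class_08&SubClass_02&Prot_50',
           'USB\Class_03&SubClass_01&Prot_02'
$samples | ForEach-Object { ConvertFrom-UsbCompatibleId $_ } | Format-Table -AutoSize
```

The protocol byte is the practical one for an administrator: 50h interfaces are driven by usbstor.sys and 62h interfaces by uaspstor.sys, so a device that advertises both (a UAS enclosure with a BOT fallback interface) has two compatible-ID sets to account for in allow and deny lists.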
Because of its relative simplicity, the most-common file system on embedded devices such as USB flash drives, cameras, or digital audio players is Microsoft's FAT or FAT32 file system (with optional support for long filenames). Large, USB-based hard disks may be formatted with NTFS, which (except for Windows) is less supported. However, a keydrive or other device may be formatted with another file system (HFS Plus on an Apple Macintosh, or Ext2 on Linux, or Unix File System on Solaris or BSD). This choice may limit (or prevent) access to a device's contents by equipment using a different operating system. OS-dependent storage options include LVM, partition tables and software encryption.
In cameras, MP3 players and similar devices which must access a file system independent of an external host, the FAT32 file system is preferred by manufacturers. All such devices halt their file-system (dismount) before making it available to a host operating system to prevent file-system corruption or other damage (although it is theoretically possible for both devices to use read-only mode or a cluster file system). Some devices have a write-protection switch (or option) allowing them to be used in read-only mode; this makes files available for shared use without the risk of virus infection.
Two main partitioning schemes are used by vendors of pre-formatted devices. One puts the file system (usually FAT32) directly on the device without partitioning, making it start from sector 0 without additional boot sectors, headers or partitions. The other uses a DOS partition table (and MBR code), with one partition spanning the entire device. This partition is often aligned to a high power of two of the sectors (such as 1 or 2 MB), common in solid state drives for performance and durability. Some devices with embedded storage resembling a USB mass-storage device (such as MP3 players with a USB port) will report a damaged (or missing) file system if they are reformatted with a different file system. However, most default-partition devices may be repartitioned (by reducing the first partition and file system) with additional partitions. Such devices will use the first partition for their own operations; after connecting to the host system, all partitions are available.
Devices connected by a single USB port may function as multiple USB devices, one of which is a USB mass-storage device. This simplifies distribution and access to drivers and documentation, primarily for the Microsoft Windows and Mac OS X operating systems. Such drivers are required to make full use of the device, usually because it does not fit a standard USB class or has additional functionality. An embedded USB mass-storage device makes it possible to install additional drivers without CD-ROM disks, floppies or Internet access to a vendor website; this is important, since many modern systems are supplied without optical or floppy drives. Internet access may be unavailable because the device provides network access (wireless, GSM or Ethernet cards). The embedded USB mass storage is usually made permanently read-only by the vendor, preventing accidental corruption and use for other purposes (although it may be updated with proprietary protocols when performing a firmware upgrade). Advantages of this method of distribution are lower cost, simplified installation and ensuring driver portability.
Design
Some advanced hard disk drive commands, such as Tagged Command Queuing and Native Command Queuing (which may increase performance), ATA Secure Erase (which allows all data on the drive to be securely erased) and S.M.A.R.T. (accessing indicators of drive reliability) exist as extensions to low-level drive command sets such as SCSI, ATA and ATAPI. These features may not work when the drives are placed in a disk enclosure that supports a USB mass-storage interface. Some USB mass-storage interfaces are generic, providing basic read-write commands; although that works well for basic data transfers with devices containing hard drives, there is no simple way to send advanced, device-specific commands to such USB mass-storage devices (though, devices may create their own communication protocols over a standard USB control interface). The USB Attached SCSI (UAS) protocol, introduced in USB 3.0, fixes several of these issues, including command queuing, command pipes for hardware requiring them, and power management.
Specific USB 2.0 chipsets had proprietary methods of achieving SCSI pass-through, which could be used to read S.M.A.R.T. data from drives using tools such as smartctl (using the -d option followed by 'chipset').[6] More recent USB storage chipsets support the SCSI / ATA Translation (SAT) as a generic protocol for interacting with ATA (and SATA) devices.[7] Using esoteric ATA or SCSI pass-through commands (such as secure-erase or password protection) when a drive is connected via a USB bridge may cause drive failure, especially with the hdparm utility.[8]
References
- [1] "Changes in Windows to Meet Changes in Threat Landscape". TechNet Blogs, 2009-04-28. Retrieved 2012-11-07.
- [2] "Driver for USB Mass Storage compliant devices". Archived from the original on 2005-09-23.
- [3] "eserver: HOWTO: JFS2 on USB device on AIX 5.3.11.1". Eserver.livejournal.com, 2010-01-21. Archived from the original on 2012-03-31. Retrieved 2012-11-07.
- [4] "Xbox Live's Major Nelson: USB Memory Support for the Xbox 360 coming April 6th". Majornelson.com, 2010-03-26. Retrieved 2012-11-07.
- [5] "83Plus:Software:usb8x/Asm Interface/MSD". WikiTI, 2009-02-18. Retrieved 2012-11-07.
- [6] "#25 (SCSI pass through for SMART via USB on MacOSX smartmontools? 3rd party code available!)". smartmontools, Sourceforge.net. Retrieved 2014-01-21.
- [7] "USB smartmontools". Sourceforge.net. Archived from the original on 2012-02-07. Retrieved 2014-01-21.
- [8] "ATA Secure Erase". ata Wiki, Ata.wiki.kernel.org, 2013-07-22. Retrieved 2014-01-21.
Applies to: Microsoft Defender for Endpoint
Microsoft recommends a layered approach to securing removable media, and Microsoft Defender for Endpoint provides multiple monitoring and control features to help prevent threats in unauthorized peripherals from compromising your devices:
- Discover plug and play connected events for peripherals in Microsoft Defender for Endpoint advanced hunting. Identify or investigate suspicious usage activity.
- Configure to allow or block only certain removable devices and prevent threats.
- Allow or block removable devices with granular configuration: deny write access to removable disks, and approve or deny devices by USB device ID. Device installation settings can be assigned to individual Azure Active Directory (Azure AD) users and devices or to groups.
- Prevent threats introduced by removable storage devices by enabling:
- Microsoft Defender Antivirus real-time protection (RTP) to scan removable storage for malware.
- The Attack Surface Reduction (ASR) USB rule to block untrusted and unsigned processes that run from USB.
- Direct Memory Access (DMA) protection settings to mitigate DMA attacks, including Kernel DMA Protection for Thunderbolt and blocking DMA until a user signs in.
- Create customized alerts and response actions to monitor usage of removable devices based on these plug and play events or any other Microsoft Defender for Endpoint events with custom detection rules.
- Respond to threats from peripherals in real-time based on properties reported by each peripheral.
Note
These threat reduction measures help prevent malware from coming into your environment. To protect enterprise data from leaving your environment, you can also configure data loss prevention measures. For example, on Windows 10 devices you can configure BitLocker and Windows Information Protection, which will encrypt company data even if it is stored on a personal device, or use the Storage/RemovableDiskDenyWriteAccess CSP to deny write access to removable disks. Additionally, you can classify and protect files on Windows devices (including their mounted USB devices) by using Microsoft Defender for Endpoint and Azure Information Protection.
Discover plug and play connected events
You can view plug and play connected events in Microsoft Defender for Endpoint advanced hunting to identify suspicious usage activity or perform internal investigations. For examples of Defender for Endpoint advanced hunting queries, see the Microsoft Defender for Endpoint hunting queries GitHub repo.
Sample Power BI report templates are available for Microsoft Defender for Endpoint that you can use for Advanced hunting queries. With these sample templates, including one for device control, you can integrate the power of Advanced hunting into Power BI. See the GitHub repository for PowerBI templates for more information. See Create custom reports using Power BI to learn more about Power BI integration.
Allow or block removable devices
The following table describes the ways Microsoft Defender for Endpoint can allow or block removable devices based on granular configuration.
Control | Description |
---|---|
Restrict USB drives and other peripherals | You can allow users to install only the USB drives and other peripherals on a list of authorized devices or device types, or prevent them from installing those on a list of unauthorized devices or device types. |
Block installation and usage of removable storage | You can't install or use removable storage. |
Allow installation and usage of specifically approved peripherals | You can only install and use approved peripherals that report specific properties in their firmware. |
Prevent installation of specifically prohibited peripherals | You can't install or use prohibited peripherals that report specific properties in their firmware. |
Allow installation and usage of specifically approved peripherals with matching device instance IDs | You can only install and use approved peripherals that match any of these device instance IDs. |
Prevent installation and usage of specifically prohibited peripherals with matching device instance IDs | You can't install or use prohibited peripherals that match any of these device instance IDs. |
Limit services that use Bluetooth | You can limit the services that can use Bluetooth. |
Use Microsoft Defender for Endpoint baseline settings | You can set the recommended configuration for ATP by using the Defender for Endpoint security baseline. |
Restrict USB drives and other peripherals
To prevent malware infections or data loss, an organization may restrict USB drives and other peripherals. The following table describes the ways Microsoft Defender for Endpoint can help prevent installation and usage of USB drives and other peripherals.
Control | Description |
---|---|
Allow installation and usage of USB drives and other peripherals | Allow users to install only the USB drives and other peripherals included on a list of authorized devices or device types |
Prevent installation and usage of USB drives and other peripherals | Prevent users from installing USB drives and other peripherals included on a list of unauthorized devices and device types |
All of the above controls can be set through the Intune Administrative Templates. The relevant policies are located under System > Device Installation > Device Installation Restrictions in the Administrative Templates.
Note
Using Intune, you can apply device configuration policies to Azure AD user and/or device groups. The above policies can also be set through the Device Installation CSP settings and the Device Installation GPOs.
Note
Always test and refine these settings with a pilot group of users and devices first before applying them in production. For more information about controlling USB devices, see the Microsoft Defender for Endpoint blog.
Allow installation and usage of USB drives and other peripherals
One way to approach allowing installation and usage of USB drives and other peripherals is to start by allowing everything. Afterwards, you can start reducing the allowable USB drives and other peripherals.
Note
Because an unauthorized USB peripheral can have firmware that spoofs its USB properties, we recommend only allowing specifically approved USB peripherals and limiting the users who can access them.
- Enable Prevent installation of devices not described by other policy settings to all users.
- Enable Allow installation of devices using drivers that match these device setup classes for all device setup classes.
By default these policies only affect devices that are not yet installed. To enforce them for devices that are already installed, use the prevent policies that offer the "also apply to matching devices that are already installed" option.
When configuring the allow device installation policy, you must allow all parent attributes as well. You can view the parents of a device by opening Device Manager and view by connection.
In this example, the following classes needed to be added: HID, Keyboard, and {36fc9e60-c465-11cf-8056-444553540000} (the USB setup class, which covers USB host controllers and hubs). See Microsoft-provided USB drivers for more information.
If you want to restrict to certain devices, remove the device setup class of the peripheral that you want to limit. Then add the device ID that you want to add. Device ID is based on the vendor ID and product ID values for a device. For information on device ID formats, see Standard USB Identifiers.
To find the device IDs, see Look up device ID.
For example:
- Remove class USBDevice from Allow installation of devices using drivers that match these device setup classes.
- Add the device ID to allow in Allow installation of devices that match any of these device IDs.
Prevent installation and usage of USB drives and other peripherals
If you want to prevent the installation of a device class or certain devices, you can use the prevent device installation policies:
- Enable Prevent installation of devices that match any of these device IDs and add these devices to the list.
- Enable Prevent installation of devices using drivers that match these device setup classes.
Note
The prevent device installation policies take precedence over the allow device installation policies.
The Prevent installation of devices that match any of these device IDs policy allows you to specify a list of devices that Windows is prevented from installing.
To prevent installation of devices that match any of these device IDs:
- Look up device ID for devices that you want Windows to prevent from installing.
- Enable Prevent installation of devices that match any of these device IDs and add the vendor or product IDs to the list.
Look up device ID
You can use Device Manager to look up a device ID.
- Open Device Manager.
- Click View and select Devices by connection.
- From the tree, right-click the device and select Properties.
- In the dialog box for the selected device, click the Details tab.
- Click the Property drop-down list and select Hardware Ids.
- Right-click the top ID value and select Copy.
For information about Device ID formats, see Standard USB Identifiers.
For information on vendor IDs, see USB members.
A device's vendor ID and product ID (which form part of the device ID) can also be looked up with PowerShell, for example from the hardware IDs of the PnP device or from the PNPDeviceID of a Win32_DiskDrive instance.
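The following script is an added example, not code from the Microsoft documentation above. It enumerates the connected USB and USBSTOR device nodes and prints every identifier the device-installation policies can match on: the hardware IDs (from which VID and PID are extracted), the compatible IDs (class, subclass and protocol), the device instance ID, and the setup class GUID. It relies only on the built-in PnpDevice module of Windows 10 and later; run it from an elevated prompt for complete property data.

```powershell
# Added example (not from the original page): list the identifiers that Device
# Installation Restrictions match on for each connected USB device. Uses the
# built-in PnpDevice module (Windows 10 and later).

function Get-UsbPolicyIdentifiers {
    [CmdletBinding()]
    param(
        # Also list devices that were installed before but are not connected now.
        [switch]$IncludeAbsent
    )

    $devices = Get-PnpDevice -PresentOnly:(-not $IncludeAbsent) |
        Where-Object { $_.InstanceId -like 'USB\*' -or $_.InstanceId -like 'USBSTOR\*' }

    foreach ($dev in $devices) {
        # Each property is a separate PnP query; a missing property simply yields nothing.
        $hwIds  = @((Get-PnpDeviceProperty -InstanceId $dev.InstanceId -KeyName 'DEVPKEY_Device_HardwareIds'   -ErrorAction SilentlyContinue).Data)
        $cmpIds = @((Get-PnpDeviceProperty -InstanceId $dev.InstanceId -KeyName 'DEVPKEY_Device_CompatibleIds' -ErrorAction SilentlyContinue).Data)

        # VID/PID are in the most specific hardware ID, e.g. USB\VID_0781&PID_5567&REV_0100.
        # ($pid is a reserved automatic variable in PowerShell, hence $prodId.)
        $vid = $prodId = $null
        if ($hwIds.Count -gt 0 -and $hwIds[0] -match 'VID_(?<vid>[0-9A-F]{4})&PID_(?<pid>[0-9A-F]{4})') {
            $vid    = $Matches['vid']
            $prodId = $Matches['pid']
        }

        [pscustomobject]@{
            FriendlyName  = $dev.FriendlyName
            Class         = $dev.Class
            ClassGuid     = $dev.ClassGuid            # for the "device setup classes" lists
            InstanceId    = $dev.InstanceId           # for the "device instance IDs" lists
            VendorId      = $vid
            ProductId     = $prodId
            HardwareIds   = ($hwIds  -join ' ; ')     # for the "device IDs" lists
            CompatibleIds = ($cmpIds -join ' ; ')     # class/subclass/protocol, also matched by the "device IDs" lists
            Status        = $dev.Status               # "Error" after a policy block, "OK" when installed
        }
    }
}

Get-UsbPolicyIdentifiers | Format-List
```

Note that a USB flash drive appears as two nodes: the USB\VID_xxxx&PID_xxxx device (whose hardware IDs carry the VID and PID) and its USBSTOR\Disk... child, whose hardware IDs carry the vendor and product strings from the SCSI INQUIRY data instead. An allow or deny entry written for one node does not match the other, which is why the text above insists on testing with several physical units of the same model.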
The Prevent installation of devices using drivers that match these device setup classes policy allows you to specify device setup classes that Windows is prevented from installing.
To prevent installation of particular classes of devices:
- Find the GUID of the device setup class from System-Defined Device Setup Classes Available to Vendors.
- Enable Prevent installation of devices using drivers that match these device setup classes and add the class GUID to the list.
Block installation and usage of removable storage
- Sign in to the Microsoft Azure portal.
- Click Intune > Device configuration > Profiles > Create profile.
- Use the following settings:
- Name: Type a name for the profile
- Description: Type a description
- Platform: Windows 10 and later
- Profile type: Device restrictions
- Click Configure > General.
- For Removable storage and USB connection (mobile only), choose Block. Removable storage includes USB drives, whereas USB connection (mobile only) excludes USB charging but includes other USB connections on mobile devices only.
- Click OK to close General settings and Device restrictions.
- Click Create to save the profile.
Allow installation and usage of specifically approved peripherals
Peripherals that are allowed to be installed can be specified by their hardware identity. For a list of common identifier structures, see Device Identifier Formats. Test the configuration prior to rolling it out to ensure it blocks and allows the devices expected. Ideally test various instances of the hardware. For example, test multiple USB keys rather than only one.
For a SyncML example that allows installation of specific device IDs, see DeviceInstallation/AllowInstallationOfMatchingDeviceIDs CSP. To allow specific device classes, see DeviceInstallation/AllowInstallationOfMatchingDeviceSetupClasses CSP. Allowing installation of specific devices requires also enabling DeviceInstallation/PreventInstallationOfDevicesNotDescribedByOtherPolicySettings.
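The allow and prevent procedures above interact in a way that is easy to get wrong: an allow list has no effect until "prevent installation of devices not described by other policy settings" is enabled, and, as stated above, a prevent list always wins over an allow list. The following simulation is an added example, not code from the Microsoft documentation above. It evaluates a device's identifiers against a policy in that order; the policy reader assumes the registry value names the Device Installation Restrictions Administrative Template writes under HKLM\SOFTWARE\Policies\Microsoft\Windows\DeviceInstall\Restrictions (confirm them against the ADMX of your build), and the demonstration policy, devices and VID/PID values are constructed.

```powershell
# Added example (not from the original page): simulate Device Installation
# Restrictions for a device. Order of evaluation follows the rule stated above
# (prevent lists first, then allow lists, then the "not described" default).
# The registry value names below are an assumption to confirm against the ADMX.

$RestrictionsKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\DeviceInstall\Restrictions'

function Get-DeviceInstallRestrictions {
    # Reads the live local policy; every list is empty and every flag false when unset.
    function Read-List($sub) {
        $k = Join-Path $RestrictionsKey $sub
        if (-not (Test-Path $k)) { return @() }
        @((Get-ItemProperty $k).PSObject.Properties | Where-Object Name -Match '^\d+$' | ForEach-Object Value)
    }
    function Read-Flag($name) {
        (Get-ItemProperty $RestrictionsKey -Name $name -ErrorAction SilentlyContinue).$name -eq 1
    }
    @{
        DenyUnspecified  = Read-Flag 'DenyUnspecified'          # "not described by other policy settings"
        DenyRemovable    = Read-Flag 'DenyRemovableDevices'
        AllowDeviceIDs   = Read-List 'AllowDeviceIDs';     DenyDeviceIDs   = Read-List 'DenyDeviceIDs'
        AllowClasses     = Read-List 'AllowDeviceClasses'; DenyClasses     = Read-List 'DenyDeviceClasses'
        AllowInstanceIDs = Read-List 'AllowInstanceIDs';   DenyInstanceIDs = Read-List 'DenyInstanceIDs'
    }
}

function Test-DeviceInstallAllowed {
    param(
        [Parameter(Mandatory)][hashtable]$Policy,
        [string[]]$HardwareIds   = @(),   # e.g. USB\VID_0781&PID_5567&REV_0100, USB\VID_0781&PID_5567
        [string[]]$CompatibleIds = @(),   # e.g. USB\Class_08&SubClass_06&Prot_50
        [string]$InstanceId = '',
        [string]$ClassGuid  = '',
        [switch]$Removable
    )
    # Device-ID lists match any hardware or compatible ID of the device exactly
    # (case-insensitively); an entry with a REV_ suffix does not match one without.
    $ids = @($HardwareIds) + @($CompatibleIds)
    function Hit($list) { @($list | Where-Object { $ids -contains $_ }).Count -gt 0 }

    # Prevent policies first: any hit blocks, whatever the allow lists say.
    if ($Policy.DenyInstanceIDs -contains $InstanceId) { return 'Blocked: instance ID on prevent list' }
    if (Hit $Policy.DenyDeviceIDs)                     { return 'Blocked: device ID on prevent list' }
    if ($Policy.DenyClasses -contains $ClassGuid)      { return 'Blocked: setup class on prevent list' }
    if ($Removable -and $Policy.DenyRemovable)         { return 'Blocked: removable devices prevented' }
    # Then the allow policies.
    if ($Policy.AllowInstanceIDs -contains $InstanceId) { return 'Allowed: instance ID on allow list' }
    if (Hit $Policy.AllowDeviceIDs)                     { return 'Allowed: device ID on allow list' }
    if ($Policy.AllowClasses -contains $ClassGuid)      { return 'Allowed: setup class on allow list' }
    # Finally the default for devices no list describes.
    if ($Policy.DenyUnspecified) { return 'Blocked: not described by any policy setting' }
    'Allowed: no restriction applies'
}

# ---- Constructed demonstration policy and devices (VID/PID values are samples) ----
$policy = @{
    DenyUnspecified  = $true          # without this, the allow lists change nothing
    DenyRemovable    = $false
    AllowClasses     = '{745a17a0-74d3-11d0-b6fe-00a0c90f57da}',   # HID
                       '{4d36e96b-e325-11ce-bfc1-08002be10318}'    # Keyboard
    DenyClasses      = @()
    AllowDeviceIDs   = 'USB\Class_09',            # hub interfaces, so parent hubs still enumerate
                       'USB\VID_0781&PID_5567',   # the one approved flash-drive model
                       'USB\VID_1234&PID_0001'    # also on the prevent list below
    DenyDeviceIDs    = @('USB\VID_1234&PID_0001')
    AllowInstanceIDs = @(); DenyInstanceIDs = @()
}
# USB\VID&PID nodes of mass-storage devices are installed under the USB setup class
# (usbstor.inf); allowing that whole class would therefore admit every flash drive.
$usbClass = '{36fc9e60-c465-11cf-8056-444553540000}'
$cases = @(
    @{ Name = 'approved flash drive'; HardwareIds = 'USB\VID_0781&PID_5567&REV_0100', 'USB\VID_0781&PID_5567'
       CompatibleIds = 'USB\Class_08&SubClass_06&Prot_50'; ClassGuid = $usbClass; Removable = $true },
    @{ Name = 'unknown flash drive';  HardwareIds = 'USB\VID_0951&PID_1666&REV_0110', 'USB\VID_0951&PID_1666'
       CompatibleIds = 'USB\Class_08&SubClass_06&Prot_50'; ClassGuid = $usbClass; Removable = $true },
    @{ Name = 'on both lists';        HardwareIds = 'USB\VID_1234&PID_0001'; ClassGuid = $usbClass; Removable = $true },
    @{ Name = 'keyboard';             HardwareIds = 'USB\VID_046D&PID_C31C'; CompatibleIds = 'USB\Class_03&SubClass_01&Prot_01'
       ClassGuid = '{745a17a0-74d3-11d0-b6fe-00a0c90f57da}' }
)
foreach ($c in $cases) {
    $name = $c.Name; $c.Remove('Name')
    '{0,-22} {1}' -f $name, (Test-DeviceInstallAllowed -Policy $policy @c)
}
```

The four constructed cases come out as: approved flash drive allowed by device ID, unknown flash drive blocked as not described, the model on both lists blocked because the prevent entry wins, and the keyboard allowed by its HID setup class. To evaluate the live policy on a pilot machine, replace `$policy` with `Get-DeviceInstallRestrictions` and feed the identifiers of a real device.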
Prevent installation of specifically prohibited peripherals
Microsoft Defender for Endpoint blocks installation and usage of prohibited peripherals by using either of these options:
- Administrative Templates can block any device with a matching hardware ID or setup class.
- Device Installation CSP settings with a custom profile in Intune. You can prevent installation of specific device IDs or prevent specific device classes.
Allow installation and usage of specifically approved peripherals with matching device instance IDs
Peripherals that are allowed to be installed can be specified by their device instance IDs. Test the configuration prior to rolling it out to ensure it allows the devices expected. Ideally test various instances of the hardware. For example, test multiple USB keys rather than only one.
You can allow installation and usage of approved peripherals with matching device instance IDs by configuring DeviceInstallation/AllowInstallationOfMatchingDeviceInstanceIDs policy setting.
Prevent installation and usage of specifically prohibited peripherals with matching device instance IDs
Peripherals that are prohibited to be installed can be specified by their device instance IDs. Test the configuration prior to rolling it out to ensure it allows the devices expected. Ideally test various instances of the hardware. For example, test multiple USB keys rather than only one.
You can prevent installation of the prohibited peripherals with matching device instance IDs by configuring DeviceInstallation/PreventInstallationOfMatchingDeviceInstanceIDs policy setting.
Limit services that use Bluetooth
Using Intune, you can limit the services that can use Bluetooth through the 'Bluetooth allowed services' setting. In its default state, 'Bluetooth allowed services' allows everything. As soon as a service is added, the list becomes an allow list. If you add the Keyboards and Mice values and do not add the file transfer GUIDs, file transfer is blocked.
Use Microsoft Defender for Endpoint baseline settings
The Microsoft Defender for Endpoint baseline settings represent the recommended configuration for ATP. Configuration settings for baseline are located in the edit profile page of the configuration settings.
Prevent threats from removable storage
Removable storage devices can introduce additional security risk to your organization. Microsoft Defender for Endpoint can help identify and block malicious files on removable storage devices.
Microsoft Defender for Endpoint can also prevent USB peripherals from being used on devices to help prevent external threats. It does this by using the properties reported by USB peripherals to determine whether or not they can be installed and used on the device.
Note that if you block USB devices or any other device classes using the device installation policies, connected devices, such as phones, can still charge.
Note
Always test and refine these settings with a pilot group of users and devices first before widely distributing to your organization.
The following table describes the ways Microsoft Defender for Endpoint can help prevent threats from removable storage.
For more information about controlling USB devices, see the Microsoft Defender for Endpoint blog.
Control | Description |
---|---|
Enable Microsoft Defender Antivirus Scanning | Enable Microsoft Defender Antivirus scanning for real-time protection or scheduled scans. |
Block untrusted and unsigned processes on USB peripherals | Block USB files that are unsigned or untrusted. |
Protect against Direct Memory Access (DMA) attacks | Configure settings to protect against DMA attacks. |
Note
Because an unauthorized USB peripheral can have firmware that spoofs its USB properties, we recommend only allowing specifically approved USB peripherals and limiting the users who can access them.
Enable Microsoft Defender Antivirus Scanning
Protecting authorized removable storage with Microsoft Defender Antivirus requires enabling real-time protection or scheduling scans and configuring removable drives for scans.
- If real-time protection is enabled, files are scanned before they are accessed and executed. The scanning scope includes all files, including those on mounted removable devices such as USB drives. You can optionally run a PowerShell script to perform a custom scan of a USB drive after it is mounted, so that Microsoft Defender Antivirus starts scanning all files on a removable device once the removable device is attached. However, we recommend enabling real-time protection for improved scanning performance, especially for large storage devices.
- If scheduled scans are used, then you need to disable the DisableRemovableDriveScanning setting (enabled by default) to scan the removable device during a full scan. Removable devices are scanned during a quick or custom scan regardless of the DisableRemovableDriveScanning setting.
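The custom on-mount scan mentioned in the first bullet, and the DisableRemovableDriveScanning caveat in the second, are both covered by the following added example. It is not code from the Microsoft documentation above or from Microsoft's script: it subscribes to the Win32_VolumeChangeEvent indication and runs a Microsoft Defender Antivirus custom scan over each removable volume as it is mounted, using cmdlets from the built-in Defender module. The same mechanism is what the later passage on automatically running Defender Antivirus when a USB device is mounted refers to, here done locally rather than through a connector.

```powershell
# Added example (not from the original page): scan each removable volume with
# Microsoft Defender Antivirus as soon as it is mounted, and make sure scheduled
# full scans do not skip removable drives. Run in an elevated session and leave
# it open (or wrap it in a scheduled task that starts at boot).

Import-Module Defender   # Get-MpComputerStatus, Get/Set-MpPreference, Start-MpScan

# Real-time protection already scans files on removable media as they are opened;
# this hook is the "scan everything on arrival" variant described above.
if (-not (Get-MpComputerStatus).RealTimeProtectionEnabled) {
    Write-Warning 'Real-time protection is off; files on removable media are not scanned on access.'
}

# Scheduled/full scans skip removable drives while this preference is $true (the default).
if ((Get-MpPreference).DisableRemovableDriveScanning) {
    Set-MpPreference -DisableRemovableDriveScanning $false
}

function Invoke-RemovableVolumeScan {
    param([Parameter(Mandatory)][string]$DriveLetter)   # e.g. 'E:'
    $disk = Get-CimInstance Win32_LogicalDisk -Filter "DeviceID='$DriveLetter'"
    # DriveType 2 = removable. External HDD/SSD enclosures usually report 3 (fixed);
    # widen this test if those are in scope.
    if (-not $disk -or $disk.DriveType -ne 2) {
        return "skipped $DriveLetter (DriveType=$($disk.DriveType))"
    }
    Start-MpScan -ScanType CustomScan -ScanPath "$DriveLetter\"
    return "scanned $DriveLetter"
}

# Win32_VolumeChangeEvent: EventType 2 = device arrival (a volume got a drive letter), 3 = removal.
Register-CimIndicationEvent -SourceIdentifier 'UsbArrival' `
    -Query 'SELECT * FROM Win32_VolumeChangeEvent WHERE EventType = 2'

try {
    while ($true) {
        $evt   = Wait-Event -SourceIdentifier 'UsbArrival'
        $drive = $evt.SourceEventArgs.NewEvent.DriveName      # e.g. 'E:'
        Remove-Event -EventIdentifier $evt.EventIdentifier
        "$(Get-Date -Format s) $(Invoke-RemovableVolumeScan -DriveLetter $drive)"
    }
}
finally {
    Unregister-Event -SourceIdentifier 'UsbArrival'
}
```

A volume-arrival event fires only for volumes Windows mounts, so a device blocked by the installation policies above never reaches this scan; conversely, a device that spoofs a different class (the firmware caveat above) never produces a volume and is invisible to it. Treat the scan as a second layer behind device control, not a substitute for it.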
Note
We recommend enabling real-time monitoring for scanning. In Intune, you can enable real-time monitoring for Windows 10 in Device Restrictions > Configure > Microsoft Defender Antivirus > Real-time monitoring.
Block untrusted and unsigned processes on USB peripherals
End users might plug in removable devices that are infected with malware. To prevent infections, a company can block USB files that are unsigned or untrusted. Alternatively, companies can use the audit feature of attack surface reduction rules to monitor the activity of untrusted and unsigned processes that execute from a USB peripheral. This is done by setting the rule Untrusted and unsigned processes that run from USB to either Block or Audit only, respectively. With this rule, admins can prevent or audit unsigned or untrusted executable files from running from USB removable drives, including SD cards. Affected file types include executable files (such as .exe, .dll, or .scr) and script files such as PowerShell (.ps1), VisualBasic (.vbs), or JavaScript (.js) files.
These settings require enabling real-time protection.
- Sign in to the Microsoft Endpoint Manager admin center.
- Click Devices > Windows > Configuration Policies > Create profile.
- Use the following settings:
- Platform: Windows 10 and later
- Profile type: Device restrictions
- Click Create.
- For Unsigned and untrusted processes that run from USB, choose Block.
- Click OK to close settings and Device restrictions.
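For a pilot machine, or to verify what a deployed Intune profile actually landed, the same rule can be inspected and set locally. The following is an added example, not code from the Microsoft documentation above: it puts the "Block untrusted and unsigned processes that run from USB" rule into audit mode with Add-MpPreference, reads the resulting state back, and pulls the rule's audit (1122) and block (1121) events from the Defender operational log. The rule GUID is Microsoft's published identifier for this rule; a setting applied this way is overridden by MDM or Group Policy on managed devices.

```powershell
# Added example (not from the original page): configure and verify the ASR rule
# "Block untrusted and unsigned processes that run from USB" on the local machine.

Import-Module Defender
$UsbRule = 'b2b3f03d-6a65-4f7b-a9c7-1c7ef74a9ba4'   # published GUID of this ASR rule
$Actions = @{ 0 = 'Disabled'; 1 = 'Block'; 2 = 'Audit'; 6 = 'Warn' }

function Get-AsrRuleState {
    param([Parameter(Mandatory)][string]$RuleId)
    $p = Get-MpPreference
    # Ids and Actions are parallel arrays; locate the rule's index (GUID case varies).
    $ids = @($p.AttackSurfaceReductionRules_Ids | ForEach-Object ToLower)
    $i = [array]::IndexOf($ids, $RuleId.ToLower())
    if ($i -lt 0) { return 'Not configured' }
    $Actions[[int]$p.AttackSurfaceReductionRules_Actions[$i]]
}

function Set-AsrUsbRule {
    param([ValidateSet('Disabled', 'Block', 'Audit', 'Warn')][string]$Mode = 'Audit')
    $map = @{ Disabled = 'Disabled'; Block = 'Enabled'; Audit = 'AuditMode'; Warn = 'Warn' }
    # Add-MpPreference merges into the existing rule list; Set-MpPreference would replace it.
    Add-MpPreference -AttackSurfaceReductionRules_Ids $UsbRule -AttackSurfaceReductionRules_Actions $map[$Mode]
}

# ASR rules only evaluate with real-time protection on (as the text above notes).
if (-not (Get-MpComputerStatus).RealTimeProtectionEnabled) {
    Write-Warning 'Real-time protection is off; ASR rules will not fire.'
}

Set-AsrUsbRule -Mode Audit
"USB ASR rule state: $(Get-AsrRuleState -RuleId $UsbRule)"

# 1121 = blocked, 1122 = audited. Filter the operational log down to this rule's events.
Get-WinEvent -FilterHashtable @{ LogName = 'Microsoft-Windows-Windows Defender/Operational'; Id = 1121, 1122 } `
    -MaxEvents 50 -ErrorAction SilentlyContinue |
    Where-Object { $_.Message -match $UsbRule } |
    Select-Object TimeCreated, Id, Message
```

Run it in Audit for a pilot period and review the 1122 events before switching to Block: vendor update utilities and portable applications that users launch from USB are the usual false positives.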
Protect against Direct Memory Access (DMA) attacks
DMA attacks can lead to disclosure of sensitive information residing on a PC, or even injection of malware that allows attackers to bypass the lock screen or control PCs remotely. The following settings help to prevent DMA attacks:
- Beginning with Windows 10 version 1803, Microsoft introduced Kernel DMA Protection for Thunderbolt to provide native protection against DMA attacks via Thunderbolt ports. Kernel DMA Protection for Thunderbolt is enabled by system manufacturers and cannot be turned on or off by users. Beginning with Windows 10 version 1809, you can adjust the level of Kernel DMA Protection by configuring the DMA Guard CSP. This is an additional control for peripherals that don't support device memory isolation (also known as DMA-remapping). Memory isolation allows the OS to leverage the I/O Memory Management Unit (IOMMU) of a device to block unallowed I/O, or memory access, by the peripheral (memory sandboxing). In other words, the OS assigns a certain memory range to the peripheral. If the peripheral attempts to read/write to memory outside of the assigned range, the OS blocks it. Peripherals that support device memory isolation can always connect. Peripherals that don't can be blocked, allowed, or allowed only after the user signs in (default).
- On Windows 10 systems that do not support Kernel DMA Protection, you can:
Create customized alerts and response actions
You can create custom alerts and response actions with the WDATP Connector and the custom detection rules:
WDATP Connector response actions:
- Investigate: initiate investigations, collect an investigation package, and isolate a machine.
- Threat scanning on USB devices.
- Restrict execution of all applications on the machine except a predefined set.
The MDATP connector is one of over 200 pre-defined connectors including Outlook, Teams, Slack, etc. Custom connectors can be built.
Custom detection rules response actions: both machine-level and file-level actions can be applied.
For information on device control related advance hunting events and examples on how to create custom alerts, see Advanced hunting updates: USB events, machine-level actions, and schema changes.
Respond to threats
You can create custom alerts and automatic response actions with the Microsoft Defender for Endpoint Custom Detection Rules. Response actions within the custom detection cover both machine and file level actions. You can also create alerts and automatic response actions using PowerApps and Flow with the Microsoft Defender for Endpoint connector. The connector supports actions for investigation, threat scanning, and restricting running applications. It is one of over 200 pre-defined connectors including Outlook, Teams, Slack, and more. Custom connectors can also be built. See Connectors to learn more about connectors.
For example, using either approach, you can automatically have the Microsoft Defender Antivirus run when a USB device is mounted onto a machine.