Beware the USB Stick!

Oct 20, 2017
Author: Kris Zentek, Senior Product Manager

Privilege Guard v3.8 introduces Drive Rule

The Drive Rule is a new validation rule that lets you match applications being executed from particular types of drive. Not too dissimilar in concept to the file path rule (where applications are matched based on their directory location), the drive rule lets you target the drive itself.

So what do we mean by drive?

Basically, anything which shows up under My Computer with a drive letter.

Why is that important?

As you know, storage comes in many forms, and all modern PCs and laptops allow extra storage, or peripherals, to be plugged into external ports. Any storage peripheral that is plugged in, or loaded in the case of a CD-ROM, will then register itself with Windows as a drive and pop up in Explorer ready for the user to access.

Below is a summary of the different categories a drive would fall under:

  • Fixed Disk - Any drive identified as an internal Hard Disk
  • Network - Any drive mapped to a network share
  • RAM Disk - Any drive identified as a RAM disk
  • Removable Media - Any drive identified as generic Removable Media
  • USB - Any drive detected as a USB connected device
  • CD/DVD - Any drive identified as a CD or DVD optical drive
  • eSATA Drive - Any drive detected as an eSATA connected device
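The categories above map closely onto what Windows itself reports. As an added example (not code from the original post or from Avecto), the PowerShell function below classifies every lettered drive into those categories using the `Win32_LogicalDisk` and `Win32_DiskDrive` CIM classes; a USB-attached disk is recognised by walking from the logical disk to its physical drive and reading `InterfaceType`. eSATA is assumed not to be distinguishable from internal SATA through these classes, so such drives are reported as Fixed Disk.

```powershell
# Added example: classify lettered drives into the post's drive categories.
# Win32_LogicalDisk.DriveType: 2 = Removable, 3 = Local (fixed) disk,
# 4 = Network, 5 = CD/DVD, 6 = RAM disk.
function Get-DriveCategory {
    [CmdletBinding()]
    param()

    foreach ($disk in Get-CimInstance -ClassName Win32_LogicalDisk) {
        $interface = $null
        if ($disk.DriveType -in 2, 3) {
            # Walk LogicalDisk -> DiskPartition -> DiskDrive to read the bus interface
            # (e.g. 'USB', 'IDE', 'SCSI'). Only local disks have this association.
            $partition = Get-CimAssociatedInstance -InputObject $disk `
                -ResultClassName Win32_DiskPartition -ErrorAction SilentlyContinue |
                Select-Object -First 1
            if ($partition) {
                $physical = Get-CimAssociatedInstance -InputObject $partition `
                    -ResultClassName Win32_DiskDrive -ErrorAction SilentlyContinue |
                    Select-Object -First 1
                if ($physical) { $interface = $physical.InterfaceType }
            }
        }

        # A USB stick usually reports DriveType 2 and a USB hard disk DriveType 3,
        # so the bus interface, not DriveType, decides the USB category.
        $category = if ($interface -eq 'USB') {
            'USB'
        } else {
            switch ([int]$disk.DriveType) {
                2       { 'Removable Media' }
                3       { 'Fixed Disk' }        # eSATA is assumed to land here as well
                4       { 'Network' }
                5       { 'CD/DVD' }
                6       { 'RAM Disk' }
                default { 'Unknown' }
            }
        }

        [pscustomobject]@{
            Drive      = $disk.DeviceID
            Category   = $category
            Interface  = $interface
            FileSystem = $disk.FileSystem   # NTFS, FAT32, exFAT, CDFS, UDF ...
        }
    }
}

Get-DriveCategory | Format-Table -AutoSize
```

The `FileSystem` column is worth keeping in the output: it is the same property the "untrustworthy file systems" point below turns on, since a drive whose file system carries no owner information cannot satisfy an owner-based rule no matter what category it falls into.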

OK, so why should I be concerned?

There are a number of reasons why a drive type is cause for security concerns, specifically any drive that allows the user to transport code onto their computer. Below are some example scenarios which highlight just some of the issues:

Untrustworthy file systems

Non-standard media, such as home-made CD/DVD-ROMs and USB sticks, cannot be relied on to carry a file system with security metadata. In many cases it will be FAT, which stores no owner or ACL information, so robust policies designed to match on properties such as Trusted Owner may not be applicable to code on those drives.

Executing unknown code from personal media and devices should always be blocked by default.

TIP: The drive rule, when used in combination with the Trusted Owner rule, creates a robust layer of protection that prevents users from executing code from untrusted devices, and also prevents users from bypassing this by copying the code to a trusted drive. NTFS security ensures that the user who introduces the code becomes its owner, and a standard user is an untrusted owner, which results in an automatic block by Avecto software.

Auto-run exploitation

Many USB devices as well as CD/DVDs include auto-run capabilities, where a specific application on the media executes automatically once the device is connected or the disc inserted. This is a common attack vector used by cybercriminals against unsuspecting users to gain control of a computer. For example, a malicious auto-run executable that installs a trojan or keylogger is presented on a CD to a target through social engineering, or on a USB stick dropped by an office entrance. Simply plugging the media into your desktop is all that it takes to seize control of the computer and open a backdoor for further exploitation.

Auto-run executables pose a significant security risk to any organization, and should be blocked by default.
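Application control blocks the auto-run executable itself; the complementary Windows-side mitigation is to turn AutoRun off by policy. As an added example (not from the original post or from Avecto), the function below audits the `NoDriveTypeAutoRun` policy value that Explorer honours in the HKLM and HKCU `Policies\Explorer` keys. The value is a bitmask in which bit `1 shl DriveType` (the `Win32_LogicalDisk` drive-type number) disables AutoRun for that drive type, so `0xFF` disables it everywhere; when the value is absent, Windows' built-in default applies and the report says "Not configured".

```powershell
# Added example: report, per drive type and per hive, whether AutoRun is disabled
# by the NoDriveTypeAutoRun policy bitmask.
function Get-AutoRunPolicy {
    [CmdletBinding()]
    param()

    $keys = @(
        'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer',
        'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer'
    )
    # Win32 drive-type numbers and the post's category names.
    $driveTypes = @{ 2 = 'Removable Media / USB'; 3 = 'Fixed Disk'; 4 = 'Network'; 5 = 'CD/DVD'; 6 = 'RAM Disk' }

    foreach ($key in $keys) {
        $value = (Get-ItemProperty -Path $key -Name NoDriveTypeAutoRun -ErrorAction SilentlyContinue).NoDriveTypeAutoRun

        foreach ($type in ($driveTypes.Keys | Sort-Object)) {
            # Bit (1 shl DriveType) set => AutoRun disabled for that drive type.
            $disabled = ($null -ne $value) -and ((([int]$value) -band (1 -shl $type)) -ne 0)
            $state = if ($null -eq $value) { 'Not configured' }
                     elseif ($disabled)    { 'Disabled' }
                     else                  { 'Allowed' }

            [pscustomobject]@{
                Hive      = $key.Split(':')[0]
                DriveType = $driveTypes[$type]
                AutoRun   = $state
            }
        }
    }
}

Get-AutoRunPolicy | Format-Table -AutoSize
```

Run it on a machine that has received the AutoRun group policy and every row for both hives should read "Disabled"; an "Allowed" or "Not configured" row for Removable Media or CD/DVD is the gap the scenario above exploits.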

Portable app installs

Portable apps offer users a convenient way of transporting their favorite application, web browser or game from computer to computer. They do not need to be installed (that's what makes them portable), and they are generally designed to run without admin rights (many apps only need admin rights because they require access to protected areas of the registry and file system).

Because of the lightweight nature of portable apps, they can very easily slip past application control mechanisms; you only need to take a look at the range of available portable apps to realize this can pose significant problems from both a security and license compliance perspective.

Portable apps allow users to run untrusted and unauthorized code, and should be blocked by default.

To block or not to block?

Applying a blanket stop on all of the above may be a great idea from a security perspective, but there are cases where users genuinely need to run code from CD/DVDs (for example a vendor installation disk). Likewise, many IT departments have genuine use cases for portable debugging tools. So a flexible, granular and policy-based level of control is required.

Privilege Guard 3.8 Drive Rule

The new drive rule can be used in combination with any of the other 18+ validation rules that Avecto offers, giving you a diverse set of criteria to target applications individually or by classification.

Firewall-style rules mean you can easily build a robust security model for dealing with unauthorized code introduced through unknown drive types, and strong validation rules enable allow-listing of trusted and authorized applications.
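To make the firewall-style model concrete, and to show the TIP from the "Untrustworthy file systems" section in action, here is an added example (not Avecto or BeyondTrust code) of a first-match-wins rule list that combines a drive rule, a trusted-owner check and a path/user condition, evaluated against constructed execution events. The event field names, the `CORP\it-*` account naming for the IT support exception and the rule set itself are assumptions for illustration; on a live system `Owner` would come from `(Get-Acl $path).Owner` and `FileSystem` from `Win32_LogicalDisk`.

```powershell
# Added example: ordered, first-match-wins policy combining drive type and
# trusted owner, with default deny. All events below are constructed.

$TrustedOwners   = @('BUILTIN\Administrators', 'NT AUTHORITY\SYSTEM', 'NT SERVICE\TrustedInstaller')
$UntrustedDrives = @('USB', 'Removable Media', 'CD/DVD', 'eSATA Drive')

function Test-TrustedOwner {
    param([hashtable]$Event)
    # FAT, exFAT and CDFS carry no owner information, so the check cannot pass there.
    if ($Event.FileSystem -ne 'NTFS') { return $false }
    return ($TrustedOwners -contains $Event.Owner)
}

# Rules are evaluated top to bottom; the first whose Match returns $true decides.
$Rules = @(
    @{ Name   = 'Allow vendor install media for IT support'
       Action = 'Allow'
       Match  = { param($e) ($e.Drive -eq 'CD/DVD') -and ($e.User -like 'CORP\it-*') } }  # hypothetical account naming
    @{ Name   = 'Block code on untrusted drive types'
       Action = 'Block'
       Match  = { param($e) $UntrustedDrives -contains $e.Drive } }
    @{ Name   = 'Allow trusted-owner code on fixed and network drives'
       Action = 'Allow'
       Match  = { param($e) ($e.Drive -in 'Fixed Disk', 'Network') -and (Test-TrustedOwner $e) } }
)

function Test-ExecutionPolicy {
    param([hashtable]$Event)
    foreach ($rule in $Rules) {
        if (& $rule.Match $Event) {
            return [pscustomobject]@{ Path = $Event.Path; Action = $rule.Action; Rule = $rule.Name }
        }
    }
    # Nothing matched: default deny.
    [pscustomobject]@{ Path = $Event.Path; Action = 'Block'; Rule = 'Default deny' }
}

# Constructed sample events. Event 2 is the bypass attempt from the TIP: the same
# executable copied from the USB stick to the NTFS system drive, where the
# standard user who copied it becomes its owner.
$Events = @(
    @{ Path = 'E:\autorun\setup.exe';               Drive = 'USB';        FileSystem = 'FAT32'; Owner = $null;                        User = 'CORP\alice'  }
    @{ Path = 'C:\Users\alice\Downloads\setup.exe'; Drive = 'Fixed Disk'; FileSystem = 'NTFS';  Owner = 'CORP\alice';                 User = 'CORP\alice'  }
    @{ Path = 'C:\Program Files\Vendor\app.exe';    Drive = 'Fixed Disk'; FileSystem = 'NTFS';  Owner = 'NT SERVICE\TrustedInstaller'; User = 'CORP\alice'  }
    @{ Path = 'D:\install.exe';                     Drive = 'CD/DVD';     FileSystem = 'CDFS';  Owner = $null;                        User = 'CORP\it-bob' }
)

$Events | ForEach-Object { Test-ExecutionPolicy $_ } | Format-Table -AutoSize
```

With these events the USB executable is blocked by the drive rule, the copy in the user's Downloads folder falls through to default deny because its NTFS owner is the standard user, the vendor application under Program Files is allowed on trusted ownership, and the install disc is allowed only because the IT support exception sits above the drive-type block. Reordering those two rules would silently close the exception, which is the usual reason to keep the allow exceptions above the broad blocks and to end with an explicit default deny.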

Introducing Defendpoint

Edit: Privilege Guard has now evolved into the brand new security suite, Defendpoint, which encompasses Privilege Management, Application Control and Sandboxing. For more information, please visit www.avecto.com/defendpoint.
