How to have removable devices scanned as soon as they are plugged

Matias Keib 26 Reputation points
2023-02-14T13:45:04.3266667+00:00

Hey guys,

So I need to make sure USBs will be scanned for any type of vulnerability as soon as they are plugged into the endpoint. I actually recommended blocking the USB ports, but the users of the org really need to use them and are not willing to have them scanned by trained personnel before each new connection (they will use their removable devices to share files with other orgs whose security posture we aren't aware of). This leaves us with only one option: make sure the device is thoroughly scanned each time it is connected to an endpoint in the organization.

The problem is, we searched all over Learn (and third-party blogs) and all we found is a way to enforce scans on removable devices during full scans on the endpoint, either by an Intune policy, a GPO, or the Windows Defender config. The removable device will be scanned only if there is an ongoing system scan, not because it was plugged in.

Last but not least, we placed a malicious script (for testing purposes) on a thumb drive and plugged it into a Defender 365 onboarded endpoint. Neither Windows Defender nor Defender for Endpoint threw any alert whatsoever, but when we manually scanned the drive Windows DID report a vulnerability.

So, could it really be that there is no way to force a scan of a removable device as soon as it connects to a USB port? Third-party antivirus software has such a capability, so are we missing something here?

Thank you very much guys!


1 answer

  1. Limitless Technology 44,776 Reputation points
    2023-02-16T10:02:27.7733333+00:00

    Hi. Thank you for your question and reaching out. I’d be more than happy to help you with your query.

    You are correct that by default, Windows Defender and Defender for Endpoint do not automatically scan removable devices as soon as they are connected to a USB port. However, there are some third-party antivirus solutions that do offer this capability.

    One possible solution is to use a script to trigger a manual scan of the USB drive as soon as it is plugged in. This can be achieved using a combination of PowerShell and Windows Event Triggers. Here's a high-level overview of the steps:

    1. Create a PowerShell script that triggers a Windows Defender scan of the removable device. The command for initiating a scan is `Start-MpScan -ScanType CustomScan -ScanPath <path to removable drive>`.

    2. Create a Windows Event Trigger that is triggered when a device is connected to a USB port. The event ID for this is 2003.

    3. Configure the Windows Event Trigger to run the PowerShell script created in step 1 when the event is triggered.

    This approach will allow you to scan the removable device as soon as it is plugged in, without requiring manual intervention from the user. However, it does require some technical expertise to implement, and it may not be foolproof against all types of malware. It's also worth noting that using a third-party antivirus solution that offers this capability may be a more robust solution in the long run.

    If the reply was helpful, please don’t forget to upvote or accept as answer, thank you.

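The three steps in the answer above, carried through as one added example script (not the answerer's code): the same file scans every removable volume with `Start-MpScan` when the scheduled task runs it, and registers that task with an event trigger when run once with `-Register`. Assumed, because the answer does not name them: the event log channel `Microsoft-Windows-DriverFrameworks-UserMode/Operational` for event ID 2003, the script path, the task name, and the 15-second mount delay.

```powershell
# Scan-Removable.ps1 (added example). Run once as admin with -Register to
# create the task; the task then runs this file without the switch on each
# event 2003. Assumptions: log channel, script path, task name, delay.
param([switch]$Register)

function Invoke-RemovableScan {
    # DriveType 2 = removable disk in Win32_LogicalDisk
    $drives = Get-CimInstance Win32_LogicalDisk -Filter "DriveType = 2"
    foreach ($d in $drives) {
        $path = "$($d.DeviceID)\"
        Write-Output "Scanning removable volume $path"
        Start-MpScan -ScanType CustomScan -ScanPath $path
    }
    # Surface anything Defender flagged in the last 10 minutes so the
    # detection can be correlated with the plug-in event.
    Get-MpThreatDetection |
        Where-Object { $_.InitialDetectionTime -gt (Get-Date).AddMinutes(-10) } |
        Select-Object InitialDetectionTime, Resources, ThreatID
}

function Register-RemovableScanTask {
    param(
        [string]$ScriptPath = 'C:\ProgramData\UsbScan\Scan-Removable.ps1',
        [string]$TaskName   = 'Defender-ScanRemovableOnPlug'
    )
    # Assumed channel for event 2003; it is disabled by default, so enable it:
    #   wevtutil sl Microsoft-Windows-DriverFrameworks-UserMode/Operational /e:true
    $log = 'Microsoft-Windows-DriverFrameworks-UserMode/Operational'
    $sub = "<QueryList><Query Id='0' Path='$log'>" +
           "<Select Path='$log'>*[System[EventID=2003]]</Select></Query></QueryList>"
    $cls = Get-CimClass -ClassName MSFT_TaskEventTrigger `
                        -Namespace Root/Microsoft/Windows/TaskScheduler
    $trigger = New-CimInstance -CimClass $cls -ClientOnly
    $trigger.Subscription = $sub
    $trigger.Enabled = $true
    $trigger.Delay = 'PT15S'    # let the volume finish mounting first
    $action = New-ScheduledTaskAction -Execute 'powershell.exe' `
        -Argument "-NoProfile -NonInteractive -File `"$ScriptPath`""
    # Run as SYSTEM so the scan does not depend on the logged-on user's rights
    $principal = New-ScheduledTaskPrincipal -UserId 'SYSTEM' `
        -LogonType ServiceAccount -RunLevel Highest
    $settings = New-ScheduledTaskSettingsSet -MultipleInstances IgnoreNew
    Register-ScheduledTask -TaskName $TaskName -Trigger $trigger `
        -Action $action -Principal $principal -Settings $settings -Force
}

if ($Register) { Register-RemovableScanTask } else { Invoke-RemovableScan }
```

Confirm the trigger fires on a test drive by checking Task Scheduler history for the task and `Get-MpThreatDetection` for the resulting detection; if the chosen channel does not log 2003 on your build, swap the `$log` and XPath for the event you observe in Event Viewer.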
