Blocking ISO mounting

Recently I’ve been hearing about malware mounting ISOs as a method of bypassing AV and EDR. For example this article from Bleeping Computer – “Uptick Seen in ISO Email Attachments Delivering Malware” posted December 23rd, 2019, or DARK Reading – “ChromeLoader Malware Hijacks Browsers with ISO Files” posted May 27th, 2022.

The problem I found with these articles and many like it didn’t really offer any sort of method to protect yourself or you company from ISO mounted malware, so I went to try to find a solution myself (couldn’t be that hard right?). Turns out that if you google for “Stop Windows from Mounting ISOs” or something similar you get a bunch of MSDN articles for people trying to solve the same issue for one reason or another.

After a lot of googling I found this article on Winaero – “Remove Mount Context Menu in Windows 10” posted April 5th 2018. This article shows how to add a simple registry key under HKEY_CLASSES_ROOT\Windows.IsoFile\shell\mount called ProgramaticAccessOnly which would remove the context menu item when you right clicked an ISO. It also removed the functionality of double clicking to auto-mount ISOs. Here is the tweet from May 4th, 2022 when I figured this out:

For those that are dealing with ISO based malware downloads, might I suggest the following solution: https://t.co/2SHxqQFCTG

Basically add "ProgrammaticAccessOnly" to HKEY_CLASSES_ROOT\Windows.IsoFile\shell\mount as a REG_SZ

This can be done at a GPO level 🙂

— Rob Fuller (@mubix) May 4, 2022

This was great because you could put this into a Group Policy and make it so everyone was protected but administrators could still mount drives with PowerShell and the Mount-DiskImage command.

I haven’t seen of malware that downloads ISOs and executes whats in them programmatically after mounting them, then this protection won’t stop it. I have heard that this type of malware does exist, so I went digging again for a more holistic approach.

After a lot of googling again, I found this post from NeighborGeek – “Error mounting ISO file – ‘Sorry, there was a problem mounting the file’” posted October 31st, 2017. In this post it described “Device Installation Restrictions” in Group Policy that were blocking ISOs from being mounted. I didn’t know how to make those settings but I found a great article on MSDN – “Manage Device installation with Group Policy” that showed me how.

After playing around with it a bit I was able to block ISOs from being mounted by double click, by context menu, and programmatically through powershell with one simple GPO:

KEY TAKEAWAY: I would highly recommend this GPO on all of your workstations / laptops. Obviously servers need ISOs a lot more (not sure it’s all that common to mount an ISO directly in the OS directly anymore instead of through virtualization software, but I definitely haven’t been a sysadmin in a while).

Here is the tweet from May 21st, 2022 once I figured it out:

After some conversations about this fix, I wanted to look for something more wholistic. Something that would stop both double click, right click mount, and scripted mounting from powershell, etc. So I found this:https://t.co/5ABmw1acIK
which led me here:https://t.co/2at7IhOhTt https://t.co/xP5IZhwcNK

— Rob Fuller (@mubix) May 21, 2022

*** This is a Security Bloggers Network syndicated blog from Posts on malicious.link authored by Posts on malicious.link. Read the original post at: https://malicious.link/post/2022/blocking-iso-mounting/