Recently I’ve been hearing about malware mounting ISOs as a method of bypassing AV and EDR. For example this article from Bleeping Computer - “Uptick Seen in ISO Email Attachments Delivering Malware” posted December 23rd, 2019, or DARK Reading - “ChromeLoader Malware Hijacks Browsers with ISO Files” posted May 27th, 2022.
The problem with these articles, and many like them, is that they didn’t offer any method for protecting yourself or your company from ISO-mounted malware, so I went to find a solution myself (couldn’t be that hard, right?). Turns out that if you google for “Stop Windows from Mounting ISOs” or something similar you get a bunch of MSDN articles from people trying to solve the same issue for one reason or another.
After a lot of googling I found this article on Winaero - “Remove Mount Context Menu in Windows 10” posted April 5th 2018. It shows how to add a single REG_SZ value named ProgrammaticAccessOnly under HKEY_CLASSES_ROOT\Windows.IsoFile\shell\mount, which removes the context menu item when you right-click an ISO. It also removes the ability to auto-mount an ISO by double-clicking it. Here is the tweet from May 4th, 2022 when I figured this out:
For those that are dealing with ISO based malware downloads, might I suggest the following solution: https://t.co/2SHxqQFCTG
— Rob Fuller (@mubix) May 4, 2022
Basically add "ProgrammaticAccessOnly" to HKEY_CLASSES_ROOT\Windows.IsoFile\shell\mount as a REG_SZ
This can be done at a GPO level :)
This was great because you could put this into a Group Policy and make it so everyone was protected, while administrators could still mount ISOs with PowerShell and the Mount-DiskImage cmdlet.
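Here is the registry change done from PowerShell, with a check that the shell verb is hidden and that Mount-DiskImage still works for an admin. This is an added example, not code from the post or the Winaero article; it assumes an elevated prompt, that HKEY_CLASSES_ROOT\Windows.IsoFile is written through its machine-wide backing key HKLM:\SOFTWARE\Classes, and a test image at C:\Temp\test.iso.

```powershell
# Added example: hide the "Mount" verb for .iso files with the
# ProgrammaticAccessOnly value, then show that scripted mounting still works.
# Assumptions (mine, not the post's): run elevated; HKCR\Windows.IsoFile is
# edited via HKLM:\SOFTWARE\Classes; C:\Temp\test.iso is a test image.
# A Group Policy Preferences "Registry" item pointing at the same key
# rolls this out to a whole OU.

$mountVerb = 'HKLM:\SOFTWARE\Classes\Windows.IsoFile\shell\mount'

function Set-IsoMountVerbHidden {
    param([switch]$Undo)
    if ($Undo) {
        Remove-ItemProperty -Path $mountVerb -Name 'ProgrammaticAccessOnly' -ErrorAction SilentlyContinue
        return
    }
    # REG_SZ; the shell only checks that the value exists, so empty data is fine.
    New-ItemProperty -Path $mountVerb -Name 'ProgrammaticAccessOnly' `
        -PropertyType String -Value '' -Force | Out-Null
}

function Test-IsoMountVerbHidden {
    # $true when the value is present (double-click and right-click "Mount" are gone)
    $null -ne (Get-ItemProperty -Path $mountVerb -Name 'ProgrammaticAccessOnly' -ErrorAction SilentlyContinue)
}

Set-IsoMountVerbHidden
"Mount verb hidden: $(Test-IsoMountVerbHidden)"

# The admin path is untouched: Mount-DiskImage still mounts the image.
$iso = 'C:\Temp\test.iso'
if (Test-Path $iso) {
    $img = Mount-DiskImage -ImagePath $iso -PassThru
    "Mounted as drive: $(($img | Get-Volume).DriveLetter)"
    Dismount-DiskImage -ImagePath $iso | Out-Null
}
```

Run `Set-IsoMountVerbHidden -Undo` to restore the verb. Keep in mind that this only removes the Explorer entry points; anything that calls Mount-DiskImage or the underlying disk-image API directly is unaffected, which is exactly the gap the rest of the post is about.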
I haven’t seen malware that downloads ISOs and programmatically mounts them and then executes what’s inside, but I have heard that this type of malware exists, and the protection above won’t stop that use case. So I went digging again for a more holistic approach.
After a lot of googling again, I found this post from NeighborGeek - “Error mounting ISO file - ‘Sorry, there was a problem mounting the file’” posted October 31st, 2017. In this post it described “Device Installation Restrictions” in Group Policy that were blocking ISOs from being mounted. I didn’t know how to make those settings but I found a great article on MSDN - “Manage Device installation with Group Policy” that showed me how.
After playing around with it a bit I was able to block ISOs from being mounted by double-click, by context menu, and programmatically through PowerShell with one simple Device Installation Restrictions GPO.
KEY TAKEAWAY: I would highly recommend this GPO on all of your workstations / laptops. Obviously servers need ISOs a lot more (not sure it’s all that common to mount an ISO directly in the OS anymore instead of through virtualization software, but I definitely haven’t been a sysadmin in a while).
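The following is an added example of the same idea applied as local policy rather than via the GPO editor; it is not the post’s own GPO and does not reproduce its screenshot. It writes the registry values behind the Device Installation Restrictions setting “Prevent installation of devices that match any of these device IDs”, targeting the virtual DVD-ROM device Windows creates when an ISO is mounted. Rather than hard-coding that hardware ID, it mounts a test image once and reads the ID off the live device. Assumptions (mine): an elevated prompt on a test machine, a test image at C:\Temp\test.iso, and that the device’s FriendlyName contains “Virtual DVD-ROM” (confirm with Get-PnpDevice -Class CDROM before trusting the filter).

```powershell
# Added example (not from the post): local-policy equivalent of the
# Device Installation Restrictions setting that denies devices by hardware ID,
# pointed at the virtual DVD-ROM that backs every mounted ISO.
# Assumptions (mine): elevated prompt; C:\Temp\test.iso exists; the device's
# FriendlyName matches 'Virtual DVD-ROM'.

$iso = 'C:\Temp\test.iso'
$restrictions = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\DeviceInstall\Restrictions'

function Get-VirtualDvdHardwareId {
    # Mount once so the device exists, read its most specific hardware ID, dismount.
    Mount-DiskImage -ImagePath $iso | Out-Null
    try {
        $dev = Get-PnpDevice -Class CDROM -PresentOnly |
               Where-Object FriendlyName -match 'Virtual DVD-ROM' |
               Select-Object -First 1
        if (-not $dev) { throw 'Virtual DVD-ROM device not found; adjust the FriendlyName filter.' }
        $dev.HardwareID[0]      # first entry is the most specific ID
    } finally {
        Dismount-DiskImage -ImagePath $iso | Out-Null
    }
}

function Set-VirtualDvdBlocked {
    param([Parameter(Mandatory)][string]$HardwareId)
    New-Item -Path "$restrictions\DenyDeviceIDs" -Force | Out-Null
    # Enable "Prevent installation of devices that match any of these device IDs".
    Set-ItemProperty -Path $restrictions -Name DenyDeviceIDs -Type DWord -Value 1
    # Retroactive = "also apply to matching devices that are already installed".
    Set-ItemProperty -Path $restrictions -Name DenyDeviceIDsRetroactive -Type DWord -Value 1
    # Denied IDs are string values named 1, 2, ... under the DenyDeviceIDs subkey.
    Set-ItemProperty -Path "$restrictions\DenyDeviceIDs" -Name 1 -Type String -Value $HardwareId
}

function Test-IsoMountBlocked {
    # $true when Mount-DiskImage now fails, i.e. double-click, context menu
    # and scripted mounting all hit the same denied device.
    try {
        Mount-DiskImage -ImagePath $iso -ErrorAction Stop | Out-Null
        Dismount-DiskImage -ImagePath $iso | Out-Null
        $false
    } catch {
        $true
    }
}

$hwid = Get-VirtualDvdHardwareId
"Hardware ID to deny: $hwid"
Set-VirtualDvdBlocked -HardwareId $hwid
"ISO mount blocked: $(Test-IsoMountBlocked)"
```

If the check still reports `$false` immediately after the write, the PnP manager may not have re-read policy yet; run `gpupdate /force` or reboot and re-test. For a domain, set the same thing in the GPO editor under Computer Configuration > Administrative Templates > System > Device Installation > Device Installation Restrictions so it is enforced and not just a local registry value a local admin can undo. The deny list only matches the ID you captured, so verify it on each Windows build you care about.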
Here is the tweet from May 21st, 2022 once I figured it out:
After some conversations about this fix, I wanted to look for something more holistic. Something that would stop both double click, right click mount, and scripted mounting from powershell, etc. So I found this: https://t.co/5ABmw1acIK
— Rob Fuller (@mubix) May 21, 2022
which led me here: https://t.co/2at7IhOhTt https://t.co/xP5IZhwcNK