Recently I’ve been hearing about malware mounting ISOs as a method of bypassing AV and EDR. For example this article from Bleeping Computer - “Uptick Seen in ISO Email Attachments Delivering Malware” posted December 23rd, 2019, or DARK Reading - “ChromeLoader Malware Hijacks Browsers with ISO Files” posted May 27th, 2022.

The problem I found with these articles and many like it didn’t really offer any sort of method to protect yourself or you company from ISO mounted malware, so I went to try to find a solution myself (couldn’t be that hard right?). Turns out that if you google for “Stop Windows from Mounting ISOs” or something similar you get a bunch of MSDN articles for people trying to solve the same issue for one reason or another.

After a lot of googling I found this article on Winaero - “Remove Mount Context Menu in Windows 10” posted April 5th 2018. This article shows how to add a simple registry key under HKEY_CLASSES_ROOT\Windows.IsoFile\shell\mount called ProgramaticAccessOnly which would remove the context menu item when you right clicked an ISO. It also removed the functionality of double clicking to auto-mount ISOs. Here is the tweet from May 4th, 2022 when I figured this out:

This was great because you could put this into a Group Policy and make it so everyone was protected but administrators could still mount drives with PowerShell and the Mount-DiskImage command.

I haven’t seen malware that downloads ISOs and executes whats in them programmatically after mounting them, but I have heard that this type of malware does exist, and the above protection won’t stop that type of malware use case. So I went digging again for a more holistic approach.

After a lot of googling again, I found this post from NeighborGeek - “Error mounting ISO file - ‘Sorry, there was a problem mounting the file’” posted October 31st, 2017. In this post it described “Device Installation Restrictions” in Group Policy that were blocking ISOs from being mounted. I didn’t know how to make those settings but I found a great article on MSDN - “Manage Device installation with Group Policy” that showed me how.

After playing around with it a bit I was able to block ISOs from being mounted by double click, by context menu, and programmatically through powershell with one simple GPO:

KEY TAKEAWAY: I would highly recommend this GPO on all of your workstations / laptops. Obviously servers need ISOs a lot more (not sure it’s all that common to mount an ISO directly in the OS directly anymore instead of through virtualization software, but I definitely haven’t been a sysadmin in a while).

Here is the tweet from May 21st, 2022 once I figured it out: