Configuring the BadUSB Attack Prevention component

17 May 2024

ID 230866

Some malware modifies the firmware of USB devices (for example, a USB flash drive) to trick the operating system into detecting the USB device as a keyboard. As a result, when the device is connected to a computer, the malware may execute commands (for example, download other malware).

The BadUSB Attack Prevention component prevents infected USB devices emulating a keyboard from connecting to the computer.

This feature is available only if you activated Kaspersky Endpoint Security Cloud under a Kaspersky Endpoint Security Cloud Pro license.

When a USB device is connected to the computer and identified as a keyboard by the operating system, the application prompts the user to use this keyboard and enter a numerical code generated by the application. This procedure is known as keyboard authorization.

If the code has been entered correctly, the application saves the identification parameters—VID/PID of the keyboard and the number of the port to which it has been connected—in the list of authorized keyboards. Keyboard authorization does not need to be repeated when the keyboard is reconnected or after the operating system is restarted.

When the authorized keyboard is connected to a different USB port of the computer, the application shows a prompt for authorization of this keyboard again.

If the numerical code has been entered incorrectly, the application generates a new code. You can configure the number of attempts for entering the numerical code. If the numerical code is entered incorrectly several times or the keyboard authorization window is closed, the application blocks input from this keyboard. When the USB device blocking time elapses or the operating system is restarted, the application prompts the user to perform a keyboard authorization again.

The application allows use of an authorized keyboard and blocks a keyboard that has not been authorized.

To configure the BadUSB Attack Prevention component:

  1. Open Kaspersky Endpoint Security Cloud Management Console.
  2. Select the Security managementSecurity profiles section.

    The Security profiles section contains a list of security profiles configured in Kaspersky Endpoint Security Cloud.

  3. In the list, select the security profile for the devices on which you want to configure the BadUSB Attack Prevention component.
  4. Click the link with the profile name to open the security profile properties window.

    The security profile properties window displays settings available for all devices.

  5. In the Windows group, select the Security settings section.
  6. Switch the toggle button to BadUSB Attack Prevention is enabled.
  7. Click the Settings link below the BadUSB Attack Prevention is enabled toggle button.

    The BadUSB Attack Prevention component settings page opens.

  8. In Maximum number of keyboard authorization attempts (between 1 and 10), specify the maximum number of attempts that the user has to enter the numerical code generated by the application.
  9. In Timeout when reaching the maximum number of attempts (between 1 and 180 minutes), specify the number of minutes for which the application blocks a keyboard after the user enters the numerical code incorrectly the maximum number of times.
  10. Click the Save button.

After the security profile is applied, the BadUSB Attack Prevention component is enabled and configured on Windows devices.

Did you find this article helpful?
What can we do better?
Thank you for your feedback! You're helping us improve.
Thank you for your feedback! You're helping us improve.