Client software for a hardware USB malware-sanitisation device

The endpoint agent and management server that let a hardware USB-sanitisation appliance enforce itself across a fleet — no unverified drive opens.

100% of USB media verified before mount

At a glance

  • Sector: Security — removable-media (USB) control
  • Our role: We built the endpoint agent and the central management server for a hardware USB-sanitisation appliance
  • Tech: Windows service + ASP.NET Core management server (gRPC, TLS), X.509-based — fully auditable, client-owned

Challenge

The USB port is one of the oldest ways malware crosses into a secure network: a single unchecked drive, plugged into one machine, can carry an infection past every firewall. Specialist hardware can scan and clean a drive at a kiosk — but that only helps if people actually use it. Nothing stops someone bypassing the kiosk and plugging an unchecked stick straight into a workstation.

To close that gap, the cleaning cannot be optional. It has to be enforced at every endpoint — and managed across the whole fleet of machines, not configured one PC at a time.

Approach

RaulWalter built the software that turns a standalone sanitisation appliance into fleet-wide enforcement:

  • an endpoint agent — a Windows service on every protected PC that intercepts any USB mass-storage device the moment it is inserted, mounts it privately first, and refuses to expose it to the user until it has verified the appliance's detached signature and checked every file on the drive against a signed SHA-512 manifest — nothing added, changed or deleted. Anything unsigned, unknown or tampered is unmounted on the spot;
  • a central management server — an ASP.NET Core service with a web console and a gRPC interface that manages the fleet of agents and gathers their logs over TLS, keyed to each appliance's own X.509 certificate;
  • built to the client's terms: the code is fully auditable, owned by the client, and depends on nothing proprietary beyond Windows.
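
The per-file manifest check described in the agent bullet above, as an added sketch that is not RaulWalter's or the client's code. It assumes the detached signature over the manifest has already been verified against the appliance's certificate; the manifest line format (`<sha512 hex>  <relative path>`) and the file names are hypothetical.

```python
import hashlib, os, tempfile
IGNORED = {"manifest.sha512", "manifest.sha512.sig"}  # hypothetical names, root level only

def parse_manifest(text):
    """Parse '<sha512 hex>  <relative path>' lines (assumed format) into {path: digest}."""
    entries = {}
    for line in filter(str.strip, text.splitlines()):
        digest, _, rel = line.replace("\\", "/").partition("  ")
        if len(digest) != 128 or not rel or rel.startswith("/") or ".." in rel.split("/"):
            raise ValueError(f"malformed or unsafe manifest line: {line!r}")
        entries[rel] = digest.lower()
    return entries

def sha512_file(path):
    # Hash in 1 MiB blocks so large files on the drive are not read into memory at once.
    h = hashlib.sha512()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(1 << 20), b""):
            h.update(block)
    return h.hexdigest()

def verify_drive(root, manifest):
    """Compare the privately mounted tree at root with the manifest entries."""
    on_disk = {os.path.relpath(os.path.join(d, n), root).replace(os.sep, "/")
               for d, _dirs, names in os.walk(root) for n in names} - IGNORED
    expected = set(manifest)
    changed = sorted(p for p in on_disk & expected
                     if sha512_file(os.path.join(root, p)) != manifest[p])
    return {"added": sorted(on_disk - expected),
            "deleted": sorted(expected - on_disk), "changed": changed}

def allow_mount(root, manifest):
    """Expose the drive only if nothing was added, changed or deleted."""
    return not any(verify_drive(root, manifest).values())

def demo():  # constructed sample: a clean drive, then changed, deleted and added files
    def put(root, name, data):
        with open(os.path.join(root, name), "wb") as f:
            f.write(data)
    with tempfile.TemporaryDirectory() as root:
        files = {"a.txt": b"alpha", "b.txt": b"beta"}
        for name, data in files.items():
            put(root, name, data)
        manifest = parse_manifest("".join(
            f"{hashlib.sha512(d).hexdigest()}  {n}\n" for n, d in files.items()))
        clean = allow_mount(root, manifest)
        put(root, "a.txt", b"ALPHA")
        os.remove(os.path.join(root, "b.txt"))
        put(root, "new.exe", b"MZ")
        return clean, verify_drive(root, manifest)
```

Any non-empty list in the report corresponds to the "added, changed or deleted" cases, and the drive stays unexposed.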

Outcome

On a protected PC, a USB drive simply will not open unless it has been cleaned and signed by the appliance — and is still exactly as it was signed.

  • 100% of inserted USB media verified before it is allowed to mount
  • Unsigned, unknown or tampered media blocked at the port, automatically
  • Per-file integrity — every file checked against a signed SHA-512 manifest, with private-then-public mounting so the user never touches unverified media
  • Centrally managed and logged across the fleet from a single server
  • Auditable, client-owned code, with no proprietary dependencies beyond Windows