You can create a "file access control" rule which will give you control to deny any or all applications that you define from reading/writing to removable device. In the file access control rule box, define "@removable" file set in the "on any of these files:" This includes USB storage devices. Check out the existing default windows file sets in CSAMC v5.x which are predefined to stop executables on removable media.