FatDex - Disable .exes from running inside any user %appdata% direc...

http://www.fatdex.net/php/2014/06/01/disable-exes-from-running-insid...

Disable .exes from running inside any user %appdata% directory GPO
by Dexter on June 1, 2014 at 22:00
Posted In: IT
The Cryptolocker virus is out there in the wild, and I've seen it happen on a few computers; it's certainly not pretty. The details are sordid, but in a nutshell what happens is that a Cryptolocker virus gets onto your computer, locks all your pertinent files and demands a ransom so you can get your files back. Every victim who pays makes the ones delivering the virus bolder, and they will start demanding more money.
What can you do to protect your company?
Create some Group Policies to lock down the places where Malware / Spyware / Grayware / Cryptodefense and other unwanted .exe programs are likely to run from:
Open up Group Policy and create a new GPO
Title this policy "Disable .exe from %appdata%" and click OK
Right click on this policy and select Edit
Navigate to Computer Configuration > Policies > Windows Settings > Security Settings > Software Restriction Policies
Right click on Software Restriction Policies and click on New Software Restriction Policies
Right click on Additional Rules, click on New Path Rule, enter the following information and click OK; repeat this for each of the rules below:
Path: %localAppData%\*.exe
Security Level: Disallowed
Description: Dont allow executables from AppData (Win 7)
Path: %localAppData%\*\*.exe
Security Level: Disallowed
Description: Dont allow executables from AppData subfolders (Win 7)
Path: %localAppData%\Temp\*.zip\*.exe
Security Level: Disallowed
Description: Prevent unarchived executables in email attachments from running in the user space (Win 7)
Path: %localAppData%\Temp\7z*\*.exe
Security Level: Disallowed
Description: Prevent 7zipped executables in email attachments from running in the user space (Win 7)
Path: %localAppData%\Temp\Rar*\*.exe
Security Level: Disallowed
Description: Prevent Rar executables in email attachments from running in the user space (Win 7)

29/09/2016 08:26

Path: %localAppData%\Temp\wz*\*.exe
Security Level: Disallowed
Description: Prevent Winzip executables in email attachments from running in the user space (Win 7)
The following paths are for Windows XP machines (if you still have them; I put these in just in case, with the same Disallowed security level):
%AppData%\*.exe
%AppData%*\*\*.exe

Create your new path rules as seen above

Your final selections should look like the above. Make sure to apply the GPO to the proper OU once done.

*Update Feb 02, 2016*

I spent some time on a conference call with some Malwarebytes reps; I've been test-driving a beta version that's now available to the public.
Introducing Malwarebytes Anti-Ransomware
As I understand it, the good folks at Malwarebytes will be conglomerating all their products (Anti-Malware, Anti-Ransomware and Anti-Exploit) into one nice big runtime (date not yet announced).

Tags: computer, Cryptolocker, Group Policy, how-to, Virus, Windows Server 2008

Discussion (9)

1.
thepede
April 3, 2015 at 10:49
I see that this is good for blocking programs from running from those locations and we seem to be specifically pointing out Executables.
My question is: what about .msi files and other types of installers? Would I have to do the same thing for each path but with a *.msi?

2.
thepede
April 3, 2015 at 10:50
Now that I'm thinking about it, that usually unpacks files and puts them in a temporary folder (often %appdata%), which I guess would normally do so with a .exe?
Your thoughts would be appreciated.

3.
arqs
April 8, 2015 at 02:42
great tutorial to avoid cryptolocker scam
thank you!

4.
Dexter
February 1, 2016 at 20:45
@thepede. You're absolutely right, you would need *.msis for those exact same paths. Keep in mind some software installer packages can be extracted (.exe) with something like 7zip to the desktop and run the setup.exe.

5.
sipirili
February 10, 2016 at 12:24
Great info! Just what I was looking for. Unfortunately, upon testing I can still run .exes. I made sure that the policy is being applied and still no dice. Any suggestions?
Thanks!

6.
Bill
February 16, 2016 at 12:03
Be careful here, as you're still allowing exes three sub folders under appdata.
%localAppData%\a\a\cryptowall.exe
Check out this guide for whitelisting apps.
http://mechbgon.com/srp/
Also, the NSA's guide is useful.
https://www.nsa.gov/ia/_files/os/win2k/application_whitelisting_using_srp.pdf

7.
John
March 29, 2016 at 17:55
Two questions:
1) Would a generic \Temp\*\*.exe cover those Zip/7-Zip/Rar/WinZip lines? If not, wouldn't the 7-Zip, Rar and WinZip need to be *.ext\*.exe, e.g.,
%localAppData%\Temp\*.Rar\*.exe
2) %AppData% seems to be used by other versions of Windows, as well. Shouldn't similar rules for sub-folders and archive formats be employed?

8.
John
March 30, 2016 at 10:05
One other comment, to address the .msi question (and maybe the permutations of sub-folders): the Designated File Types list has many file types, including .exe and .msi. Could we just simply have policies for these two paths:
%localAppData%
%AppData%

9.
EM
May 5, 2016 at 15:50
Great article thanks
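As an added example (not code from the post or from any of the commenters), the following Python script models how the path rules in the post are evaluated and runs them against constructed sample paths, so the coverage questions raised in the comments (thepede's .msi files, Bill's `%localAppData%\a\a\cryptowall.exe`, John's generic `\Temp\*\*.exe` and his two folder rules) can be checked before anything is deployed. It assumes the wildcard semantics the post and the comments rely on: `*` and `?` match within one path component and never cross a backslash (which is why `\*\*.exe` covers exactly one subfolder level), a wildcard-free path such as `%localAppData%` is a folder rule covering everything beneath it, only designated file types are evaluated, and, as a simplification of SRP precedence, the most specific (longest) matching rule wins. The environment variable values, the `ApprovedApp` exception folder and the sample paths are constructed; the designated-types set is a subset of the real Windows list; the XP subfolder rule is taken as `%AppData%\*\*.exe`, paralleling the Win 7 rule.

```python
import re
from dataclasses import dataclass

# Constructed values for a sample user; on a real client these come from the environment.
ENV = {
    "%localAppData%": r"C:\Users\alice\AppData\Local",
    "%AppData%": r"C:\Users\alice\AppData\Roaming",
}

# Subset of the SRP "designated file types" (assumption: the real list is longer).
DESIGNATED = {"exe", "msi", "bat", "cmd", "com", "scr", "vbs"}


@dataclass(frozen=True)
class PathRule:
    path: str          # SRP path pattern; may contain %variables% and * / ? wildcards
    level: str         # "Disallowed" or "Unrestricted"
    description: str = ""


def expand(path: str) -> str:
    """Expand %variables% case-insensitively using the constructed ENV map."""
    for var, val in ENV.items():
        path = re.sub(re.escape(var), lambda _m: val, path, flags=re.IGNORECASE)
    return path


def pattern_regex(pattern: str) -> str:
    """Translate an SRP wildcard pattern to a regex. Assumption: '*' and '?' match
    within a single path component only, so they never consume a backslash."""
    regex = ""
    for piece in re.split(r"([*?])", expand(pattern)):
        if piece == "*":
            regex += r"[^\\]*"
        elif piece == "?":
            regex += r"[^\\]"
        else:
            regex += re.escape(piece)
    return regex


def rule_matches(rule: PathRule, file_path: str) -> bool:
    if any(c in rule.path for c in "*?"):
        return re.fullmatch(pattern_regex(rule.path), file_path, re.IGNORECASE) is not None
    # No wildcard: a folder (or file) rule covering the path itself and everything below it.
    prefix = expand(rule.path).rstrip("\\").lower()
    target = file_path.lower()
    return target == prefix or target.startswith(prefix + "\\")


def effective_level(rules, file_path: str, default: str = "Unrestricted") -> str:
    name = file_path.rsplit("\\", 1)[-1]
    ext = name.rsplit(".", 1)[-1].lower() if "." in name else ""
    if ext not in DESIGNATED:
        return default                      # SRP does not evaluate other file types
    hits = [r for r in rules if rule_matches(r, file_path)]
    if not hits:
        return default
    # Simplified precedence: the most specific (longest expanded) matching path wins.
    return max(hits, key=lambda r: len(expand(r.path))).level


def is_blocked(rules, file_path: str) -> bool:
    return effective_level(rules, file_path) == "Disallowed"


def coverage_report(rules, samples):
    return {p: is_blocked(rules, p) for p in samples}


# The rules from the post (XP subfolder rule assumed to be \*\*.exe like the Win 7 one).
POST_RULES = [
    PathRule(r"%localAppData%\*.exe", "Disallowed", "AppData root"),
    PathRule(r"%localAppData%\*\*.exe", "Disallowed", "AppData subfolders"),
    PathRule(r"%localAppData%\Temp\*.zip\*.exe", "Disallowed", "zip attachments"),
    PathRule(r"%localAppData%\Temp\7z*\*.exe", "Disallowed", "7-Zip"),
    PathRule(r"%localAppData%\Temp\Rar*\*.exe", "Disallowed", "WinRAR"),
    PathRule(r"%localAppData%\Temp\wz*\*.exe", "Disallowed", "WinZip"),
    PathRule(r"%AppData%\*.exe", "Disallowed", "XP AppData root"),
    PathRule(r"%AppData%\*\*.exe", "Disallowed", "XP AppData subfolders"),
]
GENERIC_TEMP_RULE = PathRule(r"%localAppData%\Temp\*\*.exe", "Disallowed", "John's generic rule")
# John's folder-rule variant plus a constructed Unrestricted exception for an approved app.
FOLDER_RULES = [
    PathRule(r"%localAppData%", "Disallowed", "everything under Local"),
    PathRule(r"%AppData%", "Disallowed", "everything under Roaming"),
    PathRule(r"%localAppData%\ApprovedApp\*.exe", "Unrestricted", "constructed exception"),
]
SAMPLES = [  # constructed paths, including the cases raised in the comments
    r"C:\Users\alice\AppData\Local\dropper.exe",
    r"C:\Users\alice\AppData\Local\a\dropper.exe",
    r"C:\Users\alice\AppData\Local\a\a\cryptowall.exe",
    r"C:\Users\alice\AppData\Local\a\installer.msi",
    r"C:\Users\alice\AppData\Local\Temp\7zO1234\setup.exe",
    r"C:\Users\alice\AppData\Local\Temp\Temp1_invoice.zip\invoice.exe",
    r"C:\Users\alice\AppData\Roaming\evil.exe",
    r"C:\Users\alice\AppData\Local\ApprovedApp\app.exe",
    r"C:\Users\alice\AppData\Local\notes.txt",
]

if __name__ == "__main__":
    for label, rules in (("post rules", POST_RULES), ("folder rules", FOLDER_RULES)):
        print(f"== {label}")
        for path, blocked in coverage_report(rules, SAMPLES).items():
            print(f"{'BLOCKED' if blocked else 'allowed':8} {path}")
```

Run as a script it prints a BLOCKED/allowed line per sample for both rule sets. Against the post's rules the report shows the two gaps raised in the comments: an executable two or more subfolders deep and a .msi installer are not covered, while a single generic `\Temp\*\*.exe` rule does cover the four archive-folder patterns. The folder-rule variant closes both gaps for every designated file type, but it also catches any legitimate per-user software under AppData, which then needs an explicit Unrestricted exception like the constructed one above; the model's longest-path precedence is only an approximation of how SRP ranks overlapping rules, so confirm the result on a pilot OU before applying a rule set broadly.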
