Mark Minasi's Tech Forum
Pieter

Reply with quote  #1 
In our fight against Cryptolocker I'm applying a GPO that prevents running an EXE file in (among others) the %LOCALAPPDATA% folder.

But, it seems that we have business applications that also run in that folder. Those applications should not be blocked.

Is it possible to make exceptions for some EXE files in the GPO?

Something like this:
GPO "Ransomware Prevention" : Windows Settings / Security Settings / Software Restriction Policies / Additional Rules
- Path Rule : %LOCALAPPDATA%\*.exe = Disallowed
- Path Rule : %LOCALAPPDATA%\test.exe = Basic User (=allowed)

Where test.exe is our business application not to be blocked.


(To be fair, I found those suggestions in the Ransomware Prevention Kit from http://www.thirdtier.net/ransomware-prevention-kit/. And no, I have no connection whatsoever with this site.)

__________________
Pieter Demeulemeester
wobble_wobble

Reply with quote  #2 
Be interested to hear if/when you get it working.


__________________
Have you tried turning it off and walking away? The next person can fix it!

donoli

Reply with quote  #3 
http://www.howtogeek.com/180803/how-to-block-an-application-or-.exe-from-running-in-windows/

That site shows a way to block apps from running by using the registry. It also has a link to use group policy.

For a workstation, I use MJ Reg Watcher which locks the registry. It's not ready for large networks but I thought that I would mention it.

http://www.jacobsm.com/mjsoft.htm#rgwtchr
Pieter

Reply with quote  #4 
@wobble_wobble, I'll post the results.
@Donoli, Thanks for the comment.

Still searching if it is possible to make exceptions in a Software Restriction Policy. I have to do some reading.

__________________
Pieter Demeulemeester
Pieter

Reply with quote  #5 

Quote:
Originally Posted by wobble_wobble
Be interested to hear if/when you get it working.


Based on the advice I found in the Ransomware Prevention Kit (http://www.thirdtier.net) I made a GPO to prevent executing EXE files in several folders. See the attached PDF for a list of folders I added.


Seems like blocking *.exe and then adding calc.exe does just what I wanted. Easy and simple. Don't know why that didn't work in the first place.


 
Attached Files
pdf RansomwarePrevention.pdf (182.65 KB, 10 views)


__________________
Pieter Demeulemeester
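
Added example (not part of any post in this thread, and not Microsoft's implementation): a simplified PowerShell model of why the exception in post #5 works. When several path rules match, Software Restriction Policies apply the most specific one, so a full file path outranks a `folder\*.exe` wildcard. The function names, the `alice` profile path and the matching assumptions stated in the comments are constructed for illustration.

```powershell
# Added example: simplified model of how SRP picks between matching path rules.
# Assumptions: '*' and '?' stay within one path segment; folder rules end with '\'.
# Ties between equally specific rules go to the more restrictive level.
# No matching rule returns nothing, meaning the default security level applies.

function Expand-SrpPath {
    param([string]$Pattern, [hashtable]$Vars)
    foreach ($name in $Vars.Keys) { $Pattern = $Pattern.Replace("%$name%", $Vars[$name]) }
    $Pattern
}

function Get-SrpRuleRank {
    param([string]$Pattern)
    if ($Pattern.EndsWith('\'))    { return 1 }   # folder rule
    if ($Pattern -notmatch '[*?]') { return 4 }   # full path to one file
    if ($Pattern -notmatch '\\')   { return 2 }   # bare *.ext
    return 3                                      # folder\*.ext
}

function Test-SrpPathMatch {
    param([string]$Pattern, [string]$Path)
    if ($Pattern.EndsWith('\')) {
        return $Path.StartsWith($Pattern, [StringComparison]::OrdinalIgnoreCase)
    }
    if ($Pattern -notmatch '\\') { $Path = ($Path -split '\\')[-1] }  # compare file name only
    $regex = '^' + [regex]::Escape($Pattern).Replace('\*', '[^\\]*').Replace('\?', '[^\\]') + '$'
    $Path -match $regex
}

function Resolve-SrpPathRule {
    param([object[]]$Rules, [string]$Path, [hashtable]$Vars)
    $Rules |
        Select-Object Level, @{ Name = 'Path'; Expression = { Expand-SrpPath $_.Path $Vars } } |
        Where-Object { Test-SrpPathMatch $_.Path $Path } |
        Sort-Object @{ Expression = { Get-SrpRuleRank $_.Path }; Descending = $true },
                    @{ Expression = { $_.Path.Length };          Descending = $true },
                    @{ Expression = { $_.Level -ne 'Disallowed' } } |
        Select-Object -First 1
}

# Constructed sample: the two rules from post #1 and a made-up profile path.
$vars  = @{ LOCALAPPDATA = 'C:\Users\alice\AppData\Local' }
$rules = @(
    [pscustomobject]@{ Path = '%LOCALAPPDATA%\*.exe';    Level = 'Disallowed' }
    [pscustomobject]@{ Path = '%LOCALAPPDATA%\test.exe'; Level = 'Basic User' }
)
foreach ($file in 'test.exe', 'other.exe') {
    $hit = Resolve-SrpPathRule -Rules $rules -Path "$($vars.LOCALAPPDATA)\$file" -Vars $vars
    '{0,-10} -> {1} ({2})' -f $file, $hit.Level, $hit.Path
}
```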

wobble_wobble

Reply with quote  #6 
Thanks - will try it out
__________________
Have you tried turning it off and walking away? The next person can fix it!

Pieter

Reply with quote  #7 
Quote:
Originally Posted by Pieter


Based on the advice I found in the Ransomware Prevention Kit (http://www.thirdtier.net) I made a GPO to prevent executing EXE files in several folders. See the attached PDF for a list of folders I added.

Seems like blocking *.exe and then adding calc.exe does just what I wanted. Easy and simple. Don't know why that didn't work in the first place.



__________________
Pieter Demeulemeester