GPO: CryptoLocker Block
Description:
CryptoLocker is a common infection people are getting that encrypts their files. The best way to combat this is to prevent it in the first place. Here are the steps to create a security policy to prevent it.
To Resolve:
- If the machine is on a domain, you will need to create a Group Policy; if it is a local account not joined to a domain, a Local Security Policy. So run gpedit.msc or secpol.msc.
- Once in there, navigate down to “Software Restriction Policies”, right click and choose “Create A New Policy”.
- Now navigate down to “Additional Rules”, right click, choose “Create New Path Rule” and add these paths and descriptions to the list:
  %AppData%\*.exe => Disallowed => Prevent programs from running in AppData.
  %AppData%\*\*.exe => Disallowed => Prevent virus payloads from executing in subfolders of AppData.
  %LocalAppData%\Temp\Rar\*.exe => Disallowed => Prevent un-WinRARed executables in email attachments from running in the user space.
  %LocalAppData%\Temp\7z\*.exe => Disallowed => Prevent un-7Zipped executables in email attachments from running in the user space.
  %LocalAppData%\Temp\wz*\*.exe => Disallowed => Prevent un-WinZipped executables in email attachments from running in the user space.
  %LocalAppData%\Temp\*.zip\*.exe => Disallowed => Prevent unarchived executables in email attachments from running in the user space.
- That’s it: users will not be allowed to run executables in those directories.
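The same six Disallowed path rules can be created without clicking through secpol.msc. The PowerShell below is an added example, not part of the original post; it writes the rules into the registry location where Software Restriction Policies stores the local policy (HKLM\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers, with security level 0 meaning Disallowed and 262144 meaning Unrestricted). Run it from an elevated prompt; the rule paths and descriptions are the ones listed above, and the policy-wide values are the defaults the “Create A New Policy” action sets.

```powershell
# Added example (not from the original post): create the CryptoLocker SRP path rules
# in the local Software Restriction Policy by writing the same registry keys secpol.msc uses.
$base       = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers'
$disallowed = Join-Path $base '0\Paths'   # 0 = Disallowed, 262144 (0x40000) = Unrestricted

# Policy-wide settings, matching what "Create A New Policy" writes.
New-Item -Path $base -Force | Out-Null
Set-ItemProperty -Path $base -Name DefaultLevel       -Value 262144 -Type DWord  # everything else stays Unrestricted
Set-ItemProperty -Path $base -Name TransparentEnabled -Value 1      -Type DWord  # apply to all software except DLLs
Set-ItemProperty -Path $base -Name PolicyScope        -Value 0      -Type DWord  # 0 = all users, 1 = all users except local admins
# The file types SRP treats as executable; this is the list the UI creates by default.
Set-ItemProperty -Path $base -Name ExecutableTypes -Type MultiString -Value @(
    'ADE','ADP','BAS','BAT','CHM','CMD','COM','CPL','CRT','EXE','HLP','HTA','INF','INS','ISP',
    'LNK','MDB','MDE','MSC','MSI','MSP','MST','OCX','PCD','PIF','REG','SCR','SHS','URL','VB','WSC')

# The six rules from the post. %AppData%\*.exe only covers the top folder, which is why
# the second rule with \*\*.exe is needed for subfolders.
$rules = @(
    @{ Path = '%AppData%\*.exe';                 Description = 'Prevent programs from running in AppData.' },
    @{ Path = '%AppData%\*\*.exe';               Description = 'Prevent virus payloads from executing in subfolders of AppData.' },
    @{ Path = '%LocalAppData%\Temp\Rar\*.exe';   Description = 'Prevent un-WinRARed executables in email attachments from running.' },
    @{ Path = '%LocalAppData%\Temp\7z\*.exe';    Description = 'Prevent un-7Zipped executables in email attachments from running.' },
    @{ Path = '%LocalAppData%\Temp\wz*\*.exe';   Description = 'Prevent un-WinZipped executables in email attachments from running.' },
    @{ Path = '%LocalAppData%\Temp\*.zip\*.exe'; Description = 'Prevent unarchived executables in email attachments from running.' }
)

foreach ($rule in $rules) {
    # Each rule lives in its own {GUID} subkey under the Disallowed level.
    $key = Join-Path $disallowed ([guid]::NewGuid().ToString('B'))
    New-Item -Path $key -Force | Out-Null
    Set-ItemProperty -Path $key -Name ItemData    -Value $rule.Path        -Type ExpandString
    Set-ItemProperty -Path $key -Name SaferFlags  -Value 0                 -Type DWord
    Set-ItemProperty -Path $key -Name Description -Value $rule.Description -Type String
}

# Check: list the Disallowed path rules now in place. Sign out and back in (or run
# gpupdate /force on a domain member) before testing; blocked launches are logged as
# Event ID 866 in the Application log, which is the thing to watch for false positives.
Get-ChildItem -Path $disallowed |
    ForEach-Object { Get-ItemProperty -Path $_.PSPath } |
    Select-Object ItemData, Description
```

Before rolling this out widely, look for legitimate software that installs or updates itself from %AppData% or %LocalAppData% (several common desktop clients do); those need an explicit Unrestricted rule for their path, or better a certificate rule, or users will be locked out of them.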
If you have a version of Windows that includes AppLocker (Pro and Enterprise editions), follow these steps:
- Run gpedit.msc or secpol.msc and navigate down to “Application Control Policies => AppLocker”.
- Click on “Configure Rule Enforcement” => check “Executables” => set the drop-down to “Enforce rules”.
- Now go back to the AppLocker screen and go to “Executable Rules” => right click => “Create New Rule”.
- This brings up a wizard: select Next => Next => Publisher => under Browse, select ANY signed executable you can find (I chose Windows Media Player, wmplayer.exe) => slide the bar up to “Any Publisher” => Next => under Description, type: Only run executables that are signed. => “Create”.
- If this is the first time creating an AppLocker policy, Windows will ask whether to create the Default Rules => select “Yes”.
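The wizard above produces a policy that can also be written as AppLocker XML and applied with the AppLocker PowerShell module. The script below is an added example, not the original post’s procedure: it builds the “Any Publisher” allow rule plus the three Default Rules the wizard offers (Program Files, Windows folder, and everything for local Administrators), starts the Application Identity service that AppLocker depends on, dry-runs the policy against the executables currently running, and merges it into the local policy in AuditOnly mode. The file name under %TEMP% is an arbitrary choice for the example; switch EnforcementMode to Enabled once the audit events show nothing legitimate being flagged.

```powershell
# Added example (not from the original post): the same AppLocker rules the wizard creates,
# expressed as policy XML and applied in audit mode first. Needs an elevated prompt on a
# Windows edition that includes AppLocker.
Import-Module AppLocker

$policyXml = @"
<AppLockerPolicy Version="1">
  <RuleCollection Type="Exe" EnforcementMode="AuditOnly">
    <!-- The "Any Publisher" rule from the wizard: every executable with a valid signature is allowed. -->
    <FilePublisherRule Id="$([guid]::NewGuid())" Name="Only run executables that are signed"
        Description="Only run executables that are signed." UserOrGroupSid="S-1-1-0" Action="Allow">
      <Conditions>
        <FilePublisherCondition PublisherName="*" ProductName="*" BinaryName="*">
          <BinaryVersionRange LowSection="*" HighSection="*" />
        </FilePublisherCondition>
      </Conditions>
    </FilePublisherRule>
    <!-- The Default Rules the wizard offers to create; without them unsigned OS binaries would be blocked. -->
    <FilePathRule Id="$([guid]::NewGuid())" Name="(Default Rule) All files located in the Program Files folder"
        Description="" UserOrGroupSid="S-1-1-0" Action="Allow">
      <Conditions><FilePathCondition Path="%PROGRAMFILES%\*" /></Conditions>
    </FilePathRule>
    <FilePathRule Id="$([guid]::NewGuid())" Name="(Default Rule) All files located in the Windows folder"
        Description="" UserOrGroupSid="S-1-1-0" Action="Allow">
      <Conditions><FilePathCondition Path="%WINDIR%\*" /></Conditions>
    </FilePathRule>
    <FilePathRule Id="$([guid]::NewGuid())" Name="(Default Rule) All files"
        Description="" UserOrGroupSid="S-1-5-32-544" Action="Allow">
      <Conditions><FilePathCondition Path="*" /></Conditions>
    </FilePathRule>
  </RuleCollection>
</AppLockerPolicy>
"@

# Example file location (assumption, any writable path works).
$policyPath = Join-Path $env:TEMP 'applocker-signed-only.xml'
Set-Content -Path $policyPath -Value $policyXml -Encoding UTF8

# AppLocker does nothing unless the Application Identity service is running.
Set-Service  -Name AppIDSvc -StartupType Automatic
Start-Service -Name AppIDSvc

# Dry run: which executables that are running right now would this policy deny?
# Anything listed here is a candidate for an extra allow rule before enforcing.
Get-Process | Where-Object { $_.Path } | Select-Object -ExpandProperty Path -Unique |
    Test-AppLockerPolicy -XmlPolicy $policyPath -User Everyone -Filter Denied, DeniedByDefault

# Merge into the local policy in audit mode. Audit and block events appear under
# Applications and Services Logs > Microsoft > Windows > AppLocker > EXE and DLL.
Set-AppLockerPolicy -XmlPolicy $policyPath -Merge

# Confirm what is now in effect.
Get-AppLockerPolicy -Effective -Xml
```

Note that “Any Publisher” only checks that the binary carries a valid Authenticode signature, not who signed it; it stops the typical unsigned dropper but not a signed one, so pair it with the Software Restriction Policy paths above rather than relying on it alone.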