CryptoLocker is a common infection people are getting that encrypts their files. The best way to combat this is to prevent it in the first place. Here are the steps to create a security policy to prevent it.
If on a domain, you will need to create a Group Policy. If a local account not joined to a domain, a Local Security Policy. So gpedit.msc or secpol.msc.
Once in there, navigate down to “Software Restriction Policies” and right click and “Create A New Policy”.
Now navigate down to “Additional Rules” – Right click and “Create New Path Rules” and add these paths and descriptions to the list:
- %AppData%*.exe – Disallowed – Prevent programs from running in AppData.
- %AppData%**.exe – Disallowed – Prevent virus payloads from executing in subfolders of AppData
- %LocalAppData%TempRar**.exe – Disallowed – Prevent un-WinRARed executables in email attachments from running in the user space
- %LocalAppData%Temp7z**.exe – Disallowed – Prevent un-7Ziped executables in email attachments from running in the user space
- %LocalAppData%Tempwz**.exe – Disallowed – Prevent un-WinZIPed executables in email attachments from running in the user space
- %LocalAppData%Temp*.zip*.exe – Disallowed – Prevent unarchived executables in email attachments from running in the user space
That’s it, users will not be allowed to run executables in those directories.
If you have a version of Windows that includes AppLocker (Pro and Enterprise Editions), follow these steps:
Run gpedit.msc or secpol.msc and navigate down to: “Application Control Policies – Applocker”
Click on the “Configure Rule Enforcement” – “Executables = Checked – and drop down = enforced”.
Now go back to the AppLocker screen and go to “Executable Rules – Right Click – and “Create New Rule”.
This brings up a wizard, select ” Next – Next – Publisher – Under browse – Select ANY executable file you can find (I chose Window Media Player (wmplayer.exe)) – Slide the bar up to “Any Publisher” – Next – Under description, type: Only run executables that are signed. – “Create”.
If this is the first time creating an AppLocker policy, Windows will want you to allow Default Rules – select “Yes”.