GPO: CryptoLocker Block


Description:

CryptoLocker is a common infection that encrypts the victim's files. The best way to combat it is to prevent it from running in the first place. Here are the steps to create a security policy that blocks it.

To Resolve:

  1. If the machine is domain-joined, create a Group Policy Object; if it is a standalone machine with local accounts, use the Local Security Policy. Either way, open gpedit.msc or secpol.msc.

  2. Once in there, navigate down to “Software Restriction Policies”, right-click it and choose “Create A New Policy”.

  3. Now navigate down to “Additional Rules”, right-click it, choose “Create New Path Rules” and add these paths and descriptions to the list (each rule has Security level “Disallowed”):

    • %AppData%\*.exe – Disallowed – Prevent programs from running in AppData.
    • %AppData%\*\*.exe – Disallowed – Prevent virus payloads from executing in subfolders of AppData.
    • %LocalAppData%\Temp\Rar*\*.exe – Disallowed – Prevent executables un-WinRARed from email attachments from running in the user space.
    • %LocalAppData%\Temp\7z*\*.exe – Disallowed – Prevent executables un-7-Zipped from email attachments from running in the user space.
    • %LocalAppData%\Temp\wz*\*.exe – Disallowed – Prevent executables un-WinZIPed from email attachments from running in the user space.
    • %LocalAppData%\Temp\*.zip\*.exe – Disallowed – Prevent executables unarchived from email attachments from running in the user space.

  4. That’s it: users will no longer be allowed to run executables from those directories.

If you have a version of Windows that includes AppLocker (Pro and Enterprise editions), follow these steps as well:

  1. Run gpedit.msc or secpol.msc and navigate down to “Application Control Policies – AppLocker”.

  2. Click “Configure Rule Enforcement”, tick the checkbox for Executable rules and set its drop-down to Enforced.

  3. Now go back to the AppLocker screen, go to “Executable Rules”, right-click it and choose “Create New Rule”.

  4. This brings up a wizard: Next – Next – Publisher – under Browse, select ANY executable file you can find (I chose Windows Media Player (wmplayer.exe)) – slide the bar up to “Any Publisher” – Next – under Description, type: Only run executables that are signed. – “Create”.

  5. If this is the first time you create an AppLocker policy, Windows will ask whether to create the Default Rules; select “Yes”.
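Once both policies are in place you will want a quick way to confirm they actually took effect on a given machine. The following PowerShell audit script is an added example, not part of the original post: it reads the SRP rules back from the registry and checks the six Disallowed path rules above, then checks that the AppLocker Executable collection is Enforced and that the Application Identity service (which AppLocker depends on) is running. It assumes the documented SRP registry layout under Safer\CodeIdentifiers, where level 0 holds the Disallowed rules, and should be run from an elevated prompt.

```powershell
# Added audit script (not from the original post). Read-only: reports whether
# the six SRP path rules are present as Disallowed rules and whether AppLocker
# executable rules are really enforced. Assumes the documented SRP registry
# layout (CodeIdentifiers\<level>\Paths\{GUID}, level 0 = Disallowed).

$expectedRules = @(
    '%AppData%\*.exe',
    '%AppData%\*\*.exe',
    '%LocalAppData%\Temp\Rar*\*.exe',
    '%LocalAppData%\Temp\7z*\*.exe',
    '%LocalAppData%\Temp\wz*\*.exe',
    '%LocalAppData%\Temp\*.zip\*.exe'
)

$saferRoot = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers'

# --- Software Restriction Policies ---------------------------------------
if (Test-Path $saferRoot) {
    $cfg = Get-ItemProperty $saferRoot
    # TransparentEnabled: 0 = SRP off, 1 = enforce for executables, 2 = also DLLs
    Write-Host ("SRP enforcement (TransparentEnabled): {0}" -f $cfg.TransparentEnabled)
} else {
    Write-Host 'SRP: policy key absent (Software Restriction Policies not configured)'
}

# Each Disallowed rule is a {GUID} subkey whose ItemData value holds the path.
$disallowed = @()
if (Test-Path "$saferRoot\0\Paths") {
    $disallowed = Get-ChildItem "$saferRoot\0\Paths" |
        ForEach-Object { (Get-ItemProperty $_.PSPath).ItemData }
}
foreach ($rule in $expectedRules) {
    $state = if ($disallowed -contains $rule) { 'present' } else { 'MISSING' }
    Write-Host ("  [{0}] {1}" -f $state, $rule)
}

# --- AppLocker -------------------------------------------------------------
# Enforcement needs the Exe collection set to Enabled in the effective policy
# AND the Application Identity service (AppIDSvc) running; check both.
try {
    [xml]$policy = Get-AppLockerPolicy -Effective -Xml
    $exe  = $policy.AppLockerPolicy.RuleCollection | Where-Object { $_.Type -eq 'Exe' }
    $mode = if ($exe) { $exe.EnforcementMode } else { 'NotConfigured' }
    Write-Host "AppLocker Exe rules enforcement: $mode"
} catch {
    Write-Host "AppLocker: cmdlet unavailable on this edition ($($_.Exception.Message))"
}
$svc = Get-Service -Name AppIDSvc -ErrorAction SilentlyContinue
Write-Host ("AppIDSvc status: {0}" -f $(if ($svc) { $svc.Status } else { 'not installed' }))
```

If a rule shows MISSING on a domain-joined machine, run gpupdate /force and re-check before assuming the GPO itself is wrong; if AppIDSvc is Stopped, AppLocker rules are not being applied regardless of what the policy says.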