Solved

CryptoLocker Virus

Posted on 2013-11-12
4
492 Views
Last Modified: 2013-12-07
There are some great tools available to help fight .exe's using group policy, according to ThirdTier (thank you) I followed their writeup which .exe's to block in GP to prevent CryptoLocker from taking over data, which are:

Path: %AppData%\*.exe
Path: %AppData%\*\*.exe
Path: %Temp%\Rar*\*.exe
Path: %Temp%\7z*\*.exe
Path: %Temp%\wz*\*.exe
Path: %Temp%\*.zip\*.exe

My question, I have allot of users using 3rd party apps, what is the best way to allow certain .exe's from executing without running risk of CryptoLocker or other .exe's that are hazardous.
0
Comment
Question by:WORKS2011
4 Comments
 
LVL 57

Accepted Solution

by:
Cliff Galiher earned 350 total points
ID: 39642586
If you read all the stuff that comes with the Third Tier paper, the idea there is that it blocks all all executables in certain locations. Locations where executables wouldn't normally run anyways, such as from places where mail clients save attachments or web browsers store info.

Legitimate 3rd party programs usually install into the "program files" directory and in ciata/win7/win8, standard users don't have write access to this folder, so it is much more do it is to get socially engineered into launching fake code.

If you follow the third tier guidance, including not letting every user be an administrator, legit programs will work fine because they will exist in a path not listed above. This just blocks the "suspicious" locations where code would never normally run from.
0
 
LVL 14

Assisted Solution

by:Ram Balachandran
Ram Balachandran earned 100 total points
ID: 39642612
You can restrict access to application from execution using Software Restriction Policies
You select a path and deny access or select an application and much more

Have a look  - http://technet.microsoft.com/en-us/magazine/2008.06.srp.aspx
0
 
LVL 54

Assisted Solution

by:McKnife
McKnife earned 50 total points
ID: 39642825
+1 for cgaliher. In addition: applocker offers logging. When blocking, it produces certain events in its own log. Since we can attach tasks to events (even deploy those tasks using group policy preferences), you can setup mails whenever anything is blocked. Not only interesting for cryptolocker awareness but more for applocker false-positives.
0
 
LVL 17

Author Comment

by:WORKS2011
ID: 39643353
Thank you for the great feedback, love EE!!! Specifically Spotify (yeah I know it's not business but I like to keep my clients happy) won't launch on several computers. I don't believe it installs itself in the Program Files folder rather it launches each time connects to the internet then closes out (uninstalls) after closing.
0

Featured Post

PRTG Network Monitor: Intuitive Network Monitoring

Network Monitoring is essential to ensure that computer systems and network devices are running. Use PRTG to monitor LANs, servers, websites, applications and devices, bandwidth, virtual environments, remote systems, IoT, and many more. PRTG is easy to set up & use.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Examines three attack vectors, specifically, the different types of malware used in malicious attacks, web application attacks, and finally, network based attacks.  Concludes by examining the means of securing and protecting critical systems and inf…
This article outlines the process to identify and resolve account lockout in an Active Directory environment.
This Micro Tutorial hows how you can integrate  Mac OSX to a Windows Active Directory Domain. Apple has made it easy to allow users to bind their macs to a windows domain with relative ease. The following video show how to bind OSX Mavericks to …
Nobody understands Phishing better than an anti-spam company. That’s why we are providing Phishing Awareness Training to our customers. According to a report by Verizon, only 3% of targeted users report malicious emails to management. With compan…

770 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question