Andrew Davis
Software Restriction Policy allow mrtstub.exe
I have a client that has implemented Software Restriction Policy (AppLocker is not an option; it is not supported on the Win 7 clients).
The default is to block, with various rules to allow apps.
The only one I am having an issue with is:
Access to c:\98e5308a44fd6252c1\mrtstub.exe has been restricted by your Administrator by the default software restriction policy level
The directory changes, so creating a path rule is out unless I use a wildcard, but from looking on the net it appears that some viruses use the same name, so I am unsure where to go.
A hash rule (as far as I know) is no good, as the file, being an update, will change each time.
What I would like is something like an allowed publisher (AppLocker), but I don't think that is an option in SRP.
My other option is to remove "Malicious Software Removal Tool" from the domain, but would rather not do that.
Server is 2008R2
Any suggestions?
Cheers
Andrew
ASKER
Thanks but that would be even worse than just creating a wildcard entry for the directory.
Thanks for looking though.
Cheers
Andrew
Haha no worries. I didn't think it would be helpful but hey.. worth a shot in case you didn't know about it.
This question has been classified as abandoned and is closed as part of the Cleanup Program. See the recommendation for more details.
Maybe an option..?