I have a client that has implemented Software Restriction Policy (AppLocker is not an option; it is not supported on the Win 7 clients).
The default is to block, with various rules to allow apps.
The only one I am having an issue with is:
Access to c:\98e5308a44fd6252c1\mrtstub.exe has been restricted by your Administrator by the default software restriction policy level
The directory changes, so creating a path rule is out unless I use a wildcard, but from looking on the net it appears that some viruses use the same name, so I am unsure where to go.
A hash rule (as far as I know) is no good, as the file, being an update, will change each time.
What I would like is something like an allowed publisher (AppLocker), but I don't think that is an option in SRP.
My other option is to remove "Malicious Software Removal Tool" from the domain, but I would rather not do that.
The server is 2008 R2.