Cryptolocker blocking group policy path rules whitelist
Posted on 2015-01-09
There are unfortunately people who create malware.
And there is MS, trying to help us by providing things like administrative logins and UAC.
And there are those who spend their time finding their way around the tools MS provides because 'they're inconvenient'.
Like the fine folks at Oracle, who give us an updater executable that wants to execute in
c:\users\username\AppData\Local\Temp or %LocalAppData%\Temp if you prefer.
The fine folks from Sage Software do the same thing for their Simply Accounting updates.
Those locations also happen to be amongst the locations that CryptoLocker and its ilk execute from.
So, after our brush with that, I have a GPO in place that is
%HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SystemRoot% Unrestricted
Sadly however, the two unrestricted wildcard items DO NOT get to run.
And their obfuscated structure means I can't just rip them apart to get to the .msi or setup.exe.
How do I alter my group policy to permit those PITA installation updates to run while still preserving the prohibition on anything else playing pattycake in the AppData sandbox?
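As an added illustration (not part of the original post, and not an answer to it), the following Python models how Software Restriction Policy resolves several matching path rules, using the documented precedence that the more specific path rule wins. The specificity measure, the resolved environment and registry values, and the AppData rules are my assumptions; the post itself only quotes the SystemRoot rule.

```python
import re

# Constructed lookup table standing in for the environment variables and
# registry values that SRP would resolve on a real host.
LOOKUP = {
    r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SystemRoot": r"C:\Windows",
    "LocalAppData": r"C:\Users\alice\AppData\Local",
}

# Path rules as (pattern, security level). The SystemRoot rule is the one quoted in the
# post; the two AppData rules are assumed, since the post does not list its full GPO.
RULES = [
    (r"%HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SystemRoot%", "Unrestricted"),
    (r"%LocalAppData%\Temp\*", "Disallowed"),
    (r"%LocalAppData%\Temp\jre*\*", "Unrestricted"),  # hypothetical vendor-updater exemption
]


def expand(rule):
    """Replace each %NAME% token with its value from LOOKUP."""
    return re.sub(r"%([^%]+)%", lambda m: LOOKUP[m.group(1)], rule)


def to_regex(pattern):
    """Turn an SRP-style path pattern into a case-insensitive regex.
    '*' matches any run of characters; a pattern without a wildcard covers the
    path itself and everything beneath it (C:\\Windows covers C:\\Windows\\x.exe)."""
    body = ".*".join(re.escape(part) for part in pattern.split("*"))
    return re.compile(r"^" + body + r"(\\.*)?$", re.IGNORECASE)


def specificity(pattern):
    """Assumed specificity measure: length of the literal prefix before the first '*'."""
    return len(pattern.split("*")[0])


def evaluate(path, rules=RULES, default="Unrestricted"):
    """Return (level, winning_pattern) for a path; the most specific matching rule wins.
    The default level is assumed to be Unrestricted, as in a blacklist-style policy."""
    matches = []
    for rule, level in rules:
        expanded = expand(rule)
        if to_regex(expanded).match(path):
            matches.append((specificity(expanded), expanded, level))
    if not matches:
        return default, None
    matches.sort(reverse=True)
    _, winner, level = matches[0]
    return level, winner
```

Run `evaluate` against a few constructed paths to see that an exemption placed under the disallowed Temp folder only takes effect when its literal prefix is longer than the blocking rule's.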