Strategy to monitor and securing %APPDATA% folder and the %TEMP% folder on the system to prevent Ransomware ?

Posted on 2016-09-07
Last Modified: 2016-09-29
Hi All,

Can anyone here please share some strategy for securing the %APPDATA% folder and the %TEMP% folder on your workstation / File Server ?

Because I believe the two common areas where the ransomware typically executes from are thetwo flders above.
Looking for any file executing from these locations is a good way to spot ransomware before it has actually had a chance to encrypt files.

but how ?
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
LVL 29

Assisted Solution

by:Olaf Doschke
Olaf Doschke earned 50 total points (awarded by participants)
ID: 41787426
LVL 16

Assisted Solution

by:Shaik M. Sajid
Shaik M. Sajid earned 50 total points (awarded by participants)
ID: 41787436
most of the ransom wares are spreading over E-mail attachments, hence you have to train users not to open unsolicited emails, keep up to date antivirus, anti malware definitions, and do not assign local users administrative privileges so it'll not effect to all files on the system.

all the best
LVL 63

Accepted Solution

btan earned 250 total points (awarded by participants)
ID: 41787652
Application whitelisting like use of applocker can actually restricted the authorized to run based on Publisher, Path or File hash rule. There are also possibly to avoid false positive that you may set the enforcement mode on the relevant rule collection to Audit only so that AppLocker does not block any application for the present time. Subsequently, once you are ready after a period of monitoring that there is really no such need to have appl running or certain does run at those folder you can change the enforcement mode to Enforce rules with the right rule in place and roll out as GPO policy.

For note - though it is true those folder are "hot favorite" for malware and like, it can also break and cause false positive (inconveniences to your users), so do the audit mode shared earlier first. Also consider whitelist other appl most likely browser and cloud based storage used in machine like Dropbox and Chrome that run from AppData folder itself. include blocking places like C:\temp, C:\ProgramData, Recycle Bin and other writable folders which you really do not want it to be tampered unless it is your whitelisted appl.

We know it is not foolproof on such preventive approach. Other means to augment include
a) Preventive/Detective
- Cryptoprevent or SecureAPlus - same as Applocker but like intuitive to include ready package to block those common vulnerable location
- Anti Ransomware software such as MalwareByte AntiRansomware, and WinPatrol WinAntiRansom which they would have behavioral rule to alert on sighting such anomalous activities.
- Audit rule on object changes can be done but it is non-trivial if you do not have SIEM or some log correlation to set that alarm on such events.

b) Deterrence - Setting up Decoy folder or equv such that Ransomware does its recursive encryption of file etc but on a fake folder and files. This allow time for the other detection mechanism to kick in to alert (hopefully). One example is from TrapX Cryptotrap.
Ransomware - Can it be prevented?

Worried about ransomware attacks hitting your organization?  The good news is that these attacks are predicable and therefore preventable. Learn more about how you can  stop a ransomware attacks before encryption takes place with WatchGuard Total Security!

LVL 26

Assisted Solution

by:Thomas Zucker-Scharff
Thomas Zucker-Scharff earned 50 total points (awarded by participants)
ID: 41789849
You can also add BD Antiransomware, although not configurable, it does monitor those folders.  And I also + cryptoprevent.   Those are endpoint solutions though.  There are ways to do this using GPOs as well.  And some software firms have solutions that can be implemented both at the endpoint and at the firewall ( and come to mind).
LVL 23

Assisted Solution

by:Danny Child
Danny Child earned 50 total points (awarded by participants)
ID: 41790361
The reason those areas exist is to allow legitimate programs to run.  If you try and lock them down, you'll stop this.  It's kinda like trying to prevent a household robbery by filling the entire house with concrete.  It would work, but...

Better to do as above, work on the perimeter security, don't leave any "windows" open, and keep tested backup copies of all secure data.
LVL 63

Assisted Solution

btan earned 250 total points (awarded by participants)
ID: 41790550
Indeed we need layered defence but even then taking worst case Endpoint is the last line of defence - imagine user just use a usb  portable drive that is infected and AV did not detect it. All defence layers are important.

You may configure your machine accordingly to reduce (not prevent) chances of ransomware infection. E.g. use it to mitigate ransomware by blocking executable not signed, in places ransomware like:

<users profile>\AppData\Local\Temp
<users profile>\AppData\Local\Temp\*
<users profile>\AppData\Local\Temp\*\*

For Windows machine, you can consider EMET (Enhanced Mitigation Experience Toolkit). It protects Windows computers against cyber attacks & unknown exploits. It detects and blocks exploitation techniques that are commonly used to exploit memory corruption vulnerabilities. It augment existing AV and host FW to prevent exploits from dropping Trojan, but if you click open a file, it will not be able to help.

HitmanPro.Alert is another free Ransomware Protection & Browser Intrusion Detection Tool.
LVL 26

Assisted Solution

by:Thomas Zucker-Scharff
Thomas Zucker-Scharff earned 50 total points (awarded by participants)
ID: 41790551
Hitmanpro.alert is an excellent solution which I like so much I purchased. EMET is an excellent solution,  but the defaults are fairly restrictive.

Author Comment

by:Senior IT System Engineer
ID: 41790572

Does EMET is also freeware that can be downloaded from: ?
LVL 63

Assisted Solution

btan earned 250 total points (awarded by participants)
ID: 41790602
LVL 38

Assisted Solution

by:Rich Rumble
Rich Rumble earned 50 total points (awarded by participants)
ID: 41792627
The best backup plan is good clean backups of data. Monitoring the %temp% file locations themselves isn't going to save you at all. As stated above, the best way to prevent is to train users not to click on attachments, and to NEVER enable macros in office documents. Very few people actually need macros ever in their life time. EMET is a great defense for many new exploits that AV vendors don't have a detection for. Ransomware only works because no one has followed what I consider to be the number one BEST PRACTICE since computers became popular, have good backups!
Another best practice that is biting people in the a** is permissions on file shares. If your users don't need access to folders x, y and z, make sure they can't access those folders. Ransomware is looking at mapped drives and file shares, your registry keeps a very detailed log of previous files, share and paths that your users have been. Make sure you have backup's of all you vital data.
LVL 63

Expert Comment

ID: 41821336
as shared by experts

Featured Post

Manage your data center from practically anywhere

The KN8164V features HD resolution of 1920 x 1200, FIPS 140-2 with level 1 security standards and virtual media transmissions at twice the speed. Built for reliability, the KN series provides local console and remote over IP access, ensuring 24/7 availability to all servers.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Determining the an SCCM package name from the Package ID
This article is a collection of issues that people face from time to time and possible solutions to those issues. I hope you enjoy reading it.
Are you ready to implement Active Directory best practices without reading 300+ pages? You're in luck. In this webinar hosted by Skyport Systems, you gain insight into Microsoft's latest comprehensive guide, with tips on the best and easiest way…
Finding and deleting duplicate (picture) files can be a time consuming task. My wife and I, our three kids and their families all share one dilemma: Managing our pictures. Between desktops, laptops, phones, tablets, and cameras; over the last decade…

740 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question