Software Restriction Policies to Prevent Ransomware

Software Restriction Policies (SRP) can be used to stop executables from running from inside a compressed file, i.e. from the temporary folder an archive tool extracts the attachment into.

GPO -> User Configuration/Windows Settings/Security Settings/Software Restriction Policies

Block executables run from archive attachments opened with WinRAR:

Path if using Windows Vista/7/8: %LocalAppData%\Temp\Rar*\*.exe
Security Level: Disallowed
Description: Block executables run from archive attachments opened with WinRAR.

Block executables run from archive attachments opened with 7zip:

Path if using Windows Vista/7/8: %LocalAppData%\Temp\7z*\*.exe
Security Level: Disallowed
Description: Block executables run from archive attachments opened with 7zip.

Block executables run from archive attachments opened with WinZip:

Path if using Windows Vista/7/8: %LocalAppData%\Temp\wz*\*.exe
Security Level: Disallowed
Description: Block executables run from archive attachments opened with WinZip.

Block executables run from archive attachments opened using Windows built-in Zip support:

Path if using Windows Vista/7/8: %LocalAppData%\Temp\*.zip\*.exe
Security Level: Disallowed
Description: Block executables run from archive attachments opened using Windows built-in Zip support.


You have two options for setting software restriction policies: default permit or default disallowed. How you go from there is up to you. These instructions follow the default-permit model and specify exactly what to disallow.
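The four path rules above can also be written as local computer policy instead of clicking through the GPO editor. The following is an added example, not code from the original post: it writes to the same registry keys that secpol.msc and Group Policy use for SRP, assumes the HKLM hive (the post uses a User Configuration GPO) and a default level of Unrestricted with explicit Disallowed rules, and must be run from an elevated PowerShell session.

```powershell
# Added example (not from the original post): create the page's four SRP path
# rules as local computer policy via the registry keys that secpol.msc/GPO
# write to. Assumptions: HKLM hive, default level Unrestricted (0x40000),
# explicit Disallowed (0) rules, enforcement on all files except DLLs.

$Safer        = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers'
$Disallowed   = 0          # Security Level: Disallowed
$Unrestricted = 0x40000    # Security Level: Unrestricted (default permit)

# Rules exactly as listed on the page: path pattern -> description
$Rules = @{
    '%LocalAppData%\Temp\Rar*\*.exe'  = 'Block executables run from archive attachments opened with WinRAR.'
    '%LocalAppData%\Temp\7z*\*.exe'   = 'Block executables run from archive attachments opened with 7zip.'
    '%LocalAppData%\Temp\wz*\*.exe'   = 'Block executables run from archive attachments opened with WinZip.'
    '%LocalAppData%\Temp\*.zip\*.exe' = 'Block executables run from archive attachments opened using Windows built-in Zip support.'
}

# Policy-wide settings: default permit, apply to all users, enforce on all software files except libraries
New-Item -Path $Safer -Force | Out-Null
Set-ItemProperty -Path $Safer -Name DefaultLevel       -Value $Unrestricted -Type DWord
Set-ItemProperty -Path $Safer -Name TransparentEnabled -Value 1             -Type DWord
Set-ItemProperty -Path $Safer -Name PolicyScope        -Value 0             -Type DWord

$PathRoot = "$Safer\$Disallowed\Paths"
foreach ($pattern in $Rules.Keys) {
    # Skip patterns that already exist so the script is safe to re-run
    $existing = Get-ChildItem -Path $PathRoot -ErrorAction SilentlyContinue |
        Where-Object { (Get-ItemProperty -Path $_.PSPath).ItemData -eq $pattern }
    if ($existing) { Write-Host "Exists: $pattern"; continue }

    # Each rule lives under <level>\Paths\{GUID}; ItemData must be REG_EXPAND_SZ
    # so that %LocalAppData% is expanded per user at evaluation time
    $key = Join-Path -Path $PathRoot -ChildPath ('{' + [guid]::NewGuid().ToString() + '}')
    New-Item -Path $key -Force | Out-Null
    New-ItemProperty -Path $key -Name ItemData     -Value $pattern         -PropertyType ExpandString | Out-Null
    New-ItemProperty -Path $key -Name SaferFlags   -Value 0                -PropertyType DWord        | Out-Null
    New-ItemProperty -Path $key -Name Description  -Value $Rules[$pattern] -PropertyType String       | Out-Null
    New-ItemProperty -Path $key -Name LastModified -Value (Get-Date).ToFileTime() -PropertyType QWord | Out-Null
    Write-Host "Added:  $pattern"
}
```

Rules created this way appear under Software Restriction Policies in secpol.msc, which is the place to confirm the level, the expanded path and the description before pushing the same rules out by GPO.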

Alternatively, use the Designated File Types list: remove the *.exe from the paths above (so each rule matches any designated file type in that folder) and make sure all of the file extensions below are added:


  • APPLICATION
  • BAT
  • BIN
  • CMD
  • COM
  • CPL
  • DOC
  • DOCM
  • DOTM
  • EXE
  • GADGET
  • HTA
  • INF
  • INS
  • INX
  • ISU
  • JAR
  • JOB
  • JS
  • JSE
  • LNK
  • MSC
  • MSH
  • MSH1
  • MSH1XML
  • MSH2
  • MSH2XML
  • MSHXML
  • PAF
  • PIF
  • POTM
  • PPAM
  • PPSM
  • PPT
  • PPTM
  • PS1
  • PS1XML
  • PS2
  • PS2XML
  • PSC1
  • PSC2
  • REG
  • RGS
  • SCF
  • SCR
  • SCT
  • SHB
  • SHS
  • SLDM
  • U3P
  • URL
  • VB
  • VBE
  • VBS
  • VBSCRIPT
  • WS
  • WSC
  • WSF
  • WSH
  • XLAM
  • XLS
  • XLSM
  • XLTM

Resources:

The path rules above follow the example from http://www.bleepingcomputer.com/virus-removal/cryptolocker-ransomware-information#prevent.

How to Prevent Ransomware Infections: http://www.bleepingcomputer.com/virus-removal/cryptolocker-ransomware-information#prevent

https://technet.microsoft.com/en-us/library/hh994606.aspx

http://pcsupport.about.com/od/tipstricks/a/execfileext.htm

http://www.howtogeek.com/137270/50-file-extensions-that-are-potentially-dangerous-on-windows/
