Software Restriction Policies to Prevent Ransomware

Software Restriction Policies to stop executables from running from within a compressed file (example from http://www.bleepingcomputer.com/virus-removal/cryptolocker-ransomware-information#prevent):

GPO -> User Configuration/Windows Settings/Security Settings/Software Restriction Policies

Block executables run from archive attachments opened with WinRAR:

Path if using Windows Vista/7/8: %LocalAppData%\Temp\Rar*\*.exe
Security Level: Disallowed
Description: Block executables run from archive attachments opened with WinRAR.

Block executables run from archive attachments opened with 7zip:

Path if using Windows Vista/7/8: %LocalAppData%\Temp\7z*\*.exe
Security Level: Disallowed
Description: Block executables run from archive attachments opened with 7zip.

Block executables run from archive attachments opened with WinZip:

Path if using Windows Vista/7/8: %LocalAppData%\Temp\wz*\*.exe
Security Level: Disallowed
Description: Block executables run from archive attachments opened with WinZip.

Block executables run from archive attachments opened using Windows built-in Zip support:

Path if using Windows Vista/7/8: %LocalAppData%\Temp\*.zip\*.exe
Security Level: Disallowed
Description: Block executables run from archive attachments opened using Windows built-in Zip support.


Repeat the rules above for each of the executable extensions below that you want to block (test installations of the main business applications before deploying to production):

  • APPLICATION
  • BAT
  • BIN
  • CMD
  • COM
  • CPL
  • DOC
  • DOCM
  • DOTM
  • EXE
  • GADGET
  • HTA
  • INF
  • INS
  • INX
  • ISU
  • JAR
  • JOB
  • JS
  • JSE
  • LNK
  • MSC
  • MSH
  • MSH1
  • MSH1XML
  • MSH2
  • MSH2XML
  • MSHXML
  • PAF
  • PIF
  • POTM
  • PPAM
  • PPSM
  • PPT
  • PPTM
  • PS1
  • PS1XML
  • PS2
  • PS2XML
  • PSC1
  • PSC2
  • REG
  • RGS
  • SCF
  • SCR
  • SCT
  • SHB
  • SHS
  • SLDM
  • U3P
  • URL
  • VB
  • VBE
  • VBS
  • VBSCRIPT
  • WS
  • WSC
  • WSF
  • WSH
  • XLAM
  • XLS
  • XLSM
  • XLTM
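The four archive rules above, repeated for every extension in the list, add up to a few hundred path rules; the following script is an added example (not from the original post or from BleepingComputer) that creates them in the local SRP policy registry. It assumes a local policy under HKCU, matching the User Configuration scope used above; a domain GPO delivers the same keys to the client, so the script can also be used to audit what a GPO produced.

```powershell
# Added example: creates the Disallowed SRP path rules described above for every archive
# pattern and every extension in the post's list. Assumes a local policy under HKCU
# (User Configuration scope); a domain GPO writes the same keys to the client.
# Run as the target user; log off/on or run gpupdate /force to apply the rules.

$base       = 'HKCU:\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers'
$disallowed = "$base\0\Paths"    # security level 0 = Disallowed, 262144 = Unrestricted

# Make sure the SRP root exists with a sane default (Unrestricted, enforce on all files and users)
if (-not (Test-Path $disallowed)) { New-Item -Path $disallowed -Force | Out-Null }
foreach ($v in @{ DefaultLevel = 262144; TransparentEnabled = 1; PolicyScope = 0 }.GetEnumerator()) {
    if ($null -eq (Get-ItemProperty -Path $base -Name $v.Key -ErrorAction SilentlyContinue)) {
        New-ItemProperty -Path $base -Name $v.Key -Value $v.Value -PropertyType DWord | Out-Null
    }
}

# Archive temp-folder patterns from the post; the extension is appended per rule
$archivePatterns = [ordered]@{
    'WinRAR'               = '%LocalAppData%\Temp\Rar*\*.'
    '7zip'                 = '%LocalAppData%\Temp\7z*\*.'
    'WinZip'               = '%LocalAppData%\Temp\wz*\*.'
    'Windows built-in Zip' = '%LocalAppData%\Temp\*.zip\*.'
}

# Extension list from the post
$extensions = 'APPLICATION','BAT','BIN','CMD','COM','CPL','DOC','DOCM','DOTM','EXE','GADGET',
    'HTA','INF','INS','INX','ISU','JAR','JOB','JS','JSE','LNK','MSC','MSH','MSH1','MSH1XML',
    'MSH2','MSH2XML','MSHXML','PAF','PIF','POTM','PPAM','PPSM','PPT','PPTM','PS1','PS1XML',
    'PS2','PS2XML','PSC1','PSC2','REG','RGS','SCF','SCR','SCT','SHB','SHS','SLDM','U3P','URL',
    'VB','VBE','VBS','VBSCRIPT','WS','WSC','WSF','WSH','XLAM','XLS','XLSM','XLTM'

function New-SrpPathRule {
    param([string]$Path, [string]$Description)
    # Re-runnable: skip a rule whose ItemData (the path pattern) is already present
    $existing = Get-ChildItem -Path $disallowed |
        Where-Object { (Get-ItemProperty -Path $_.PSPath).ItemData -eq $Path }
    if ($existing) { return }
    # Each rule is a GUID-named subkey with the same four values the GPO editor writes
    $key = New-Item -Path $disallowed -Name ('{' + [guid]::NewGuid() + '}')
    New-ItemProperty -Path $key.PSPath -Name ItemData     -Value $Path        -PropertyType ExpandString | Out-Null
    New-ItemProperty -Path $key.PSPath -Name SaferFlags   -Value 0            -PropertyType DWord        | Out-Null
    New-ItemProperty -Path $key.PSPath -Name Description  -Value $Description -PropertyType String       | Out-Null
    New-ItemProperty -Path $key.PSPath -Name LastModified -Value (Get-Date).ToFileTime() -PropertyType QWord | Out-Null
}

foreach ($app in $archivePatterns.Keys) {
    foreach ($ext in $extensions) {
        New-SrpPathRule -Path ($archivePatterns[$app] + $ext.ToLower()) `
            -Description "Block $ext run from archive attachments opened with $app"
    }
}
```

Before rolling the rules out, a LogFileName (REG_SZ) value under the same CodeIdentifiers key makes SRP log every path evaluation, which is the simplest way to run the pre-deployment test the post recommends.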

Resources:

http://www.bleepingcomputer.com/virus-removal/cryptolocker-ransomware-information#prevent

https://technet.microsoft.com/en-us/library/hh994606.aspx

http://pcsupport.about.com/od/tipstricks/a/execfileext.htm

http://www.howtogeek.com/137270/50-file-extensions-that-are-potentially-dangerous-on-windows/
