CryptoLocker is a common infection people are getting that encrypts their files. The best way to combat this is to prevent it in the first place. Here are the steps to create a security policy to prevent it.
1. If on a domain, you will need to create a Group Policy. If a local account not joined to a domain, a Local Security Policy. So gpedit.msc or secpol.msc. 2. Once in there, navigate down to "Software Restriction Policies" and right click and "Create A New Policy". 3. Now navigate down to "Additional Rules" - Right click and "Create New Path Rules" and add these paths and descriptions to the list:
- a. %AppData%\*.exe - Disallowed - Prevent programs from running in AppData.
- b. %AppData%\*\*.exe - Disallowed - Prevent virus payloads from executing in subfolders of AppData
- c. %LocalAppData%\Temp\Rar*\*.exe - Disallowed - Prevent un-WinRARed executables in email attachments from running in the user space
- d. %LocalAppData%\Temp\7z*\*.exe - Disallowed - Prevent un-7Ziped executables in email attachments from running in the user space
- e. %LocalAppData%\Temp\wz*\*.exe - Disallowed - Prevent un-WinZIPed executables in email attachments from running in the user space
- f. %LocalAppData%\Temp\*.zip\*.exe - Disallowed - Prevent unarchived executables in email attachments from running in the user space
4. That's it, users will not be allowed to run executables in those directories.
If you have a version of Windows that includes AppLocker (Pro and Enterprise Editions), follow these steps:
1. Run gpedit.msc or secpol.msc and navigate down to: "Application Control Policies - Applocker"
2. Click on the "Configure Rule Enforcement" - "Executables = Checked - and drop down = enforced".
3. Now go back to the AppLocker screen and go to "Executable Rules - Right Click - and "Create New Rule".
4. This brings up a wizard, select " Next - Next - Publisher - Under browse - Select ANY executable file you can find (I chose Window Media Player (wmplayer.exe)) - Slide the bar up to "Any Publisher" - Next - Under description, type: Only run executables that are signed. - "Create".
NOTE: If this is the first time creating an AppLocker policy, Windows will want you to allow Default Rules - select "Yes".