Description

CryptoLocker is a common infection that encrypts the victim's files. The best way to combat it is to prevent it from running in the first place. The steps below create a security policy that does this.

To Resolve

1. If the machine is on a domain, you will need to create a Group Policy. If it uses a local account and is not joined to a domain, create a Local Security Policy. So open gpedit.msc or secpol.msc.

2. Once in there, navigate down to "Software Restriction Policies", right-click, and choose "Create A New Policy".

3. Now navigate down to "Additional Rules", right-click, choose "Create New Path Rules", and add these paths and descriptions to the list:

a. %AppData%\*.exe - Disallowed - Prevent programs from running in AppData.
b. %AppData%\*\*.exe - Disallowed - Prevent virus payloads from executing in subfolders of AppData
c. %LocalAppData%\Temp\Rar*\*.exe - Disallowed - Prevent un-WinRARed executables in email attachments from running in the user space
d. %LocalAppData%\Temp\7z*\*.exe - Disallowed - Prevent un-7Ziped executables in email attachments from running in the user space
e. %LocalAppData%\Temp\wz*\*.exe - Disallowed - Prevent un-WinZIPed executables in email attachments from running in the user space
f. %LocalAppData%\Temp\*.zip\*.exe - Disallowed - Prevent unarchived executables in email attachments from running in the user space

4. That's it. Users will not be allowed to run executables in those directories.

AppLocker

If you have a version of Windows that includes AppLocker (Pro and Enterprise Editions), follow these steps:

1. Run gpedit.msc or secpol.msc and navigate down to "Application Control Policies" - "AppLocker".

2. Click on "Configure Rule Enforcement", check "Executables", and set the drop-down to "Enforced".

3. Now go back to the AppLocker screen, go to "Executable Rules", right-click, and choose "Create New Rule".

4. This brings up a wizard. Select "Next" - "Next" - "Publisher". Under browse, select ANY executable file you can find (I chose Windows Media Player (wmplayer.exe)). Slide the bar up to "Any Publisher" and click "Next". Under description, type: Only run executables that are signed. Then click "Create".

NOTE: If this is the first time creating an AppLocker policy, Windows will want you to allow Default Rules - select "Yes". 
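Before enforcing the rule, it helps to see which executables already sitting in the user profile it would block. The following is an added example, not part of the original page: it expresses the "Any Publisher" rule from step 4 plus two of the default path rules as AppLocker XML and evaluates it with Test-AppLockerPolicy without changing the machine's policy. The rule names and the policy file name are assumptions.

```powershell
# Added example: dry-run the "signed executables only" rule against files in the user profile.
# Test-AppLockerPolicy only evaluates the XML; it does not apply the policy.
Import-Module AppLocker

function New-RuleId { [guid]::NewGuid().ToString() }

# Step 4's publisher rule plus default-style path rules. S-1-1-0 is the Everyone SID.
$policyXml = @"
<AppLockerPolicy Version="1">
  <RuleCollection Type="Exe" EnforcementMode="Enabled">
    <FilePublisherRule Id="$(New-RuleId)" Name="Signed by any publisher" Description="Only run executables that are signed." UserOrGroupSid="S-1-1-0" Action="Allow">
      <Conditions>
        <FilePublisherCondition PublisherName="*" ProductName="*" BinaryName="*">
          <BinaryVersionRange LowSection="*" HighSection="*" />
        </FilePublisherCondition>
      </Conditions>
    </FilePublisherRule>
    <FilePathRule Id="$(New-RuleId)" Name="Program Files" Description="" UserOrGroupSid="S-1-1-0" Action="Allow">
      <Conditions><FilePathCondition Path="%PROGRAMFILES%\*" /></Conditions>
    </FilePathRule>
    <FilePathRule Id="$(New-RuleId)" Name="Windows folder" Description="" UserOrGroupSid="S-1-1-0" Action="Allow">
      <Conditions><FilePathCondition Path="%WINDIR%\*" /></Conditions>
    </FilePathRule>
  </RuleCollection>
</AppLockerPolicy>
"@

# Hypothetical file name; any writable location works.
$policyFile = Join-Path $env:TEMP 'applocker-signed-only.xml'
Set-Content -Path $policyFile -Value $policyXml -Encoding UTF8

# Executables currently present in the user-writable locations the page is concerned with.
$candidates = Get-ChildItem -Path $env:APPDATA, $env:LOCALAPPDATA -Filter *.exe -Recurse -File -ErrorAction SilentlyContinue |
    Select-Object -ExpandProperty FullName

if ($candidates) {
    # PolicyDecision is Allowed, Denied or DeniedByDefault; MatchingRule names the rule that decided.
    Test-AppLockerPolicy -XmlPolicy $policyFile -Path $candidates -User Everyone |
        Sort-Object PolicyDecision |
        Format-Table PolicyDecision, MatchingRule, FilePath -AutoSize
} else {
    Write-Output 'No executables found under AppData or LocalAppData.'
}
```

Files reported as DeniedByDefault are unsigned and outside the allowed paths, so they would stop running once the rule is enforced. Files under AppData reported as Allowed are signed, and the any-publisher rule lets them run regardless of who signed them.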
