Jump to content


 


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.


Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

Photo

Security Policies doubts after Malware Removal Tools


  • Please log in to reply
1 reply to this topic

#1 Pchecoandres

Pchecoandres

  • Members
  • 9 posts
  • OFFLINE
  •  
  • Local time:02:16 PM

Posted 11 January 2015 - 11:50 PM

Hey Guys,

 

I Follow the 

CryptoLocker Ransomware Information Guide and FAQ

http://www.bleepingcomputer.com/virus-removal/cryptolocker-ransomware-information#decrypt

and set the security policies to avoid CryptoLocker attack my computer which are these 

 

Block CryptoLocker executable in %AppData%

Path: %AppData%\*.exe 
Security Level: Disallowed
Description: Don't allow executables to run from %AppData%.

Block CryptoLocker executable in %LocalAppData%

Path if using Windows XP: %UserProfile%\Local Settings\*.exe
Path if using Windows Vista/7/8: %LocalAppData%\*.exe
Security Level: Disallowed
Description: Don't allow executables to run from %AppData%.

Block Zbot executable in %AppData%

Path: %AppData%\*\*.exe 
Security Level: Disallowed
Description: Don't allow executables to run from immediate subfolders of %AppData%.

Block Zbot executable in %LocalAppData%

Path if using Windows XP: %UserProfile%\Local Settings\*\*.exe
Path if using Windows Vista/7/8: %LocalAppData%\*\*.exe
Security Level: Disallowed
Description: Don't allow executables to run from immediate subfolders of %AppData%.

Block executables run from archive attachments opened with WinRAR:

Path if using Windows XP: %UserProfile%\Local Settings\Temp\Rar*\*.exe
Path if using Windows Vista/7/8: %LocalAppData%\Temp\Rar*\*.exe
Security Level: Disallowed

Description: Block executables run from archive attachments opened with WinRAR.

Block executables run from archive attachments opened with 7zip:

Path if using Windows XP: %UserProfile%\Local Settings\Temp\7z*\*.exe
Path if using Windows Vista/7/8: %LocalAppData%\Temp\7z*\*.exe
Security Level: Disallowed

Description: Block executables run from archive attachments opened with 7zip.

Block executables run from archive attachments opened with WinZip:

Path if using Windows XP: %UserProfile%\Local Settings\Temp\wz*\*.exe
Path if using Windows Vista/7/8: %LocalAppData%\Temp\wz*\*.exe
Security Level: Disallowed

Description: Block executables run from archive attachments opened with WinZip.

Block executables run from archive attachments opened using Windows built-in Zip support:

Path if using Windows XP: %UserProfile%\Local Settings\Temp\*.zip\*.exe
Path if using Windows Vista/7/8: %LocalAppData%\Temp\*.zip\*.exe
Security Level: Disallowed

Description: Block executables run from archive attachments opened using Windows built-in Zip support.

 

But now I can't run several .exes of my PC, that is known as stated in the thread but the procedures to fix that doesn't work which is this one 

 

How to allow specific applications to run when using Software Restriction Policies

If you use Software Restriction Policies, or CryptoPrevent, to block CryptoLocker you may find that some legitimate applications no longer run. This is because some companies mistakenly install their applications under a user's profile rather than in the Program Files folder where they belong. Due to this, the Software Restriction Policies will prevent those applications from running.

Thankfully, when Microsoft designed Software Restriction Policies they made it so a Path Rule that specifies a program is allowed to run overrides any path rules that may block it. Therefore, if a Software Restriction Policy is blocking a legitimate program, you will need to use the manual steps given above to add a Path Rule that allows the program to run. To do this you will need to create a Path Rule for a particular program's executable and set the Security Level to Unrestricted instead of Disallowed as shown in the image below.

 

unrestricted-policy.jpg

 

Once you add these Unrestricted Path Rules, the specified applications will be allowed to run again.

 

Help please for example I put %Appdata%\utorrent.exe - Unrestricted and still I get the message when I try to open utorrent.exe "This program is blocked by group policy"

 

Thanks in advance

 

 



BC AdBot (Login to Remove)

 


#2 Aura

Aura

    Bleepin' Special Ops


  • Malware Response Team
  • 19,596 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:02:46 PM

Posted 13 January 2015 - 11:29 AM

Instead of playing with the Local Group Policy Editor manually to set these GPOs, you should just download and use the free version of CryptoPrevent that will do everything for you and also offers you various options when it comes to the "thightness" of the settings.

https://www.foolishit.com/vb6-projects/cryptoprevent/

This tool was created following Lawrence Abram's instructions you just followed, plus some custom made rules, so you'll be good if you use it.

Edited by Aura., 13 January 2015 - 11:29 AM.

unite_blue.png
Security Administrator | Sysnative Windows Update Senior Analyst | Malware Hunter | @SecurityAura
My timezone UTC-05:00 (East. Coast). If I didn't reply to you within 48 hours, please send me a PM.





0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users