Microsoft planning to scrap Software Restriction Policies... feedback this!
#1 urbanriot
Posted 12 June 2018 - 06:28 PM

Bleeping Computer has some great advice to block ransomware by using Software Restriction Policies, found in group policies, something that any user with Windows 7 / 8 / 10 Professional has been able to do for years:

https://www.bleepingcomputer.com/virus-removal/cryptolocker-ransomware-information#prevent
Basically you can entirely block the execution of executables in various folders like

C:\Users\%username%\Appdata\Local\*.exe

C:\Users\%username%\Appdata\Local\*.scr

C:\Users\%username%\Appdata\Roaming\*.exe

etc.

Unfortunately Microsoft has the unfortunate news that they may remove this functionality in a future update:

https://docs.microsoft.com/en-us/windows/deployment/planning/windows-10-1803-removed-features
"Instead of using the Software Restriction Policies through Group Policy, you can use AppLocker or Windows Defender Application Control to control which apps users can access and what code can run in the kernel."
"If you have feedback about the proposed replacement of any of these features, you can use the Feedback Hub app."
As someone who extensively utilizes the following list with excellent results, I'd suggest feedbacking:
%AppData%\*.exe
%AppData%\*.scr
%AppData%\*\*.exe
%AppData%\*\*.scr
%AppData%\*\*\*.scr
%AppData%\*\*\*\*.scr
%LocalAppData%\*.exe
%LocalAppData%\*.scr
%LocalAppData%\Google\Chrome\User Data\Default\Extensions\*\*\*.exe
%LocalAppData%\Microsoft\Windows\Temporary Internet Files\*\*\*.exe
%LocalAppData%\Microsoft\Windows\Temporary Internet Files\*\*\*.scr
%LocalAppData%\Microsoft\Windows\Temporary Internet Files\*\*\*\*.exe
%LocalAppData%\Microsoft\Windows\Temporary Internet Files\*\*\*\*.scr
%LocalAppData%\Microsoft\Windows\Temporary Internet Files\*\*\*\*.vbs
%LocalAppData%\Microsoft\Windows\Temporary Internet Files\*\*\*\*.wsf
%ProgramData%\*.exe
%ProgramData%\*\*.exe
%ProgramFiles%\Google\Desktop
%Temp%\*.zip\*.exe
%Temp%\*.zip\*.hta
%Temp%\*.zip\*.scr
%Temp%\*.zip\*.vbs
%Temp%\*.zip\*.wsf
%Temp%\7z*\*.exe
%Temp%\7z*\*.hta
%Temp%\7z*\*.scr
%Temp%\Rar*\*.exe
%Temp%\Rar*\*.hta
%Temp%\Rar*\*.scr
%Temp%\wz*\*.exe
%Temp%\wz*\*.scr
%UserProfile%\*.exe
%UserProfile%\*.scr
%appdata%\Microsoft\Internet Explorer\UserData\*\*.exe
%appdata%\Microsoft\Internet Explorer\UserData\Low\*.exe
%appdata%\Microsoft\Internet Explorer\UserData\Low\*\*.exe
%appdata%\Microsoft\Windows\Start Menu\Programs\*\*.exe
%appdata%\Microsoft\Windows\Start Menu\Programs\*\*.hta
%appdata%\Microsoft\Windows\Start Menu\Programs\Startup\*.exe
%localappdata%\Microsoft\Windows\INetCache\Content.Outlook\*\*.exe
%localappdata%\Microsoft\Windows\INetCache\Content.Outlook\*\*.js
%localappdata%\Microsoft\Windows\INetCache\Content.Outlook\*\*.vbs
%localappdata%\Microsoft\Windows\INetCache\Content.Outlook\*\*\*.exe
%localappdata%\Microsoft\Windows\INetCache\Content.Outlook\*\*\*.js
%localappdata%\Microsoft\Windows\INetCache\Content.Outlook\*\*\*.vbs
%localappdata%\Microsoft\Windows\Temporary Internet Files\Content.Outlook\*\*\*.bat
%localappdata%\Microsoft\Windows\Temporary Internet Files\Content.Outlook\*\*\*.cmd
%localappdata%\Microsoft\Windows\Temporary Internet Files\Content.Outlook\*\*\*.exe
%localappdata%\Microsoft\Windows\Temporary Internet Files\Content.Outlook\*\*\*.js
%localappdata%\Microsoft\Windows\Temporary Internet Files\Content.Outlook\*\*\*.vbs
%localappdata%\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\*\*.exe
%localappdata%\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\*\*.scr
%userprofile%\Downloads\*\*.scr
%userprofile%\Downloads\*\*.vbs
%userprofile%\Downloads\*\*.wsf
%userprofile%\Start Menu\Programs\Startup\*.exe
%userprofile%\Start Menu\Programs\Startup\*.hta
C:\$RECYCLE.BIN\*.exe
C:\$RECYCLE.BIN\*.scr
C:\$RECYCLE.BIN\*\*.exe

Some of those might look like duplicates due to junctions but they're not!
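The rules above depend on SRP's wildcard matching a single path component, which is why `%AppData%\*.exe` and `%AppData%\*\*.exe` are listed separately. As an added example (not the poster's tooling, and not Microsoft's SRP engine), this Python checker expands a constructed set of profile variables, compiles a subset of the listed rules with that one-level `*` semantics, and reports which rule would catch a given path, so coverage gaps in a rule list become visible before deployment.

```python
import re

# Constructed profile values standing in for the variables SRP expands on a
# real host (assumed for this example; actual values differ per user/machine).
ENV = {
    "AppData": r"C:\Users\alice\AppData\Roaming",
    "LocalAppData": r"C:\Users\alice\AppData\Local",
    "UserProfile": r"C:\Users\alice",
    "Temp": r"C:\Users\alice\AppData\Local\Temp",
    "ProgramData": r"C:\ProgramData",
}

# A subset of the path rules from the post, in evaluation order.
RULES = [
    r"%AppData%\*.exe",
    r"%AppData%\*\*.exe",
    r"%AppData%\*\*\*.scr",
    r"%LocalAppData%\*.exe",
    r"%ProgramData%\*\*.exe",
    r"%Temp%\7z*\*.exe",
    r"%UserProfile%\Downloads\*\*.scr",
    r"C:\$RECYCLE.BIN\*\*.exe",
]

def expand(pattern):
    """Replace %Var% references case-insensitively using the ENV mapping."""
    def sub(m):
        for name, value in ENV.items():
            if name.lower() == m.group(1).lower():
                return value
        return m.group(0)  # unknown variable: leave it unexpanded
    return re.sub(r"%([^%]+)%", sub, pattern)

def to_regex(pattern):
    """Translate a rule into a regex where '*' and '?' never cross a backslash,
    so each '\\*' level in a rule covers exactly one folder depth."""
    out = ""
    for ch in expand(pattern):
        if ch == "*":
            out += r"[^\\]*"
        elif ch == "?":
            out += r"[^\\]"
        else:
            out += re.escape(ch)
    return re.compile("^" + out + "$", re.IGNORECASE)

COMPILED = [(rule, to_regex(rule)) for rule in RULES]

def matching_rule(path):
    """Return the first rule that would block `path`, or None if nothing covers it."""
    for rule, rx in COMPILED:
        if rx.match(path):
            return rule
    return None
```

Paths with deeper nesting than the listed rules anticipate return None, which is exactly the case the per-depth entries in the list exist to close.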