Petrovic  Posted February 15, 2016

You have probably already heard about the very well known type of virus called "Cryptolocker". Each day you can hear about a new variant of the Cryptolocker virus, and based on my experience I can say that antivirus vendors just can't keep up with this kind of threat, because once downloaded the Cryptolocker virus changes .exe file names and hashes, so it is really hard to track it down. The following recommendations will help you protect your PC or your network from a Cryptolocker virus.

- Do not use a non-supported operating system like Windows XP. Although you'll be more protected using this guide even if you use an outdated OS like Windows XP, we strongly recommend that you move forward and upgrade to a newer operating system. Microsoft no longer provides security updates or technical support for Windows XP.
- Use good anti-virus software protection and make sure your virus definitions are up to date.
- Use a third-party firewall or Windows Firewall.
- Use Windows User Account Control (UAC) in Admin Approval Mode. When the system or you initiates an .exe file it will ask you for consent, or for a password if you are logged on as a standard user.
- Always work under a Windows standard user account. Let Windows ask you for administrative credentials each time you try to install something.

Although the above mentioned methods will help you have better protection, they won't necessarily protect you from one of the Cryptolocker variants. In order to prevent the Cryptolocker virus from activating and therefore starting the encryption of your files, here's what you can do if you are using the Professional or Enterprise versions of the Microsoft operating system.
Open the local policy editor by running gpedit.msc and navigate to:

Computer Configuration | Windows Settings | Security Settings | Software Restriction Policies

From the Action menu, or using a right click, select "New Software Restriction Policies". Select Additional Rules and in the right pane right click and choose to create a New Path Rule. Now add each of the following rules and set the Security Level to "Disallowed":

%AppData%\*.exe
%AppData%\*\*.exe
%LocalAppData%\*.exe
%LocalAppData%\*\*.exe
%USERPROFILE%\Appdata\*.exe
%USERPROFILE%\Appdata\*\*.exe
%USERPROFILE%\Appdata\LocalLow\*.exe
%USERPROFILE%\Appdata\LocalLow\*\*.exe

Once you're done you should get this result.

Close the policy editor and restart your machine. With this policy in place you will prevent the starting of executable files from the directories that Cryptolocker mostly uses. If you work in a corporate environment you can link the above created policy to your domain and thus prevent Cryptolocker from running.

Article source
straycat19  Posted February 15, 2016

I have been doing this for many years and have tried encouraging people to do this to their machines. However, I also add the Windows\Temp folder to the list, since 'old' exploits run from it. Additionally, you can get the free version of CryptoPrevent from FoolishIT and also run it on your system. I do not have any AV software on my computer, since it is fairly useless in this day and age. I do use a standalone firewall that includes HIPS, and there are several free ones you can get.

Now for the one item the article above fails to mention. When you block the AppData folder you also block all your software updates and many installers, which either download to a subfolder of AppData or extract an installation file/folder to the AppData folder. Since they won't run, you either have to find the installation/update files and move them somewhere else, and when that doesn't work (and it doesn't sometimes) your only recourse is to go back into the policy editor and change every one of the Disallowed settings to Allow, install the software, and then go change them back. I was going to write a script to do it (that is, change the settings), but this is a security issue and I prefer to do it manually, because scripts can fail.
eurobyn  Posted February 15, 2016

I use CryptoPrevent. This does the job.
straycat19  Posted February 15, 2016

You can also get a kit that has a lot of suggestions, scripts and information for a small donation from http://www.thirdtier.net/ransomware-prevention-kit/

My Software Restriction Policy, in addition to the keys in the article above, also has restrictions on running WinZip and WinRAR executables from the AppData folder. Below are a few Path Rules that it is suggested you use, not only to block the infections from running but also to block attachments from being executed when opened in an e-mail client.

Block CryptoLocker executable in %AppData%
  Path: %AppData%\*.exe
  Security Level: Disallowed
  Description: Don't allow executables to run from %AppData%.

Block CryptoLocker executable in %LocalAppData%
  Path if using Windows XP: %UserProfile%\Local Settings\*.exe
  Path if using Windows Vista/7/8: %LocalAppData%\*.exe
  Security Level: Disallowed
  Description: Don't allow executables to run from %AppData%.

Block Zbot executable in %AppData%
  Path: %AppData%\*\*.exe
  Security Level: Disallowed
  Description: Don't allow executables to run from immediate subfolders of %AppData%.

Block Zbot executable in %LocalAppData%
  Path if using Windows XP: %UserProfile%\Local Settings\*\*.exe
  Path if using Windows Vista/7/8: %LocalAppData%\*\*.exe
  Security Level: Disallowed
  Description: Don't allow executables to run from immediate subfolders of %AppData%.

Block executables run from archive attachments opened with WinRAR
  Path if using Windows XP: %UserProfile%\Local Settings\Temp\Rar*\*.exe
  Path if using Windows Vista/7/8: %LocalAppData%\Temp\Rar*\*.exe
  Security Level: Disallowed
  Description: Block executables run from archive attachments opened with WinRAR.

Block executables run from archive attachments opened with 7zip
  Path if using Windows XP: %UserProfile%\Local Settings\Temp\7z*\*.exe
  Path if using Windows Vista/7/8: %LocalAppData%\Temp\7z*\*.exe
  Security Level: Disallowed
  Description: Block executables run from archive attachments opened with 7zip.

Block executables run from archive attachments opened with WinZip
  Path if using Windows XP: %UserProfile%\Local Settings\Temp\wz*\*.exe
  Path if using Windows Vista/7/8: %LocalAppData%\Temp\wz*\*.exe
  Security Level: Disallowed
  Description: Block executables run from archive attachments opened with WinZip.

Block executables run from archive attachments opened using Windows built-in Zip support
  Path if using Windows XP: %UserProfile%\Local Settings\Temp\*.zip\*.exe
  Path if using Windows Vista/7/8: %LocalAppData%\Temp\*.zip\*.exe
  Security Level: Disallowed
  Description: Block executables run from archive attachments opened using Windows built-in Zip support.
Ghazi  Posted February 16, 2016

Using a script for creating these rules will make it easier to apply these to many computers. Also, what is the best way to allow a specific exe to run? I allowed a piece of software by creating a hash rule, but is there a better way to do this? Will adding a piece of software to run compromise my security settings for that folder?
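The following PowerShell script is an added example and is not from any of the posters above, nor from the article the first post reproduces. It scripts the procedure from the first post and the extra path rules from straycat19's list (including the Windows\Temp folder he mentions), and it also shows the path-rule way of allowing one specific executable that Ghazi asks about: Software Restriction Policies (SRP) store their rules under HKLM\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers, keyed by security level (0 = Disallowed, 262144 = Unrestricted), and when several path rules match the same file the most specific one wins, so an Unrestricted rule for a single full path overrides a Disallowed wildcard rule covering its folder. The updater path `%LocalAppData%\ExampleVendor\Updater.exe` is a hypothetical placeholder, not a real product path.

```powershell
# Added example (not from the original thread). Writes SRP path rules into the
# registry location that gpedit.msc's "Software Restriction Policies" node uses.
# Run in an elevated PowerShell session. The ExampleVendor path is an assumption.
#Requires -RunAsAdministrator

$Safer = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers'

# SRP security-level key names: 0 = Disallowed, 262144 = Unrestricted
$Disallowed   = 0
$Unrestricted = 262144

# Patterns from the thread (Vista-and-later forms) plus Windows\Temp
$BlockRules = @(
    '%AppData%\*.exe',
    '%AppData%\*\*.exe',
    '%LocalAppData%\*.exe',
    '%LocalAppData%\*\*.exe',
    '%USERPROFILE%\AppData\LocalLow\*.exe',
    '%USERPROFILE%\AppData\LocalLow\*\*.exe',
    '%LocalAppData%\Temp\Rar*\*.exe',
    '%LocalAppData%\Temp\7z*\*.exe',
    '%LocalAppData%\Temp\wz*\*.exe',
    '%LocalAppData%\Temp\*.zip\*.exe',
    '%SystemRoot%\Temp\*.exe'
)

# Hypothetical exception: one updater that lives under %LocalAppData%.
# A more specific path rule beats the wildcard rule, so only this file is
# allowed; everything else under %LocalAppData% stays Disallowed.
$AllowRules = @(
    '%LocalAppData%\ExampleVendor\Updater.exe'   # assumption, replace with the real path
)

function New-SrpPathRule {
    param(
        [Parameter(Mandatory)] [string] $Path,
        [Parameter(Mandatory)] [int]    $Level,
        [string] $Description = ''
    )
    $LevelKey = Join-Path $Safer "$Level\Paths"
    if (-not (Test-Path $LevelKey)) { New-Item -Path $LevelKey -Force | Out-Null }

    # Idempotent: do not create a second rule for a pattern already present at this level
    $existing = Get-ChildItem $LevelKey -ErrorAction SilentlyContinue |
        Where-Object { (Get-ItemProperty $_.PSPath).ItemData -eq $Path }
    if ($existing) { return $existing.PSChildName }

    # Each rule is a GUID-named subkey, exactly as gpedit.msc creates them
    $RuleKey = Join-Path $LevelKey ('{' + [guid]::NewGuid().ToString() + '}')
    New-Item -Path $RuleKey -Force | Out-Null
    # ItemData is REG_EXPAND_SZ, so %AppData% and friends expand per user at check time
    New-ItemProperty -Path $RuleKey -Name ItemData     -PropertyType ExpandString -Value $Path        | Out-Null
    New-ItemProperty -Path $RuleKey -Name SaferFlags   -PropertyType DWord        -Value 0            | Out-Null
    New-ItemProperty -Path $RuleKey -Name Description  -PropertyType String       -Value $Description | Out-Null
    New-ItemProperty -Path $RuleKey -Name LastModified -PropertyType QWord        -Value ([DateTime]::UtcNow.ToFileTimeUtc()) | Out-Null
    return (Split-Path $RuleKey -Leaf)
}

# Top-level settings, equivalent to choosing "New Software Restriction Policies"
if (-not (Test-Path $Safer)) { New-Item -Path $Safer -Force | Out-Null }
Set-ItemProperty -Path $Safer -Name DefaultLevel       -Value $Unrestricted -Type DWord  # allow by default, block by rule
Set-ItemProperty -Path $Safer -Name TransparentEnabled -Value 1             -Type DWord  # enforce for executables, not DLLs
Set-ItemProperty -Path $Safer -Name PolicyScope        -Value 0             -Type DWord  # apply to all users, admins included

foreach ($p in $BlockRules) { New-SrpPathRule -Path $p -Level $Disallowed   -Description 'Block executables in user-writable folders' | Out-Null }
foreach ($p in $AllowRules) { New-SrpPathRule -Path $p -Level $Unrestricted -Description 'Approved updater (specific-path exception)' | Out-Null }

# Show what is now configured, per level
foreach ($lvl in $Disallowed, $Unrestricted) {
    Get-ChildItem (Join-Path $Safer "$lvl\Paths") -ErrorAction SilentlyContinue | ForEach-Object {
        [pscustomobject]@{ Level = $lvl; Path = (Get-ItemProperty $_.PSPath).ItemData }
    }
}
# New rules apply to processes started after the next logon or gpupdate /force (or a reboot, as the article says).
```

Two practical points. First, this writes the local machine policy directly; on a domain member a GPO that also configures SRP will replace these keys on refresh, so in a domain put the same rules in the GPO that the first post suggests linking, rather than running the script on each machine. Second, the hash rule Ghazi used is also a valid exception and in SRP precedence a hash rule outranks any path rule; the difference is that a hash rule has to be recreated every time the allowed program is updated, whereas the specific-path Unrestricted rule above survives updates but trusts whatever is dropped at that path, so the folder it points into should not be writable by the standard user account that the article recommends working under.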
perlinpinpin  Posted February 17, 2016

To straycat19: "I do use a standalone firewall that includes HIPS". I am like many others with AV software, but I have seen these last years that it is useless. Can you provide details about the firewall you have, or give advice? Thank you.