Build your own ransomware blocker with NoVirusThanks File System Protector

[Batu69]

 

Constantly in the headlines, ransomware is the menace of the moment, and even the best antivirus engines can’t guarantee to keep you safe. NoVirusThanks File System Protector can help by restricting access to particular folders and file types, ensuring only trusted applications gets to open or modify your files.

 

You could create a rule which blocks any process from accessing the C:\Locked folder, for instance. Or you might just stop processes modifying all files in that location, or perhaps a specific file type.

 

An Exclusion system defines trusted applications which aren’t affected by this, so you might have one rule blocking access to *.JPG files, and an exclusion for your regular image editor or viewer.

 

Setting this up is more complicated than you might expect, because there’s no rule creation GUI, just an "Edit Rules" button. Click this, a plain text file opens in your default editor, and you must enter new rules manually.

 

While this isn’t exactly convenient, there are sample rules in the file, and they’re not difficult to understand. Here’s a one-line example.

 

[%OPER%: DENY_WRITE] [%PROC%: *] [%FILE%: C:\ProtectedFiles\*.txt]

You can probably figure out the basics immediately: the rule is blocking writes, by all processes, to files matching the mask C:\ProtectedFiles\*.txt.

Copy and paste that, replace the final path with something like C:\Locked\*.*, save the file, and immediately you’ve blocked any attempt to modify files in the C:\Locked folder.

 

The Exclusion system allows creating super-applications which aren’t affected by any of this. These rules are also stored in a text file, although they’re much simpler, and are essentially just the process name.

 

*\notepad.exe

This would allow Notepad to open any file, even in a locked folder.

NoVirusThanks File System Protector needs to be used with care. Accidentally block access to some key system or application folder and you could cause some major problems.

 

But if you’re cautious, use the program with just a few well-thought-out rules, you’ll get a handy extra layer of protection for your most important files and folders.

 

NoVirusThanks File System Protector is a freeware application for Windows Vista and later.

 

Article source

[straycat19]

This is probably fine if you don't have many programs on your system, but quickly becomes convoluted and time consuming if you 70-80 programs like I do.  And it doesn't protect everything because you can't block everything with it.  Using a little technical knowledge, you know that all the bad things that can happen to a system are initiated out of the %appdata% folder. By blocking that entire folder from running any programs using a group policy object you have easily and effectively protected your entire system.  Even newer type malware that resides in memory has to have a program run that puts it there and that program is in the appdata folder. So if it can't run then the malware cannot be installed.  Same is true of ransomware or any other type of malware.  If there are other locations that need to be blocked, such as the c:\windows\temp folder, that is easy to do also.  Much easier than trying to create all the rules it would take to protect a system using System Protector.