idji
Level 7
Message 1 of 5

Applying policies to block ransomware and effects on AppData-installed applications

I have followed some Intel recommendations by creating policies to block ransomware like CryptoLocker, TeslaCrypt and Locky.  These policies are very aggressive in preventing the running of .exe files that are local to a user profile (e.g. the AppData folder), to the point that I had to disable them because users couldn't run some applications, and other sysadmins were upset that they couldn't even run an installer from the user Desktop anymore (easily fixed by telling them to copy and run them anywhere else on the local drive except the Users folders).

Examples of such applications that install the .exe in AppData are Google Chrome, Citrix Receiver and DropBox.  

Would the best practice in this case be to create a GPO to move the applications to C:\Program Files, or to define exclusions to allow them to remain in the user's AppData folder?

If the latter is recommended, is there a list of executable names I could copy and paste in my policies?

Any other suggestions are welcomed.

Thanks

4 Replies
exbrit
Level 21
Message 2 of 5

Re: Applying policies to block ransomware and effects on AppData-installed applications

Moved provisionally to ePO for faster handling

---

Peter

Moderator

Re: Applying policies to block ransomware and effects on AppData-installed applications

Hi, whoa, that's a big task, to whitelist all the applications that the users want to use?

That's a good question, by the way. I'm also interested to know what others have to say.

idji
Level 7
Message 4 of 5

Re: Applying policies to block ransomware and effects on AppData-installed applications

I don't want to whitelist all the applications a user has installed, only the ones that are installed without administrator privileges and intervention, like Google Chrome.

youngs
Level 10
Message 5 of 5

Re: Applying policies to block ransomware and effects on AppData-installed applications

Depending on which product you're using to do this, I would suggest putting it in a reporting-only mode, then gathering the applications over a one-week period and adjusting the policy to exclude the ones you want.  Every business / user will have different apps that are installed without administrator privileges, so it would be hard for someone to provide a list.

I know that with their HIPS product, depending on policies and levels of protection, you can have them report (e.g. High blocks, Medium reports).  If it's VSE and it's a user-defined policy, set it to report only first, then block once you have gathered the applications.

Scott
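The gather-then-exclude procedure Scott describes, as an added example that is not part of this thread or of McAfee's tooling. It assumes the access-protection log is tab-separated with the fields date, time, action, user, process, target path and rule name; the sample lines below are constructed, and the "Would be blocked ... (rule is currently not enforced)" wording for report-only hits is an assumption, so match it to whatever your product actually writes. The script generalizes each profile path to `C:\Users\*\...` so that one exclusion covers every user, and it keeps single-user hits, anything under `AppData\Local\Temp`, and random-looking file names out of the exclusion list for manual review, because that is exactly what a dropper run from a user profile looks like in the same log.

```python
"""Aggregate report-only hits from an access-protection log to draft
exclusions for executables that legitimately live under user profiles.

Added example, not McAfee's tooling.  Log layout is an assumption:
tab-separated date, time, action, user, process, target, rule."""
import re
from collections import defaultdict

# Constructed sample log (one week of report-only hits, shortened).
SAMPLE_LOG = """\
2016-03-01\t08:01:12\tWould be blocked by Access Protection rule (rule is currently not enforced)\tCORP\\alice\tC:\\Windows\\explorer.exe\tC:\\Users\\alice\\AppData\\Local\\Google\\Chrome\\Application\\chrome.exe\tBlock exe in user profile
2016-03-01\t08:05:40\tWould be blocked by Access Protection rule (rule is currently not enforced)\tCORP\\bob\tC:\\Windows\\explorer.exe\tC:\\Users\\bob\\AppData\\Local\\Google\\Chrome\\Application\\chrome.exe\tBlock exe in user profile
2016-03-02\t09:11:03\tWould be blocked by Access Protection rule (rule is currently not enforced)\tCORP\\carol\tC:\\Windows\\explorer.exe\tC:\\Users\\carol\\AppData\\Local\\Citrix\\ICA Client\\wfcrun32.exe\tBlock exe in user profile
2016-03-02\t09:12:55\tWould be blocked by Access Protection rule (rule is currently not enforced)\tCORP\\alice\tC:\\Windows\\explorer.exe\tC:\\Users\\alice\\AppData\\Local\\Citrix\\ICA Client\\wfcrun32.exe\tBlock exe in user profile
2016-03-03\t13:47:21\tWould be blocked by Access Protection rule (rule is currently not enforced)\tCORP\\bob\tC:\\Program Files\\Microsoft Office\\Office15\\WINWORD.EXE\tC:\\Users\\bob\\AppData\\Local\\Temp\\a1b2c3d4.exe\tBlock exe in user profile
2016-03-04\t10:20:00\tBlocked by Access Protection rule\tCORP\\dave\tC:\\Windows\\explorer.exe\tC:\\Users\\dave\\Desktop\\setup.exe\tBlock exe in user profile
"""

# <drive>:\Users\<user>\<rest> -- the user segment is what we wildcard.
PROFILE_RE = re.compile(
    r"^(?P<root>[A-Za-z]:\\Users)\\(?P<user>[^\\]+)\\(?P<rest>.+)$", re.IGNORECASE)
TEMP_RE = re.compile(r"\\AppData\\Local\\Temp\\", re.IGNORECASE)
RANDOM_NAME_RE = re.compile(r"^[0-9a-f]{8,}\.exe$", re.IGNORECASE)


def parse_events(text):
    """Split the tab-separated log into dicts; skips blank or short lines."""
    events = []
    for line in text.splitlines():
        fields = line.split("\t")
        if len(fields) < 7:
            continue
        day, clock, action, user, process, target, rule = fields[:7]
        events.append({"when": f"{day} {clock}", "action": action, "user": user,
                       "process": process, "target": target, "rule": rule})
    return events


def generalize(path):
    """C:\\Users\\alice\\AppData\\... -> C:\\Users\\*\\AppData\\...; None if not a profile path."""
    m = PROFILE_RE.match(path)
    if not m:
        return None
    return f"{m.group('root')}\\*\\{m.group('rest')}"


def summarize(events):
    """Group rule hits (blocked or report-only) on profile paths by wildcarded path.

    Returns {pattern: {"users": set of users seen, "hits": count}}."""
    summary = defaultdict(lambda: {"users": set(), "hits": 0})
    for ev in events:
        if "blocked by access protection rule" not in ev["action"].lower():
            continue
        pattern = generalize(ev["target"])
        if pattern is None:
            continue
        summary[pattern]["users"].add(ev["user"].lower())
        summary[pattern]["hits"] += 1
    return summary


def candidate_exclusions(summary, min_users=2):
    """Split patterns into exclusion candidates and items needing manual review.

    A path seen from several users is probably a per-user installer (Chrome,
    Citrix Receiver, Dropbox).  A single-user hit, anything under Temp, or a
    random-looking name is what a dropper looks like, so it goes to review."""
    exclude, review = [], []
    for pattern, entry in sorted(summary.items()):
        name = pattern.rsplit("\\", 1)[-1]
        suspicious = TEMP_RE.search(pattern) or RANDOM_NAME_RE.match(name)
        if len(entry["users"]) >= min_users and not suspicious:
            exclude.append(pattern)
        else:
            review.append(pattern)
    return exclude, review


if __name__ == "__main__":
    summ = summarize(parse_events(SAMPLE_LOG))
    exclude, review = candidate_exclusions(summ)
    print("Candidate exclusions (full profile path, wildcarded user):")
    for p in exclude:
        print(f"  {p}  ({len(summ[p]['users'])} users, {summ[p]['hits']} hits)")
    print("Needs manual review before any exclusion:")
    for p in review:
        print(f"  {p}  ({len(summ[p]['users'])} users, {summ[p]['hits']} hits)")
```

Feed it the real log from the week in report-only mode instead of `SAMPLE_LOG`, and raise `min_users` for a large estate. The output is a full-path pattern rather than a bare executable name on purpose: an exclusion on `chrome.exe` alone would also cover any file that calls itself `chrome.exe` wherever it lands, while `C:\Users\*\AppData\Local\Google\Chrome\Application\chrome.exe` is limited to the directory the installer actually uses.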