I have followed some Intel recommendations by creating policies to block ransomware like CryptoLocker, TeslaCrypt and Locky. These policies are very aggressive in preventing .exe files that are local to a user profile (e.g. the AppData folder) from running. To the point that I had to disable them because users couldn't run some applications, and other sysadmins were upset that they couldn't even run an installer from the user Desktop anymore (easily fixed by telling them to copy and run them anywhere else on the local drive except the Users folders).
Examples of such applications that install their .exe in AppData are Google Chrome, Citrix Receiver and Dropbox.
Would the best practice in this case be to create a GPO to move the applications into C:\Program Files, or to define exclusions to allow them to remain in the AppData folder of the user?
If the latter is recommended, is there a list of executable names I could copy and paste in my policies?
Any other suggestions are welcome.
I don't want to whitelist all the applications a user has installed, only the ones that are installed without administrator privileges and intervention like Google Chrome.
Depending on which product you're using to do this, I would suggest putting it in a report-only mode, then gathering the applications over a week and adjusting the policy to exclude the ones you want. Every business / user will have different apps that are installed without administrator privileges, so it would be hard for someone to provide a list.
I know with their HIPS product, depending on policies and levels of protection, you can have them report (e.g. High blocks, Medium reports). If it's VSE and it's a user-defined policy, set it to report only first, then block once you've gathered the applications.
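The answer above suggests gathering the applications that actually live in user profiles before writing exclusions, and the question asks for a list of such executables. The following PowerShell script is an added example, not code from either post or from McAfee: it inventories every .exe under each profile's AppData folder, records its Authenticode signer and SHA-256 hash, and collapses identical installs across users into one candidate row, so the exclusion list is built from your own fleet rather than copied from someone else's. The profile root `C:\Users`, the exclusion of the built-in profiles, and the output CSV path are assumptions; nothing here touches the AV product's policy.

```powershell
# Added example, not from the original thread. Inventories executables living in
# user profiles so an "exclude from the AppData .exe block" list can be built from
# real data. Assumed: profiles live under C:\Users; the output path is arbitrary.
param(
    [string]$ProfileRoot = 'C:\Users',
    [string]$OutCsv      = "$env:TEMP\appdata-exe-inventory.csv"
)

# Skip the built-in template/shared profiles (assumption: these names are the defaults).
$builtIn = @('Public', 'Default', 'Default User', 'All Users')
$profileDirs = Get-ChildItem -Path $ProfileRoot -Directory -ErrorAction SilentlyContinue |
    Where-Object { $builtIn -notcontains $_.Name }

# One row per executable per user: who has it, where, who signed it, and its hash.
$rows = foreach ($profile in $profileDirs) {
    $appData = Join-Path $profile.FullName 'AppData'
    if (-not (Test-Path -LiteralPath $appData)) { continue }

    Get-ChildItem -Path $appData -Recurse -File -Filter '*.exe' -ErrorAction SilentlyContinue |
        ForEach-Object {
            $sig = Get-AuthenticodeSignature -FilePath $_.FullName
            [pscustomobject]@{
                User        = $profile.Name
                Exe         = $_.Name
                # Replace the profile path so the same install under different users matches.
                PathPattern = $_.FullName -replace [regex]::Escape($profile.FullName), '%USERPROFILE%'
                Publisher   = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '(unsigned)' }
                SigStatus   = $sig.Status          # Valid, NotSigned, HashMismatch, ...
                Sha256      = (Get-FileHash -LiteralPath $_.FullName -Algorithm SHA256).Hash
            }
        }
}

# Collapse to one candidate per (path pattern, publisher). Widely deployed, validly
# signed binaries with a single hash are the ones worth an exclusion; the rest need a look.
$candidates = $rows |
    Group-Object -Property PathPattern, Publisher |
    ForEach-Object {
        $first = $_.Group[0]
        [pscustomobject]@{
            Exe            = $first.Exe
            PathPattern    = $first.PathPattern
            Publisher      = $first.Publisher
            Profiles       = @($_.Group.User | Sort-Object -Unique).Count
            AllValidSig    = @($_.Group | Where-Object { $_.SigStatus -ne 'Valid' }).Count -eq 0
            DistinctHashes = @($_.Group.Sha256 | Sort-Object -Unique).Count
        }
    } |
    Sort-Object -Property Profiles -Descending

$candidates | Export-Csv -Path $OutCsv -NoTypeInformation
$candidates | Format-Table -AutoSize
```

Run it locally on a few representative machines, or wrap it in `Invoke-Command` against a sample of workstations during the report-only week, then merge the CSVs. Two things to check before turning a row into an exclusion: `AllValidSig` should be true (an unsigned or hash-mismatched binary in a user profile is exactly what the rule exists to stop), and `DistinctHashes` should be small and explainable by version drift. Also note that an exclusion keyed on a path under the user profile is only as strong as that path, since anything running as the user can write there; where the product allows it, prefer excluding by signer or hash over a bare path.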