4 Replies Latest reply on Apr 28, 2016 2:25 PM by youngs

    Applying policies to block ransomware and effects on AppData-installed applications

    idji

      I have followed some Intel recommendations by creating policies to block ransomware like CryptoLocker, TeslaCrypt and Locky. These policies are very aggressive in preventing .exe files that are local to a user profile (e.g. the AppData folder) from running, to the point that I had to disable them because users couldn't run some applications, and other sysadmins were upset that they couldn't even run an installer from the user Desktop anymore (easily fixed by telling them to copy and run them anywhere else on the local drive except the Users folders).


      Examples of such applications that install the .exe in AppData are Google Chrome, Citrix Receiver and Dropbox.


      Would the best practice in this case be to create a GPO to move the applications to C:\Program Files, or to define exclusions to allow them to remain in the AppData folder of the user?


      If the latter is recommended, is there a list of executable names I could copy and paste in my policies?


      Any other suggestions are welcome.


      Thanks
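The question above asks for a list of executable names to exclude. Rather than copying a generic list, an admin can inventory what actually runs from AppData on the machines in question. The following PowerShell script is an added example, not code from the thread or from any Intel/McAfee documentation: it lists every .exe under each profile's AppData together with its Authenticode signature status and signer, normalises the user name out of the path so the same product across profiles groups together, and flags unsigned binaries. It assumes profiles live under C:\Users; the output file location and the %USERPROFILE% placeholder are choices made for this example and may need adapting to the syntax the policy product expects.

```powershell
# Added example (not from the original thread): inventory every .exe that lives
# under a user profile's AppData on this machine, with its Authenticode signer,
# so the exclusion list in an anti-ransomware rule is built from what is present
# rather than guessed. Run from an elevated PowerShell prompt.
# Assumptions: profiles are under $env:SystemDrive\Users; output path is arbitrary.

$profileRoot = Join-Path $env:SystemDrive 'Users'
$outFile     = Join-Path $env:TEMP 'appdata-exe-inventory.csv'

$inventory = Get-ChildItem -Path (Join-Path $profileRoot '*\AppData') -Filter '*.exe' -Recurse -File -ErrorAction SilentlyContinue |
    ForEach-Object {
        $sig = Get-AuthenticodeSignature -FilePath $_.FullName
        [pscustomobject]@{
            User      = ($_.FullName -split '\\')[2]   # C:\Users\<user>\... -> <user>
            Name      = $_.Name
            Path      = $_.FullName
            # Replace the per-user prefix so identical installs group together
            Pattern   = $_.FullName -replace '^[a-z]:\\Users\\[^\\]+\\', '%USERPROFILE%\'
            SigStatus = $sig.Status
            Signer    = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '' }
        }
    }

# Full inventory for later review
$inventory | Export-Csv -Path $outFile -NoTypeInformation

# Summary: one line per distinct path pattern, with how many profiles contain it.
# Counts near the number of profiles on the box are the Chrome/Citrix/Dropbox-style
# installs worth an exclusion; one-offs deserve a closer look.
$inventory |
    Group-Object Pattern, SigStatus, Signer |
    Sort-Object Count -Descending |
    Select-Object Count,
                  @{ n = 'Pattern';   e = { $_.Group[0].Pattern } },
                  @{ n = 'SigStatus'; e = { $_.Group[0].SigStatus } },
                  @{ n = 'Signer';    e = { $_.Group[0].Signer } } |
    Format-Table -AutoSize

# Anything that is not validly signed should not be excluded without investigation.
$inventory |
    Where-Object { $_.SigStatus -ne 'Valid' } |
    Select-Object User, Path, SigStatus |
    Format-Table -AutoSize
```

One caveat when turning this into exclusions: an exclusion keyed on the bare file name (chrome.exe, Dropbox.exe) is satisfied by any dropper that names itself the same way, so prefer the full path pattern, and where the product supports it, the signer as well. Keep the unsigned list separate and treat each entry as something to explain before it is allowed.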