gbhall
Posts: 2,419 +77
It is my belief that we are approaching a crisis point in Windows malware infestations. Recently I helped someone who found all the standard document types encrypted with two-factor encryption, along with a demand for payment to decrypt them (CryptoLocker malware). The only help I could offer was how not to have that happen again by setting a Group Policy to deny executables in %appdata%. This is done in software restriction policies of the local security policy.
Now %appdata% typically is c:\users\username\appdata\roaming and can be written to by anything or anybody - it's for data after all - but nothing stops programs silently installing and executing from there as well. Hence the need for a software restriction policy - details http://windowssecrets.com/newsletter/cryptolocker-a-particularly-pernicious-virus/
It is also wise to use UAC on level 1 to 3 http://en.wikipedia.org/wiki/User_Account_Control so every non-system application puts up a warning and you have to click to allow it to happen. That prevents most software installed in any place from running without you knowing. The problem is, UAC is a very blunt tool, and I would like to have certain programs I often use (for example backups) operate as white-listed programs so I don't have the irritation of the screen dimming and having to approve every time I use them.
How do I do that? UAC and local security policy seem to be two independent things.
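The software restriction policy the post describes (deny executables under %appdata%) can also be written directly to the registry keys that the Local Security Policy editor uses. This is an added example, not code from the post or from the linked article; it assumes the Safer key layout shown (CodeIdentifiers, level 0 = Disallowed, one {GUID} subkey per path rule) and must run from an elevated PowerShell prompt.

```powershell
# Added example: create SRP "Disallowed" path rules for %AppData% so executables
# dropped there cannot run, the mitigation described in the post above.
# Assumption: the standard Safer registry layout used by secpol.msc.

$Safer = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers'

function Initialize-SrpRoot {
    # Default level 0x40000 = Unrestricted (everything else allowed),
    # PolicyScope 0 = applies to all users, TransparentEnabled 1 = enforce.
    if (-not (Test-Path $Safer)) { New-Item -Path $Safer -Force | Out-Null }
    New-ItemProperty -Path $Safer -Name DefaultLevel       -PropertyType DWord -Value 0x40000 -Force | Out-Null
    New-ItemProperty -Path $Safer -Name PolicyScope        -PropertyType DWord -Value 0       -Force | Out-Null
    New-ItemProperty -Path $Safer -Name TransparentEnabled -PropertyType DWord -Value 1       -Force | Out-Null
}

function Get-SrpDenyRules {
    # List existing Disallowed (level 0) path rules so a re-run does not duplicate them.
    $paths = Join-Path $Safer '0\Paths'
    if (-not (Test-Path $paths)) { return @() }
    Get-ChildItem $paths | ForEach-Object { (Get-ItemProperty $_.PSPath).ItemData }
}

function Add-SrpDenyPath {
    param([string]$Pattern, [string]$Description)
    if ((Get-SrpDenyRules) -contains $Pattern) {
        Write-Host "Rule already present: $Pattern"; return
    }
    # Each rule is a {GUID} subkey under CodeIdentifiers\0\Paths (0 = Disallowed).
    $key = Join-Path $Safer ('0\Paths\{' + [guid]::NewGuid().ToString() + '}')
    New-Item -Path $key -Force | Out-Null
    New-ItemProperty -Path $key -Name ItemData     -PropertyType ExpandString -Value $Pattern     -Force | Out-Null
    New-ItemProperty -Path $key -Name SaferFlags   -PropertyType DWord        -Value 0            -Force | Out-Null
    New-ItemProperty -Path $key -Name Description  -PropertyType String       -Value $Description -Force | Out-Null
    New-ItemProperty -Path $key -Name LastModified -PropertyType QWord        -Value ([DateTime]::UtcNow.ToFileTimeUtc()) -Force | Out-Null
    Write-Host "Added deny rule: $Pattern"
}

Initialize-SrpRoot
# %AppData% expands to C:\Users\<name>\AppData\Roaming, as the post notes.
Add-SrpDenyPath -Pattern '%AppData%\*.exe'   -Description 'Block executables directly in AppData\Roaming'
Add-SrpDenyPath -Pattern '%AppData%\*\*.exe' -Description 'Block executables one folder below AppData\Roaming'

# Verify, then refresh policy (or reboot) for the rules to take effect.
Get-SrpDenyRules
gpupdate /force
```

Open secpol.msc > Software Restriction Policies > Additional Rules afterwards to confirm the rules appear; any program you legitimately run from AppData\Roaming needs its own Unrestricted path or hash rule added the same way.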