When I put on Malware Discovery and Basic Malware Analysis training I am always asked "Isn't there a simple way to stop things like Crypto Ransomeware that keeps infecting my users, friends, family, kids and wife"?
Actually there is and it is FREE with Windows! Thank you Microsoft for not including this feature with ALL versions of Windows. ;-(
It is available only if you have Windows Professional, Ultimate, Enterprise or MSDN versions, sorry, Windows Home and Starter versions do not have the Local Security Policies console needed to configure it. But this IS a reason to upgrade your computers to Pro or Ultimate for sure.
So how do you use it to block malicious software like Crypto Ransomeware?
First things first. You need to understand this is a manual configuration on each computer, you can automate it using Group Policy for domain attached systems.
Second, you need to understand that this method will block everything from running in the Users directory space and that you must poke holes to allow what is needed and what you want to run. But there is an easy way to gather this information once a block occurs.
So what is it? "Software Restriction Policies" (SWRP) is found in the Local Security Policy Console which is found under:
- Control Panel - Administrative Tools - Local Security Policies
Enforcement:
This is where the roles of the users are defined that you will grant access. These are not adjustable, just select the one you want when you create a rule.
Designated File Types:
This is where you can add or delete file types, but some file types are not supported like driver .SYS files.
Trusted Publishers:
This is where you can trust certain publishers like Microsoft, Google and other companies who sign their software with a certificate. You must manually go find the file you want to trust and select the part(s) or levels of the publisher info you want to trust. This is manual and not very friendly as the same company can/will sign their software many different ways.
Additional Rules:
This is where you should spend most of your time, especially if you want SWRP to be easy and fast.There are four rules:
- New Certificate Rule
- New Hash Rule
- New Network Zone Rule
- New Path Rule
Spend most of your time with the "New Path Rule". This is where you will create a BLOCK ALL rule and then poke holes to allow ONLY what you want to allow to execute.
The first rule you want to make is to BLOCK ALL for the path:
- C:\Users\*
This will block execution of any executable in the C:\Users directory structure. Once an existing program tries to update itself, like Google Chrome, you will get an error on the screen if it is a GUI based install or update. If it is a background process then you won't see anything.
But wait, there is a Log entry registered each time a failure occurs and this makes it easy to populate your New Path Rules!
Open up Event Viewer and the "Application" Log and filter the log for Event ID 866.
These log entries will give you what you need to create a "New Path Rule", all you do is copy the path of the failure.
Then you will create a "New Path Rule" by right clicking on the "Additional Rules" item or in the window and select "New Path Rule" and paste the copied path from Event ID 866 and that is it. Of course select "Unrestricted" so the program can run and save the entry. Repeat this for each program you want to allow to run.
Take a minute and look at the path and make it generic to users (C:\Users\*\AppData\Local\Adobe) and versions of the software. Some software uses a directory name that matches the version (GTM\1251\update\install.exe) so as it updates the one level of the directory (1251) will change with each new version. You don't want to keep adding similar rules, just use a wildcard "*" in place of any username or version (GTM\*\update\install.exe) to make it work for everyone and every version.
Of course you can use the wildcard to further refine the rule to your liking. But be careful! You don't want to make a wildcard entry that will allow bad software to run due to an odd .tmp file path name that opens up the whole directory to allow any file to execute. Some installers use random named files with a .tmp extension that you will have to craft a rule for. Make the rule as specific as needed to protect odd things from being able to run in that location. Here is an example of several "New Path Rules".
If you play with this on your system, you will find this will work fairly well in blocking odd programs from infecting your system. Of course TEST your rules by dropping a known .EXE, maybe renamed to "malware_test.exe" for effect into a directory under C:\Users and try to execute it. You should see a message like the following letting you know the rules are working.
Check your Application Log for Event ID 866 to see the blocked file.
Now you have a way to block some typical commodity malware for your users, family, friends, children and anyone else that asks you for help. Below are some more articles to help give you ideas.
Happy Hunting.
TechNet article on using Software Restriction Policies
TechNet article on Software Restriction Policies
TechNet article on using Software Restriction Policies
Another article on Software Restriction Policies
#InfoSec #MalwareSucks