Free, almost perfect, malware protection with GPO App Locker

Status
Not open for further replies.

Terry Ganzi
Feb 7, 2014
Introduction
I discovered AppLocker 3 years ago and it has been a total game changer for us. Through the use of this Group Policy feature we have not had to clean up a single malware infection across 500 Windows 7 machines in over 3 years. This is in contrast to having to clean up 3-5 infections per week, some of those involving a complete reimaging of the machine. Prior to AppLocker we had users with limited/non-admin rights and anti-virus/anti-malware software running on all machines with supposed real-time protection. Even with those limitations and software that was supposed to block it, the users still managed to infect them via consenting to running executables presented to them by compromised and/or malicious websites.

It took about 15 minutes to set up and then 5-30 minutes here and there for the first few weeks to troubleshoot and create exceptions for some applications. After that initial process of implementing appropriate exceptions and workarounds I rarely have to touch my rules.

Here’s a decent video overview of AppLocker for those who aren't familiar:


Here's a list of requirements:
http://technet.microsoft.com/en-us/library/ee424382.aspx

Here's an overview of our current rules:
It’s a very simple set of rules that is almost completely transparent to our users. My philosophy is not to explicitly deny anything and only use “Allow” rules with exceptions, due to the fact that deny rules cannot be overridden further down the line. The main rule is to “Allow Executables Only Outside of User Profile”. This is an “Allow” rule under “Executable Rules” with a path of “*” (i.e. allow everything) followed by “%OSdrive%\Users\*” in the exceptions list on the “Exceptions” tab. This rule blocks any executable that the user tries to execute from within their, or any other user’s, profile. In most cases the user has no business launching any executable that lives in their profile, and this is how most malware injects itself. They end up at a malicious site which presents the user with a false error message (or something along those lines) and then they are presented with a prompt to download/run an executable, which they of course run. That executable goes into their downloads folder or %temp% (i.e. c:\users\username\AppData\Local\Temp) and is executed. Block the execution and you block the malware before it has any chance to compromise the machine.

At that point you’ll need to make exceptions and workarounds for legitimate applications that you want to allow to run from the users’ profiles. Some examples of these are Google Chrome, Citrix GoTo Meeting, Dropbox, Cisco AnyConnect VPN client, MS Lync, MyAT&T, WebEx, etc. It sounds a bit daunting, but I’ve got a set of 14 rules that didn’t take long to implement and allows just about everything that a user would have a legitimate business need for. Most of these exceptions are based on software publisher, so that you can allow all executables signed by GOOGLE INC, CISCO SYSTEMS, INC., etc. without having to make individual exceptions for each application by Google or Cisco. With some applications, such as Chrome, you can actually install them into a more “normal” location such as Program Files/Program Files(x86) and avoid needing an exception.

Steps (8 total)
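As an added example (not from the post above), here is the "allow everything except the user profiles" executable rule plus one publisher exception expressed as AppLocker policy XML, dry-run with Test-AppLockerPolicy and then merged in audit mode with the built-in AppLocker cmdlets. The rule GUIDs, the sample file and the Google PublisherName are placeholders I constructed; the real publisher string must be read from a signed binary as shown at the end.

```powershell
# Added example (not from the post): the "allow everything except the user
# profiles" executable rule plus one publisher exception, as AppLocker policy XML.
# Run in an elevated PowerShell with the Application Identity service (AppIDSvc)
# running. The PublisherName is a PLACEHOLDER; get the real one as shown below.
$policyXml = @'
<AppLockerPolicy Version="1">
  <RuleCollection Type="Exe" EnforcementMode="AuditOnly">
    <FilePathRule Id="a1b2c3d4-0000-4000-8000-000000000001"
                  Name="Allow Executables Only Outside of User Profile"
                  Description="Allow all, except anything under the Users folder"
                  UserOrGroupSid="S-1-1-0" Action="Allow">
      <Conditions>
        <FilePathCondition Path="*" />
      </Conditions>
      <Exceptions>
        <FilePathCondition Path="%OSDRIVE%\Users\*" />
      </Exceptions>
    </FilePathRule>
    <FilePublisherRule Id="a1b2c3d4-0000-4000-8000-000000000002"
                       Name="Allow executables signed by Google (placeholder DN)"
                       Description="Publisher exception so Chrome can run from the profile"
                       UserOrGroupSid="S-1-1-0" Action="Allow">
      <Conditions>
        <FilePublisherCondition PublisherName="O=GOOGLE INC, L=MOUNTAIN VIEW, S=CALIFORNIA, C=US"
                                ProductName="*" BinaryName="*">
          <BinaryVersionRange LowSection="*" HighSection="*" />
        </FilePublisherCondition>
      </Conditions>
    </FilePublisherRule>
  </RuleCollection>
</AppLockerPolicy>
'@
$policyPath = Join-Path $env:TEMP 'applocker-profile-block.xml'
Set-Content -Path $policyPath -Value $policyXml -Encoding UTF8

# Dry run against a constructed sample: a copy of notepad.exe placed in Downloads
# should be denied, the original under %SystemRoot% allowed.
$sample = Join-Path $env:USERPROFILE 'Downloads\applocker-sample.exe'
Copy-Item "$env:SystemRoot\System32\notepad.exe" $sample -Force
Test-AppLockerPolicy -XmlPolicy $policyPath -User Everyone `
    -Path $sample, "$env:SystemRoot\System32\notepad.exe" |
    Format-Table FilePath, PolicyDecision, MatchingRule -AutoSize

# Exact publisher string to paste into PublisherName above (needs Chrome installed):
(Get-AppLockerFileInformation -Path "$env:LOCALAPPDATA\Google\Chrome\Application\chrome.exe").Publisher

# Merge in audit mode; review event ID 8003 (AppLocker > EXE and DLL log) and
# switch EnforcementMode to "Enabled" only after the false positives are handled.
Set-AppLockerPolicy -XmlPolicy $policyPath -Merge
```

Audit mode logs what would have been blocked without stopping anything, which is how the exception list for Chrome, Dropbox and the rest gets built before enforcement is turned on.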
 