Tutorial: Cryptolocker virus protection

Petrovic (#1)
You have probably already heard about the very well known type of virus called "Cryptolocker".
Every day you can hear about a new variant of the Cryptolocker virus, and from my experience I can say that antivirus vendors just can't keep up with this kind of threat, because once downloaded the Cryptolocker virus changes its .exe file names and hashes, so it is really hard to track down.

The following recommendations will help you protect your PC or your network from the Cryptolocker virus.

  1. Do not use a non-supported operating system like Windows XP. Although you'll be better protected using this guide even if you use an outdated OS like Windows XP, we strongly recommend that you move forward and upgrade to a newer operating system. Microsoft no longer provides security updates or technical support for Windows XP.
  2. Use good anti-virus software and make sure your virus definitions are up to date.
  3. Use a third-party firewall or Windows Firewall.
  4. Use Windows User Account Control (UAC) in Admin Approval Mode. When the system or you initiates an .exe file, it will ask you for consent, or for a password if you are logged on as a standard user.
  5. Always work under a Windows standard user account. Let Windows ask you for administrative credentials each time you try to install something.
Although the above-mentioned methods will give you better protection, they won't necessarily protect you from every Cryptolocker variant.

To prevent the Cryptolocker virus from activating and starting to encrypt your files, here is what you can do if you are using the Professional or Enterprise version of the Microsoft operating system.

Open the Local Group Policy Editor by running gpedit.msc and navigate to:

Computer Configuration | Windows Settings | Security Settings | Software Restriction Policies

From the Action menu, or using a right click, select "New Software Restriction Policies".

Select Additional Rules, right-click in the right pane and choose New Path Rule.

Now add each of the following rules and set the Security Level to "Disallowed":

%AppData%\*.exe
%AppData%\*\*.exe
%LocalAppData%\*.exe
%LocalAppData%\*\*.exe
%USERPROFILE%\Appdata\*.exe
%USERPROFILE%\Appdata\*\*.exe
%USERPROFILE%\Appdata\LocalLow\*.exe
%USERPROFILE%\Appdata\LocalLow\*\*.exe

Once you're done you should get this result:

[image: cryptolocker.png]


Close the policy editor and restart your machine.

With this policy in place you will prevent executable files from starting from the directories that Cryptolocker mostly uses.

If you work in a corporate environment you can link the above policy to your domain and thus prevent Cryptolocker from running.
Source
#2
This is a sure way to block any .exe files from these directories.

What about legitimate programs which have executable files in these locations, e.g. uTorrent, IDM auto-update, ICC dasher, YouTube downloader, etc.? What will happen to them? These are the ones that I know about; there are many programs which have some executable files in these directories.

Is there any way to exclude some folders or files?
If there is, please share.


EDIT: I think you forgot to add one point: backup.

Av Gurus (#3)
You can add the path to the .exe you wish to exclude and just change its Security Level to "Unrestricted".
For some programs it works, for others it doesn't.

[image: Clipboard01.png]
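The following is an added example, not part of any post in this thread, showing in PowerShell what the gpedit.msc steps of post #1 and the "Unrestricted" exception of post #3 actually write. It assumes the registry layout that the Software Restriction Policies dialogs produce under HKLM\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers (level 0 = Disallowed, level 262144 = Unrestricted, one {GUID} subkey per path rule with ItemData, SaferFlags, Description and LastModified); export that key on a machine you have configured through the GUI and compare before relying on it. The excepted program path and the log file path are placeholders.

```powershell
# Added example: build the same SRP path rules as post #1 and an "Unrestricted"
# exception as in post #3, directly in the registry. Run from an elevated prompt.
# Assumption: this mirrors what gpedit.msc writes; verify with
#   reg export "HKLM\SOFTWARE\Policies\Microsoft\Windows\Safer" srp-before.reg
# on a GUI-configured machine before using it anywhere that matters.

$base = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers'

# Security levels as SRP stores them.
$Disallowed   = 0
$Unrestricted = 0x40000   # 262144

function New-SrpPathRule {
    param(
        [Parameter(Mandatory)] [string]$Path,   # pattern; %ENV% variables and * are allowed
        [Parameter(Mandatory)] [int]   $Level,  # $Disallowed or $Unrestricted
        [string]$Description = 'Added by script'
    )
    # Each rule is its own {GUID} subkey beneath <level>\Paths.
    $ruleKey = Join-Path $base ("{0}\Paths\{1}" -f $Level, ([guid]::NewGuid().ToString('B')))
    New-Item -Path $ruleKey -Force | Out-Null
    # ItemData is REG_EXPAND_SZ so %AppData% etc. are expanded per user at check time.
    New-ItemProperty -Path $ruleKey -Name 'ItemData'     -PropertyType ExpandString -Value $Path        -Force | Out-Null
    New-ItemProperty -Path $ruleKey -Name 'SaferFlags'   -PropertyType DWord        -Value 0            -Force | Out-Null
    New-ItemProperty -Path $ruleKey -Name 'Description'  -PropertyType String       -Value $Description -Force | Out-Null
    New-ItemProperty -Path $ruleKey -Name 'LastModified' -PropertyType QWord        -Value ([datetime]::UtcNow.ToFileTimeUtc()) -Force | Out-Null
    return $ruleKey
}

# 1. Policy-wide settings: everything is allowed by default (DefaultLevel = Unrestricted),
#    so only the Disallowed rules below block anything. PolicyScope 0 = applies to all
#    users including local administrators; TransparentEnabled 1 = check executables, not DLLs.
New-Item -Path $base -Force | Out-Null
New-ItemProperty -Path $base -Name 'DefaultLevel'       -PropertyType DWord -Value $Unrestricted -Force | Out-Null
New-ItemProperty -Path $base -Name 'PolicyScope'        -PropertyType DWord -Value 0             -Force | Out-Null
New-ItemProperty -Path $base -Name 'TransparentEnabled' -PropertyType DWord -Value 1             -Force | Out-Null
# Optional SRP advanced logging: every blocked or allowed decision is appended to this
# file, which is the quickest way to find legitimate programs the rules would break.
# (Placeholder log path.)
New-ItemProperty -Path $base -Name 'LogFileName' -PropertyType String -Value 'C:\Windows\Temp\srp.log' -Force | Out-Null

# 2. The eight Disallowed path rules from post #1, verbatim.
$blocked = @(
    '%AppData%\*.exe',
    '%AppData%\*\*.exe',
    '%LocalAppData%\*.exe',
    '%LocalAppData%\*\*.exe',
    '%USERPROFILE%\Appdata\*.exe',
    '%USERPROFILE%\Appdata\*\*.exe',
    '%USERPROFILE%\Appdata\LocalLow\*.exe',
    '%USERPROFILE%\Appdata\LocalLow\*\*.exe'
)
foreach ($p in $blocked) {
    New-SrpPathRule -Path $p -Level $Disallowed -Description 'Block executables in user-writable app data' | Out-Null
}

# 3. The exception from post #3: an Unrestricted rule for one specific executable.
#    SRP gives the most specific matching path rule precedence, so this single file is
#    allowed while the wildcard rules above still block its neighbours.
#    The path below is a placeholder; substitute the real program's location.
New-SrpPathRule -Path '%LocalAppData%\ExampleVendor\ExampleApp\ExampleApp.exe' `
                -Level $Unrestricted -Description 'Allow ExampleApp self-updater' | Out-Null

# 4. Refresh policy and list the rules now in place, grouped by level.
gpupdate /force | Out-Null
Get-ChildItem "$base\0\Paths", "$base\262144\Paths" -ErrorAction SilentlyContinue |
    ForEach-Object {
        $level = if ($_.PSPath -match '\\262144\\') { 'Unrestricted' } else { 'Disallowed' }
        '{0,-12} {1}' -f $level, (Get-ItemProperty -Path $_.PSPath).ItemData
    }
```

Two caveats a practitioner would want before doing this for real. First, writing the key directly bypasses the local Group Policy store, so the rules will not necessarily show up in gpedit.msc, and a domain GPO that carries its own SRP settings will overwrite them on the next refresh; on managed machines, build the same rules in GPMC and link the GPO as post #1 suggests. Second, run with the log file enabled for a few days before setting the rules on users' machines: the log shows exactly which legitimate updaters and portable programs live under AppData, which is the question post #2 raises, and each one can then be given its own specific Unrestricted rule rather than loosening the wildcard rules.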
