Endpoint Protection


Cryptolocker and ADC policies


  • 1.  Cryptolocker and ADC policies

    Posted Oct 10, 2013 08:29 PM

    Hi Everyone,

    My company has been hit a couple of times by Cryptolocker recently.  The machines impacted were unfortunately not running supported AV.  We called Symantec and were given advice to restrict running exes in the application data folders (appdata for Win7).  We implemented an application policy that blocks c:\documents and settings\*\application data\*.exe and c:\users\*\appdata\*.exe.  That seems to work if the files are in the application data folder.  I wanted to update the rule to look at one folder level down from the application data folder.  So I tried c:\users\*\appdata\*\*.exe.  I only wanted to check in folders one level down, no further.  However, this rule does go further down.  For example, I want to block exes in c:\users\*\appdata\somefolder\ but not in c:\users\*\appdata\somefolder\anotherfolder\.   The rule I wrote above however blocks in "anotherfolder" too which I want to avoid. Has anyone been able to make an ADC policy work for a specific folder level when using a wildcard for an extension type like exe?  I tried adding a "\" as an escape character, but that did not help.

    Running SEP 12.1 on manager and endpoint.

     

    Bob



  • 2.  RE: Cryptolocker and ADC policies

    Posted Oct 11, 2013 05:05 AM

    Have you tried to exclude %userprofile%\appdata\*\*\*.exe in your application policy?

    (You can use %userprofile% instead of C:\users\*\)

     

    Torb



  • 3.  RE: Cryptolocker and ADC policies
    Best Answer

    Posted Oct 11, 2013 05:47 AM

    That will have the same effect as what he already has applied, in that it will continue to match any exe in any subfolder to any depth.  The aim is to limit the depth to just one subfolder.

    You can accomplish this using the regex definition of the string:

    http://www.symantec.com/docs/TECH131541

    After a bit of playing around with it, please try the below regex:

    C:\\Users\\[^\]*\\appdata\\[^\]*\\[^\]*\.exe

    Just remember to enable A&DC to use regex first (as per screenie).

    This should match any .exe file in the immediate subfolders of appdata (Local/LocalLow/Roaming/etc) for any user, but not the subfolders beyond that.



  • 4.  RE: Cryptolocker and ADC policies

    Posted Oct 11, 2013 11:51 AM

    Great solution, thumb up!



  • 5.  RE: Cryptolocker and ADC policies

    Posted Oct 11, 2013 12:16 PM

    I will try this and confirm.



  • 6.  RE: Cryptolocker and ADC policies

    Posted Oct 11, 2013 12:28 PM

    Hi,

    It is not quite working as hoped.  I copied the regex and got the following results:

    c:\users\myaccount\appdata\ - exe blocked

    c:\users\myaccount\appdata\somefolder\ - exe not blocked

    c:\users\myaccount\appdata\somefolder\anotherfolder - exe blocked.

    This is almost what I want except that I want the exe blocked in somefolder but not in somefolder\anotherfolder.  I will play around with it to see if I can get the right expression.

    Thanks.



  • 7.  RE: Cryptolocker and ADC policies

    Posted Oct 11, 2013 12:31 PM

    Just add and remove the [^\]*\\ bits to add or remove a folder level as required



  • 8.  RE: Cryptolocker and ADC policies

    Posted Oct 11, 2013 12:36 PM

    very nice, thx for sharing



  • 9.  RE: Cryptolocker and ADC policies

    Posted Oct 11, 2013 01:11 PM

    Actually, it is working.  I made a typo.  I am experimenting a little bit and will send another reply.



  • 10.  RE: Cryptolocker and ADC policies

    Posted Oct 11, 2013 01:15 PM

    C:\\Users\\[^\]*\\appdata\\[^\]*\\[^\]*\.exe worked perfectly.  I then decided to add a second regex C:\\Users\\[^\]*\\appdata\\[^\]*\.exe because I also want to block exes in c:\users\someuser\appdata\.

     

    Summary:

    C:\\Users\\[^\]*\\appdata\\[^\]*\\[^\]*\.exe blocks exes in c:\users\myaccount\appdata\somefolder but not in c:\users\myaccount\somefolder\otherfolder. 

    C:\\Users\\[^\]*\\appdata\\[^\]*\.exe blocks exes in c:\users\myaccount\appdata\

    Perfect solution.  
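
The depth behaviour discussed in posts 3, 7 and 10, as an added example (not code from the thread or from Symantec): a Python model of the rule where each extra folder level is one more `[^\]*\\` segment, generalized to any depth. Python's regex syntax needs the backslash inside the character class escaped, so SEP's `[^\]*` is written `[^\\]*` here; case-insensitive matching is an assumption about how A&DC compares paths.

```python
import re

# One folder name (no backslash inside it) followed by its trailing backslash.
# This is the "[^\]*\\ bit" post 7 says to add or remove per folder level.
SEGMENT = r"[^\\]*\\"


def appdata_exe_pattern(levels: int) -> re.Pattern:
    """Rule for .exe files exactly `levels` folders below appdata.

    levels=0 -> C:\\Users\\<user>\\appdata\\<file>.exe            (post 10, second regex)
    levels=1 -> C:\\Users\\<user>\\appdata\\<dir>\\<file>.exe     (post 3 / post 10, first regex)
    """
    body = r"C:\\Users\\" + SEGMENT + r"appdata\\" + SEGMENT * levels + r"[^\\]*\.exe"
    # fullmatch keeps a deeper path from matching a shallower rule; IGNORECASE is an
    # assumption about SEP's matching, chosen because Windows paths are case-insensitive.
    return re.compile(body, re.IGNORECASE)


def is_blocked(path: str, levels=(0, 1)) -> bool:
    """True if `path` matches any configured depth (post 10 combines levels 0 and 1)."""
    return any(appdata_exe_pattern(n).fullmatch(path) is not None for n in levels)


# Constructed sample paths mirroring the cases the thread walks through.
SAMPLE_PATHS = {
    r"c:\users\myaccount\appdata\dropper.exe": True,                         # level 0
    r"c:\users\myaccount\appdata\somefolder\dropper.exe": True,              # level 1
    r"c:\users\myaccount\appdata\roaming\randomname.exe": True,              # post 14's placement
    r"c:\users\myaccount\appdata\somefolder\anotherfolder\dropper.exe": False,
    r"c:\users\myaccount\appdata\somefolder\dropper.dll": False,             # not an .exe
    r"C:\Program Files\Vendor\app.exe": False,                               # outside appdata
}


def check_samples() -> bool:
    """Verify every sample path gets the verdict the thread expects."""
    return all(is_blocked(p) == expected for p, expected in SAMPLE_PATHS.items())


if __name__ == "__main__":
    for path, expected in SAMPLE_PATHS.items():
        print(f"{'blocked' if is_blocked(path) else 'allowed':8} {path}")
    print("all samples as expected:", check_samples())
```

Adding a third level (`levels=(0, 1, 2)`) would also catch the somefolder\anotherfolder case, which is the trade-off post 16 describes between catching droppers and breaking legitimate installers that live deeper in the profile.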



  • 11.  RE: Cryptolocker and ADC policies

    Posted Oct 12, 2013 10:37 PM

    Configure AppLocker and take the default settings, which only allow exes to run from the Program Files and Windows subdirectories. We have several custom apps for which I then created hash and path rules to allow. Now of course there are some apps that need to run under appdata, such as WebEx, and we use Bomgar, but adding the hash on those executables allows them to run. This works a charm, and if the virus is in the user's profile and they try to log on, it automatically kicks them out, prompting a call to the help desk.

    Excellent link and comments by TXogre

    http://community.spiceworks.com/topic/389016-need-help-with-gpo-to-block-exe-s-in-appdata-folder

     



  • 12.  RE: Cryptolocker and ADC policies

    Posted Oct 12, 2013 10:38 PM

    Oh, I forgot: good luck. I have been doing restores for 3 days now.



  • 13.  RE: Cryptolocker and ADC policies

    Posted Oct 14, 2013 05:05 PM

    Just a little heads up. The Windows environment variable that Spiceworks and other AppLocker links mention is %appdata%. In SEP this will best translate to %userprofile%appdata\roaming and not just appdata.

    Try typing %appdata% into Run on your Start menu and you'll see what I mean.

    Just to be sure:

    Can anyone that has been hit with Cryptolocker verify whether the malware is found directly under %userprofile%\appdata or in appdata\roaming?

     

    Torb

     



  • 14.  RE: Cryptolocker and ADC policies

    Posted Oct 15, 2013 02:46 PM

    I had an instance that had created 2 random folders inside appdata\roaming, with the primary .exe as a hidden file with random name immediately inside appdata\roaming



  • 15.  RE: Cryptolocker and ADC policies

    Posted Oct 15, 2013 04:52 PM

    I decided to update my rules to look one folder down in roaming based on your post.  Thanks.



  • 16.  RE: Cryptolocker and ADC policies

    Posted Oct 23, 2013 11:25 AM

    I got some very useful advice including the regex expression and links in this thread.  I thought I would share my experience with the ADC policy in case someone decides to pursue this path.

    First of all, thanks to SMLatCST I can pinpoint the folders and subfolder level using Regex.  

    The challenge I ran into when blocking exes in "appdata" is that the policy started blocking legitimate installs.  For example, Java, Firefox and Adobe updates started to fail.  So I was watching the Application logs for blocked traffic and was starting to add exceptions.  However, I suspect that it will take a while to get all of the necessary exceptions in place to make the policy block bad stuff but allow good stuff to run.  I also have been looking at detected infections to see where the exes are running, using that information to tune the policy.  There is definitely a give and take with this.

    So far I have not received complaints, but some service desk personnel have been logging tickets with me to create some exceptions so that they can install tools and apps.  I have not received any reports of performance issues when the policy was pushed out.  

    Finally, I want to second the comment from Mick2009 about IPS.  I think you take a lot of the power away from SEP without the IPS policy enabled.  In a previous job, I ran SEP 11 without IPS for a while, and infection rates were really high.  I had turned it off because IPS used to have a negative performance impact on many applications and network printing.  Eventually that was resolved, and when I turned IPS back on, the rebuild rate at the service desk due to infection dropped by 90%.

    BB 



  • 17.  RE: Cryptolocker and ADC policies

    Posted Oct 23, 2013 11:29 AM

    Thanks, BB!  I have become a huge advocate of IPS in recent years.  Defending against threats without it is like fighting with one arm tied behind your company's back.



  • 18.  RE: Cryptolocker and ADC policies

    Posted Oct 23, 2013 11:33 AM

    Last I read from Symantec was that IPS actually stopped more threats than AV. Pretty impressive considering the threat landscape but also indicative of where it's been headed.



  • 19.  RE: Cryptolocker and ADC policies

    Posted Oct 23, 2013 11:51 AM

    Followers of this thread may be interested in this new blog post from Security Response:

    Ransomcrypt: A Thriving Menace
    https://www-secure.symantec.com/connect/blogs/ransomcrypt-thriving-menace

    and also these resources:

    Additional information about Ransomware threats
    http://www.symantec.com/docs/TECH211589

    Definitely backup all important data regularly, keep your AV definitions up-to-date, and deploy the IPS component of SEP if you are not already using it!



  • 20.  RE: Cryptolocker and ADC policies

    Posted Oct 30, 2013 12:58 PM

    This new article may be of interest to followers of this thread:

     

    Recovering Ransomlocked Files Using Built-In Windows Tools
    https://www-secure.symantec.com/connect/articles/recovering-ransomlocked-files-using-built-windows-tools