Sunday, November 8, 2015

Preempting CryptoWall with Group Policy Software Restriction Policies

The famous ransomware trojan known as CryptoWall does its work by downloading a malicious EXE to the user's temp directory and then running it from there. It doesn't make sense for any legitimate program to be executing from the Temp directory, so we might as well remove that option outright.

That can be accomplished with Group Policy, specifically Software Restriction Policies. They live under Security Settings, which you can open for the local machine in MMC as secpol.msc. You might need to pick "Add Software Restriction Policies" from the context menu before the folder can be expanded. Once it is, create a New Path Rule under Additional Rules, enter %TEMP% as the path, and set the security level to Disallowed.
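The same rule the post builds in secpol.msc, written here as an added PowerShell example (not from the original post): it sets the registry values SRP reads instead of clicking through the GUI, then pulls the Application-log events SRP writes when a path rule blocks something, so the rule can be checked for collateral damage. The key layout and value names are SRP's own; the rule description and the GUID are constructed.

```powershell
# Added example (not from the original post). Run as Administrator on the local machine;
# a domain GPO that configures SRP will overwrite these values at the next policy refresh.
$ErrorActionPreference = 'Stop'

$safer = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers'
$disallowedPaths = Join-Path $safer '0\Paths'   # level 0 = Disallowed; 262144 (0x40000) = Unrestricted

# Base SRP settings that secpol.msc writes when "Add Software Restriction Policies" is chosen.
New-Item -Path $safer -Force | Out-Null
New-ItemProperty -Path $safer -Name DefaultLevel       -PropertyType DWord -Value 262144 -Force | Out-Null  # everything else stays allowed
New-ItemProperty -Path $safer -Name TransparentEnabled -PropertyType DWord -Value 1      -Force | Out-Null  # 1 = check executables, skip DLLs
New-ItemProperty -Path $safer -Name PolicyScope        -PropertyType DWord -Value 0      -Force | Out-Null  # 0 = apply to all users

# One subkey per path rule, named by a GUID. ItemData is REG_EXPAND_SZ, so %TEMP%
# is expanded in the context of whichever user launches the program.
$ruleKey = Join-Path $disallowedPaths ([guid]::NewGuid().ToString('B'))
New-Item -Path $ruleKey -Force | Out-Null
New-ItemProperty -Path $ruleKey -Name Description  -PropertyType String       -Value 'Block execution from the user Temp directory' -Force | Out-Null
New-ItemProperty -Path $ruleKey -Name SaferFlags   -PropertyType DWord        -Value 0 -Force | Out-Null
New-ItemProperty -Path $ruleKey -Name ItemData     -PropertyType ExpandString -Value '%TEMP%' -Force | Out-Null
New-ItemProperty -Path $ruleKey -Name LastModified -PropertyType QWord        -Value ([datetime]::UtcNow.ToFileTimeUtc()) -Force | Out-Null

# Log off and back on before testing. Then review what the rule actually stopped:
# SRP records each path-rule block as event 866 in the Application log, naming the file
# and the rule. Legitimate installers that unpack into %TEMP% will show up here too, so
# read these before rolling the rule out widely.
Get-WinEvent -FilterHashtable @{
    LogName      = 'Application'
    ProviderName = 'Microsoft-Windows-SoftwareRestrictionPolicies'
    Id           = 866
} -MaxEvents 50 -ErrorAction SilentlyContinue |
    Select-Object TimeCreated, Message |
    Format-List
```

Removing the rule is just deleting its GUID subkey under the Disallowed level; the other values under CodeIdentifiers can stay.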

Danger: it's possible to cause great inconvenience with these policies. I am not responsible for anything you mess up. Be careful.
