Windows Temp


Is it a good practice to block executables from running from the C:\Windows\Temp folder?

Is there a chance of blocking legitimate apps trying to run?


Hi @Alex_Gomez

Legitimate applications don't typically execute from locations such as %AppData%, %LocalAppData%, %temp% or others. Best practice is to not allow any executables to execute from these locations, as it is typical malware behaviour, such as ransomware.

A notable behaviour used by several ransomware families, including Cryptolocker, is to run their executable from %AppData%, %LocalAppData% or %temp%.

If you need specific applications to run from these locations, the best recommendation is to use the Whitelisting functionality by specifying the actual location where the executable should be allowed to run; then you will be safe.

There is a list of specific child processes on Windows that, as a best practice, you should whitelist in order to allow the functionality of several applications.

Here is a link to some of the policies I use in order to blacklist and whitelist specific directories.

https://www.dropbox.com/sh/0e9e64aj6cxaqqh/AACiUd6I4RVKUbhHhn5IiiTla?dl=0

I hope it helps,
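To make the block-plus-whitelist logic from the reply concrete, here is an added example (not from the thread, and not Traps/ESM code) that evaluates process image paths against the blocked directories named above and an exact-path whitelist. The user profile paths and the `UpdaterVendor\updater.exe` whitelist entry are hypothetical; the check normalises case, slashes and `..` so an executable cannot dodge the rule by spelling its path differently.

```python
import ntpath

# Constructed example environment (hypothetical values, not from the thread).
ENV = {
    "APPDATA": r"C:\Users\alice\AppData\Roaming",
    "LOCALAPPDATA": r"C:\Users\alice\AppData\Local",
    "TEMP": r"C:\Users\alice\AppData\Local\Temp",
    "SYSTEMROOT": r"C:\Windows",
}

# Directories the reply recommends blocking executables from.
BLOCKED_DIRS = [
    ENV["APPDATA"],
    ENV["LOCALAPPDATA"],
    ENV["TEMP"],
    ntpath.join(ENV["SYSTEMROOT"], "Temp"),
]

# Whitelist of exact executable paths permitted inside a blocked directory
# (hypothetical vendor updater, used only for illustration).
WHITELIST = [
    ntpath.join(ENV["LOCALAPPDATA"], "UpdaterVendor", "updater.exe"),
]

def normalize(path: str) -> str:
    """Resolve '.' and '..', unify slashes, lower-case (Windows paths are case-insensitive)."""
    return ntpath.normcase(ntpath.normpath(path))

def is_under(path: str, directory: str) -> bool:
    """True only when path is inside directory, not merely sharing a string prefix."""
    root = normalize(directory).rstrip("\\") + "\\"
    return normalize(path).startswith(root)

def verdict(image_path: str) -> str:
    """Decide 'allow' or 'block' for a process image launched from image_path."""
    path = normalize(image_path)
    if any(path == normalize(w) for w in WHITELIST):
        return "allow"  # exact-file exception; siblings in the same folder stay blocked
    if any(is_under(path, d) for d in BLOCKED_DIRS):
        return "block"
    return "allow"

if __name__ == "__main__":
    # Constructed process-creation events: a Temp dropper, a traversal that escapes Temp.
    for image in (r"C:\Windows\Temp\dropper.exe", r"C:\Windows\Temp\..\System32\notepad.exe"):
        print(f"{verdict(image):5s} {image}")
```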

Thanks @acc6d0b3610eec313831f7900fdbd235 for the link to those policies. What's the best way to import them or view them?

Hi @Alex_Gomez

In order to import the rules, you go to Policies > Exploit > Import Rules in the ESM console, as per the screenshot below:

[Screenshot: Import-Rules.JPG]

As for viewing the rules, you can use any editor such as Notepad++, Notepad or WordPad, because it is only an .XML file.

 

I hope this helps.


I'm seeing this when I try importing:

[Screenshot: Error.png]

All good now, was able to import!

Cheers

Thanks for sharing the policy files.

Dennis
