05-05-2017 09:19 PM
Is it a good practice to block executables from running from C:\Windows\Temp Folder?
Is there the chance of blocking legitimate apps trying to run?
05-11-2017 06:48 PM
Hi @Alex_Gomez
Legitimate applications don't typically execute from locations such as %AppData%, %LocalAppData%, %temp% or others. Best practice is to not allow any executables to execute from these locations, as it is a typical malware behaviour, such as ransomware.
A notable behavior used by several ransomware, including Cryptolocker, is to run its executable from %AppData%, %LocalAppData% or %temp%.
If you need specific applications to run from these locations, the best recommendation is to use the Whitelisting functionality by specifying the actual location where the executable should be allowed to run, then you will be safe.
There is a list of specific child process on Windows that as best practice you should whitelist, in order to allow functionality of several applications.
Here is a link to some of the policies I use in order to blacklist and whitelist specific directories.
https://www.dropbox.com/sh/0e9e64aj6cxaqqh/AACiUd6I4RVKUbhHhn5IiiTla?dl=0
I hope it helps,
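To see what the "block by location, allow by explicit path" policy described in this answer would hit on a given machine, the following PowerShell audit script (an added example, not from this thread and not a Palo Alto Traps policy file) checks every running process with a readable image path against the same directories named above (%temp%, %AppData%, %LocalAppData% and C:\Windows\Temp) and excludes an assumed whitelist entry; the `Example\ExampleUpdater.exe` path is a placeholder for whatever you have decided to allow. It only reports; enforcement stays with the ESM policy.

```powershell
# Added audit example: list running processes whose executable lives in a
# directory the policy blocks, minus explicitly whitelisted paths.
# Directory list and whitelist entry are assumptions; adjust to your environment.

$blockedDirs = @(
    $env:TEMP,                                            # %temp%
    [Environment]::GetFolderPath('ApplicationData'),      # %AppData%
    [Environment]::GetFolderPath('LocalApplicationData'), # %LocalAppData%
    (Join-Path $env:SystemRoot 'Temp')                    # C:\Windows\Temp
)

# Hypothetical whitelist: exact executable paths you have chosen to allow.
$whitelist = @(
    (Join-Path $env:LOCALAPPDATA 'Example\ExampleUpdater.exe')
)

function Test-BlockedLocation {
    param([string]$Path)
    if (-not $Path) { return $false }           # no image path available (protected/system process)

    # Whitelist is matched on the full path, case-insensitively, before any directory check.
    foreach ($allowed in $whitelist) {
        if ($Path -ieq $allowed) { return $false }
    }

    # Block if the path sits anywhere below one of the blocked directories.
    foreach ($dir in $blockedDirs) {
        if ($dir -and $Path.StartsWith($dir.TrimEnd('\') + '\', [StringComparison]::OrdinalIgnoreCase)) {
            return $true
        }
    }
    return $false
}

# Report offenders; Path is $null for processes we cannot inspect, so filter those out first.
Get-Process |
    Where-Object { $_.Path -and (Test-BlockedLocation $_.Path) } |
    Select-Object Name, Id, Path |
    Format-Table -AutoSize
```

Run it once before enabling the blocking rule: anything it lists is either malware already present or a legitimate program that needs a whitelist entry for its exact path, which is precisely the trade-off the question asks about.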
05-11-2017 08:49 PM
Thanks @acc6d0b3610eec313831f7900fdbd235 for the link to those policies. What's the best way to import them or view them?
05-11-2017 09:21 PM - edited 05-11-2017 09:21 PM
Hi @Alex_Gomez
In order to import the rules you go to Policies > Exploit > Import Rules in the ESM console as per the screenshot below:
As for viewing the rules, you can use any editor such as Notepad++, Notepad or Wordpad because it is only a .XML file.
I hope this helps.
05-11-2017 09:28 PM
I'm seeing this when I try importing
05-11-2017 09:42 PM
All good now, was able to import!
Cheers
02-26-2018 01:10 PM
Thanks for sharing the policy files.
Dennis