Is it a good practice to block executables from running from C:\Windows\Temp Folder?
Is there the chance of blocking legitamate apps trying to run ?
Legitimate applications don't typically execute from locations such as %AppData%, %LocalAppData%, %temp% or others. Best practice is to not allow any executables to execute from these locations, as it is a typical malware bahaviour, such as ransomware
A notable behavior used by several Ransomware, including Cryptolocker, is to run its executable from %AppData%, %LocalAppData% or %%temp.
If you need specific applications to run from these locations, the best recommendation is to use the Whitelisting functionality by specifying the actual location where the executable should be allowed to run, then you will be safe.
There is a list of specific child process on Windows that as best practice you should whitelist, in order to allow functionality of several applications.
Here is a link to some of the policies I use in order to blacklist and whitelist specific directories.
I hope it helps,
In order to import the rules you go to Policies > Exploit > Import Rules in the ESM console as per the screenshot below:
As for viewing the rules, you can use any editor such as Notepad++, Notepad or Wordpad because it is only a .XML file.
I hope this helps.
Click Accept as Solution to acknowledge that the answer to your question has been provided.
The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!
These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!
The LIVEcommunity thanks you for your participation!