Legitimate applications don't typically execute from locations such as %AppData%, %LocalAppData%, %temp% or others. Best practice is to not allow any executables to execute from these locations, as it is a typical malware bahaviour, such as ransomware
A notable behavior used by several Ransomware, including Cryptolocker, is to run its executable from %AppData%, %LocalAppData% or %%temp.
If you need specific applications to run from these locations, the best recommendation is to use the Whitelisting functionality by specifying the actual location where the executable should be allowed to run, then you will be safe.
There is a list of specific child process on Windows that as best practice you should whitelist, in order to allow functionality of several applications.
Here is a link to some of the policies I use in order to blacklist and whitelist specific directories.
I hope it helps,
Click Accept as Solution to acknowledge that the answer to your question has been provided.
The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!
These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!
The LIVEcommunity thanks you for your participation!