Thank you all. I am suggesting we look for another vendor that does not use the AppData directory as we don't have AppLocker up yet. Once we get AppLocker rolling we will entertain published programs in AppData. But not until then.

From: [email protected] On Behalf Of Kennedy, Jim
Sent: Tuesday, April 11, 2017 10:23 AM
To: [email protected]
Subject: RE: [NTSysADM] Running exe from APPDATA..TEMP directory

While we are on this subject, don't forget to block scripts from running in appdata also. Seeing a fair amount of VBS inside Word docs targeting that directory tree.

From: [email protected] On Behalf Of Bud Durland
Sent: Tuesday, April 11, 2017 10:22 AM
To: [email protected]
Subject: RE: [NTSysADM] Running exe from APPDATA..TEMP directory

Vendors like to run from %appdata% because any user can put files there; no need to get corporate IT (or permission) to install the app.

Bud Durland | Director of Information Technology

From: [email protected] On Behalf Of David McSpadden
Sent: Monday, April 10, 2017 10:25
To: [email protected]
Subject: [NTSysADM] Running exe from APPDATA..TEMP directory

Have a vendor that wants to run his app from the APPDATA..TEMP directory. I have a GPO that denied .exe from running there or subfolders of there. Any reason I should allow this? I have the exact folder and program name but it's opening up an exception to my rule?? Any thoughts?

David McSpadden
System Administrator
Indiana Members Credit Union

This e-mail and any files transmitted with it are property of Indiana Members Credit Union, are confidential, and are intended solely for the use of the individual or entity to whom this e-mail is addressed. If you are not one of the named recipient(s) or otherwise have reason to believe that you have received this message in error, please notify the sender and delete this message immediately from your computer. Any other use, retention, dissemination, forwarding, printing, or copying of this email is strictly prohibited. Please consider the environment before printing this email.

NOTE -- This message contains legally privileged and confidential information and is intended only for the individual named. If you are not the named addressee you should not disseminate, distribute or copy this e-mail. Please notify the sender immediately by e-mail if you have received this e-mail by mistake and delete this e-mail from your system. Thank you.

