I did both, can’t hurt. But just perfc will work based on the way the ransomware is creating the file.
“BTW, lot of other sites recommend creating a file "perfc" (no extension), and this page recommends "perfc.dat". Perhaps I should create both, just to be sure ..”

From: [email protected] [mailto:[email protected]] On Behalf Of Michael Leone
Sent: Wednesday, June 28, 2017 9:40 AM
To: [email protected]
Subject: Re: [NTSysADM] Using GPP to fight Petya

On Wed, Jun 28, 2017 at 9:23 AM, Kennedy, Jim <[email protected]> wrote:

I will ground my son who wrote that. It should be ‘replace’. That will create it or replace it.

OK, I will change that option ...

Now, why you are not seeing it in gpresult I dunno. You ran the gpresult as a local admin?

I did. I rebooted (luckily it's a test server), and the file showed up. Even though I had done a "gpupdate /force /target:computer", specifically to avoid rebooting ... There are other test VMs in that same OU, I will check those ...

BTW, lot of other sites recommend creating a file "perfc" (no extension), and this page recommends "perfc.dat". Perhaps I should create both, just to be sure ...

From: [email protected] [mailto:[email protected]] On Behalf Of Michael Leone
Sent: Wednesday, June 28, 2017 9:13 AM
To: [email protected]
Subject: [NTSysADM] Using GPP to fight Petya

So I'm confused. Looking at this page:

https://www.binarydefense.com/petya-ransomware-without-fluff/

Shows using GPP to create a file "c:\windows\perfc.dat". Apparently, if this file exists, the malware stops (yes, I know that there will be a variant Real Soon Now that avoids this).

So I made this change:

Computer\Preferences\Windows Settings\Files

And followed the web page ("update", copy windowsupdate.log to "c:\windows\perfc.dat", make it read-only). Did all this on a testing GPO I keep around for this purpose.

Doing Group Policy Modeling Wizard, I see this being applied as a setting to my test VM.

Yet when I go and look in c:\windows, I don't see the file. Nor do I see that setting in "gpresult /r /v". What have I done wrong?
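
A local check for the marker files discussed in this thread, added here as an example (it is not from any of the posters or from the linked page). The function name, parameters and output shape are assumptions; with -Repair it creates an empty file of each name, whereas the GPP item in the thread copies windowsupdate.log.

```powershell
# Added example: the file names and the read-only setting come from the thread;
# Confirm-PerfcMarker and its parameters are hypothetical names for this sketch.
function Confirm-PerfcMarker {
    [CmdletBinding(SupportsShouldProcess = $true)]
    param(
        [string]$Directory = $env:windir,
        [string[]]$Names = @('perfc', 'perfc.dat'),
        [switch]$Repair
    )
    foreach ($name in $Names) {
        $path = Join-Path -Path $Directory -ChildPath $name
        # -Force so a hidden or system file is still found.
        $item = Get-Item -LiteralPath $path -Force -ErrorAction SilentlyContinue

        # Create the file only when asked to; the default run is audit-only.
        if (-not $item -and $Repair -and
            $PSCmdlet.ShouldProcess($path, 'Create empty marker file')) {
            $item = New-Item -Path $path -ItemType File
        }

        if ($item -and $item.PSIsContainer) {
            # A directory of the same name is not the file the thread describes.
            Write-Warning "$path is a directory, not a file"
        }
        elseif ($item -and -not $item.IsReadOnly -and $Repair -and
                $PSCmdlet.ShouldProcess($path, 'Set read-only attribute')) {
            $item.IsReadOnly = $true
        }

        # One row per marker, so results from several machines can be collected.
        [pscustomobject]@{
            Computer = $env:COMPUTERNAME
            Path     = $path
            Exists   = [bool]$item
            ReadOnly = [bool]($item -and -not $item.PSIsContainer -and $item.IsReadOnly)
        }
    }
}

# Audit only: report what is present after the GPO should have applied.
Confirm-PerfcMarker | Format-Table -AutoSize

# Create or fix the files (run from an elevated prompt; add -WhatIf to preview):
# Confirm-PerfcMarker -Repair
```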

