Had to deal with my first instance of Cryptolocker yesterday at a customer site. Dammit, it is a real b*stard and the likes of Avast and Microsoft Security Essentials just don't pick it up, so beware.

I believe that it operates by dropping an executable into the user's %APPDATA% folder, or a subfolder thereof, and then running from there.

Therefore it should be possible to prevent infection by adding Software Restriction Policies that prohibit running .exe files from that folder or its subfolders. (I recently figured out that on Win 7, although you can use the old-style policy editor to do this, it won't work unless you use the "new" AppLocker wizard instead. The old-style editor works on XP.)

I think you can also do this as a domain policy on an actual Windows domain controller. We don't have one, we have a Linux box emulating an NT domain, so I have to do it on each machine, but that would be the better way to go.

Ken Dibble
www.stic-cil.org
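
Added example, not part of the original post: a PowerShell audit that lists every .exe under %APPDATA% and its subfolders with its Authenticode status, showing what a deny rule on that folder would block and which files are unsigned and recently written. The function name `Get-AppDataExecutable` is hypothetical, and PowerShell 3.0 or later is assumed.

```powershell
# Added example: inventory executables under the roaming profile (%APPDATA%).
# Get-AppDataExecutable is a hypothetical helper name, not from the post.
function Get-AppDataExecutable {
    [CmdletBinding()]
    param(
        # Folder to scan; defaults to the current user's %APPDATA%.
        [string]$Root = $env:APPDATA
    )

    if (-not (Test-Path -LiteralPath $Root -PathType Container)) {
        throw "Folder not found: $Root"
    }
    $rootPath = (Resolve-Path -LiteralPath $Root).ProviderPath.TrimEnd('\')

    # -Force includes hidden files; folders that deny access are skipped.
    Get-ChildItem -LiteralPath $rootPath -Filter '*.exe' -File -Recurse -Force `
                  -ErrorAction SilentlyContinue |
        ForEach-Object {
            $sig      = Get-AuthenticodeSignature -LiteralPath $_.FullName
            $relative = $_.FullName.Substring($rootPath.Length).TrimStart('\')
            [pscustomobject]@{
                RelativePath = $relative
                # 0 = directly in %APPDATA%, 1 = one subfolder down, and so on.
                Depth        = $relative.Split('\').Count - 1
                # Valid, NotSigned, HashMismatch, ...
                Signature    = $sig.Status
                Signer       = if ($sig.SignerCertificate) {
                                   $sig.SignerCertificate.Subject
                               } else { $null }
                LastWrite    = $_.LastWriteTime
            }
        }
}

# Files without a valid signature first, most recently written at the top.
Get-AppDataExecutable |
    Sort-Object @{ Expression = { $_.Signature -eq 'Valid' } },
                @{ Expression = 'LastWrite'; Descending = $true } |
    Format-Table -AutoSize
```

Signed entries from known vendors are the ones that would need an exception before the rule is enforced, since some legitimate software installs per-user executables under this folder.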




