6

How can I block all executables in %APPDATA%?

I've read for CryptoLocker this is a good policy:

C:\Users\User\AppData\Roaming\*\*.exe  

But that apparently won't protect more than one layer deep.

But what's to stop someone from going another layer deep, like C:\Users\User\AppData\Roaming\dir\dir\trojan.exe?

Is it possible to create a policy that blocks every exe in appdata no matter how deep?

How do you handle these issues? Thanks

test

2 Answers

4

As per Microsoft's guidance on GPO Software Restriction:

http://technet.microsoft.com/en-us/library/bb457006.aspx

Path Rules

A path rule can specify a folder or fully qualified path to a program. When a path rule specifies a folder, it matches any program contained in that folder and any programs contained in subfolders. Both local and UNC paths are supported.

Using Environment Variables in Path Rules.

A path rule can use environment variables. Since path rules are evaluated in the client environment, the ability to use environment variables (for example, %WINDIR%) allows a rule to adapt to a particular user's environment.

Important: Environment variables are not protected by access control lists (ACL). If users can start a command prompt they can redefine an environment variable to a path of their choosing.

Using Wildcards in Path Rules. A path rule can incorporate the '?' and '*' wildcards, allowing rules such as "*.vbs" to match all Visual Basic® Script files. Some examples:

• "\\DC-??\login$" matches \\DC-01\login$, \\DC-02\login$

• "*\Windows" matches C:\Windows, D:\Windows, E:\Windows

• "c:\win*" matches c:\winnt, c:\windows, c:\windir

So since a user can just redefine where %APPDATA% points to, consider using the APPDATA environment variable in your path rule, instead of the actual fully-qualified file system path.

More documentation:

The following examples show instances of applying environment variables to a path rule:

• “%UserProfile%” matches C:\Documents and Settings\User and all subfolders under this directory.

• “%ProgramFiles%\Application” matches C:\Program Files\Application and all subfolders under this directory.

the-wabbit
Ryan Ries
1

Just tested this. Even when using %APPDATA% instead of a direct system path, unless you make a rule per each subfolder (/asterisk/, /asterisk/asterisk/, /asterisk/asterisk/asterisk/) and so on for however deep you want it to go, Windows will stop enforcing when it goes past the depth you defined.

I tested this by putting a self-contained auto clicker into the AppData\Roaming directory, and then tested it by adding a folder and moving the exe deeper into the file structure. After going past 3 levels deep, as defined in the Local Security Policy, Windows allowed the auto clicker to run.

  • In 2022, with Windows 10 21H2, I cannot confirm your finding. I just tested it, and it worked as expected on my machine. But please note that my rule pattern was `c:\folder1\folder2`, not `c:\folder1\folder2\*.exe`. As far as I understand, Microsoft guarantees only the first one to include subfolders. I didn't test the second one. – Binarus Oct 02 '22 at 08:16
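A small model of the path-rule semantics quoted in the first answer, added here as an example; it is not code from the page's authors or from Microsoft. It assumes that `*` and `?` match within a single path component (never across a backslash), that every rule also covers whatever lies beneath the path it names, and uses a constructed client environment. It shows why the per-level wildcard rules described in the second answer stop at the depth you defined, why a plain `%APPDATA%` folder rule covers any depth, and what the quoted "Important" note means when a user redefines the variable.

```python
import re

# Constructed client environment for the demo; not taken from a real machine.
ENV = {"APPDATA": r"C:\Users\User\AppData\Roaming", "WINDIR": r"C:\Windows"}


def expand_env(rule, env):
    """Expand %VAR% tokens the way the client would before evaluating a path rule."""
    return re.sub(r"%([^%]+)%", lambda m: env.get(m.group(1).upper(), m.group(0)), rule)


def rule_to_regex(rule, env):
    """Model of SRP path-rule matching (an assumption, not Microsoft's implementation):
    '*' and '?' match inside one path component and never cross a backslash, and a
    rule also covers everything beneath the path it names."""
    parts = []
    for ch in expand_env(rule, env):
        if ch == "*":
            parts.append(r"[^\\]*")
        elif ch == "?":
            parts.append(r"[^\\]")
        else:
            parts.append(re.escape(ch))
    return re.compile("^" + "".join(parts) + r"(\\.*)?$", re.IGNORECASE)


def rule_matches(rule, path, env=ENV):
    """True if the given path falls under the rule in the given environment."""
    return rule_to_regex(rule, env).match(path) is not None


def per_depth_rules(depth):
    """The per-level wildcard rules from the second answer, one per subfolder depth,
    e.g. %APPDATA%\*.exe, %APPDATA%\*\*.exe, ... up to 'depth' wildcard folders."""
    return [r"%APPDATA%" + r"\*" * n + r"\*.exe" for n in range(depth + 1)]


def blocked(rules, path, env=ENV):
    """True if any rule in the set covers the path."""
    return any(rule_matches(r, path, env) for r in rules)


if __name__ == "__main__":
    deep = r"C:\Users\User\AppData\Roaming\a\b\c\d\trojan.exe"
    print(blocked(per_depth_rules(3), deep))  # four levels defeat three wildcard rules
    print(blocked([r"%APPDATA%"], deep))       # the folder rule covers any depth
```

The last two checks in the `__main__` block reproduce the question's scenario: the wildcard file pattern stops at the depth it spells out, while the folder rule (with the environment variable expanded on the client) covers the whole tree.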