Testing your CryptoLocker Group Policy

I posted previously on using Group Policy to establish rules to prevent executable files (.exe) stored in the Windows AppData directory from running, as a way to minimize or prevent the Cryptolocker-type ransomware from infecting your computers.

Someone asked me: “How do I know if the group policy rules are working?”

Good question … easy answer: drop in a small executable file into your local AppData directory and try to run it. I like to use notepad.exe for this test.

Here are the steps if doing this from a Vista / Win7 / Win8 workstation:

  1. Open up an elevated command prompt window.
    By default, it should put you into the C:\Windows\System32 folder
  2. Enter the following commands, pressing Enter after each:
    copy notepad.exe %localappdata% 
    cd %localappdata%
    notepad.exe
  3. If you receive an error message: “This program is blocked by group policy.” – then your group policy rules are working.
    Congratulations!

image

Comments

  1. I have tested and came back with the “this program is blocked…” however, how is it that if a navigate to the appdata\local folder through explorer I am able to execute notepad? does this mean i am still vulnerable?

  2. Try logging off and back on again after you’ve implemented the local security policy. Or reboot if you’ve used group policy.

Leave a Reply

For security, use of Google's reCAPTCHA service is required which is subject to the Google Privacy Policy and Terms of Use.

If you agree to these terms, please click here.