Testing your CryptoLocker Group Policy

I posted previously on using Group Policy to establish rules to prevent executable files (.exe) stored in the Windows AppData directory from running, as a way to minimize or prevent the Cryptolocker-type ransomware from infecting your computers.

Someone asked me: “How do I know if the group policy rules are working?”

Good question … easy answer: drop a small executable file into your local AppData directory and try to run it. I like to use notepad.exe for this test, since it is harmless and already present on every Windows machine.

Here are the steps from a Vista / Win7 / Win8 workstation:

  1. Open up an elevated command prompt window.
    By default, an elevated prompt starts in the C:\Windows\System32 folder, which is why the copy command below needs no path. (A non-elevated prompt starts in your profile folder instead, so there you would have to give the full path to notepad.exe. Elevation is not otherwise required, and if your policy's Enforcement setting is "All users except local administrators", only a non-elevated test run as a standard user will show the block.)
  2. Enter the following commands, pressing Enter after each:
    copy notepad.exe %localappdata%
    cd %localappdata%
    notepad.exe
  3. If you receive the error message “This program is blocked by group policy. For more information, contact your system administrator.” – then your group policy rules are working.
    Congratulations!
    If Notepad opens instead, either the rules have not reached this logon session yet (run gpupdate /force, then log off and back on, or reboot, and repeat the test) or the path rule does not match the folder you copied to.
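The same test, scripted, as an added example (this is not code from the original post). It copies notepad.exe into %LOCALAPPDATA% exactly as the manual steps do, and additionally into two subfolders, on the assumption that your rules also cover subfolders of AppData; adjust the $targets list to match the path rules you actually deployed. It assumes the policy is a Software Restriction Policy, so a blocked launch makes CreateProcess fail with Win32 error 1260 (ERROR_ACCESS_DISABLED_BY_POLICY) and SRP records event ID 866 in the Application log; the check on the English error text is only a fallback for the case where the error code is not surfaced. Run it in a fresh logon session after the policy has been applied, as the user whose profile the rules are meant to protect.

```powershell
# Added example: automate the AppData execution test described in the post.
# Assumptions (not from the original post): the policy is an SRP path rule set
# covering %LOCALAPPDATA% / %APPDATA% and their subfolders; the test runs as the
# user the rules should protect, in a logon session that has the policy applied.

$ErrorActionPreference = 'Stop'

# Win32 error CreateProcess returns when a Software Restriction Policy blocks a launch.
$ERROR_ACCESS_DISABLED_BY_POLICY = 1260

# Locations to probe. The first is the post's manual test; the other two are
# assumed to be covered by the same rule set (edit to match your own rules).
$targets = @(
    (Join-Path $env:LOCALAPPDATA 'notepad.exe')
    (Join-Path $env:LOCALAPPDATA 'Temp\srp-test\notepad.exe')
    (Join-Path $env:APPDATA      'srp-test\notepad.exe')
)

function Test-SrpBlock {
    param([string]$Path)

    # Stage a harmless, known-good executable at the path under test.
    New-Item -ItemType Directory -Force -Path (Split-Path $Path) | Out-Null
    Copy-Item -Path "$env:windir\System32\notepad.exe" -Destination $Path -Force

    try {
        $p = Start-Process -FilePath $Path -PassThru
        # Reaching this line means the launch succeeded: the rule did not apply.
        Stop-Process -Id $p.Id -Force -ErrorAction SilentlyContinue
        return $false
    }
    catch {
        $inner = $_.Exception.InnerException
        $byCode = ($inner -is [System.ComponentModel.Win32Exception]) -and
                  ($inner.NativeErrorCode -eq $ERROR_ACCESS_DISABLED_BY_POLICY)
        # Message match is a fallback only; the text is localized on non-English systems.
        $byText = $_.Exception.Message -match 'blocked by group policy'
        if ($byCode -or $byText) { return $true }
        throw   # any other failure (file missing, access denied) is a test problem, not a block
    }
    finally {
        Remove-Item -Path $Path -Force -ErrorAction SilentlyContinue
    }
}

$allBlocked = $true
foreach ($t in $targets) {
    $blocked = Test-SrpBlock -Path $t
    $label = if ($blocked) { 'BLOCKED' } else { 'RAN    ' }
    "$label $t"
    if (-not $blocked) { $allBlocked = $false }
}

# Second, independent check: SRP logs event ID 866 to the Application log for
# each launch stopped by a path rule, naming the rule that fired.
$events = Get-WinEvent -FilterHashtable @{
    LogName   = 'Application'
    Id        = 866
    StartTime = (Get-Date).AddMinutes(-5)
} -ErrorAction SilentlyContinue
"SRP path-rule block events (ID 866) in the last 5 minutes: $(@($events).Count)"
foreach ($e in @($events)) { "  $($e.TimeCreated): $($e.Message.Split("`n")[0])" }

if ($allBlocked) {
    'All test executables were blocked: your group policy rules are working.'
} else {
    'At least one test executable ran: check the path rules, then gpupdate /force and log off/on or reboot, and repeat.'
}
```

A BLOCKED line paired with a matching 866 event tells you the launch was stopped by SRP specifically, rather than by antivirus or a missing file. A RAN line for a subfolder while the top-level path is BLOCKED usually means the rule was written for %LOCALAPPDATA%\*.exe only, without a companion rule for subfolders.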


Comments

  1. I have tested and came back with the “this program is blocked…”; however, how is it that if I navigate to the appdata\local folder through Explorer I am able to execute notepad? Does this mean I am still vulnerable?

  2. Try logging off and back on again after you’ve implemented the local security policy. Or reboot if you’ve used group policy.
