I have not used the approach described in the Cryptlocker Warning.pdf, but I 
know about some applications that run from AppData subdirectories not affected, 
and one for MSU users that would be affected by the %temp% recommendation described.

I have checked two applications that I know run from %AppData% subdirectories.  
Neither one has executables that would be blocked by the %AppData% restrictions 
published in the Cryptlocker Warning PDF, but that is because both applications 
have subfolders under their app directory, so %AppData%\*\*.exe does not reach 
those executables.  The two applications I checked are Juniper Setup Client 
(v7.4.0) and Vidyo Desktop.  The Juniper Setup Client executables are in 
"%AppData%\Juniper Networks\Setup Client\" and the Vidyo Desktop executables are 
in "%AppData%\Vidyo\Vidyo Desktop\" on XP and in "%LocalAppData%\Vidyo\Vidyo 
Desktop\" on Windows 7.

Note that the neoNCSetup.exe for Juniper Networks Network Connect installation 
(from https://vpn.msu.edu) runs from %temp%.

The recommendations in Cryptlocker Warning.pdf are a little disappointing.  1) 
They don't offer a .adm or .admx Group Policy template and they don't mention 
templates so we don't know if the possibility has been eliminated.  2) I have 
seen viruses downloaded by a non-admin user run from 
"%AllUsersProfile%\Application Data\" on XP, and I wouldn't be surprised if the 
same thing is possible in Windows 7.

At one time, the Skype install was smart enough to install at the user level 
when run by a non-admin user, but I have not checked the directory level at 
which the executables run.

-Stefan
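
An added example (not from this thread or any Microsoft tooling) that emulates the path-rule matching the post describes, assuming `*` matches only within a single folder name and never crosses a backslash. It checks constructed paths against `%AppData%\*.exe` / `%AppData%\*\*.exe` style rules and shows how a further depth level reaches the vendor subfolders mentioned above.

```python
import re
from typing import List

def rule_to_regex(rule: str) -> "re.Pattern[str]":
    """Translate a path rule into a regex; '*' and '?' stop at backslashes
    (assumption about the matching behaviour, as described in the post)."""
    out = []
    for ch in rule:
        if ch == "*":
            out.append(r"[^\\]*")
        elif ch == "?":
            out.append(r"[^\\]")
        else:
            out.append(re.escape(ch))
    return re.compile("^" + "".join(out) + "$", re.IGNORECASE)

def depth_rules(base: str, max_depth: int, ext: str = "exe") -> List[str]:
    """Generate rules covering executables 1..max_depth folder levels below base."""
    return [base + "\\" + "*\\" * d + "*." + ext for d in range(max_depth)]

# Constructed rule set in the style of the guidance discussed in the thread:
# executables directly under each profile folder plus one subfolder level.
RULES = (depth_rules("%AppData%", 2) + depth_rules("%LocalAppData%", 2)
         + depth_rules("%Temp%", 2))

def matching_rules(path: str, rules: List[str] = RULES) -> List[str]:
    """All rules whose pattern matches the given (unexpanded) path."""
    return [r for r in rules if rule_to_regex(r).match(path)]

def gaps(paths: List[str], rules: List[str] = RULES) -> List[str]:
    """Paths no rule matches, i.e. executables the policy would not block."""
    return [p for p in paths if not matching_rules(p, rules)]

# Constructed candidate paths; variables are left unexpanded and the
# file names under the vendor folders are placeholders, not real binaries.
SAMPLE = [
    r"%AppData%\dropper.exe",
    r"%AppData%\Local\dropper.exe",
    r"%AppData%\Juniper Networks\Setup Client\placeholder.exe",
    r"%LocalAppData%\Vidyo\Vidyo Desktop\placeholder.exe",
    r"%Temp%\neoNCSetup.exe",
]

if __name__ == "__main__":
    for p in SAMPLE:
        print(("BLOCKED " if matching_rules(p) else "ALLOWED ") + p)
    # One more depth level under the profile folders reaches the vendor paths.
    deeper = (depth_rules("%AppData%", 3) + depth_rules("%LocalAppData%", 3)
              + depth_rules("%Temp%", 2))
    print("still unmatched:", gaps(SAMPLE, deeper))
```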

On 11/7/2013 10:39, Al Puzzuoli wrote:
>
> Hi everyone,
>
> Curious as to whether any of you have taken the approach described in the 
> attached PDF of preventing executables in %AppData% from running? I've 
> just created a GPO as outlined in that document and am testing it on my own 
> machine. So far, nothing appears to be breaking, and I can't think of many 
> vital apps that this would disrupt. I figure I can easily whitelist the few I 
> might find that actually do break. Are there any disadvantages I might be 
> missing to this approach?
>
> Thanks,
>
> Al
>