I have not used the approach described in the Cryptlocker Warning.pdf, but I know about some applications that run from AppData subdirectories not affected, and one for MSU users that would be affected by the %temp% recommendation described.

I have checked two applications that I know run from %AppData% subdirectories.  Neither one has executables that would be blocked by the %AppData% restrictions published in the Cryptlocker Warning PDF, but that is because both applications have subfolders under their app directory, so %AppData%\*\*.exe does not reach those executables.  The two applications I checked are Juniper Setup Client (v7.4.0) and Vidyo Desktop.  The Juniper Setup Client executables are in "%AppData%\Juniper Networks\Setup Client\" and the Vidyo Desktop executables are in "%AppData%\Vidyo\Vidyo Desktop\" on XP and in "%LocalAppData%\Vidyo\Vidyo Desktop\" on Windows 7.

Note that the neoNCSetup.exe for Juniper Networks Network Connect installation (from https://vpn.msu.edu) runs from %temp%.

The recommendations in Cryptlocker Warning.pdf are a little disappointing.  1) They don't offer a .adm or .admx Group Policy template and they don't mention templates so we don't know if the possibility has been eliminated.  2) I have seen viruses downloaded by a non-admin user run from "%AllUsersProfile%\Application Data\" on XP, and I wouldn't be surprised if the same thing is possible in Windows 7.

At one time, the Skype install was smart enough to install at the user level when run by a non-admin user, but I have not checked the directory level at which the executables run.

-Stefan

On 11/7/2013 10:39, Al Puzzuoli wrote:

Hi everyone,

Curious as to whether any of you have taken the approach described in the attached PDF of preventing executables in %AppData% from running? I've just created a GPO as outlined in that document and am testing it on my own machine. So far, nothing appears to be breaking, and I can't think of many vital apps that this would disrupt. I figure I can easily whitelist the few I might find that actually do break. Are there any disadvantages I might be missing to this approach?

Thanks,


Al
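Added example, not part of either message above: a small Python model of Software Restriction Policy path rules of the kind the Cryptolocker guidance recommends, so that an administrator can check in advance which executables a %AppData% block reaches and which escape it. It assumes, as the thread's observation about subfolders implies, that the SRP `*` wildcard does not cross a backslash, which is why both `%AppData%\*.exe` and `%AppData%\*\*.exe` are needed and why an executable two or more folders below %AppData% is not blocked. The environment values, the user name `alice`, the file names and the treatment of an allow rule as "more specific" than the broad disallow rules are all constructed assumptions for this example.

```python
"""Model of SRP-style path rules, used to audit a %AppData% block before
rolling it out as a GPO (constructed example; not the PDF's own rule set).

Assumption: an SRP '*' wildcard matches any run of characters except the
path separator, so '%AppData%\\*.exe' reaches only executables directly
under %AppData% and '%AppData%\\*\\*.exe' reaches exactly one folder down."""
import re

# Constructed disallow rules in the style the Cryptolocker guidance recommends.
DISALLOW_RULES = [
    r"%AppData%\*.exe",
    r"%AppData%\*\*.exe",
    r"%LocalAppData%\*.exe",
    r"%LocalAppData%\*\*.exe",
    r"%Temp%\*.exe",
]

# Constructed Windows 7 environment for an illustrative user 'alice'.
ENV = {
    "appdata": r"C:\Users\alice\AppData\Roaming",
    "localappdata": r"C:\Users\alice\AppData\Local",
    "temp": r"C:\Users\alice\AppData\Local\Temp",
}


def expand_env(path, env=ENV):
    """Replace %NAME% tokens case-insensitively; unknown names are left as-is."""
    return re.sub(r"%([^%\\]+)%",
                  lambda m: env.get(m.group(1).lower(), m.group(0)), path)


def rule_to_regex(rule, env=ENV):
    """Compile an SRP-style path rule into a regex; '*' and '?' stop at '\\'."""
    out = []
    for ch in expand_env(rule, env):
        if ch == "*":
            out.append(r"[^\\]*")
        elif ch == "?":
            out.append(r"[^\\]")
        else:
            out.append(re.escape(ch))
    return re.compile("^" + "".join(out) + "$", re.IGNORECASE)


def matching_rules(exe_path, rules, env=ENV):
    """Return every rule whose expanded pattern matches the full path."""
    return [r for r in rules if rule_to_regex(r, env).match(exe_path)]


def decide(exe_path, disallow=DISALLOW_RULES, allow=(), env=ENV):
    """Return 'Disallowed' or 'Unrestricted' for one executable path.

    Simplification (assumption): an allow rule naming a specific application
    folder is treated as more specific than the broad disallow rules and
    therefore wins, which is how a per-application whitelist is meant to work.
    """
    if matching_rules(exe_path, allow, env):
        return "Unrestricted"
    if matching_rules(exe_path, disallow, env):
        return "Disallowed"
    return "Unrestricted"


def audit(paths, disallow=DISALLOW_RULES, allow=(), env=ENV):
    """Map each candidate executable path to the verdict the rules would give."""
    return {p: decide(p, disallow, allow, env) for p in paths}


# Constructed sample executables (file names are placeholders, not the
# products' real binaries), mirroring the folder depths mentioned in the thread.
SAMPLE_PATHS = [
    r"C:\Users\alice\AppData\Roaming\downloaded.exe",                            # depth 1
    r"C:\Users\alice\AppData\Roaming\randomname\downloaded.exe",                 # depth 2
    r"C:\Users\alice\AppData\Roaming\Juniper Networks\Setup Client\client.exe",  # depth 3
    r"C:\Users\alice\AppData\Local\Vidyo\Vidyo Desktop\vidyo.exe",               # depth 3
    r"C:\Users\alice\AppData\Local\Temp\neoNCSetup.exe",                         # %temp%
]

if __name__ == "__main__":
    for path, verdict in audit(SAMPLE_PATHS).items():
        print(f"{verdict:12} {path}")
```

Running it shows the two-level reach of the recommended rules directly: the depth-1 and depth-2 samples and the %temp% installer come back Disallowed, while the Juniper and Vidyo executables three folders down are untouched, exactly the gap the first message describes. Passing an `allow` rule such as `%Temp%\neoNCSetup.exe` lets you check that a planned whitelist entry actually covers the installer before the GPO is pushed out.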