Using Group Policy to block malware and ransomware
Like evolution, attackers keep adapting to a changing environment to create smarter viruses, malware and ransomware, and security companies are always trying to catch up, especially in dealing with zero-day attacks.
The best protection is physical isolation, an air-gap defense. But this comes with a huge inconvenience to the end users, affecting their productivity, not to mention the high cost to companies of distributing two sets of PCs to each user: one connected to the internet and isolated from the intranet, and another connected to the intranet and isolated from the internet.
Striking a balance, we use Group Policy to block executable files downloaded from the internet from running in all the known locations. The most obvious location is the Downloads folder, followed by the temp folder where compressed files get extracted. Do not forget the hidden application data folders under the user profile as well; they are often used to install applications so as to bypass the administrator permission that would otherwise be required.
Under Group Policy: Computer Configuration > Policies > Windows Settings > Security Settings > Software Restriction Policies: Additional Rules:
Disallow all of these locations from running exe files:
Besides exe files, you may also want to block these other known harmful file extensions: bat, com, com1, dll, js, java, jar, jse, lnk, pif, reg, scf, scr, vbs, vbe, ps1, sh, ws, fla, msi, wsfch, hta, thmx, ocx, cmd, xpi, wmz, themepack.
You should also block known ransomware locations and filenames. For example, the WannaCry ransomware is known to store itself under the Windows folder as mssecsvc.exe, so add this to the Group Policy as well:
Warning: Do note that blocking executables in the application data folder may stop some software installations from working properly. There are many workarounds, such as excluding administrators from this restriction or adding exclusions for known installation folder names.
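As an added example that is not part of the original post, the script below writes the same kind of Disallowed path rules as a local Software Restriction Policy on a single machine, which is handy for testing the rule set before rolling it out through Group Policy. The folder paths, the extension set (taken from the list above) and the "exempt local administrators" scope are assumptions based on the post's description; adjust them to your environment.

```powershell
# Added example (not from the original post): local SRP rules written directly to the
# registry. Run from an elevated PowerShell session; rules apply to new logon sessions.
#Requires -RunAsAdministrator

$base       = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers'
$disallowed = Join-Path $base '0\Paths'   # security level 0 = Disallowed

# Locations the post names: Downloads, the per-user temp folder (archive extraction)
# and the hidden application data folders under the user profile (assumed paths).
$blockedPaths = @(
    '%USERPROFILE%\Downloads\*',
    '%USERPROFILE%\AppData\Local\Temp\*',
    '%APPDATA%\*',
    '%LOCALAPPDATA%\*'
)

# File types SRP should treat as executable: EXE plus a subset of the post's list.
$executableTypes = 'EXE','BAT','COM','DLL','JS','JAR','JSE','LNK','PIF','REG','SCF',
                   'SCR','VBS','VBE','PS1','WS','MSI','HTA','OCX','CMD','XPI'

New-Item -Path $disallowed -Force | Out-Null

# Global SRP settings: allow by default, enforce on all file types (2 includes DLLs),
# and PolicyScope 1 exempts local administrators (one of the workarounds the post mentions).
Set-ItemProperty -Path $base -Name DefaultLevel       -Value 262144 -Type DWord
Set-ItemProperty -Path $base -Name TransparentEnabled -Value 2      -Type DWord
Set-ItemProperty -Path $base -Name PolicyScope        -Value 1      -Type DWord
Set-ItemProperty -Path $base -Name ExecutableTypes    -Value $executableTypes -Type MultiString

foreach ($p in $blockedPaths) {
    # Skip paths that already have a rule so the script can be re-run safely.
    $exists = Get-ChildItem -Path $disallowed -ErrorAction SilentlyContinue |
        Where-Object { (Get-ItemProperty -Path $_.PSPath).ItemData -eq $p }
    if ($exists) { continue }

    # Each rule lives in its own GUID-named subkey with the path in ItemData.
    $key = Join-Path $disallowed ([guid]::NewGuid().ToString('B'))
    New-Item -Path $key -Force | Out-Null
    New-ItemProperty -Path $key -Name ItemData     -Value $p -PropertyType ExpandString | Out-Null
    New-ItemProperty -Path $key -Name SaferFlags   -Value 0  -PropertyType DWord        | Out-Null
    New-ItemProperty -Path $key -Name Description  -Value "Block execution from $p" -PropertyType String | Out-Null
    New-ItemProperty -Path $key -Name LastModified -Value ([DateTime]::UtcNow.ToFileTimeUtc()) -PropertyType QWord | Out-Null
    Write-Host "Disallowed: $p"
}
```

Blocked launches are logged as event ID 866 in the Application log, which is the quickest way to spot legitimate installers the rules are breaking before the policy goes to the whole domain.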