Endpoint Protection

 View Only
Expand all | Collapse all

Cryptolocker and ADC policies

Migration User

Migration UserOct 11, 2013 11:51 AM

Migration User

Migration UserOct 11, 2013 12:16 PM


ℬrίαηOct 11, 2013 12:36 PM

  • 1.  Cryptolocker and ADC policies

    Posted Oct 10, 2013 08:29 PM

    Hi Everyone,

    My company has been hit a couple of times by Cryptolocker recently.  The machines impacted were unfortunately not running supported AV.  We called Symantec and were given advice to restrict running exes in the application data folders (appdata for Win7).  We implemented an application policy that blocks c:\documents and settings\*\application data\*.exe and c:\users\*\appdata\*.exe.  That seems to work if the files are in the application data folder.  I wanted to update the rule to look at one folder level down from the application data folder.  So I tried c:\users\*\appdata\*\*.exe.  I only wanted to check in folders one level down, no further.  However, this rule does go further down.  For example, I want to block exes in c:\users\*\appdata\somefolder\ but not in c:\users\*\appdata\somefolder\anotherfolder\.   The rule I wrote above however blocks in "anotherfolder" too which I want to avoid. Has anyone been able to make an ADC policy work for a specific folder level when using a wildcard for an extension type like exe?  I tried adding a "\" as an escape character, but that did not help.

    Running SEP 12.1 on manager and endpoint.



  • 2.  RE: Cryptolocker and ADC policies

    Posted Oct 11, 2013 05:05 AM

    Have you tried to exlude %userprofile%\apppdata\*\*\*.exe in your application policy?

    (You can use %userprofile% instead of C:\users\*\)



  • 3.  RE: Cryptolocker and ADC policies
    Best Answer

    Posted Oct 11, 2013 05:47 AM
      |   view attached

    That will have the same effect as what he already has applied, in that it will continue to match any exe in any subfolder to any depth.  The aim is to limit the depth to just one subfolder.

    You can accomplish this using the regex definition of the string:


    After a bit of playing around with it, please try the below regex:


    Just remember to enable A&DC to use regex first (as per screenie).

    This should match any .exe file in the immediate subfolders of appdata (Local/LocalLow/Roaming/etc) for any user, but not the subfolders beyond that.

  • 4.  RE: Cryptolocker and ADC policies

    Posted Oct 11, 2013 11:51 AM

    Great solution, thumb up!

  • 5.  RE: Cryptolocker and ADC policies

    Posted Oct 11, 2013 12:16 PM

    I will try this and confirm.

  • 6.  RE: Cryptolocker and ADC policies

    Posted Oct 11, 2013 12:28 PM


    It is not quite working as hoped.  I copied the regex and got the following results:

    c:\users\myaccount\appdata\ - exe blocked

    c:\users\myaccount\appdata\somefolder\ - exe not blocked

    c:\users\myaccount\appdata\somefolder\anotherfolder - exe blocked.

    This is almost what I want except that I want the exe blocked in somefolder but not in somefolder\anotherfolder.  I will play around with it to see if I can get the right expression.


  • 7.  RE: Cryptolocker and ADC policies

    Posted Oct 11, 2013 12:31 PM

    Just add and remove the [^\]*\\ bits to add or remove a folder level as required

  • 8.  RE: Cryptolocker and ADC policies

    Posted Oct 11, 2013 12:36 PM

    very nice, thx for sharing

  • 9.  RE: Cryptolocker and ADC policies

    Posted Oct 11, 2013 01:11 PM

    Actually, it is working.  I made a typo.  I am experimenting a little bit and will send another reply.

  • 10.  RE: Cryptolocker and ADC policies

    Posted Oct 11, 2013 01:15 PM

    C:\\Users\\[^\]*\\appdata\\[^\]*\\[^\]*\.exe worked perfectly.  I then decided to add a second regex C:\\Users\\[^\]*\\appdata\\[^\]*\.exe because I also want to block exes in c:\users\someuser\appdata\.



    C:\\Users\\[^\]*\\appdata\\[^\]*\\[^\]*\.exe blocks exes in c:\users\myaccount\appdata\somefolder but not in c:\users\myaccount\somefolder\otherfolder. 

    C:\\Users\\[^\]*\\appdata\\[^\]*\.exe blocks exes in c:\users\myaccount\appdata\

    Perfect solution.  

  • 11.  RE: Cryptolocker and ADC policies

    Posted Oct 12, 2013 10:37 PM

    Configure APPLocker, take the default settings which only allow exe to run from program files and windows subdirectory. we have several custom app which i then created a hash and path rule to allow. Now of course there are some apps that need to run under appdata such as webex and we use bomgar but adding the hash on those executables allows them to run. This works a charm and if the virus is in the users profile and they try to log on it automatically kicks them out prompting a call to the help desk.

    Excellent link and comments by TXogre



  • 12.  RE: Cryptolocker and ADC policies

    Posted Oct 12, 2013 10:38 PM

    oh i forgot good luck i have benn doing restores for  3 days now.

  • 13.  RE: Cryptolocker and ADC policies

    Posted Oct 14, 2013 05:05 PM

    Just a little heads up. The Windows environment variable that spiceworks and other applocker links mention are %appdata%. In SEP this will best translate to %userprofile%appdata\roaming and not just appdata.

    Try typing in %appdata% in Run on your start meny and you´ll see what i mean.

    Just to be sure. 

    Can anyone that have been hit with cryptolocker verify if the malware is found directly under %userprofile%\appdata or is it in appdata\roaming?




  • 14.  RE: Cryptolocker and ADC policies

    Posted Oct 15, 2013 02:46 PM

    I had an instance that had created 2 random folders inside appdata\roaming, with the primary .exe as a hidden file with random name immediately inside appdata\roaming

  • 15.  RE: Cryptolocker and ADC policies

    Posted Oct 15, 2013 04:52 PM

    I decided to update my rules to look one folder down in roaming based on your post.  Thanks.

  • 16.  RE: Cryptolocker and ADC policies

    Posted Oct 23, 2013 11:25 AM

    I got some very useful advice including the regex expression and links in this thread.  I thought I would share my experience with the ADC policy in case someone decides to pursue this path.

    First of all, thanks to SMLatCST I can pinpoint the folders and subfolder level using Regex.  

    The challenge I ran into when blocking exes in "appdata" is the policy started blocking legitimate installs.  For example, java, Firefox and Adobe updates started to fail.  So I was watching the Application logs for blocked traffic and was starting to add exceptions.  However, I suspect that it will take a while to get all of the necessary exceptions in place to make the policy block bad stuff but allow good stuff to run.  I also have been looking at detected infections to see where the exes are running, using that information to tune the policy.  There is definitely a give and take with this.

    So far I have not received complaints, but some service desk personnel have been logging tickets with me to create some exceptions so that they can install tools and apps.  I have not received any reports of performance issues when the policy was pushed out.  

    Finally, I want to second the comment from Mick2009 about IPS.  I think you take alot of the power away from SEP without the IPS policy enabled.  In a previous job, I ran SEP 11 without IPS for awhile, and infection rates were really high.  I had turned it off because IPS used to have a negative performance impact on many applications and network printing.  Eventually that was resolved and when I turned IPS back on, the rebuild rate at the service desk due to infection dropped by 90%.


  • 17.  RE: Cryptolocker and ADC policies

    Posted Oct 23, 2013 11:29 AM

    Thanks, BB!  I have become a huge advocate of IPS in recent years.  Defending against threats without it is like fighting with one arm tied behind your company's back.

  • 18.  RE: Cryptolocker and ADC policies

    Posted Oct 23, 2013 11:33 AM

    Last I read from Symantec was that IPS actually stopped more threats than AV. Pretty impressive considering the threat landscape but also indicative of where it's been headed.

  • 19.  RE: Cryptolocker and ADC policies

    Posted Oct 23, 2013 11:51 AM

    Followers of this thread may be interested in this new blog post from Security Response:

    Ransomcrypt: A Thriving Menace

    and also these resources:

    Additional information about Ransomware threats

    Definitely backup all important data regularly, keep your AV definitions up-to-date, and deploy the IPS component of SEP if you are not already using it!

  • 20.  RE: Cryptolocker and ADC policies

    Posted Oct 30, 2013 12:58 PM

    This new article may be of interest to followers of this thread:


    Recovering Ransomlocked Files Using Built-In Windows Tools