This forum is closed. Thank you for your contributions.

Sign in

Microsoft.com

Microsoft

Remove From My Forums

Script to look for EXE in APPDATA and LOCALAPPDATA

Question
0

Sign in to vote
In response to the latest ransom virus', I created a Software Restriction Policy to prevent EXE's from executing at the root of the following two locations.

%appdata% and %localappdata%

I would like to search for any EXE's only at the root of the two locations noted above for 400 User profiles on our server.

Any suggestions on a script to do this?

Thanks

Ron
- Moved by Bill_Stewart Tuesday, July 21, 2015 9:56 PM Poor quality question/shows no research effort
Sunday, May 24, 2015 4:58 PM

All replies

0

Sign in to vote

Your AV software should. protect and remove anything in that location.

To delete those you can use a GP Preference ahich would be easies and best. Just crete a GPP that removes all EXEs from those locations.

Post in GP forum for help.

\_(ツ)_/

Sunday, May 24, 2015 5:14 PM
0

Sign in to vote

Here is a discussion of why your remedy will not work against "ransomware"

https://www.youtube.com/watch?v=0xqoOUf4nmc&feature=youtu.be

\_(ツ)_/

Sunday, May 24, 2015 5:24 PM
0

Sign in to vote

TeslaCrypt has been dropping EXE's at appdata and localappdata.

The SRP is to prevent the EXE from running, but not from dropping at appdata and localappdata.

I'm hoping for a script to see if any EXE has been dropped if that makes sense.

Ron

Sunday, May 24, 2015 5:44 PM
0

Sign in to vote

TeslaCrypt has been dropping EXE's at appdata and localappdata.

The SRP is to prevent the EXE from running, but not from dropping at appdata and localappdata.

I'm hoping for a script to see if any EXE has been dropped if that makes sense.

Ron

Group Policy has two mechanisms too block creation of files in locations. The GP people can help you.

\_(ツ)_/

Sunday, May 24, 2015 8:32 PM