Script to look for EXE in APPDATA and LOCALAPPDATA

  • Question

  • In response to the latest ransom viruses, I created a Software Restriction Policy to prevent EXEs from executing at the root of the following two locations.

    %appdata% and %localappdata%

    I would like to search for any EXEs only at the root of the two locations noted above for 400 user profiles on our server.

    Any suggestions on a script to do this?

    Thanks

    Ron

    • Moved by Bill_Stewart Tuesday, July 21, 2015 9:56 PM Poor quality question/shows no research effort
    Sunday, May 24, 2015 4:58 PM
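One way to do the check asked for above, as an added example that is not from the thread or any of its posters. It assumes the profiles live under C:\Users (adjust $ProfileRoot if yours are elsewhere), that %APPDATA% and %LOCALAPPDATA% map to AppData\Roaming and AppData\Local inside each profile, and PowerShell 4.0 or later for Get-FileHash; the report path is a hypothetical default.

```powershell
# Added example: list .exe files sitting directly at the root of each user's
# %APPDATA% and %LOCALAPPDATA% (no recursion, matching the SRP rule scope).
# Assumption: profiles are under C:\Users; run elevated to read other users' folders.
param(
    [string]$ProfileRoot = 'C:\Users',
    [string]$ReportPath  = "$env:TEMP\appdata-root-exe-report.csv"   # hypothetical default
)

# Folders behind %APPDATA% and %LOCALAPPDATA%, relative to each profile directory.
$RelativeRoots = @('AppData\Roaming', 'AppData\Local')

$findings = foreach ($userDir in Get-ChildItem -Path $ProfileRoot -Directory -ErrorAction SilentlyContinue) {
    foreach ($rel in $RelativeRoots) {
        $root = Join-Path $userDir.FullName $rel
        if (-not (Test-Path -LiteralPath $root)) { continue }

        # -Force includes hidden files; no -Recurse so only the root is inspected.
        Get-ChildItem -LiteralPath $root -Filter '*.exe' -File -Force -ErrorAction SilentlyContinue |
            ForEach-Object {
                [pscustomobject]@{
                    Profile   = $userDir.Name
                    Location  = $rel
                    Path      = $_.FullName
                    SizeBytes = $_.Length
                    Created   = $_.CreationTime
                    LastWrite = $_.LastWriteTime
                    # Hash and signature status help triage: unsigned, recently created files first.
                    SHA256    = (Get-FileHash -LiteralPath $_.FullName -Algorithm SHA256 -ErrorAction SilentlyContinue).Hash
                    Signature = (Get-AuthenticodeSignature -LiteralPath $_.FullName).Status
                }
            }
    }
}

if ($findings) {
    $findings | Sort-Object Created -Descending | Format-Table -AutoSize
    $findings | Export-Csv -LiteralPath $ReportPath -NoTypeInformation
    Write-Host "$(@($findings).Count) executable(s) found at AppData roots; report written to $ReportPath"
} else {
    Write-Host "No executables found at the root of any profile's %APPDATA% or %LOCALAPPDATA%."
}
```

Review the CSV rather than deleting on sight: a file that is unsigned and created around the time of the incident is a candidate for AV submission, while signed installers that some applications legitimately drop there can be left alone.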

All replies

  • Your AV software should protect and remove anything in that location.

    To delete those you can use a GP Preference which would be easiest and best. Just create a GPP that removes all EXEs from those locations.

    Post in GP forum for help.


    \_(ツ)_/

    Sunday, May 24, 2015 5:14 PM
  • Here is a discussion of why your remedy will not work against "ransomware"

    https://www.youtube.com/watch?v=0xqoOUf4nmc&feature=youtu.be


    \_(ツ)_/

    Sunday, May 24, 2015 5:24 PM
  • TeslaCrypt has been dropping EXEs at appdata and localappdata.

    The SRP is to prevent the EXE from running, but not from dropping at appdata and localappdata.

    I'm hoping for a script to see if any EXE has been dropped if that makes sense.

    Ron

    Sunday, May 24, 2015 5:44 PM
  • TeslaCrypt has been dropping EXEs at appdata and localappdata.

    The SRP is to prevent the EXE from running, but not from dropping at appdata and localappdata.

    I'm hoping for a script to see if any EXE has been dropped if that makes sense.

    Ron

    Group Policy has two mechanisms to block creation of files in locations. The GP people can help you.


    \_(ツ)_/

    Sunday, May 24, 2015 8:32 PM