Stop Malicious Files from Executing in Vulnerable Windows Folders

 Stop Malicious Files from Executing in Vulnerable Windows Folders

Despite valid countermeasures, there’s still a chance that you can get infected, for example if the malware manages to enter to your system by exploiting one of the various “temporary” folders provided by your OS to install new applications, unzipping compressed archives, store temp data and so on.

Here’s a list of the “risky” folders on a typical Windows machine:

  • C:\Windows\Temp, which is arguably the most common executable path for viruses & malwares, and all its subfolders.
  • %USERPROFILE%\AppData\Local\ and all its subfolders.
  • %USERPROFILE%\AppData\Roaming\ and all its subfolders.

Since all these folders are meant for storage and not for executables to run, finding a way to prevent potentially harmful .exe files from running from them would be a good extra layer of defense. Luckily enough, Windows (and Windows Server) allows us to do that using the Software Restriction Policies, a set of rules that can be configured using the Group Policy Editor.

To do that, search for gpedit.msc and execute it:

Navigate through Computer Configuration > Windows Settings > Security Settings > Software Restriction Policies:

Software Restriction Policies

If there are No Software Restriction Policies Defined, as you can see in the above screenshot, right-click to the folder node and select New Software Restriction Policies in the contextual menu. Doing that will create some new subfolders; right-click to the Additional Rules, choose New Path Rule… and enter, one after another, the paths that you want to prevent executable files to run from. Make sure to put the *.exe at the end, so that you will only block executable files.

Software Restriction Policies - New Path Rule

 

I strongly suggest to block (at least) the following:

  • C:\Windows\Temp\*.exe
  • C:\Windows\Temp\*\*.exe
  • %USERPROFILE%\AppData\Local\*.exe
  • %USERPROFILE%\AppData\Local\*\*.exe
  • %USERPROFILE%\AppData\Roaming\*.exe
  • %USERPROFILE%\AppData\Roaming\*\*.exe

We can see all these rules in place by looking at the screenshot below:

Software Restriction Policies - 3

This will block most potentially unsafe executables from running, including those coming from archive attachments opened using the Windows built-in zip support.

Exceptions & exclusions

What if we want to allow some specific executable files to run in these folders? The answer is simple: just create an exception by adding an unrestricted entry, such as in the following screenshot:

Software Restriction Policies -

We sincerely hope that this article will help business owners and administrators in making their machines more secure against the most common virus, malware and ransomware threats!

If you need any help or have any questions, please do not hesitate to reach out.