
Cryptolocker virus protection

cryptolocker, virus, malware


<p>You have probably already heard about a very well-known type of virus called "<strong>Cryptolocker</strong>".<br />
Each day you can hear about a new variant of the Cryptolocker virus, and from my experience I can say that antivirus vendors just can't keep up with this kind of threat, because once downloaded the Cryptolocker virus changes its .exe file names and hashes, so it is really hard to track it down.</p>
<p>The following recommendations will help you protect your PC or your network from a Cryptolocker virus.</p>
<ol>
<li><span style="text-decoration: underline;">Do not use a non-supported operating system</span> like Windows XP. Although you'll be better protected using this guide even if you use an outdated OS like Windows XP, we strongly recommend that you move forward and upgrade to a newer operating system. Microsoft no longer provides security updates or technical support for Windows XP.</li>
<li><span style="text-decoration: underline;">Use good anti-virus software</span> and make sure your virus definitions are up to date.</li>
<li>Use a <span style="text-decoration: underline;">third-party firewall or Windows Firewall</span>.</li>
<li>Use <span style="text-decoration: underline;">Windows User Account Control (UAC)</span> in Admin Approval Mode. When the system or you initiates an .exe file it will ask you for consent, or for a password if you are logged on as a standard user.</li>
<li>Always work under a <span style="text-decoration: underline;">Windows standard user account</span>. Let Windows ask you for administrative credentials each time you try to install something.</li>
</ol>
<p>Although the above methods will give you better protection, they won't necessarily protect you from every Cryptolocker variant.</p>
<p>To prevent the Cryptolocker virus from activating and starting to encrypt your files, here's what you can do <strong>if</strong> you are using a Windows Professional or Enterprise edition of the Microsoft operating system.<!--more--></p>
<p>Open the Local Group Policy Editor by running <strong>gpedit.msc</strong> and navigate to:</p>
<p><strong>Computer Configuration | Windows Settings | Security Settings | Software Restriction Policies</strong></p>
<p>From the Action menu, or using a right click, select "<strong>New Software Restriction Policies</strong>".</p>
<p>Select <strong>Additional Rules</strong>, right-click in the right pane and choose <strong>New Path Rule</strong>.</p>
<p>Now add each of the following rules and set the Security Level to "<strong>Disallowed</strong>":</p>
<p><strong>%AppData%\*.exe</strong><br />
<strong>%AppData%\*\*.exe</strong><br />
<strong>%LocalAppData%\*.exe</strong><br />
<strong>%LocalAppData%\*\*.exe</strong><br />
<strong><span style="color: #ff0000;">%USERPROFILE%\*\*.exe</span><br />
<span style="color: #ff0000;">%USERPROFILE%\*.exe</span></strong></p>
<p><span style="text-decoration: underline;">Update: We had to add the complete User Profile folder to this policy, because the virus was using folders other than the AppData folder.</span></p>
<p><strong>%USERPROFILE%\Appdata\*.exe</strong><br />
<strong>%USERPROFILE%\Appdata\*\*.exe</strong><br />
<strong>%USERPROFILE%\Appdata\LocalLow\*.exe</strong><br />
<strong>%USERPROFILE%\Appdata\LocalLow\*\*.exe</strong></p>
<p>Once you're done you should get this result:</p>
<p><a href="https://www.wincert.net/wp-content/uploads/2016/02/cryptolocker.png" rel="attachment wp-att-1727"><img class="alignnone size-full wp-image-1727" src="https://www.wincert.net/wp-content/uploads/2016/02/cryptolocker.png" alt="cryptolocker" width="605" height="219" /></a></p>
<p>Close the policy editor and restart your machine.</p>
<p>With this policy in place you will prevent executable files from starting from the directories that Cryptolocker mostly uses.</p>
<p>If you work in a corporate environment you can link the policy created above to your domain and thus prevent Cryptolocker from running.</p>
<p>Configure SmartScreen protection using Group Policy. We have a tutorial on how to configure SmartScreen <a href="https://www.wincert.net/security/configure-smartscreen-via-gpo/">HERE</a>.</p>
<p>Feel free to leave your comments and suggestions.</p>
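<p>To see which of the path rules above would catch a given launch path, and which folder depths they leave uncovered, here is an added Python check that is not part of the original post. It uses a constructed profile for a hypothetical user "bob" and models the assumption that SRP wildcards stay within a single path component, which is the behaviour the paired <code>*.exe</code> / <code>*\*.exe</code> rules rely on.</p>

```python
import re

# Constructed environment for a hypothetical user "bob"; nothing is read from the live machine.
ENV = {
    "USERPROFILE": r"C:\Users\bob",
    "APPDATA": r"C:\Users\bob\AppData\Roaming",
    "LOCALAPPDATA": r"C:\Users\bob\AppData\Local",
}

# The Disallowed path rules from the post, exactly as typed into the SRP editor.
DISALLOWED_RULES = [
    r"%AppData%\*.exe", r"%AppData%\*\*.exe",
    r"%LocalAppData%\*.exe", r"%LocalAppData%\*\*.exe",
    r"%USERPROFILE%\*\*.exe", r"%USERPROFILE%\*.exe",
    r"%USERPROFILE%\Appdata\*.exe", r"%USERPROFILE%\Appdata\*\*.exe",
    r"%USERPROFILE%\Appdata\LocalLow\*.exe", r"%USERPROFILE%\Appdata\LocalLow\*\*.exe",
]

def expand(rule, env=ENV):
    """Replace %VAR% tokens (variable name matched case-insensitively) from the constructed environment."""
    return re.sub(r"%([^%]+)%", lambda m: env.get(m.group(1).upper(), m.group(0)), rule)

def rule_to_regex(rule, env=ENV):
    """Compile one SRP path rule into a case-insensitive regex.
    Assumption modelled here: '*' and '?' stay inside a single path component
    (they never cross a backslash), which is why the post pairs every
    '*.exe' rule with a '*\\*.exe' rule for the next folder level.
    A rule with no wildcard is a folder rule and covers everything beneath it."""
    path = expand(rule, env)
    if "*" not in path and "?" not in path:
        return re.compile(re.escape(path.rstrip("\\")) + r"(\\.*)?$", re.IGNORECASE)
    body = "".join({"*": r"[^\\]*", "?": r"[^\\]"}.get(c, re.escape(c)) for c in path)
    return re.compile(body + "$", re.IGNORECASE)

def matching_rules(exe_path, rules=DISALLOWED_RULES, env=ENV):
    """Return every rule that would block launching exe_path (empty list = allowed)."""
    return [r for r in rules if rule_to_regex(r, env).match(exe_path)]

def is_blocked(exe_path, rules=DISALLOWED_RULES, env=ENV):
    return bool(matching_rules(exe_path, rules, env))

if __name__ == "__main__":
    # Constructed sample launch paths; the third sits one folder deeper than any rule reaches.
    for p in [r"C:\Users\bob\AppData\Roaming\dropper.exe",
              r"C:\Users\bob\AppData\Roaming\Vendor\payload.exe",
              r"C:\Users\bob\AppData\Roaming\a\b\deep.exe",
              r"C:\Users\bob\Downloads\invoice.exe",
              r"C:\Program Files\Vendor\app.exe"]:
        hits = matching_rules(p)
        print(f"{'BLOCKED' if hits else 'allowed'}  {p}")
        for r in hits:
            print(f"    matched by {r}")
```

<p>The "deep.exe" sample shows the limit of this rule set: an executable two folders below Roaming is not covered, so a practitioner who relies on path rules should audit real launch paths against them rather than assume full coverage.</p>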
