To manually create Software Restriction Policies you need to do it within the Local Security Policy Editor or Group Policy Editor. If you are a home user you should create these policies using the Local Security Policy editor. If you are on a domain, then your domain administrator should use the Group Policy Editor. To open the Local Security Policy editor, click on the Start button and type Local Security Policy and select the search result that appears. You can open the Group Policy Editor by typing Group Policy instead. In this guide we will use the Local Security Policy Editor in our examples.
Once you open the Local Security Policy Editor, you will see a screen similar to the one below.
If the Software Restriction Policies cause issues when trying to run legitimate applications, you should see this section on how to enable specific applications.
Below are a few Path Rules that are suggested you use to not only block the infections from running, but also to block attachments from being executed when opened in an e-mail client.
Block CTB Locker executable in %AppData%
Path: %AppData%\*.exeBlock CTB Locker executable in %LocalAppData%
Security Level: Disallowed
Description: Don't allow executables to run from %AppData%.
Path if using Windows XP: %UserProfile%\Local Settings\*.exeBlock Zbot executable in %AppData%
Path if using Windows Vista/7/8: %LocalAppData%\*.exe
Security Level: Disallowed
Description: Don't allow executables to run from %AppData%.
Path: %AppData%\*\*.exeBlock Zbot executable in %LocalAppData%
Security Level: Disallowed
Description: Don't allow executables to run from immediate subfolders of %AppData%.
Path if using Windows XP: %UserProfile%\Local Settings\*\*.exeBlock executables run from archive attachments opened with WinRAR:
Path if using Windows Vista/7/8: %LocalAppData%\*\*.exe
Security Level: Disallowed
Description: Don't allow executables to run from immediate subfolders of %AppData%.
Path if using Windows XP: %UserProfile%\Local Settings\Temp\Rar*\*.exeBlock executables run from archive attachments opened with 7zip:
Path if using Windows Vista/7/8: %LocalAppData%\Temp\Rar*\*.exe
Security Level: Disallowed
Description: Block executables run from archive attachments opened with WinRAR.
Path if using Windows XP: %UserProfile%\Local Settings\Temp\7z*\*.exeBlock executables run from archive attachments opened with WinZip:
Path if using Windows Vista/7/8: %LocalAppData%\Temp\7z*\*.exe
Security Level: Disallowed
Description: Block executables run from archive attachments opened with 7zip.
Path if using Windows XP: %UserProfile%\Local Settings\Temp\wz*\*.exeBlock executables run from archive attachments opened using Windows built-in Zip support:
Path if using Windows Vista/7/8: %LocalAppData%\Temp\wz*\*.exe
Security Level: Disallowed
Description: Block executables run from archive attachments opened with WinZip.
Path if using Windows XP: %UserProfile%\Local Settings\Temp\*.zip\*.exe
Path if using Windows Vista/7/8: %LocalAppData%\Temp\*.zip\*.exe
Security Level: Disallowed
Description: Block executables run from archive attachments opened using Windows built-in Zip support.
You can see an event log entry and alert showing an executable being blocked:
How to allow specific applications to run when using Software Restriction Policies
If you use Software Restriction Policies, or CryptoPrevent, to block CTB Locker you may find that some legitimate applications no longer run. This is because some companies mistakenly install their applications under a user's profile rather than in the Program Files folder where they belong. Due to this, the Software Restriction Policies will prevent those applications from running.
Thankfully, when Microsoft designed Software Restriction Policies they made it so a Path Rule that specifies a program is allowed to run overrides any path rules that may block it. Therefore, if a Software Restriction Policy is blocking a legitimate program, you will need to use the manual steps given above to add a Path Rule that allows the program to run. To do this you will need to create a Path Rule for a particular program's executable and set the Security Level to Unrestricted instead of Disallowed as shown in the image below.