Windows – How to block .exe files in vulnerable folders from running with Software Restriction Policies Prevents the run of Virus and Malware executable files from Windows Temp, AppData and User Profile folders using the built-in Software Restriction Policies

Top 6 PC Basic Tricks and Tweaks for Computer Users

As you probably already know, the best way to shield your machine against malware threats is to protect the TCP layer accesses with a good Firewall and having a great AntiVirus & AntiMalware software installed, such as BitDefender and MalwareBytes (both free for personal use). For further info about how to protect your system against them, I strongly suggest to read this post.

Despite these valid countermeasures, there’s still a chance that you can get infected, for example if the malware manages to enter to your system by exploiting one of the various “temporary” folders provided by your OS to install new applications, unzipping compressed archives, store temp data and so on.

Here’s a list of the “risky” folders on a typical Windows machine:

  • C:\Windows\Temp, which is arguably the most common executable path for viruses & malwares, and all its subfolders.
  • %USERPROFILE%\AppData\Local\ and all its subfolders.
  • %USERPROFILE%\AppData\Roaming\ and all its subfolders.

Since all these folders are meant for storage and not for executables to run, finding a way to prevent potentially harmful .exe files from running from them would definitely be a good extra layer of defence. Luckily enough, Windows (and Windows Server) allows us to do that using the Software Restriction Policies, a set of rules that can be configured using the Group Policy Editor.

To do that, search for gpedit.msc and execute it:

Windows - How to block .exe files in vulnerable folders from running with Software Restriction Policies

Navigate through Computer Configuration > Windows Settings > Security Settings > Software Restriction Policies:

Windows - How to block .exe files in vulnerable folders from running with Software Restriction Policies

If there are No Software Restriction Policies Defined, as you can see in the above screenshot, right-click to the folder node and select New Software Restriction Policies in the contextual menu. Doing that will create some new subfolders; right-click to the Additional Rules, choose New Path Rule… and enter, one after another, the paths that you want to prevent executable files to run from. Make sure to put the *.exe at the end, so that you will only block executable files.

Windows - How to block .exe files in vulnerable folders from running with Software Restriction Policies

I strongly suggest to block (at least) the following:

  • C:\Windows\Temp\*.exe
  • C:\Windows\Temp\*\*.exe
  • %USERPROFILE%\AppData\Local\*.exe
  • %USERPROFILE%\AppData\Local\*\*.exe
  • %USERPROFILE%\AppData\Roaming\*.exe
  • %USERPROFILE%\AppData\Roaming\*\*.exe

We can see all these rules in place by looking at the screenshot below:

Windows - How to block .exe files in vulnerable folders from running with Software Restriction Policies

This will block most potentially unsafe executables from running, including those coming from archive attachments opened using the Windows built-in zip support.

Exceptions & exclusions

What if we want to allow some specific executable files to run in these folders? The answer is simple: just create an exception by adding an unrestricted entry, such as in the following screenshot:

Windows - How to block .exe files in vulnerable folders from running with Software Restriction Policies

That’s about it: I sincerely hope that this post will help users, enthusiasts and administrators in making their machines more secure against the most common virus, malware and ransomware threats!

 

RELATED POSTS

About Ryan

IT Project Manager, Web Interface Architect and Lead Developer for many high-traffic web sites & services hosted in Italy and Europe. Since 2010 it's also a lead designer for many App and games for Android, iOS and Windows Phone mobile devices for a number of italian companies.

View all posts by Ryan