Can We Prevent Virus, Malware, Ransomware Just With GROUP POLICY EDITOR (GPO) SETTINGS?

[Reza Shamsudin 2]

I do not support this kind of understanding, but some of our IT Support at Malaysia advising people:

Quote

DON'T NEED TO USE ANTIVIRUS. JUST USE WINDOWS GROUP POLICY EDITOR (GPO) SETTINGS TO PREVENT VIRUS, MALWARE, RANSOMWARE ATTACK.

For some of us, IT Support DON'T TRUST with just GPO SETTINGS will make your Windows Operating System is safe from attacked by viruses, malware & Ransomware.

What do you think guys?

Can we prevent those cyber attack with just only with WINDOWS GPO SETTINGS?

 

 

[itman 1,659]

Ref.: https://technet.microsoft.com/en-us/library/cc960657.aspx

GPO and its counterpart SRP, software restriction policies, are in my opinion designed to restrict end user endpoint activity. For example, GPO can be configured to only allow admins registry access.

Malware on the other hand can employ a number of ways to escalate privileges and get access to whatever system areas it needs to infect an end user's PC or the entire internal network. This is especially true for advanced persistent threats(APT).

Enterprise security protection involves protecting primarily at the network access gateways and secondly within the internal network. Therefore, enterprise endpoint security protection supplemented with network security appliance protection is a must.   

Edited March 29, 2017 by itman

[Reza Shamsudin 2]

4 minutes ago, itman said:

Ref.: https://technet.microsoft.com/en-us/library/cc960657.aspx

GPO and its counterpart SRP, software restriction policies, are in my opinion designed to restrict end user endpoint activity. For example, GPO can be configured to only allow admins registry access.

Malware on the other hand can employ a number of ways to escalate privileges and get access to whatever system areas it needs to infect an end user's PC. This is especially true for advanced persistent threats(APT).

Enterprise security protection involves protecting primarily at the network access gateways and secondly within the internal network. Therefore, enterprise endpoint security protection supplemented with network security appliance protection is a must.   

So from Mr. Itman replied, meaning even with the GPO settings, computer users still must have an Antivirus Protection for their Windows OS right?

I have already tested Cerber Ransomware on my experiment Laptop.

Just using "Standard User" Account in Windows (No Administrator Permission).

Cerber Ransomware run freely without worrying Administrator permission.

For me if just WIndows Policies, Group Policies Setting in Windows is not enough.

They must have Antivirus Protection on their Windows Operating System to counter viruses, malware & ransomware attack

[itman 1,659]

10 hours ago, Reza Shamsudin said:

have already tested Cerber Ransomware on my experiment Laptop.

Just using "Standard User" Account in Windows (No Administrator Permission).

Cerber Ransomware run freely without worrying Administrator permission.

Yes. Ransomware works just fine on a standard user account. The only restriction is that it's limited to encrypting files associated with the standard user account. However, there is nothing to stop the  payload from containing multiple malware; one of which could elevate privileges.

Also I suspect the argument is being made that GPO plus Windows Defender is adequate protection against ransomware. Advise applicable concerns check out  AV Lab reports on WD's protection against ransomware. It is absolutely dismal scoring last place in all recent tests I have viewed.

Edited March 29, 2017 by itman

[itman 1,659]

I don't know where Eset stands on rolling out built-in HIPS rules for ransomware for their endpoint solution. I know it was in process but don't know if it has been implemented yet. If not, make sure your endpoints are employing the HIPS rules noted here: http://support.eset.com/kb6119/

[Reza Shamsudin 2]

11 hours ago, itman said:

I don't know where Eset stands on rolling out built-in HIPS rules for ransomware for their endpoint solution. I know it was in process but don't know if it has been implemented yet. If not, make sure your endpoints are employing the HIPS rules noted here: hxxp://support.eset.com/kb6119/

Thank you ITMan. How effecient is Eset HIPS? Is there any ready template for this HIPS Rules?

[itman 1,659]

2 hours ago, Reza Shamsudin said:

Thank you ITMan. How effecient is Eset HIPS? Is there any ready template for this HIPS Rules?

Not sure about a template. You might ask in the Endpoint forum section.

Did you mean effective vs. "efficient?"

Also, you should read this "best practices" article by Eset on preventing ransomware: http://support.eset.com/kb3433/

[jdashn 12]

All i know is that Applocker (setup via GPO) at our organization has saved us more times than eset (though i'm confident eset would have caught the infection after install) by preventing the running of executable files within the users profile folders (with some exceptions). It took some setup, and exceptions need to be made for certain software, but we've not had a major infection since it's implementation. I suspect if you keep scripts and exe's from running it's hard for them to escalate privileges

Then again i'm not going to give up my AV. 

[itman 1,659]

11 minutes ago, jdashn said:

All i know is that Applocker (setup via GPO) at our organization has saved us more times than eset (though i'm confident eset would have caught the infection after install) by preventing the running of executable files within the users profile folders (with some exceptions). It took some setup, and exceptions need to be made for certain software, but we've not had a major infection since it's implementation. I suspect if you keep scripts and exe's from running it's hard for them to escalate privileges

Then again i'm not going to give up my AV. 

Smart move not giving up on your AV

There have been a number of past and present AppLocker bypasses. I posted links to a few below:

http://www.csoonline.com/article/3060242/security/researcher-uses-regsvr32-function-to-bypass-applocker.html

https://insights.sei.cmu.edu/cert/2016/06/bypassing-application-whitelisting.html

https://www.rapid7.com/db/modules/exploit/windows/local/applocker_bypass

https://www.tripwire.com/state-of-security/off-topic/appunblocker-bypassing-applocker/

http://seclists.org/fulldisclosure/2017/Mar/69

 

[Reza Shamsudin 2]

Thank you jdashn & itman for the opinion. For me yes, the setting under Windows/Software Policies do help in viruses, malware, ransomware prevention.

But the Windows/Software Policies can't take over the job had been done by the Antivirus for so long protecting the computer users.

[Reza Shamsudin 2]

On 3/30/2017 at 8:55 PM, itman said:

Not sure about a template. You might ask in the Endpoint forum section.

Did you mean effective vs. "efficient?"

Also, you should read this "best practices" article by Eset on preventing ransomware: hxxp://support.eset.com/kb3433/

Ok itman, I will ask from there. thank you anyway