When responding to large-scale malware infections in the enterprise setting, system administrators and security personnel often need to quickly dampen the spread of malicious software within the environment. Once the organization determines the key properties of the malicious executable, how can it contain it without merely waiting for the antivirus vendor to issue a new signature? AppLocker, which is built into Windows 7 and Windows Server 2008 R2, can be of help.
AppLocker for Malware Incident Response
AppLocker is a feature of the recent Windows client and server OS versions that allows organizations to enforce application whitelisting and blacklisting rules, controlling which programs may run. You can use Group Policy and Microsoft Management Console (MMC) to define and enforce AppLocker policies across the enterprise.
Though AppLocker can be used in several scenarios and supports a number of configuration options, I’d like to explore how enterprises can use this tool to block the execution of a known malicious executable. Being able to do this in a centralized manner is especially helpful when the organization is containing a malware infection pandemic, and wishes to dampen the spread of the malware specimen as part of the incident response process.
In this scenario, the organization might start by defining default AppLocker rules to allow applications to run by default from the approved locations. It’s best to implement this before the incident occurs, so that the enterprise can validate that legitimate user applications will not be prohibited from running. The default rules that AppLocker generates are a good starting point.
To define default AppLocker rules, use MMC to navigate to the Security Settings > Application Control Policies > AppLocker > Executable Rules in the desired Group Policy object. You can then right-click on Executable Rules and select Create Default Rules, which will allow regular users to run applications from the Windows and Program Files folders and Administrators to run everything. You can customize these rules, as necessary:
Next, define explicit rules to block a particular malicious program from running. The program can be designated based on the signature of its publisher, the file’s location or its hash. To create a new rule, right-click on Executable Rules and select Create New Rules… Then follow the wizard to define a “Deny” action and specify the identifying characteristics of the malicious executable that needs to be blocked:
The new rule will be added to the listing, as shown by MMC:
The AppLocker configuration will be automatically distributed across the enterprise using Active Directory based on the organization’s Group Policy settings. To define a large number of rules, consider using a PowerShell script.
AppLocker Blocking Malware from Running
Once the Group Policy settings propagate, AppLocker will be able to block the designated malicious executable from running:
The user will see the pop-up above when he or she attempts to run the prohibited program. In addition, Windows will create a corresponding entry in the system’s event log:
The Role of Blacklisting in Malware Incident Response
Tools that provide application blacklisting capabilities can be used to block a known malicious program from running, helping slow down the malware specimen’s propagation to contain the infection. AppLocker is a convenient option for enterprises using Active Directory and Group Policy with newer versions of Windows operating systems. Commercial whitelisting/blacklisting products can be used in a similar capacity, and will probably provide additional flexibility and convenience.
If deploying AppLocker in the manner outlined above, please note that I simplified the configuration steps to describe the workflow at a high level. Be sure to read Microsoft’s AppLocker documentation and test the tool prior to activating it in a production setting.