Does "Disable all macros except those digitally signed" protect from ransomware?

    Question

  • Hi,

    Will "Disable all macros except those digitally signed" protect us from ransomware, or should we "Disable all macros without notification"? But I find the latter too restrictive, though.

    What would you advise to protect us from ransomware via setting macros in GPO?

    Thanks!

    Friday, June 3, 2016 9:58 PM

All replies

  • Having a current Antivirus solution installed on all network computers with updated definitions with an active scanner enabled is the best primary defense against ransomware. That said, and on top of that, a GPO with "Disable all macros except those digitally signed" should be good enough, as malware coming down onto your systems, if it gets past antivirus defenses, in all likelihood will not be digitally signed. I think this is about the best you can do without getting too restrictive (i.e., disabling macros without notification).



    Best Regards, Todd Heron | Active Directory Consultant

    Monday, June 6, 2016 1:34 AM
  • > Having a current Antivirus solution installed on all network computers
    > with updated definitions with an active scanner enabled is the best
    > primary defense against ransomware.
     
    Todd, I totally disagree with this statement. As new ransomware comes
    along every day, even the best AV solution will always be behind in
    signature updates.
     
    The primary defense is whitelisting, and this is true not only for
    applications, but for macros, too.
     
    > good enough, as malware coming down onto your systems, if it gets past
    > antivirus defenses, in all likelihood will not be digitally signed.
     
    I agree with that, though :)
     
    Monday, June 6, 2016 2:14 PM
  • Hi Martin,

    Thanks for your reply. Just need to clarify...

    When you say "primary defense is whitelisting" what/which whitelisting are you referring to? The antivirus whitelisting or our spam filter whitelisting?


    Monday, June 6, 2016 4:40 PM
  • Hi,

    I believe that Martin was referring to using solutions like AppLocker to specify the processes that are allowed to run on our computers.

    Here is a related article below for you:

    AppLocker: IT’s First Security Panacea?

    https://technet.microsoft.com/en-us/magazine/2009.10.geekofalltrades.aspx

    Best Regards,

    Amy



    Tuesday, June 7, 2016 3:06 AM
    Moderator
  • > are you referring to? The antivirus whitelisting or our spam filter
    > whitelisting?
     
    Neither - Application and Script Whitelisting via AppLocker or Software
    Restriction Policies. This will block almost all ransomware that tries
    to execute "whatever". For practical purposes, in most scenarios it is
    sufficient to only allow %programfiles% and %windir% where users cannot
    write.
     
    • Marked as answer by DoBongSoon Tuesday, June 7, 2016 3:43 PM
    Tuesday, June 7, 2016 2:56 PM
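
The path-based allowlist described in the answer above, written out as an added example that is not part of the original thread: it builds an AppLocker policy file that allows executables and scripts only from %PROGRAMFILES% and %WINDIR%, then evaluates two files against it without applying anything. The file names, the audit-only mode and the choice of the Everyone SID are assumptions made for the illustration.

```powershell
# Added example: a constructed AppLocker policy, not taken from the thread.
# File names below are hypothetical; run in Windows PowerShell on an edition with AppLocker.
$policyPath = Join-Path $env:TEMP 'applocker-path-allowlist.xml'

function New-PathRule([string]$Name, [string]$Path) {
    # Allow rule for Everyone (SID S-1-1-0); each rule Id must be a unique GUID.
    @"
<FilePathRule Id="$([guid]::NewGuid())" Name="$Name" Description="" UserOrGroupSid="S-1-1-0" Action="Allow">
  <Conditions><FilePathCondition Path="$Path" /></Conditions>
</FilePathRule>
"@
}

# The same two path rules for executables and for scripts (.ps1, .bat, .cmd, .vbs, .js).
# AuditOnly logs what would be blocked; switch to Enabled once the audit events look clean.
$collections = foreach ($type in 'Exe', 'Script') {
    $rules = (New-PathRule "$type in Program Files" '%PROGRAMFILES%\*') +
             (New-PathRule "$type in Windows" '%WINDIR%\*')
    "<RuleCollection Type=`"$type`" EnforcementMode=`"AuditOnly`">$rules</RuleCollection>"
}
"<AppLockerPolicy Version=`"1`">$($collections -join '')</AppLockerPolicy>" |
    Set-Content -Path $policyPath -Encoding UTF8

# Constructed test file in a user-writable location, plus a binary under %windir%.
$sample = Join-Path $env:TEMP 'constructed-sample.js'
Set-Content -Path $sample -Value '// constructed test file'
$targets = (Join-Path $env:windir 'System32\notepad.exe'), $sample

# Evaluate the policy file without applying it to the machine.
Test-AppLockerPolicy -XmlPolicy $policyPath -Path $targets -User Everyone |
    Format-Table FilePath, PolicyDecision, MatchingRule -AutoSize
```

AppLocker only audits or enforces while the Application Identity service (AppIDSvc) is running. The answer's condition "where users cannot write" still has to be confirmed against the folder ACLs on your own builds before switching the policy to enforcement.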
  • Thank you Martin and everyone who replied.  I appreciate your time on this.
    Tuesday, June 7, 2016 3:43 PM