Block malware with Windows Firewall and Group Policies
A lot of malware uses common tools built into Windows for downloading payloads from remote servers. (Image Copyright Sophos Labs)
Many antivirus and intrusion detection products can block this kind of activity, but you can get similar protection at no additional cost with Group Policy and Windows Firewall: outbound firewall rules that stop PowerShell and other commonly abused built-in tools from connecting to public IP addresses. Keep in mind that some developers and administrators use these tools legitimately, so scope the policy to the machines where it fits.
As always, test the policy on a small batch of computers first.
Create a new outbound rule for the program (start with powershell.exe), set the action to Block, then go to the Scope tab and select These IP addresses under Remote IP address.
Add the rest of the public IP ranges the same way:
1.0.0.0 – 9.255.255.255
11.0.0.0 – 126.255.255.255
129.0.0.0 – 169.253.255.255
169.255.0.0 – 172.15.255.255
172.32.0.0 – 192.0.1.255
192.0.3.0 – 192.88.98.255
192.88.100.0 – 192.167.255.255
192.169.0.0 – 198.17.255.255
198.20.0.0 – 223.255.255.255
This is the usual "all of IPv4 minus the reserved ranges" table: 10.0.0.0/8, 127.0.0.0/8, 169.254.0.0/16, 172.16.0.0/12, 192.0.2.0/24 (TEST-NET-1, which is why the fifth range ends at 192.0.1.255), 192.88.99.0/24, 192.168.0.0/16, 198.18.0.0/15 and everything from 224.0.0.0 upward stay reachable. It has a few rough edges: 128.0.0.0/8 is left unblocked (only 128.0.0.0/16 was ever reserved, and it no longer is), while 100.64.0.0/10 (carrier-grade NAT, RFC 6598) and the TEST-NET ranges 198.51.100.0/24 and 203.0.113.0/24 are blocked; adjust the table if your network uses any of these. The scope is also IPv4 only, and a rule whose remote addresses are all IPv4 never matches IPv6 traffic, so on dual-stack networks add 2000::/3 (IPv6 global unicast) to the same scope.
Save the rule and add a matching one for the other PowerShell binary (on 64-bit Windows, System32 holds the 64-bit executable and SysWOW64 the 32-bit one).
Repeat the same rule for each of the following programs (%SystemRoot% and %windir% point to the same directory; the 32-bit copies under SysWOW64 only exist on 64-bit Windows):
%SystemRoot%\System32\WindowsPowerShell\v1.0\powershell.exe
%SystemRoot%\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
%SystemRoot%\System32\WindowsPowerShell\v1.0\powershell_ise.exe
%SystemRoot%\SysWOW64\WindowsPowerShell\v1.0\powershell_ise.exe
%SystemRoot%\System32\wscript.exe
%SystemRoot%\SysWOW64\wscript.exe
%SystemRoot%\System32\cscript.exe
%SystemRoot%\SysWOW64\cscript.exe
%SystemRoot%\System32\mshta.exe
%SystemRoot%\SysWOW64\mshta.exe
%SystemRoot%\System32\regsvr32.exe
%SystemRoot%\SysWOW64\regsvr32.exe
%SystemRoot%\System32\rundll32.exe
%SystemRoot%\SysWOW64\rundll32.exe
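The same set of rules can be created in one go with the NetSecurity cmdlets instead of clicking through the firewall snap-in. The script below is an added example and is not from the original post; it assumes an elevated prompt on a test machine, and the rule group name is a placeholder chosen here. To write the rules straight into a GPO rather than the local policy, add -PolicyStore 'yourdomain.example\GPO name' to New-NetFirewallRule.

```powershell
# Added example (not the original post's code): build the outbound block rules
# for the built-in tools with PowerShell. Run elevated on a test machine first.

$group = 'Block built-in tools from the Internet'   # assumed group name

# Public IPv4 space minus RFC 1918 and other reserved ranges, plus IPv6 global
# unicast: a scope that only lists IPv4 addresses never matches IPv6 traffic.
$publicRanges = @(
    '1.0.0.0-9.255.255.255'
    '11.0.0.0-126.255.255.255'
    '129.0.0.0-169.253.255.255'
    '169.255.0.0-172.15.255.255'
    '172.32.0.0-192.0.1.255'
    '192.0.3.0-192.88.98.255'
    '192.88.100.0-192.167.255.255'
    '192.169.0.0-198.17.255.255'
    '198.20.0.0-223.255.255.255'
    '2000::/3'
)

# 64-bit (System32) and 32-bit (SysWOW64) copies of each commonly abused tool.
$programs = @(
    '%SystemRoot%\System32\WindowsPowerShell\v1.0\powershell.exe'
    '%SystemRoot%\SysWOW64\WindowsPowerShell\v1.0\powershell.exe'
    '%SystemRoot%\System32\WindowsPowerShell\v1.0\powershell_ise.exe'
    '%SystemRoot%\SysWOW64\WindowsPowerShell\v1.0\powershell_ise.exe'
    '%SystemRoot%\System32\wscript.exe'
    '%SystemRoot%\SysWOW64\wscript.exe'
    '%SystemRoot%\System32\cscript.exe'
    '%SystemRoot%\SysWOW64\cscript.exe'
    '%SystemRoot%\System32\mshta.exe'
    '%SystemRoot%\SysWOW64\mshta.exe'
    '%SystemRoot%\System32\regsvr32.exe'
    '%SystemRoot%\SysWOW64\regsvr32.exe'
    '%SystemRoot%\System32\rundll32.exe'
    '%SystemRoot%\SysWOW64\rundll32.exe'
)

foreach ($exe in $programs) {
    $arch = if ($exe -like '*\SysWOW64\*') { '32-bit' } else { '64-bit' }
    $name = 'Block Internet: {0} ({1})' -f (Split-Path $exe -Leaf), $arch

    # Idempotent: re-running the script does not create duplicate rules.
    if (Get-NetFirewallRule -DisplayName $name -ErrorAction SilentlyContinue) {
        Write-Verbose "Rule '$name' already exists, skipping"
        continue
    }

    # Explicit Block rules win over Allow rules, so this holds even though the
    # default outbound action of Windows Firewall is Allow.
    New-NetFirewallRule -DisplayName $name -Group $group `
        -Direction Outbound -Action Block -Enabled True -Profile Any `
        -Program $exe -RemoteAddress $publicRanges | Out-Null
}

# Check what was created: program path and remote scope of every rule in the group.
Get-NetFirewallRule -Group $group | ForEach-Object {
    [pscustomobject]@{
        Rule    = $_.DisplayName
        Program = ($_ | Get-NetFirewallApplicationFilter).Program
        Remote  = (($_ | Get-NetFirewallAddressFilter).RemoteAddress) -join ', '
    }
} | Format-Table -AutoSize

# Smoke test from a separate, non-elevated powershell.exe: the public request
# should now fail while an internal host (replace 192.168.1.1 with one of yours)
# still answers. DNS still resolves because the lookup is done by the DNS Client
# service, not by powershell.exe; only the connection itself is dropped.
#   Invoke-WebRequest -Uri 'http://example.com/' -UseBasicParsing
#   Test-NetConnection -ComputerName 192.168.1.1 -Port 445
```

To roll the change back on a test machine, remove the whole group with Remove-NetFirewallRule -Group followed by the same group name. If you want to see what is being dropped while the rules are on trial, enable logging of dropped packets in the firewall profile; the entries land in %SystemRoot%\System32\LogFiles\Firewall\pfirewall.log by default.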
That’s it. A few simple firewall rules can make a big difference, but know their limits: they match on the program path, so a copy of powershell.exe placed elsewhere, PowerShell 7 (pwsh.exe, installed under Program Files), or another built-in downloader such as certutil.exe or bitsadmin.exe is not covered, and if your clients reach the web through a proxy on a private address the rules will not trigger at all, because the tool only ever connects to the proxy. Treat them as one cheap layer alongside application control and monitoring, not as a replacement.
Thank you, this is a great idea.