I discovered AppLocker 3 years ago it has been a total game changer for us. Through the use of this Group Policy feature we have not had to clean up a single malware infection across 500 Windows 7 machines in over 3 years. This is in contrast to having to cleanup 3-5 infections per week, some of those involving a complete reimaging of the machine.

AppLocker, free and safe download. AppLocker latest version: Prevent access to programs of your choice. Windows 7; Windows 8; Downloads 408K Total downloads. Hi Br4tt3, Aoccrding to Technical Documentation for Windows 7 and Windows Server 2008 R2, rule conditions are properties of files that AppLocker uses to enforce rules.

Nov 19, 2009 Downloads; Training; Support Windows Client Sign. In Which versions of Windows 7 is AppLocker available? Windows 7 IT Pro >Windows 7. Download AppLocker 1.3. Secure any app with this useful tool.

Prior to AppLocker we had users with limited/non-admin rights and anti-virus/anti-malware software running on all machines with supposed real-time protection. Even with those limitations and software that was supposed to block it the users still managed to infect them via consenting to running executables presented to them by compromised and/or malicious websites. It took about 15 minutes to setup and then it 5-30 minutes here and there for the first few weeks to troubleshoot and create exceptions for some applications. After that initial process of implementing appropriate exceptions and workarounds I rarely have to touch my rules. Here’s a decent video overview of AppLocker for those who aren't familiar: Here's a list of requirements: Here's an overview of our current rules: It’s a very simple set of rules that is almost completely transparent to our users. Install Mplayer Debian Wheezy Repositories here. My philosophy is not to explicitly deny anything and only use “Allow” rules with exceptions due to the fact that deny rules cannot be overridden further down the line. The main rule is to “Allow Executables Only Outside of User Profile”.

This is an “Allow” rule under “Executable Rules” with a path of “*” (i.e. Allow everything) followed by “%OSdrive% Users *” in the exceptions list on the “Exceptions” tab. This rule blocks any executable that the user tries to execute from within their, or any other user’s, profile.

In most cases the user has no business launching any executable that lives in their profile and this is how most malware injects itself. They end up at a malicious site which presents the user with a false error message (Or something along those lines) and then is presented with a prompt to download/run an executable which they of course run. That executable goes into their downloads folder or%temp% (i.e.

C: users username AppData Local Temp) and is executed. Block the execution and you block the malware before it has any chance to compromise the machine. At that point you’ll need to make exceptions and workarounds for legitimate applications that you want to allow to run from the users’ profiles. Some examples of these are Google Chrome, Citrix GoTo Meeting, Dropbox, Cisco AnyConnect VPN client, MS Lync, MyAT&T, WebEx, etc.

It sounds a bit daunting but I’ve got a set of 14 rules that didn’t take long to implement and allows just about everything that a user would have a legitimate business need for. Most of these exceptions are based on software publisher so that you can allow all executables signed by GOOGLE INC, CISCO SYSTEMS, INC., etc. Without having to make individual exceptions for each application by Google or Cisco. With some applications, such as Chrome, you can actually install them into a more “normal’ location such as Program Files/Program Files(x86) and avoid needing an exception.

Edited 10/17/15 to add step 9 which permits the built in Packaged Apps to run under Windows 8,8.1 and 10. Next, 'Allow' for 'Everyone (These are the defaults), Next, Select 'Path', Next, type * in the 'Path' field (Allowing executables anywhere), Next. On the Exceptions step select 'path' from the 'Add Exception' dropdown then click 'Add', click Browse, enter%OSdrive% Users * into the path field and click OK.

Side note: My original thought was to use the%userprofile% environment variable here but there are only a subset of the environment variables available through GPO/AppLocker and that's not one of them.%osdrive% users * was the next best thing I could come up with and works fine. At this point you've broken 99% of future malware attempts but you've also broken a number of random legitimate programs that run from within the user's profile such as Chrome, GotoMeeting, etc.

The best option here is if the executables are signed you can create publisher rules. So, you can create a rule that allows anything signed by Google, Citrix Cisco, etc. So that you don't have to deal with each and every program that those trusted publishers release. Create a new rule based on an executable you want to allow and after you select the appropriate executable you can crank up the slider to the 'Publisher' level.