So I’m here today in Houston at HouSecCon.
Listening to Michael Gough he had a fantastic idea. It’s near impossible to retrain the end user from double-clicking. Rather we need to be smart and disassociate the malicious filetype with the underlying engine running it. This was done OOTB with .ps1 files. We should just do the same with all the other file types. This can be done via group policy. For home users, this is not possible. So…I wrote a script to do this for you. Feel free to download it here.
@echo off
echo ” ____ ”
echo ” | _ \ __ _ _ __ ___ ___ _ __ _____ ____ _ _ __ ___ ”
echo ” | |_) / _` | ‘_ \/ __|/ _ \| ‘_ ` _ \ \ /\ / / _` | ‘__/ _ \ ”
echo ” | _ < (_| | | | \__ \ (_) | | | | | \ V V / (_| | | | __/ ”
echo ” |_|_\_\__,_|_| |_|___/\___/|_| |_| |_|\_/\_/ \__,_|_| \___| ”
echo ” | __ )| | ___ ___| | _____ _ __ ”
echo ” | _ \| |/ _ \ / __| |/ / _ \ ‘__| ”
echo ” | |_) | | (_) | (__| < __/ | ”
echo ” |____/|_|\___/ \___|_|\_\___|_| ”
echo ” By: Andy Thompson”
echo ” www.MeteorMusic.com”
echo ” @R41nM4kr”assoc .js=poss_bad
assoc .jse=poss_bad
assoc .wsf=poss_bad
assoc .wsh=poss_bad
assoc .hte=poss_bad
assoc .lng=poss_bad
assoc .ps1=poss_bad
assoc .cmd=poss_bad
assoc .bat=poss_bad
assoc .vbs=poss_bad
assoc .vbe=poss_bad
ftype poss_bad=c:\Program Files\Windows NT\Accessories\wordpad.exe %1echo “Done! Have a great day!”
pause