Protecting Against Crypto Malware
Right-click on Software Restriction Policies and choose “New Software Restriction Policy”. You’ll now have a few more subfolders. Right-click “Additional Rules” and select “New Path Rule”.
Configure the Path Rule as shown below. This will block all .js files from executing on the machine. Note that this does not cover JavaScript running inside the web browser; the browser is not immune to, say, a zero-day, but that is a much smaller risk than a script being executed directly on the machine.
Click “OK”, then make sure to apply the GPO to an OU that contains the computer accounts you wish to protect. Alternatively you can apply this to the root of your domain, to configure every machine in the environment.
Software Restriction Policies are great for blacklisting malware from running in common locations. An example would be to create a new Path Rule to block “%TEMP%\*.exe” and “%TEMP%\*\*.exe”, or even “%USERPROFILE%\*.exe” and “%USERPROFILE%\*\*.exe”, as well as whatever other file extensions you think are appropriate. Be careful though: unless you know with 100% certainty that no legitimate programs need to run from the TEMP or USERPROFILE folders, you may unknowingly block something that is needed, which causes the usual panic amongst end users.
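The GPO steps above and the TEMP/USERPROFILE blacklist rules end up as registry values under the Safer key on each machine. The following PowerShell script is an added example, not part of the original article, that shows that underlying structure on a single machine: it writes the same kind of “Disallowed” Path Rule locally, lists every path rule currently in force (useful for auditing what a GPO actually delivered), checks whether JS is in the Designated File Types list, and pulls the Application-log events SRP writes when a rule blocks a launch. The rule text “*.js” is assumed to match the screenshot, the event source name is an assumption, and the rule descriptions are made up here; in a domain you would still deploy the rules through the GPO as the article describes and use the read-only functions for verification.

```powershell
# Added example (not from the original article). Run in an elevated PowerShell.
# Registry layout is the one SRP reads: HKLM\...\Safer\CodeIdentifiers\<level>\Paths\{GUID}
# where <level> 0 = Disallowed and 0x40000 (262144) = Unrestricted.
$SaferRoot    = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers'
$Disallowed   = 0
$Unrestricted = 0x40000

function Enable-SaferDefaults {
    # DefaultLevel Unrestricted (everything allowed unless a rule says otherwise),
    # TransparentEnabled 1 = enforce for all software files except DLLs,
    # PolicyScope 0 = apply to all users including local administrators.
    New-Item -Path $SaferRoot -Force | Out-Null
    Set-ItemProperty -Path $SaferRoot -Name DefaultLevel        -Value $Unrestricted -Type DWord
    Set-ItemProperty -Path $SaferRoot -Name TransparentEnabled  -Value 1 -Type DWord
    Set-ItemProperty -Path $SaferRoot -Name PolicyScope         -Value 0 -Type DWord
    Set-ItemProperty -Path $SaferRoot -Name AuthenticodeEnabled -Value 0 -Type DWord
}

function Add-SaferPathRule {
    param([string]$Path, [int]$Level = $Disallowed, [string]$Description = '')
    # Each rule is its own GUID-named subkey; ItemData is REG_EXPAND_SZ so that
    # %TEMP% / %USERPROFILE% are expanded by SRP at check time, not when written.
    $ruleKey = Join-Path (Join-Path $SaferRoot $Level) ('Paths\' + [guid]::NewGuid().ToString('B'))
    New-Item -Path $ruleKey -Force | Out-Null
    Set-ItemProperty -Path $ruleKey -Name ItemData     -Value $Path -Type ExpandString
    Set-ItemProperty -Path $ruleKey -Name SaferFlags   -Value 0 -Type DWord
    Set-ItemProperty -Path $ruleKey -Name Description  -Value $Description -Type String
    Set-ItemProperty -Path $ruleKey -Name LastModified -Value ([datetime]::UtcNow.ToFileTimeUtc()) -Type QWord
    return $ruleKey
}

function Get-SaferPathRules {
    # Read-only: enumerate both security levels. GetValue with
    # DoNotExpandEnvironmentNames keeps "%TEMP%\*.exe" literal instead of
    # expanding it for the current user, which is what an auditor wants to see.
    foreach ($level in $Disallowed, $Unrestricted) {
        $paths = Join-Path (Join-Path $SaferRoot $level) 'Paths'
        if (-not (Test-Path $paths)) { continue }
        Get-ChildItem -Path $paths | ForEach-Object {
            [pscustomobject]@{
                Level       = if ($level -eq $Disallowed) { 'Disallowed' } else { 'Unrestricted' }
                Path        = $_.GetValue('ItemData', $null, 'DoNotExpandEnvironmentNames')
                Description = $_.GetValue('Description', '')
                Key         = $_.PSChildName
            }
        }
    }
}

function Test-DesignatedFileType {
    param([string]$Extension)
    # ExecutableTypes (REG_MULTI_SZ, upper-case, no dot) is the "Designated File
    # Types" list; ordinary launches of other extensions are not checked.
    $types = (Get-ItemProperty -Path $SaferRoot -Name ExecutableTypes -ErrorAction SilentlyContinue).ExecutableTypes
    return [bool]($types -contains $Extension.TrimStart('.').ToUpper())
}

function Get-SaferBlockEvents {
    param([int]$Last = 20)
    # SRP logs to the Application log: 866 = blocked by a path rule,
    # 865 = blocked by the default level. Source name is not filtered on here
    # because it is an assumption; the IDs are enough to find the entries.
    Get-WinEvent -FilterHashtable @{ LogName = 'Application'; Id = 865, 866 } -MaxEvents $Last -ErrorAction SilentlyContinue |
        Select-Object TimeCreated, Id, Message
}

# --- Apply the article's rules locally and verify -----------------------------
Enable-SaferDefaults
Add-SaferPathRule -Path '*.js' -Description 'Block JScript files (article rule, assumed *.js)' | Out-Null
foreach ($p in '%TEMP%\*.exe', '%TEMP%\*\*.exe') {
    Add-SaferPathRule -Path $p -Description 'Block executables launched from TEMP' | Out-Null
}

Get-SaferPathRules | Format-Table -AutoSize

if (-not (Test-DesignatedFileType 'JS')) {
    Write-Warning 'JS is not in the Designated File Types list; add it in the SRP GPO so plain launches of .js files are checked.'
}

Get-SaferBlockEvents | Format-List
```

Run `gpupdate /force` (or log off and on) after changing the policy, then attempt to launch a harmless test file from one of the blocked locations and confirm an event 866 appears; the event message names the rule that fired, which is the quickest way to find out which of the TEMP/USERPROFILE rules is breaking a legitimate installer, since many installers unpack and run from %TEMP%. Rules delivered by a GPO live under the same key, so `Get-SaferPathRules` is also a quick way to confirm on a client that the policy has actually applied.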