Viruses are a constant headache. Generally, we prevent them by installing anti-virus software and patching the system. In Windows XP, configuring Software Restriction Policies is another way to keep viruses from running.
A Software Restriction Policy is an integral part of the local security policy. It lets administrators identify a specific file, or a class of files, by defining rules, and assign each rule a security level that allows or blocks execution of the matched files. Once a user logs on, the policy is applied to that user automatically: a self-starting file that the rules identify as not allowed, or a file the user tries to run that the rules identify as not allowed, will fail to run. In this way, viruses whose file names or types are known can be kept from running.
Software Restriction Policies offer four types of rule for identifying files. In descending order of priority they are:
Hash rules: compute a hash of the specified file and so identify it uniquely. As long as the file's content is unchanged, neither moving nor renaming it affects the rule. Hash rules apply to all executable code.
Certificate rules: identify a file by the code-signing certificate associated with it. Certificate rules apply to scripts and Windows Installer packages.
Path rules: identify a file by its path. The path can be a full file name, a directory, or a pattern with wildcards that matches a type of file. Once the file is moved or renamed, the rule no longer matches it.
Internet zone rules: identify an application by the Internet zone it was downloaded from. These rules apply mainly to Windows Installer packages.
Two security levels can be assigned: "Not Allowed" and "Unrestricted". "Not Allowed" blocks the program from running regardless of the user's permissions; "Unrestricted" lets users run the program subject to their normal permissions.
When a Software Restriction Policy is used to block viruses, the rules' security level must be set to "Not Allowed". The following examples show how to create such rules.
1. Blocking a virus with a known file name, such as the Shock Wave virus
The Shock Wave virus copies itself into the Windows directory (assuming the Windows XP system directory is C:\Windows), and the virus file is named avserve.exe.
Because the virus file name is known, either a path rule or a hash rule can identify the file. The procedure is as follows:
1. Log on as an administrator or a member of the Administrators group. From the Start menu choose "Run" and run secpol.msc to open the Local Security Policy editor, expand "Security Settings" and click "Software Restriction Policies". Alternatively, run gpedit.msc from "Run" to open the Group Policy editor, expand "Local Computer Policy", "Computer Configuration", "Windows Settings" and "Security Settings" in turn, and click "Software Restriction Policies".
2. The first time "Software Restriction Policies" is opened, the administrator must create the policy manually: right-click "Software Restriction Policies" and choose "Create New Policies". "Security Levels" and "Additional Rules" then appear under it. Right-click "Additional Rules" and choose "New Path Rule" from the shortcut menu, as shown in Figure 1.
3. In the "New Path Rule" window, enter C:\Windows\avserve.exe as the path, or click "Browse" to select the file, and choose "Not Allowed" from the "Security Level" drop-down list. If needed, enter a comment about the rule in the "Description" area, then click "OK", as shown in Figure 2.
4. A rule of type Path now appears in the list in the right pane, as shown in Figure 3.
To create a hash rule for the virus file instead, choose "New Hash Rule" from the shortcut menu in step 2; in the "New Hash Rule" window, click "Browse" to select the file and set the security level to "Not Allowed".
A hash rule requires the specified file to be accessible when the rule is created, that is, the computer already carries the virus and the file has not been removed. A path rule, by contrast, can be created before any infection: if the machine is later infected, the virus file at that path will not run.
2. Blocking worms written in Visual Basic Script (VBS)
A path rule whose path contains a wildcard can block all VBS files on the computer, and so prevents worms written in Visual Basic Script (VBS) from running.
The procedure is the same as for the path rule above; simply enter *.VBS as the path in step 3.
Blocking all VBS files also blocks VBS files written by local users. To avoid this, create a hash rule or a file-name path rule for those VBS files, or have the users sign their VBS files with their own certificate and create a certificate rule for it; in these rules set the security level to "Unrestricted". Because these rule types take priority over a wildcard path rule, the VBS files they identify will run without restriction when the policy is evaluated.
3. Setting the objects the policy applies to
To block viruses, the policy must apply to all users. By default it applies to all users, including administrators. To view and change the scope, set the "Enforcement" property of the Software Restriction Policy, as follows:
1. In the Local Security Policy editor or Group Policy editor, click "Software Restriction Policies"; the "Enforcement" item appears in the right pane.
2. Double-click "Enforcement". If the current scope is "All users except local administrators", select "All users" and click "OK", as shown in Figure 4.
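The rule precedence described at the start of the article, the exemption technique in section 2 and the enforcement scope in section 3 can be modelled in a short script. The following Python code is an added illustration, not Windows' own policy engine: it simulates how a Software Restriction Policy decides a file's effective security level (hash, then certificate, then path, then zone) and whether a given user may run it. The Rule and FileInfo classes, the use of SHA-1 for hash rules, the sample rule set and the tie-break between two rules of the same type are assumptions of this model, and the byte strings standing in for avserve.exe and a user's VBS file are constructed, not real files.

```python
import fnmatch
import hashlib
import ntpath
from dataclasses import dataclass
from typing import List, Optional

# Security levels, named as in the article.
DISALLOWED = "Not Allowed"
UNRESTRICTED = "Unrestricted"

# Precedence between rule types, highest first, as the article lists them.
PRECEDENCE = {"hash": 0, "certificate": 1, "path": 2, "zone": 3}


@dataclass
class Rule:                # hypothetical model of one SRP rule
    kind: str              # "hash", "certificate", "path" or "zone"
    match: str             # hex digest, signer name, path pattern or zone name
    level: str             # DISALLOWED or UNRESTRICTED
    description: str = ""


@dataclass
class FileInfo:            # what the engine knows about a file it is asked to run
    path: str
    content: bytes
    signer: Optional[str] = None   # subject of the signing certificate, if signed
    zone: Optional[str] = None     # e.g. "Internet" for a downloaded installer


def file_hash(content: bytes) -> str:
    # A hash rule identifies content only; moving or renaming the file changes nothing.
    return hashlib.sha1(content).hexdigest()


def path_matches(pattern: str, path: str) -> bool:
    # Case-insensitive path rule: a bare pattern such as "*.VBS" is compared with the
    # file name, a full path matches that file, a directory matches everything beneath it.
    pat, p = pattern.lower(), path.lower()
    if "\\" not in pat:
        return fnmatch.fnmatchcase(ntpath.basename(p), pat)
    if fnmatch.fnmatchcase(p, pat):
        return True
    return p.startswith(pat.rstrip("\\") + "\\")


def rule_applies(rule: Rule, f: FileInfo) -> bool:
    if rule.kind == "hash":
        return rule.match == file_hash(f.content)
    if rule.kind == "certificate":
        return f.signer is not None and rule.match == f.signer
    if rule.kind == "path":
        return path_matches(rule.match, f.path)
    if rule.kind == "zone":
        return f.zone is not None and rule.match == f.zone
    raise ValueError(f"unknown rule type {rule.kind!r}")


def effective_level(rules: List[Rule], f: FileInfo, default: str = UNRESTRICTED) -> str:
    # The matching rule of the highest-precedence type decides. Ties within one type go
    # to the longer (more specific) match string: an assumption of this model.
    hits = [r for r in rules if rule_applies(r, f)]
    if not hits:
        return default
    return min(hits, key=lambda r: (PRECEDENCE[r.kind], -len(r.match))).level


def may_run(rules: List[Rule], f: FileInfo, user_is_admin: bool,
            scope: str = "All users") -> bool:
    # Enforcement scope first (section 3), then the effective security level.
    if scope == "All users except local administrators" and user_is_admin:
        return True
    return effective_level(rules, f) == UNRESTRICTED


# Constructed stand-ins for file contents; nothing here is real malware.
WORM_BYTES = b"constructed stand-in for avserve.exe"
MY_SCRIPT = b"constructed stand-in for a user's own VBS file"

POLICY = [
    Rule("path", r"C:\Windows\avserve.exe", DISALLOWED, "section 1, path rule"),
    Rule("hash", file_hash(WORM_BYTES), DISALLOWED, "section 1, hash rule"),
    Rule("path", "*.VBS", DISALLOWED, "section 2, block all VBS"),
    Rule("hash", file_hash(MY_SCRIPT), UNRESTRICTED, "section 2, exempt one script"),
    Rule("certificate", "Constructed Local User Cert", UNRESTRICTED, "section 2, exempt signed VBS"),
]


def demo() -> dict:
    home = r"C:\Documents and Settings\user"
    return {
        "worm_in_place": effective_level(POLICY, FileInfo(r"C:\Windows\avserve.exe", WORM_BYTES)),
        # Same content, new name and location: the hash rule still catches it ...
        "worm_renamed": effective_level(POLICY, FileInfo(r"C:\Temp\renamed.exe", WORM_BYTES)),
        # ... but a policy holding only the path rule no longer matches (section 1 caveat).
        "worm_renamed_path_rule_only": effective_level(POLICY[:1], FileInfo(r"C:\Temp\renamed.exe", WORM_BYTES)),
        "unknown_vbs": effective_level(POLICY, FileInfo(home + r"\unknown.vbs", b"constructed worm script")),
        "my_vbs": effective_level(POLICY, FileInfo(home + r"\backup.vbs", MY_SCRIPT)),
        "signed_vbs": effective_level(POLICY, FileInfo(r"D:\tools\signed.vbs", b"other", signer="Constructed Local User Cert")),
    }


if __name__ == "__main__":
    for name, level in demo().items():
        print(f"{name}: {level}")
```

Running the script shows the two points the article makes about rule choice: a renamed copy of the worm slips past a path-only policy but not a hash rule, and the hash and certificate rules set to "Unrestricted" override the wildcard *.VBS path rule for the files they identify. The may_run function adds the enforcement scope, so that with "All users except local administrators" an administrator is not blocked at all.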
The above describes two ways of blocking viruses with Software Restriction Policies. The approach is limited in the kinds of virus it can stop, and it requires the administrator to know the virus's details and write sensible rules for it, which means ongoing maintenance. It must also be clear that this method does not remove a virus from the computer; it only prevents attacks by stopping the virus program from running. Still, it is a useful auxiliary measure, and in some cases it works well. Against ever more rampant computer viruses, we ultimately rely on installing anti-virus software, patching system vulnerabilities and hardening the system.