Disable Server 2008 TCP Chimney Offload


TCP Chimney Offload is a networking technology that helps transfer the workload from the CPU to a network adapter during network data transfer. In Windows Server 2008, TCP Chimney Offload enables the Windows networking subsystem to offload the processing of a TCP/IP connection to a network adapter that includes special support for TCP/IP offload processing.

TCP Chimney Offload is available in all versions of Windows Server 2008 and Windows Vista. Both TCP/IPv4 connections and TCP/IPv6 connections can be offloaded if the network adapter supports this feature.

Disable TCP Chimney Offload from command line:

netsh int tcp set global chimney=disabled

The above command disables TCP Chimney Offload for the operating system.

CryptoLocker Software Restriction Policies


Identification of Cryptolocker

Location of CryptoLocker binaries:

  • %AppData%\<random>.exe
  • %LocalAppData%\<random>.exe

If the malware has executed, one or more of the following registry keys will be present:

  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run "CryptoLocker"
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run "CryptoLocker_<version>"
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce "*CryptoLocker"
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run "<Random>"

Containing CryptoLocker

Stop the binaries from executing by applying GPO to block the following:

  • %appdata%\*.exe
  • %appdata%\*\*.exe
  • %localappdata%\*.exe
  • %localappdata%\*\*.exe

It is also possible to stop execution by creating a Software Restriction Policy (SRP).

Below are SRP rules to assist in blocking CryptoLocker. You may have to tweak some of these rules for your environment.

----------

Block CryptoLocker executable in %AppData%

Path: %AppData%\*.exe
Security Level: Disallowed
Description: Don’t allow executable to run from %AppData%.

Block CryptoLocker executable in %LocalAppData%

Path if using Windows XP: %UserProfile%\Local Settings\*.exe
Path if using Windows Vista/7/8: %LocalAppData%\*.exe
Security Level: Disallowed
Description: Don’t allow executable to run from %LocalAppData%.

Block executable run from archive attachments opened with WinRAR:

Path if using Windows XP: %UserProfile%\Local Settings\Temp\Rar*\*.exe
Path if using Windows Vista/7/8: %LocalAppData%\Temp\Rar*\*.exe
Security Level: Disallowed
Description: Block executables run from archive attachments opened with WinRAR.

Block executable run from archive attachments opened with 7zip:

Path if using Windows XP: %UserProfile%\Local Settings\Temp\7z*\*.exe
Path if using Windows Vista/7/8: %LocalAppData%\Temp\7z*\*.exe
Security Level: Disallowed
Description: Block executables run from archive attachments opened with 7zip.

Block executable run from archive attachments opened with WinZip:

Path if using Windows XP: %UserProfile%\Local Settings\Temp\wz*\*.exe
Path if using Windows Vista/7/8: %LocalAppData%\Temp\wz*\*.exe
Security Level: Disallowed
Description: Block executables run from archive attachments opened with WinZip.

Block executable run from archive attachments opened using Windows built-in Zip support:

Path if using Windows XP: %UserProfile%\Local Settings\Temp\*.zip\*.exe
Path if using Windows Vista/7/8: %LocalAppData%\Temp\*.zip\*.exe
Security Level: Disallowed
Description: Block executables run from archive attachments opened using Windows built-in Zip support.

----------

Identifying if your system has already begun encrypting files:

The following PowerShell script will list all files that are currently encrypted on the local system. To execute this, run PowerShell as administrator and paste the following code:

(Get-Item HKCU:\Software\CryptoLocker\Files).GetValueNames().Replace("?","\") | Out-File CryptoLockerFiles.txt -Encoding unicode

The value names under that key are the paths of the encrypted files, with "?" standing in for "\"; the Replace call restores the backslashes before the list is written to CryptoLockerFiles.txt.
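The following PowerShell function is an added example, not part of the original post: it walks the identification indicators listed above (executables dropped directly in %AppData% or %LocalAppData%, the CryptoLocker Run/RunOnce values, and the HKCU\Software\CryptoLocker\Files key) for the current user and returns one line per finding. The function name and the output file name are my own choices; it assumes it is run in the profile of the user suspected to be infected.

```powershell
# Added example (not from the original post). Collects the CryptoLocker indicators
# described above and returns them as strings; an empty result means none were seen.
function Get-CryptoLockerIndicators {
    $findings = @()
    $profileDirs = @($env:APPDATA, $env:LOCALAPPDATA)

    # 1. Dropper location: a .exe sitting directly in %AppData% or %LocalAppData%.
    foreach ($dir in $profileDirs) {
        Get-ChildItem -Path $dir -Filter '*.exe' -ErrorAction SilentlyContinue |
            Where-Object { -not $_.PSIsContainer } |
            ForEach-Object { $findings += "Executable in profile root: $($_.FullName)" }
    }

    # 2. Persistence: Run/RunOnce values named CryptoLocker*, plus any value whose
    #    command points back into the profile directories (covers the <Random> name).
    $runKeys = @('HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
                 'HKCU:\Software\Microsoft\Windows\CurrentVersion\RunOnce')
    foreach ($key in $runKeys) {
        $item = Get-Item -Path $key -ErrorAction SilentlyContinue
        if ($null -eq $item) { continue }
        foreach ($name in $item.GetValueNames()) {
            $data = [string]$item.GetValue($name)
            # RunOnce entries carry a leading "*" so they also run in Safe Mode.
            $nameHit = $name.TrimStart('*') -like 'CryptoLocker*'
            $pathHit = $false
            foreach ($dir in $profileDirs) {
                if ($data -like "*$dir\*") { $pathHit = $true }
            }
            if ($nameHit -or $pathHit) {
                $findings += "Persistence value ${key}\${name} = $data"
            }
        }
    }

    # 3. Encryption already under way: one value per encrypted file under the Files
    #    key, with "?" used in place of "\" in each stored path.
    $filesKey = 'HKCU:\Software\CryptoLocker\Files'
    if (Test-Path -Path $filesKey) {
        $encrypted = @((Get-Item -Path $filesKey).GetValueNames() |
            ForEach-Object { $_.Replace('?', '\') })
        $findings += "Files key present: $($encrypted.Count) file(s) recorded as encrypted"
        $encrypted | Out-File -FilePath 'CryptoLockerFiles.txt' -Encoding unicode
    }

    return $findings
}

Get-CryptoLockerIndicators
```

A hit under step 1 or 2 on its own does not prove infection (other software also drops executables in the profile), so confirm with the Files key or a hash of the flagged binary before acting on it.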