I've been wanting to ask this one since it is related to the GPCode weakness:
Is the rule GPCode Killer>\RPC Control\protected_storage still applicable to the new build 2131?
I already applied "?:\*" and "\Device\KsecDD" in the Protected Files and Folders.
Well, in general those are all workarounds and malware-code dependent; only "?:\*" will guard all your files if the malware is sandboxed.
The others will only block specific samples with specific tricks, and that is when the AV doesn't have a sig for it already.