CryptoPrevent is no longer based solely on Windows software restriction policies

Discussion in 'other anti-malware software' started by Dragon1952, Jun 17, 2014.

  1. WildByDesign

    WildByDesign Registered Member

    Joined:
    Sep 24, 2013
    Posts:
    2,587
    Location:
    Toronto, Canada
    I agree with that 100%. That is just asking for trouble. Also, I'm starting to think that maybe this particular ransomware isn't as widespread as it was initially thought to be.
     
  2. Victek

    Victek Registered Member

    Joined:
    Nov 30, 2007
    Posts:
    6,219
    Location:
    USA
    I just checked the white-list in CryptoPrevent and see executables for LastPass and 7+ Taskbar Tweaker in %appdata% and %userprofile%, but nothing in ProgramData. There are in fact quite a few executables in my C:\ProgramData folder, however they don't look like primary EXEs for starting applications.

    The infected MineCraft game download does look like the culprit in most of the reported instances, but there have been a few users who said they never downloaded it. Assuming they aren't forgetting there must be other attack vectors. Of course if you have kids they sometimes constitute an attack vector :cool: (no unkindness meant to children per se).
     
  3. WildByDesign

    WildByDesign Registered Member

    Joined:
    Sep 24, 2013
    Posts:
    2,587
    Location:
    Toronto, Canada
    Or wives. :isay:
     
  4. Victek

    Victek Registered Member

    Joined:
    Nov 30, 2007
    Posts:
    6,219
    Location:
    USA
    Ah, we must tread carefully :ninja: And by the way, where is v8 of CryptoPrevent?
     
  5. WildByDesign

    WildByDesign Registered Member

    Joined:
    Sep 24, 2013
    Posts:
    2,587
    Location:
    Toronto, Canada
    Good question. Ever since they stated that v8 was "Coming soon", I haven't seen much else about it. No expected date or anything that I am aware of. I'll check their forums to see if there is any beta testing going on for it.
     
  6. EASTER

    EASTER Registered Member

    Joined:
    Jul 28, 2007
    Posts:
    11,126
    Location:
    U.S.A. (South)
    Maybe after this newest Locker attack they decided to gather from analysis available and make additional modifications. Since it's taken this long they might just as well cover any new possibilities while folks are waiting anyway.
     
  7. itman

    itman Registered Member

    Joined:
    Jun 22, 2010
    Posts:
    8,592
    Location:
    U.S.A.
    According to this poster over at bleepingcomputer.com, malware came via a download from this domain:

    This is in my history. It's an uploaded link that's supposed to be mc1.8. If you download it, it's a .js file.
    DON'T GET THIS UNLESS YOU KNOW WHAT YOU'RE DOING PLEASE!


    *Link to malware removed as per forum rules

    https://www.wilderssecurity.com/threads/should-we-do-a-security-competition.304658/page-2#post-1915286

    Very possible other downloads from that domain were also infected.
     
    Last edited by a moderator: May 28, 2015
  8. emmjay

    emmjay Registered Member

    Joined:
    Jan 26, 2010
    Posts:
    1,540
    Location:
    Triassic
    I had to go back to the default setting. I tried the highest setting for a month and I think it may have caused a problem with an incremental backup not running properly. There is a warning that indicates that this might happen with that setting so this is not a gripe. Looking forward to seeing the next build.
     
  9. itman

    itman Registered Member

    Joined:
    Jun 22, 2010
    Posts:
    8,592
    Location:
    U.S.A.
    Also saw a recent posting from someone who said they downloaded the Minecraft game months ago, never installed it, but still got infected. He says he used a "safe" download site.

    Looking more and more as if the payload was somehow associated with the download; perhaps a redirect to a site and then exploit loaded?
     
  10. Victek

    Victek Registered Member

    Joined:
    Nov 30, 2007
    Posts:
    6,219
    Location:
    USA
  11. WildByDesign

    WildByDesign Registered Member

    Joined:
    Sep 24, 2013
    Posts:
    2,587
    Location:
    Toronto, Canada
    Awesome, thanks for finding and sharing these screenshots.

    I see that there is an option there now regarding CryptoPrevent QuickAccess which I would assume enables some kind of system tray icon functionality. That's good because it's something I thought it needed a while back to enable/disable protection easily from the system tray.

    The interface looks well organized and tidy. I'm curious about that Folder Watch tab.

    I used CryptoPrevent only briefly a year or so back in testing. I have always thought of CryptoPrevent as very similar to Simple Software-restriction Policy or even PGS as well. Power users who want more granular control would be more likely to use SSRP or similar. But I think where CryptoPrevent shines is that it has been designed from the beginning to be very easy for those everyday regular computer users who don't understand security as much and in that sense is more "set it and forget it" type of program. Or even some computer techs or well versed security folks can easily (and quickly) put this on users machines or family members machines, etc. and therefore doesn't take too much time or thought into it.

    I would definitely recommend CryptoPrevent for users who don't need the granular control or who don't want to put as much time or thought into their setup. Although it does still have some granular control as well with its built-in Software Restriction Policy Editor and a few other areas. I don't use CryptoPrevent myself, but it is great to have choice out there and it's also nice to see its continued development.
     
  12. EASTER

    EASTER Registered Member

    Joined:
    Jul 28, 2007
    Posts:
    11,126
    Location:
    U.S.A. (South)
    Woot! Thanks for the heads up on CP version 8 upcoming. Useful improvements to be sure.

    Folder Watch (Real-Time) is of special interest for me too. In EQS classical HIPS you could always set a Rule to alert at any time that ANY folder in ANY directory was being created and suspend that action long enough to trace back what was wanting to produce that action. Or simply Default Deny on any potential newly created folders. Useful feature.
     
    Last edited: Jun 15, 2015
  13. itman

    itman Registered Member

    Joined:
    Jun 22, 2010
    Posts:
    8,592
    Location:
    U.S.A.
    Warning!!!

    Whatever you do, don't install this! I have been having a few issues with my PC lately and yesterday ran SFC /scannow. OMG! Tons of my WIN 7 files were hosed. Many that could not be repaired. So I did a system restore prior to when I installed this gpedit.msc "fix" and still the files were hosed. So I had to go back to an image backup I did a month prior to that and just got done reinstalling everything. Ran SFC /scannow and all my files are OK. :)

    This crap is malware.
     
  14. NormanF

    NormanF Registered Member

    Joined:
    Feb 20, 2009
    Posts:
    2,872
    Really?

    All it does is make the security policies visible - so they can be configured - in home versions of Windows.

    It doesn't change any Windows settings.

    gpedit.msc CANNOT hose your Windows 7 operating system files.
     
  15. itman

    itman Registered Member

    Joined:
    Jun 22, 2010
    Posts:
    8,592
    Location:
    U.S.A.
    Well, my CPS.log file was like 7 MB and it flagged a ton of GPEdit files.
     
  16. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    17,546
    Location:
    The Netherlands
    Thanks for the heads up.
     
  17. Victek

    Victek Registered Member

    Joined:
    Nov 30, 2007
    Posts:
    6,219
    Location:
    USA
    Not sure what you're seeing. I installed gpedit on Windows 7 Home Premium x64 and SFC /scannow only flags those specific files.
     
  18. itman

    itman Registered Member

    Joined:
    Jun 22, 2010
    Posts:
    8,592
    Location:
    U.S.A.
    It is possible the gpedit.msc fix was not the culprit. I did have a few Win 7 crashes in the timeframe in question. Possibly one of those auto repairs hosed something. Really never saw so many corrupt OS files. The kicker was Win 7 ran fine for the most part so I never suspected anything was amiss.
     
  19. NormanF

    NormanF Registered Member

    Joined:
    Feb 20, 2009
    Posts:
    2,872
    I agree the Group Policy editor is not the culprit.

    It can only set security policies and should NOT alter any other settings in Windows.

    That's not what it's designed for.

    I'm running it with no issues on Windows 7 Home Premium.
     
  20. chrcol

    chrcol Registered Member

    Joined:
    Apr 19, 2006
    Posts:
    982
    Location:
    UK
    Well, here is my feedback.

    Basically the non SRP protections work, e.g. I get a prompt when changing my time zone.

    But all the SRP-based stuff fails (yes, I do reboot); the app thinks it has the policies installed, as it shows them in its internal editor, but when I manually check SRP none of the rules are installed.

    The only other security software I have is NOD32 AV, so is it possible that's blocking the SRP stuff being added? If I disable NOD32 temporarily and try to activate the SRP rules it still fails.

    Also with the BETA mode activated, I had issues on startup; some startup apps like VistaSwitcher started prompting for UAC approval when they don't normally need it.
     
  21. chrcol

    chrcol Registered Member

    Joined:
    Apr 19, 2006
    Posts:
    982
    Location:
    UK
    Still fails when HIPS is disabled.
     
  22. Victek

    Victek Registered Member

    Joined:
    Nov 30, 2007
    Posts:
    6,219
    Location:
    USA
    "Where are the software restriction policies?"

    "The policies are not visible in the policy editor as they were not created by the group policy editor. You can view the policies from within CryptoPrevent itself. More info in the FAQ."

    http://oldforums.foolishit.com/viewtopic.php?f=34&t=2265
     
  23. chrcol

    chrcol Registered Member

    Joined:
    Apr 19, 2006
    Posts:
    982
    Location:
    UK
    When I hit the test button it says test failed, and policies are not working. Yes, I have rebooted (many times).

    Also I find it odd what you're saying, that they won't be visible in the policy editor, because if I add policies manually without the policy editor, the policy editor can still see them.

    Also to add I have done manual tests, I can run executables in the locations listed.

    Further update: it seems any disallow rules I add via the policy editor also don't work.

    Even default deny doesn't work.

    Any ideas?

    Further update: it is partially working on a limited user account, but not on my normal account (SRP is set to include administrators).
     

    Last edited: Aug 6, 2015
  24. chrcol

    chrcol Registered Member

    Joined:
    Apr 19, 2006
    Posts:
    982
    Location:
    UK
    OK, so here is where I am (maybe I should make a new thread?)

    As normal user account, (some) policies added via policy editor work.
    As administrator no policies work even when all users is enforced.
    All policies added via CryptoPrevent do not work on any users. I wonder if I am the only person who has tried to test this rather than assuming they just work.

    Obviously something isn't working right on my rig given I need to be a normal user for SRP to work at all. Also certain paths don't work at all even when I add them via the policy editor, e.g. if I add F:\Drivers and reboot to make sure it sticks, I can still run programs from that path as any user. But it does work e.g. if I apply it to C:\ProgramData, so it's hit and miss.

    I think SRP is considered obsolete and not even supported by microsoft in vista+.

    Applocker works properly, so I am manually putting all cryptoprevent rules on that, and will email the app dev's to use that instead of SRP.

    As for using a normal user account, it isn't that bad so I might stick with it, the issue being though that some apps don't like it; will try to find workarounds, e.g. Precision X won't auto start but I think I can start it via Task Scheduler instead so it may be OK.

    Decided sod it, just done a default deny config with applocker so all these paths are covered now anyway :)
     
    Last edited: Aug 6, 2015
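    The two posts above turn on a question the thread never settles: are the rules actually written, and if so who do they apply to? SRP rules live in the registry regardless of which tool wrote them (gpedit.msc, secpol.msc or a third-party product), so reading that key directly is a more reliable check than either the policy editor's view or a product's own test button. The following PowerShell is an added example, not code from the thread or from CryptoPrevent; it assumes the standard Safer registry layout and an elevated prompt, and reports the default level, whether local administrators are exempt (PolicyScope) and every path rule, so a policy that was never written can be told apart from one that is present but scoped to exclude admins.

```powershell
# Added example, not from the thread or CryptoPrevent: dump the Software
# Restriction Policy state straight from the registry, which is the store
# Windows enforces from no matter which tool wrote the rules. Run elevated.

$levelNames = @{ 262144 = 'Unrestricted'; 131072 = 'Basic User'; 0 = 'Disallowed' }

function Get-SrpState {
    param([string]$Hive = 'HKLM')   # 'HKLM' (machine policy) or 'HKCU' (per-user policy)

    $base = "$($Hive):\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers"
    if (-not (Test-Path $base)) {
        Write-Output "$Hive : no SRP configuration present"
        return
    }
    $ci = Get-ItemProperty -Path $base

    # DefaultLevel is absent when SRP was never configured; Windows then behaves as Unrestricted.
    $default = if ($null -eq $ci.DefaultLevel) { 'not set (Unrestricted)' } else { $levelNames[[int]$ci.DefaultLevel] }
    # PolicyScope 1 exempts local administrators: rules then bite a limited user but not an admin.
    $scope = if ($ci.PolicyScope -eq 1) { 'all users EXCEPT local administrators' } else { 'all users (administrators included)' }
    # TransparentEnabled 1 = all software except DLLs, 2 = all software files.
    $enf = if ([int]$ci.TransparentEnabled -eq 2) { 'all files incl. DLLs' } else { 'executables only' }

    Write-Output ("{0}: default level = {1}; applies to = {2}; enforcement = {3}" -f $Hive, $default, $scope, $enf)

    # Each path rule is a subkey <level>\Paths\{GUID}; ItemData holds the path pattern.
    foreach ($lvl in $levelNames.Keys) {
        $paths = Join-Path $base "$lvl\Paths"
        if (-not (Test-Path $paths)) { continue }
        Get-ChildItem -Path $paths | ForEach-Object {
            $rule = Get-ItemProperty -Path $_.PSPath
            [pscustomobject]@{
                Hive        = $Hive
                Level       = $levelNames[$lvl]
                Path        = $rule.ItemData
                Description = $rule.Description
            }
        }
    }
}

# Machine policy first, then the per-user policy, so a rule present in one
# hive but missing from the other stands out.
Get-SrpState -Hive HKLM
Get-SrpState -Hive HKCU
```

    Compare the listed paths against what the product claims to have applied; a path that is absent here is not enforced, whatever the product's own editor shows.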
  25. Victek

    Victek Registered Member

    Joined:
    Nov 30, 2007
    Posts:
    6,219
    Location:
    USA
    To be clear the statement I posted was made by the developer not myself; that's why it's in quotes and why I linked to the original thread. You might want to contact him for support. FWIW when I click the test button in CryptoPrevent it says all policies applied, and that's when I'm logged in with an Admin account.
     