CryptoPrevent is no longer based solely on Windows software restriction policies

Separated all main protection policies so they may be individually applied or removed.
Added policy to disable Windows Sidebar/Gadgets due to security vulnerabilities.
Daily updates are now for the new definitions, and a new weekly schedule will be created for application updates.
New email options for bulk premium custom installers.
Easier to install and apply protection with the free version......http://www.majorgeeks.com/files/details/cryptoprevent.html

 

Please take special note of:

◦New real-time ‘Filter Module’ that can filter certain executables against hash based definitions, can also filter based on other criteria using a more complex rule set, and allow user the option to run the file anyway. Enabled for CPL, SCR, and PIF files by default – advanced options allow to enable for EXE/COM files also (experimental!)

"if you have the Filter Module enabled in v6 and above, your anti-malware software may report several false positives related to CryptoPrevent’s [restriction of policy] settings."

Specifically, these registry keys may be detected as ‘modified‘ or ‘hijacked‘, and the value data will point to the CryptoPreventFilterMod.exe file in your installation directory.

• scrfile\shell\open\command
• cplfile\shell\open\command
• piffile\shell\open\command

If using the experimental EXE/COM filter, you can also expect to see these keys:

• exefile\shell\open\command
• comfile\shell\open\command

And any key above may also have “runas” where “open” is, and affected values may include “(Default)” and “IsolatedCommand”

If these fit the category of your anti-malware detection, then they are definitely CryptoPrevent’s settings, and it is safe to tell your anti-malware software to ignore them and/or whitelist them.

===================

Indeed, MBAM scans are coming up with [at least] the following two registry entries:

Broken.OpenCommand, HKCR\piffile\shell\open\command, "C:\Program Files\Foolish IT\CryptoPrevent\CryptoPreventFilterMod.exe" *"Good: ("Bad: ("C:\Program Files\Foolish IT\CryptoPrevent\CryptoPreventFilterMod.exe" *"%1" %*),,[ffffffffffffffffffffffffffffffff]" %*)" %*, %4, %5

Broken.OpenCommand, HKCR\scrfile\shell\open\command, "C:\Program Files\Foolish IT\CryptoPrevent\CryptoPreventFilterMod.exe" "Good: ("Bad: ("C:\Program Files\Foolish IT\CryptoPrevent\CryptoPreventFilterMod.exe" "%1" %*),,[ffffffffffffffffffffffffffffffff]" /S)" %*, %4, %5

which must then be added to MBAM's Exclusions list.

 

For anyone using this newly designed/updated version (6.0), what's your opinion of it so far?

 

I've been using it for about a week with no problems observed. There have been no definition updates during this time. Free version, all settings at default, W7-64.

 

I think this is a very good decision on the developers part considering how many applications already block Crypto Locker without requiring updates, and also block all other threats. Why use an application that only targets Crypto Locker when there are many that will block it, and also block all other threats. Policy based software like AppGuard, and Antiexecutable software like ERP, or VoodooShield that uses whitelisting will easily block Crypto Locker. Using CryptoPrevent would be redundant. A good HIPS will also block Crypto locker. I think this is a good move on the developers part.

 

I am glad that CryptoPrevent has decided to expand it's capabilities because it has always had much more potential. I especially like the addition of the Policy Editor within the Advanced menu to easily create custom Whitelists and Blacklists.

 

CryptoPrevent v7.3.x brings some new features, more clarity on protection levels, and improved protection!

First, CryptoPrevent now supports SSL/TLS encryption and StartTLS for your SMTP server settings! This enables support for a wider variety of SMTP servers, allowing users requiring this level of encryption to configure their email alert functionality. Previously only SSL was supported. ..https://www.foolishit.com/new-cryptoprevent-v7-3-x-new-features-improved-protection/

 

Is it correct that CryptoPrevent basically tries to protect against drive-by attacks in general? So if you run ransomware yourself, it won't do any good?

 

All this sh*#T is exactly what we had in classical HIPS custom user-defined rulesets until they were abandoned and users left twisting in the wind without them for x64 systems. Can't help but feel that today's so called security software vendors are completely responsible for their demise in order to as Pete likes to make special note o in their defense, REVENUE FLOW.

The best protections we ever had was always free and never the scams that have evolved now in perpetrating their security wares for a licensing fee and leave users at the mercy of a CryptoLock or other pieces of crapware

 

Updated today to version 7.3.5 (free version) and found that I had to disable real time monitoring in MBAM and my AV for the installation to finish. The setup takes an additional few mins to complete the group policies setup. At first I thought the setup was looping, but not so. A restart was necessary for the installation to complete. Wanted to see if there were any problems regarding the support for TLS encryption in this version after having installed the latest MS updates, especially the SSL/TLS patch. No problems as yet, but will report if I come across any. NB: using default setting.

 

CryptoPrevent has been updated to v7.4.20 and available through the internal updater. Can't find a changelog.

http://www.foolishit.com/vb6-projects/cryptoprevent/

 

• v7.4.20 (April 10 2015)
  • Added: New extension rules for batch scripts and javascript files (*.JS, *.JSE) as some v3 versions of Crypto-malware are using these file types as an infection method.
  • Redesigned: Software Restriction Policy Editor to allow resizing and longer listboxes (previously some longer rules were not displayed entirely due to the short listboxes.) *fonts may appear smaller this is a known issue and will be resolved in a future update*
  • Fixed: Block Temp Extracted Executables checkbox in the Advanced interface did not apply this setting when checked.

source: http://www.foolishit.com/vb6-projects/cryptoprevent/technical-information/

 

Apparently CryptoPrevent version 8 is coming soon with a new design:

Link: http://www.foolishit.com/new-cryptoprevent-edition-coming-soon/

Coming soon to Free Edition:

• Redesigned interface to add simplicity in usage and an intuitive user interface with more detail for advanced users.

Coming soon to Premium Edition:

• New ‘QuickAccess’ system tray app to easily access frequently used features!
• New ‘Terminate Non-Essential Processes’ on-demand option to forcibly close all unnecessary programs that are not essential to Windows. This gives you the ability to close malicious pop-ups without executing malicious code potentially in the ‘close’ button (big red X in the top right corner of the window) or by using the Windows Task Manager and having to determine what ‘process’ the program is in the list.

Coming soon to Bulk/Resale Edition:

• Centrally manage and remotely deploy updated configurations!!!

 

FWIW CryptoPrevent Premium Edition is currently on sale:

http://www.foolishit.com/cryptoprevent-malware-prevention/

 

I don't really understand the fuzz about this tool. It will try to protect you from ransomware delivered by drive-by attacks. But what if you open/download the malware yourself? Then it can't help you, or am I missing something?

 

Sadly what is never said is that a user that keeps both UAC (even at the lowest level) and System Restore enabled has nothing to fear from Ransomware Encryptors. I did a video demonstrating this protection versus different types of encryptors (including Fortress, which encrypts executables).

For any interested, google "Ransomware Encryptors vs UAC and System Restore".

 

By enabling System Restore on non-C drives.

 

It protects by preventing executables from running from the locations typically used by crypto-ransomware, for instance %appdata%

https://www.youtube.com/watch?v=M4dNuZYGgMM

The above link is for a video demoing an older version of CryptoPrevent, but you will get the idea. AFAICT the user cannot run any executable from protected locations that isn't white-listed.

 

Is this only for CryptoLocker specifically or is this a general prevention for all crypto malwares?

 

https://www.foolishit.com/cryptoprevent-malware-prevention-2/general-faq/

"Will this protect against other ‘Crypto’ type ransomware such as CryptoDefense, CryptoWall, etc., and their newer v2/v3 and future variants??

There are a number of new CryptoLocker clones emerging that can also be prevented by CryptoPrevent. The majority of these are protected against by default protections in their older versions, but newer variants are coming out that can only be stopped by the Maximum Protection + Program Filtering (BETA) option, which uses a definitions based system to keep current with known malware threats. This is however a “BETA” which means it is not fully tested on all platforms. Also note this option is not available with the portable edition of CryptoPrevent.


The newer variants require the Max Protection + Program Filtering BETA because most of this stuff has figured out how to get around the original “Software Restriction Policy” based protections provided by CryptoPrevent at the Max and lower levels. It is the Program Filtering component that protects against these threats by using a pseudo-real-time filter that is definitions based."

 

https://www.youtube.com/watch?v=9VhZGa-NP0w

If only people would stop and actually evaluate UAC prompts then maybe Yes The advantage of blocking via software restriction policy is the user is forced to stop and go through the effort of undoing the CryptoPrevent protections.

 

UAC prompts really don't come into play with Encryptors as very few (none?) require elevated privilege; if you saw the video none of the 14 or so unique types of encryptors (that were at the times the video was made in the Wild) when executed resulted in a UAC prompt. For this class of malware UAC is essential only as it will prevent the malware from deleting the System Restore Points.

What is rather irritating for me is that although both the lay and tech press gleefully cover any new instance of Ransomware, I have never seen any comment that Windows already comes with native protection against them- and certainly no one pushing a product will bring this up.

 

Good posting, cruelsister.

So, i guess execution control (whitelisting, anti-exe) + file/folder permissions (e.g., Secure Folders) + separate data partition + turning on System Restore for that non-system partition + UAC/LUA to protect SR, should make any known crypto-infection a non-issue to worry, even for a noob.

Any ideas (@anyone)

a) how often files/folders get shadow-copied (automatically on creation/modification? - hopefully not...)?
b) actual file size : backed up file size ratio (=>optimal disk space to be assigned to SR for a non-system partition for "only restoring previous versions of files")?

PS. Maybe turning off SR for a system partition, while turning it on for any data partition, will become the new security trend...