I'll repeat my question from above - instead of making all these deny rules for user-areas and temp folders (what for ex. Cryptoprevent actually does), won't it be as secure to set the Security level in SRP to "disallowed" by default and then create allow rules for the software that needs to run from these areas.
So...maybe we should come back to the ThreatFire that offers protection against files with a suspicious double extension? Back to topick...how do you consider sandbox and LV protection? I have some doubts because such apps isolate only specific areas of system or mostly only system disk...not every do it on other reachable disks that are reachable for malware. Waht about files on other disk? If malware that is running in sandbox...or on virtual mode...encrypts files in other locations are they able to revert previous good version? If I'm using SD, TTF, WTF in virtual mode on system disk only for example, I think my files in other locations would be lost...but I don't know how is it with Sbie?...if some "out-off-system disk" files are corrupted, they are able to be healthy again?
Right, which is what I've done. The policy set is default deny (Disallowed). Those rules you see in the ss show whitelisted path entries, alhtough in a few cases i've whitelisted directory paths.
Thanks for the illustrations, Rich! Noteworthy as well, as described in the link below, the trojan also contacts the attacker's server to obtain the public key and bitcoin address, so an outbound control firewall should stop this comms, although of course with proper protection mechanisms in place, things should not reach this point in the first place. -http://labs.bitdefender.com/2013/10/cryptolocker-ransomware-makes-a-bitcoin-wallet-per-victim/
In addition to all of the mentioned protection methods, users of Panda Cloud can add whatever files they wish protected from ransomware to the Data Shield.
You are welcome! I clicked on your link but nothing happens. Regarding SRP mentioned by several: configured correctly, SRP should block any unauthorized executable from running. From the computer -- could be email attachment, USB, etc: [screenshot courtesy of Wilders member tlu] ---- rich
A number of users of our free DNS service were infected with the malware (we’ll show some simple stats later on). OpenDNS customers using Umbrella are protected against losing their valuable data to Cryptolocker because we successfully cut off the outbound communication initiated by the malware for retrieving the encryption key.....http://labs.umbrella.com/2013/11/05...al&utm_campaign=cryptolocker-remains-at-large
I was reminded last evening that using the old GRC Leaktest, people can test to see if their firewall blocks unauthorized programs from connecting out: http://www.bleepingcomputer.com/forums/t/506924/cryptolocker-hijack-program/page-81#entry3191424 It's an executable designed to connect out back to the GRC.com web server. If the firewall denies outbound access to unauthorized programs, then: ---- rich
Those double extension issues reminds me of WormGuard ... Oh, how I wished that DCS wasn't ever gone down and that their progs were further developped... Oh those days ... Back to topic.
Can't say for anything before 7, but 7 and 8 have a built-in system imaging tool. It's basic but does its job just fine in backup and restore system image. I also had a pretty good experience with Macrium Reflect and AX64, just be sure to pick the right WinPE for recovery media. For personal files, I prefer to backup manually. If you are using XP Pro, it's just as easy as typing gpedit.msc in the search bar. Then see this: http://www.mechbgon.com/srp/ If XP Home, then see this: https://www.wilderssecurity.com/showpost.php?p=2300080&postcount=131 @SRP talks Say, what if the whitelisted programs being hijacked? Do all malware need to execute first before doing anything at all? @Double extension talks You can just configure Windows to show multiple file extensions.
Exploits run inside the browser and from there can inject into other processes. Both browser and other processes already run.
That would expose the trick as used in the CryptoLocker exploit. There are other ways of using the double extension trick, but that is getting off topic from what the current exploit is doing. ---- rich
Beware: CryptoLocker Ransomware Ups the Ante! http://www.davescomputertips.com/beware-cryptolocker-ransomware-ups-the-ante/
Would it work to "double up" on cryptolocker protection? I.E use HMP.Alert 2.5 and Cryptoprevent at the same time or would this not help at all?
Good question. I am using Panda Cloud which has the Data Shield feature that they say will protect whatever files you put there from ransomware. I also installed CryptoPrevent as it adds SRP rules with its function. There are no obvious signs of conflict, but I do wonder if they may not degrade the effectiveness of each other.
Why not? CryptoPrevent *should* prevent the infection in the first place -- if not HMP.Alert should prevent the encryption from taking place. The two will definitely not conflict with each other as HMP.Alert installs a driver to monitor for and block the encryption, while CryptoPrevent just installs policies to block offending apps via Group Policy.
Thanks, i added cryptoprevent back on my system along with HMP.alrt 2.5. Feeling like i got my basis coverered against this infection now
