CryptoPrevent is no longer based solely on Windows software restriction policies

Discussion in 'other anti-malware software' started by Dragon1952, Jun 17, 2014.

  1. Dragon1952

    Dragon1952 Registered Member

    Joined:
    Sep 16, 2012
    Posts:
    1,092
    Location:
    Hollow Earth - Telos
    Separated all main protection policies so they may be individually applied or removed.
    Added policy to disable Windows Sidebar/Gadgets due to security vulnerabilities.
    Daily updates are now for the new definitions, and a new weekly schedule will be created for application updates.
    New email options for bulk premium custom installers.
    Easier to install and apply protection with the free version. http://www.majorgeeks.com/files/details/cryptoprevent.html
     
  2. ky331

    ky331 Registered Member

    Joined:
    Jun 25, 2008
    Posts:
    143
    Please take special note of:

    New real-time ‘Filter Module’ that can filter certain executables against hash based definitions, can also filter based on other criteria using a more complex rule set, and allow user the option to run the file anyway. Enabled for CPL, SCR, and PIF files by default – advanced options allow to enable for EXE/COM files also (experimental!)

    "if you have the Filter Module enabled in v6 and above, your anti-malware software may report several false positives related to CryptoPrevent’s [restriction of policy] settings."

    Specifically, these registry keys may be detected as ‘modified‘ or ‘hijacked‘, and the value data will point to the CryptoPreventFilterMod.exe file in your installation directory.
    • scrfile\shell\open\command
    • cplfile\shell\open\command
    • piffile\shell\open\command
    If using the experimental EXE/COM filter, you can also expect to see these keys:
    • exefile\shell\open\command
    • comfile\shell\open\command
    And any key above may also have “runas” where “open” is, and affected values may include “(Default)” and “IsolatedCommand”.

    If these fit the category of your anti-malware detection, then they are definitely CryptoPrevent’s settings, and it is safe to tell your anti-malware software to ignore them and/or whitelist them.

    ===================

    Indeed, MBAM scans are coming up with [at least] the following two registry entries:

    Broken.OpenCommand, HKCR\piffile\shell\open\command, "C:\Program Files\Foolish IT\CryptoPrevent\CryptoPreventFilterMod.exe" *"Good: ("Bad: ("C:\Program Files\Foolish IT\CryptoPrevent\CryptoPreventFilterMod.exe" *"%1" %*),,[ffffffffffffffffffffffffffffffff]" %*)" %*, %4, %5

    Broken.OpenCommand, HKCR\scrfile\shell\open\command, "C:\Program Files\Foolish IT\CryptoPrevent\CryptoPreventFilterMod.exe" "Good: ("Bad: ("C:\Program Files\Foolish IT\CryptoPrevent\CryptoPreventFilterMod.exe" "%1" %*),,[ffffffffffffffffffffffffffffffff]" /S)" %*, %4, %5

    which must then be added to MBAM's Exclusions list.
     
    Last edited: Jun 18, 2014
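    The post above lists the file-association keys the Filter Module rewrites and says a detection on them is safe to whitelist only if the value points at CryptoPreventFilterMod.exe. The script below is an added example (not from this thread and not CryptoPrevent's own code) that enumerates every key/verb/value combination named above and reports whether each command actually resolves to that binary, so a hijack of the same keys by something else is not whitelisted by mistake. The expected path is the default install location shown in the MBAM lines; adjust it if CryptoPrevent is installed elsewhere.

```powershell
# Added example: audit scrfile/cplfile/piffile/exefile/comfile shell command keys
# and classify what each one launches. Assumption: default CryptoPrevent install path.
$expectedExe = 'C:\Program Files\Foolish IT\CryptoPrevent\CryptoPreventFilterMod.exe'

$progIds = 'scrfile', 'cplfile', 'piffile', 'exefile', 'comfile'
$verbs   = 'open', 'runas'              # the post notes "runas" may replace "open"
$values  = '(Default)', 'IsolatedCommand'

foreach ($progId in $progIds) {
    foreach ($verb in $verbs) {
        $keyPath = "Registry::HKEY_CLASSES_ROOT\$progId\shell\$verb\command"
        if (-not (Test-Path -LiteralPath $keyPath)) { continue }
        $key = Get-Item -LiteralPath $keyPath
        foreach ($name in $values) {
            # GetValue('') returns the (Default) value; named values are read directly
            $raw = if ($name -eq '(Default)') { $key.GetValue('') } else { $key.GetValue($name) }
            if ($null -eq $raw) { continue }

            # The launched executable is the first quoted token of the command line
            # (or the first whitespace-delimited token if it is not quoted)
            $exe = if ($raw -match '^"([^"]+)"') { $Matches[1] } else { ($raw -split ' ')[0] }

            $status = if ($exe -ieq $expectedExe) { 'CryptoPrevent Filter Module (safe to exclude)' }
                      elseif ($exe -like '*\CryptoPreventFilterMod.exe') { 'CryptoPrevent binary at non-default path - verify' }
                      else { 'NOT CryptoPrevent - investigate before excluding' }

            [pscustomobject]@{
                Key       = "HKCR\$progId\shell\$verb\command"
                Value     = $name
                Launches  = $exe
                ExeExists = Test-Path -LiteralPath $exe
                Status    = $status
                Command   = $raw
            }
        }
    }
}
```

Run it in a normal (non-elevated) session; HKCR is readable without admin rights. A row whose Launches column is anything other than the CryptoPrevent binary, or whose ExeExists is False, is the case where the anti-malware alert should not be dismissed.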
  3. TomAZ

    TomAZ Registered Member

    Joined:
    Feb 27, 2010
    Posts:
    1,002
    Location:
    USA
    For anyone using this newly designed/updated version (6.0), what's your opinion of it so far?
     
  4. SouthPark

    SouthPark Registered Member

    Joined:
    Jun 13, 2012
    Posts:
    260
    Location:
    USA
    I've been using it for about a week with no problems observed. There have been no definition updates during this time. Free version, all settings at default, W7-64.
     
  5. Cutting_Edgetech

    Cutting_Edgetech Registered Member

    Joined:
    Mar 30, 2006
    Posts:
    4,950
    Location:
    USA
    I think this is a very good decision on the developer's part considering how many applications already block Crypto Locker without requiring updates, and also block all other threats. Why use an application that only targets Crypto Locker when there are many that will block it, and also block all other threats? Policy based software like AppGuard, and anti-executable software like ERP, or VoodooShield that uses whitelisting will easily block Crypto Locker. Using CryptoPrevent would be redundant. A good HIPS will also block Crypto locker. I think this is a good move on the developer's part.
     
  6. WildByDesign

    WildByDesign Registered Member

    Joined:
    Sep 24, 2013
    Posts:
    1,629
    Location:
    Toronto, Canada
    I am glad that CryptoPrevent has decided to expand its capabilities because it has always had much more potential. I especially like the addition of the Policy Editor within the Advanced menu to easily create custom Whitelists and Blacklists.
     


  7. Dragon1952

    Dragon1952 Registered Member

    Joined:
    Sep 16, 2012
    Posts:
    1,092
    Location:
    Hollow Earth - Telos
    CryptoPrevent v7.3.x brings some new features, more clarity on protection levels, and improved protection!

    First, CryptoPrevent now supports SSL/TLS encryption and StartTLS for your SMTP server settings! This enables support for a wider variety of SMTP servers, allowing users requiring this level of encryption to configure their email alert functionality. Previously only SSL was supported. https://www.foolishit.com/new-cryptoprevent-v7-3-x-new-features-improved-protection/
     
  8. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    8,026
    Location:
    The Netherlands
    Is it correct that CryptoPrevent basically tries to protect against drive-by attacks in general? So if you run ransomware yourself, it won't do any good?
     
  9. EASTER

    EASTER Registered Member

    Joined:
    Jul 28, 2007
    Posts:
    5,632
    Location:
    U.S.A. (South)
    All this sh*#T is exactly what we had in classical HIPS custom user-defined rulesets until they were abandoned and users left twisting in the wind without them for x64 systems. Can't help but feel that today's so called security software vendors are completely responsible for their demise in order to, as Pete likes to make special note of in their defense, REVENUE FLOW.

    The best protections we ever had were always free and never the scams that have evolved now in perpetrating their security wares for a licensing fee and leave users at the mercy of a CryptoLock or other pieces of crapware.
     
  10. emmjay

    emmjay Registered Member

    Joined:
    Jan 26, 2010
    Posts:
    882
    Location:
    Triassic
    Updated today to version 7.3.5 (free version) and found that I had to disable real time monitoring in MBAM and my AV for the installation to finish. The setup takes an additional few mins to complete the group policies setup. At first I thought the setup was looping, but not so. A restart was necessary for the installation to complete. Wanted to see if there were any problems regarding the support for TLS encryption in this version after having installed the latest MS updates, especially the SSL/TLS patch. No problems as yet, but will report if I come across any. NB: using default setting.
     
  11. Victek

    Victek Registered Member

    Joined:
    Nov 30, 2007
    Posts:
    5,121
    Location:
    USA
  12. flatfly

    flatfly Registered Member

    Joined:
    Aug 25, 2010
    Posts:
    66
    • v7.4.20 (April 10 2015)
      • Added: New extension rules for batch scripts and javascript files (*.JS, *.JSE) as some v3 versions of Crypto-malware are using these file types as an infection method.
      • Redesigned: Software Restriction Policy Editor to allow resizing and longer listboxes (previously some longer rules were not displayed entirely due to the short listboxes.) *fonts may appear smaller this is a known issue and will be resolved in a future update*
      • Fixed: Block Temp Extracted Executables checkbox in the Advanced interface did not apply this setting when checked.

    source: http://www.foolishit.com/vb6-projects/cryptoprevent/technical-information/
     
  13. WildByDesign

    WildByDesign Registered Member

    Joined:
    Sep 24, 2013
    Posts:
    1,629
    Location:
    Toronto, Canada
    Apparently CryptoPrevent version 8 is coming soon with a new design:

    Link: http://www.foolishit.com/new-cryptoprevent-edition-coming-soon/


    Coming soon to Free Edition:

    • Redesigned interface to add simplicity in usage and an intuitive user interface with more detail for advanced users.

    Coming soon to Premium Edition:

    • New ‘QuickAccess’ system tray app to easily access frequently used features!
    • New ‘Terminate Non-Essential Processes’ on-demand option to forcibly close all unnecessary programs that are not essential to Windows. This gives you the ability to close malicious pop-ups without executing malicious code potentially in the ‘close’ button (big red X in the top right corner of the window) or by using the Windows Task Manager and having to determine what ‘process’ the program is in the list.

    Coming soon to Bulk/Resale Edition:
    • Centrally manage and remotely deploy updated configurations!!!
     
  14. Victek

    Victek Registered Member

    Joined:
    Nov 30, 2007
    Posts:
    5,121
    Location:
    USA
  15. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    8,026
    Location:
    The Netherlands
    I don't really understand the fuss about this tool. It will try to protect you from ransomware delivered by drive-by attacks. But what if you open/download the malware yourself? Then it can't help you, or am I missing something?
     
  16. cruelsister

    cruelsister Registered Member

    Joined:
    Nov 6, 2007
    Posts:
    976
    Location:
    Paris
    Sadly what is never said is that a user that keeps both UAC (even at the lowest level) and System Restore enabled has nothing to fear from Ransomware Encryptors. I did a video demonstrating this protection versus different types of encryptors (including Fortress, which encrypts executables).

    For any interested, google "Ransomware Encryptors vs UAC and System Restore".
     
  17. Peter2150

    Peter2150 Global Moderator

    Joined:
    Sep 20, 2003
    Posts:
    17,042
    How is system restore going to help protect files on non c: drives?
     
  18. cruelsister

    cruelsister Registered Member

    Joined:
    Nov 6, 2007
    Posts:
    976
    Location:
    Paris
    By enabling System Restore on non-C drives.
     
  19. Peter2150

    Peter2150 Global Moderator

    Joined:
    Sep 20, 2003
    Posts:
    17,042
    Ah. Interesting, but no thanks.
     
  20. Victek

    Victek Registered Member

    Joined:
    Nov 30, 2007
    Posts:
    5,121
    Location:
    USA
    It protects by preventing executables from running from the locations typically used by crypto-ransomware, for instance %appdata%

    https://www.youtube.com/watch?v=M4dNuZYGgMM

    The above link is for a video demoing an older version of CryptoPrevent, but you will get the idea. AFAICT the user cannot run any executable from protected locations that isn't white-listed.
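    Since the protection described above is implemented as Software Restriction Policy path rules, the quickest way to see exactly which locations are blocked and which are whitelisted on a given machine is to read those rules back from the registry. The script below is an added example (not from this thread and not CryptoPrevent's own code); it assumes only the standard SRP registry layout under Policies\Microsoft\Windows\Safer and lists every path rule with its security level in both the machine and the user hive.

```powershell
# Added example: dump the Software Restriction Policy path rules that are in force.
# Level keys under CodeIdentifiers are the numeric SRP security levels.
$levelNames = @{ 0 = 'Disallowed'; 4096 = 'Untrusted'; 65536 = 'Constrained';
                 131072 = 'Basic User'; 262144 = 'Unrestricted' }

foreach ($hive in 'HKLM', 'HKCU') {
    $base = "${hive}:\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers"
    if (-not (Test-Path -LiteralPath $base)) { continue }

    # DefaultLevel is what applies to anything no rule matches (normally Unrestricted)
    $default = (Get-ItemProperty -LiteralPath $base -ErrorAction SilentlyContinue).DefaultLevel
    if ($null -ne $default) { "$hive default level: $($levelNames[[int]$default])" }

    foreach ($levelKey in Get-ChildItem -LiteralPath $base) {
        # Only the numeric level keys hold rules; skip anything else
        if ($levelKey.PSChildName -notmatch '^\d+$') { continue }
        $level    = [int]$levelKey.PSChildName
        $pathsKey = "$($levelKey.PSPath)\Paths"
        if (-not (Test-Path -LiteralPath $pathsKey)) { continue }

        foreach ($rule in Get-ChildItem -LiteralPath $pathsKey) {
            $props = Get-ItemProperty -LiteralPath $rule.PSPath
            [pscustomobject]@{
                Hive        = $hive
                Level       = $levelNames[$level]
                Path        = $props.ItemData      # the pattern, e.g. %AppData%\*.exe
                Description = $props.Description
                RuleId      = $rule.PSChildName    # GUID of the rule
            }
        }
    }
}
```

Rules at level Disallowed are the blocks (this is where %AppData% style entries show up); rules at level Unrestricted are the whitelist exceptions. Because the whitelist is ordinary registry data, the same listing is worth re-running after any installer or update that touched the policy, to confirm no unexpected Unrestricted path was added.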
     
  21. RejZoR

    RejZoR Registered Member

    Joined:
    May 31, 2004
    Posts:
    6,426
    Is this only for CryptoLocker specifically or is this a general prevention for all crypto malwares?
     
  22. Victek

    Victek Registered Member

    Joined:
    Nov 30, 2007
    Posts:
    5,121
    Location:
    USA
    https://www.foolishit.com/cryptoprevent-malware-prevention-2/general-faq/

    "Will this protect against other ‘Crypto’ type ransomware such as CryptoDefense, CryptoWall, etc., and their newer v2/v3 and future variants??

    There are a number of new CryptoLocker clones emerging that can also be prevented by CryptoPrevent. The majority of these are protected against by default protections in their older versions, but newer variants are coming out that can only be stopped by the Maximum Protection + Program Filtering (BETA) option, which uses a definitions based system to keep current with known malware threats. This is however a “BETA” which means it is not fully tested on all platforms. Also note this option is not available with the portable edition of CryptoPrevent.


    The newer variants require the Max Protection + Program Filtering BETA because most of this stuff has figured out how to get around the original “Software Restriction Policy” based protections provided by CryptoPrevent at the Max and lower levels. It is the Program Filtering component that protects against these threats by using a pseudo-real-time filter that is definitions based."
     
  23. Victek

    Victek Registered Member

    Joined:
    Nov 30, 2007
    Posts:
    5,121
    Location:
    USA
    https://www.youtube.com/watch?v=9VhZGa-NP0w

    If only people would stop and actually evaluate UAC prompts then maybe Yes :) The advantage of blocking via software restriction policy is the user is forced to stop and go through the effort of undoing the CryptoPrevent protections.
     
    Last edited by a moderator: May 17, 2015
  24. cruelsister

    cruelsister Registered Member

    Joined:
    Nov 6, 2007
    Posts:
    976
    Location:
    Paris
    UAC prompts really don't come into play with Encryptors as very few (none?) require elevated privilege; if you saw the video none of the 14 or so unique types of encryptors (that were at the time the video was made in the Wild) when executed resulted in a UAC prompt. For this class of malware UAC is essential only as it will prevent the malware from deleting the System Restore Points.

    What is rather irritating for me is that although both the lay and tech press gleefully cover any new instance of Ransomware, I have never seen any comment that Windows already comes with native protection against them, and certainly no one pushing a product will bring this up.
     
  25. CGuard

    CGuard Registered Member

    Joined:
    Mar 2, 2012
    Posts:
    145
    Good posting, cruelsister.

    So, I guess execution control (whitelisting, anti-exe) + file/folder permissions (e.g., Secure Folders) + separate data partition + turning on System Restore for that non-system partition + UAC/LUA to protect SR, should make any known crypto-infection a non-issue to worry, even for a noob.

    Any ideas (@anyone)

    a) how often files/folders get shadow-copied (automatically on creation/modification? - hopefully not...)?
    b) actual file size : backed up file size ratio (=>optimal disk space to be assigned to SR for a non-system partition for "only restoring previous versions of files")?

    PS. Maybe turning off SR for a system partition, while turning it on for any data partition, will become the new security trend...
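    The last few posts rely on two things: System Restore being enabled on the data partition (not just C:), and the shadow copies surviving, which is what UAC is said to guard. The script below is an added example (not from this thread) that does the enabling step and then reports, per volume, how much shadow storage is in use versus allowed and which shadow copies currently exist; the second part is also a direct answer to the space question in (b), since it reads the real used/allocated figures instead of guessing a ratio. Drive letter D: and the 10% cap are assumptions; it needs an elevated Windows PowerShell 5.1 session because Enable-ComputerRestore is not available in PowerShell 7.

```powershell
# Added example: enable System Restore on a data volume and report shadow copy state.
# Assumptions: data volume is D:, shadow storage capped at 10% of the volume.
$dataDrive = 'D:\'
$vol = $dataDrive.TrimEnd('\')      # "D:" form that vssadmin expects

# Turn on System Restore (Volume Shadow Copy based) for the data volume
Enable-ComputerRestore -Drive $dataDrive

# Cap the space shadow copies may use; when the cap is hit the oldest copies are discarded
vssadmin resize shadowstorage "/for=$vol" "/on=$vol" "/maxsize=10%"

# Create a restore point now so there is at least one previous version to go back to.
# Windows rate-limits this to one per 24 hours by default and will warn if skipped.
Checkpoint-Computer -Description 'Baseline after enabling SR on data volume' -RestorePointType 'MODIFY_SETTINGS'

# Map volume GUID paths to drive letters so the report is readable
$letters = @{}
Get-CimInstance Win32_Volume | Where-Object DriveLetter | ForEach-Object {
    $letters[$_.DeviceID] = $_.DriveLetter
}

# Used / allocated / maximum shadow storage per volume
Get-CimInstance Win32_ShadowStorage | ForEach-Object {
    [pscustomobject]@{
        Volume      = $letters[$_.Volume.DeviceID]
        UsedGB      = [math]::Round($_.UsedSpace / 1GB, 2)
        AllocatedGB = [math]::Round($_.AllocatedSpace / 1GB, 2)
        MaxGB       = [math]::Round($_.MaxSpace / 1GB, 2)
    }
}

# Shadow copies that currently exist, per volume. An empty list on a volume that
# had copies earlier is the sign that something deleted them.
Get-CimInstance Win32_ShadowCopy | ForEach-Object {
    [pscustomobject]@{
        Volume  = $letters[$_.VolumeName]
        Created = $_.InstallDate
        Id      = $_.ID
    }
}
```

Running only the two reporting sections (no Enable/resize/Checkpoint) is safe on any machine and is a reasonable periodic check; the used-versus-allocated numbers show whether the cap is large enough to keep more than one generation of previous versions for the data set.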
     