CryptoPrevent is no longer based solely on Windows software restriction policies

Discussion in 'other anti-malware software' started by Dragon1952, Jun 17, 2014.

  1. chrcol

    chrcol Registered Member

    Joined:
    Apr 19, 2006
    Posts:
    982
    Location:
    UK
    Another quick update: the app seems to work fine on Win10.

    So I guess SRP is just broken on my win7 rig somehow.

    I will install it on my win7 laptop and see what happens there.
     
  2. luciddream

    luciddream Registered Member

    Joined:
    Mar 22, 2007
    Posts:
    2,545
    Well stated. And this is one of the main reasons I'm not yet ready to migrate to x64, despite even having a machine now with 16 GB of RAM running at 1866 MHz. I use that setup only for gaming.

    If one would just take the time to set the rules once for each app with a classic HIPS they wouldn't have to mess around with all this other stuff.

    Also SRP & Applocker rules can be created to defeat this stuff, no software required.
     
  3. Victek

    Victek Registered Member

    Joined:
    Nov 30, 2007
    Posts:
    6,219
    Location:
    USA
    Some new goodness coming for CryptoPrevent:

    "CryptoPrevent Update released v7.4.21 (Email Sending Fix)

    While it’s not the upcoming v8 update, we released a minor revision to v7 of CryptoPrevent yesterday! There was an issue for some users where sending emails would not work. With this update that issue has been resolved and all SRP block messages should receive an email alert if you have them configured. If you are using automatic updates this version will be downloaded and updated automatically.


    We are currently targeting the end of this week to have a beta of CryptoPrevent v8 so everyone can add to the testing to make sure everything is working as expected if not better for the full release push. Keep an eye on our blog posts to get more information when that is available and how to get it/report any issues you may find!"
     
  4. EASTER

    EASTER Registered Member

    Joined:
    Jul 28, 2007
    Posts:
    11,126
    Location:
    U.S.A. (South)
    It's been for quite some time now (once again) like let's let the bad guys turn it all loose in the field then we will build to suit. I say Bah!! formulate once again in addition to the other great apps around a granite virtual foolproof solid classical HIPS for those who will take the time to fine tune it and the malware threats are DONE. It will still make security businesses plenty of scratch such as annual license fees and all the other poke and grab offers to the rest of the masses in order to draw in the uninterested or others who are simply just not up to it.
     
  5. chrcol

    chrcol Registered Member

    Joined:
    Apr 19, 2006
    Posts:
    982
    Location:
    UK
    In regards to my earlier post, the culprit is AppLocker: when AppLocker is enabled, SRP is auto-disabled; they both cannot run together.

    On this machine I decided to manually add the SRP rules CryptoPrevent creates to AppLocker alongside my existing rules, since AppLocker I think is better due to being able to use hashes.

    I still don't use the BETA feature though, as it causes weird behaviour.

    Also interesting advice regarding HIPS, would be cool if people shared their manual HIPS configurations (ESET ones especially).

    I think AppLocker is the best protection, followed by SRP and then followed by HIPS for file execution whitelisting; however, HIPS is probably a good layer to have on top of SRP/AppLocker.
     
  6. itman

    itman Registered Member

    Joined:
    Jun 22, 2010
    Posts:
    8,592
    Location:
    U.S.A.
    Below are my Eset HIPS rules.

    Note that Eset retail ver. HIPS does not support wildcards i.e. "*" in file names e.g. *.exe, *.scr, etc. So your only option available is "start a new application." I have tested that this does work for exe's that are disguised such as somename.scr, etc. Actually, if Eset ever gets off their butt and allows filename wildcarding, then a rule can be added to actually block file creation in the directories where ransomware downloads to. Additionally, I have Eset rules to block script e.g. cmd, java, wscript execution of apps in %AppData% and %Windows%\Temp directories.

    Rule 1 - Ask rule for file changes to where image backups are stored
    Eset_Crypto_1.png

    Rule 1 continued - Ask rule for executable startup in temp directories
    Eset_Crypto_2.png

    Rule 2 - ask rule to monitor shadow volume and associated like program usage
    Eset_Crypto_3.png
     
  7. Victek

    Victek Registered Member

    Joined:
    Nov 30, 2007
    Posts:
    6,219
    Location:
    USA
    No sign yet of the v8 beta of CryptoPrevent and no revised release date on the website. Since it was promised for release in mid November it's a little disappointing :thumbd:
     
  8. chrcol

    chrcol Registered Member

    Joined:
    Apr 19, 2006
    Posts:
    982
    Location:
    UK
    thanks itman
     
  9. EASTER

    EASTER Registered Member

    Joined:
    Jul 28, 2007
    Posts:
    11,126
    Location:
    U.S.A. (South)
    You're not the only one who's been waiting. And the waiting once again just drags on more.
     
  10. paulderdash

    paulderdash Registered Member

    Joined:
    Dec 27, 2013
    Posts:
    4,639
    Location:
    Under a bushel ...
    Maybe they got hit by ransomware ;)
     
  11. Victek

    Victek Registered Member

    Joined:
    Nov 30, 2007
    Posts:
    6,219
    Location:
    USA
    The problem I have is not knowing if v8 is just a UI overhaul or if protection is also being improved. If it's the latter then it doesn't inspire confidence that they are so slow to implement improvements.
     
  12. WildByDesign

    WildByDesign Registered Member

    Joined:
    Sep 24, 2013
    Posts:
    2,587
    Location:
    Toronto, Canada
    Some new details: https://www.foolishit.com/2016/02/cryptoprevent-version-8-pre-release-sale/

     
  13. Victek

    Victek Registered Member

    Joined:
    Nov 30, 2007
    Posts:
    6,219
    Location:
    USA
  14. WildByDesign

    WildByDesign Registered Member

    Joined:
    Sep 24, 2013
    Posts:
    2,587
    Location:
    Toronto, Canada
    You're welcome. It's been taking quite a while for version 8, it seems. Although now that the blog mentions a 100% code re-write, I can understand the delay now.
     
  15. guest

    guest Guest

    Is it worth the purchase? $12 lifetime license.
    Does it just protect against cryptoware or does it do something else? Is it intended for home PCs or only for servers?
    I guess it has exactly the same scope as Malwarebytes Anti-Ransomware.
     
  16. Victek

    Victek Registered Member

    Joined:
    Nov 30, 2007
    Posts:
    6,219
    Location:
    USA
    CryptoPrevent protects by placing restrictions on the folders crypto-malware uses to execute, in other words it uses SRP (software restriction policies). Regarding the scope of protection this is from the FAQ page:

    "Will this protect against other malware?
    YES! A LOT of trojan based malware out there utilizes the same infection tactics and launch point locations as CryptoLocker, therefore CryptoPrevent will protect against all malware that fits the same or similar profile and behavior. Additionally new SRP rules to the existing protection system, plus new protection types (and definition updates) integrated into CryptoPrevent […]"


    https://www.foolishit.com/faq_category/cryptoprevent-main/

    I use CryptoPrevent together with HitmanPro.Alert, which has an active protection against crypto-ransomware.
     
  17. paulderdash

    paulderdash Registered Member

    Joined:
    Dec 27, 2013
    Posts:
    4,639
    Location:
    Under a bushel ...
    Ditto. Hope they stay compatible. See this post.
     
  18. guest

    guest Guest

    Are there any incompatibilities or annoyances while installing new software or executing it, due to how CryptoPrevent restricts different folders and enables new policies?

    I read that the free version doesn't allow you to edit the settings. Does this mean that you can't change anything, or can you at least change the general security settings like:
    http://i1-win.softpedia-static.com/screenshots/CryptoPrevent_1.png
     
  19. Victek

    Victek Registered Member

    Joined:
    Nov 30, 2007
    Posts:
    6,219
    Location:
    USA
    One difference between the free and paid versions of CryptoPrevent v7 is automatic updates. For more info see here:

    https://www.foolishit.com/cryptoprevent-malware-prevention/

    Depending on the protection level you set it may be necessary to temporarily disable CryptoPrevent protection to install new software. I use the "default" setting and have not needed to disable it. The Maximum Protection level says "this option may prevent legitimate software from installing/uninstalling and should be disabled..." (temporarily).

    I suggest installing the free version so you can see how it works.
     
  20. paulderdash

    paulderdash Registered Member

    Joined:
    Dec 27, 2013
    Posts:
    4,639
    Location:
    Under a bushel ...
    Agree. I also use the default setting, and it has always been silent - no 'annoyances'.
     
  21. guest

    guest Guest

    I have installed it but I don't see any process running in the background.
    Is everything fine and the program just changes Windows policies so it doesn't require a process?
    Then what does it do with the definitions (like AV definitions)?
     
  22. With Software Restriction Policies it is also possible to add hash rules. So maybe these 'definitions' are hash based block rules of the latest ransomware?

    upload_2016-2-11_11-4-32.png
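
One way to check what the posts above discuss: whether SRP path and hash rules are actually written to policy, and whether AppLocker rules are also present (the conflict chrcol reports in post 5). This is an added example, not part of the thread and not CryptoPrevent's own code; `Get-SrpRule` and `Get-AppLockerRuleCount` are hypothetical helper names, and the script only reads the standard Windows policy registry keys.

```powershell
# Added example (not from the thread): read-only audit of SRP and AppLocker policy keys.
# Helper names are hypothetical; the registry paths are the standard Windows policy locations.
$srpRoot = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers'
$alRoot  = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\SrpV2'

function Get-SrpRule {
    # SRP keeps rules under <root>\<level>\Paths|Hashes\{GUID}; level 0 is "Disallowed".
    param([string]$Root = $srpRoot)
    foreach ($kind in 'Paths', 'Hashes') {
        $key = Join-Path $Root "0\$kind"
        if (-not (Test-Path $key)) { continue }
        foreach ($rule in Get-ChildItem $key) {
            $p = Get-ItemProperty -Path $rule.PSPath
            # ItemData is a string for path rules and a byte array for hash rules.
            $target = if ($p.ItemData -is [byte[]]) {
                ($p.ItemData | ForEach-Object { $_.ToString('x2') }) -join ''
            } else { $p.ItemData }
            [pscustomobject]@{ Kind = $kind; Target = $target; Description = $p.Description }
        }
    }
}

function Get-AppLockerRuleCount {
    # AppLocker keeps one subkey per rule collection (Exe, Msi, Script, Dll, Appx),
    # each holding one subkey per rule and an EnforcementMode value (1 = enforce).
    param([string]$Root = $alRoot)
    if (-not (Test-Path $Root)) { return }
    foreach ($coll in Get-ChildItem $Root) {
        [pscustomobject]@{
            Collection = $coll.PSChildName
            Rules      = @(Get-ChildItem $coll.PSPath).Count
            Enforced   = ((Get-ItemProperty $coll.PSPath).EnforcementMode -eq 1)
        }
    }
}

$srp = @(Get-SrpRule)
$al  = @(Get-AppLockerRuleCount | Where-Object { $_.Rules -gt 0 })

"SRP disallow rules found: $($srp.Count)"
$srp | Format-Table -AutoSize -Wrap

if ($al.Count -gt 0) {
    $al | Format-Table -AutoSize
    if ($srp.Count -gt 0) {
        Write-Warning 'AppLocker rules are present; as reported in the thread, the SRP rules listed above will not be applied alongside them.'
    }
}
```

Rows with Kind "Hashes" would indicate hash-based block rules of the sort post 22 speculates about; an empty list means no disallow rules are in machine policy.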
     
  23. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    17,546
    Location:
    The Netherlands
    Why would you use CryptoPrevent when you could use anti-exe like EXE Radar? I never understood all the hype. Are there any advantages?
     
  24. paulderdash

    paulderdash Registered Member

    Joined:
    Dec 27, 2013
    Posts:
    4,639
    Location:
    Under a bushel ...
    Hmm ... probably not. I had CryptoPrevent installed before I came across ERP.
     
  25. guest

    guest Guest

    Maybe because the anti exe's are a pain... tons of popups
     