CrytoPrevent

Discussion in 'other software & services' started by clubhouse1, Dec 26, 2013.

Thread Status:
Not open for further replies.
  1. clubhouse1

    clubhouse1 Registered Member

    Joined:
    Sep 26, 2013
    Posts:
    533
    Location:
    UK
    Not sure where this belongs or if it is a already a part of many others arsenal...

    Anyway.....

    Current Version: 4.3

    CryptoPrevent is a tiny utility to lock down any Windows OS (XP, Vista, 7, 8, and 8.1) to prevent infection by the Cryptolocker malware or ‘ransomware’, which encrypts personal files and then offers decryption for a paid ransom.

    Incidentally, due to the way that CryptoPrevent works, it actually protects against a wide variety of malware, not just Cryptolocker!




    Prevention Methodology

    CryptoPrevent artificially implants group policy objects into the registry in order to block certain executables in certain locations from running. The number of rules created by CryptoPrevent is somewhere between 150 and 200+ rules depending on the OS and options selected, not including whitelisting! Note that because the group policy objects are artificially created, they will not display in the Group Policy Editor on a Professional version of Windows — but rest assured they are still there! Executables now protected against (starting with v2.6) are *.exe *.com *.scr and *.pif, and these executables are blocked in the paths below where * is a wildcard:

    %appdata% / %localappdata% / Recycle Bin - These locations are used by Cryptolocker and other malware as launch points.

    %appdata% and any first-level subdirectories in %appdata% (e.g. %appdata%\directory1, %appdata%\directory2, etc.)
    %localappdata% (and on Windows XP, any first-level subdirectories in there.) NOTE beginning with v2.2, any time %localappdata% is referred to on this page, it also refers to %userprofile%\Local Settings\Application data on Windows XP, where %localappdata% is not an actual environment variable.
    The All Users application data and local settings\application data paths on XP.
    The Recycle Bin on all drives, and multiple nested subfolders.

    %userprofile% / %programdata% / Startup Folder

    the %userprofile% and %programdata% paths (no nested subfolders.)
    the Startup folder located in the Start menu > All Programs > Startup

    Fake File Extension Executables: (ex. document.docx.exe)

    *.x.y where:
    x = pdf, doc, docx, xls, xlsx, ppt, pptx, txt, rtf, zip, rar, 7z, jpeg, jpg, png, gif, avi, mp3, wma, wmv, wav, divx, mp4
    y = exe, com, scr, and pif.
    with v4.1, now includes RLO (Right to Left Override) exploit protection.

    Temp Extracted Executables in Archive Files:

    %temp%\rar* directories
    %temp%\7z* directories
    %temp%\wz* directories
    %temp%\*.zip directories

    The final four locations above are temporary extract locations for executables when run from directly inside of a compressed archive (e.g. you open download.zip in Windows Explorer, WinRAR, WinZip, or 7zip, and execute an .EXE from directly inside the download, it is actually extracted to a temporary location and run from there – so this guards against that as well; however this option may interfere with certain program installations (e.g. Firefox) and for this reason this option is NOT recommended for most people.)

    NOTE the variable %temp% is no longer used, and instead the actual temp file path is expanded after %userprofile%. There is an apparent bug in Microsoft’s software prevention policies that does not allow for the %temp% environment variable to be used in the rules (as it does allow %appdata% or %userprofile%)… so protection for %temp% folders is now applied by expanding the full path to the user’s temp folder (after %userprofile%) in each rule set. In prior versions, CryptoPrevent attempted to use the %temp% environment variable to protect all user accounts, but it was later discovered that methodology wasn’t working on all systems. If you applied protection with prior versions and want temp extracted exes blocked, you may want to reapply protection with v2.2 to ensure it will work for you.

    Protection does not need to be applied while logged into each user account, it may be applied only once from ANY user account and it will protect all user accounts on the system.




    hxxp://-www.foolishit.com/vb6-projects/cryptoprevent-
     
  2. TomAZ

    TomAZ Registered Member

    Joined:
    Feb 27, 2010
    Posts:
    1,002
    Location:
    USA
    Is CyrptoPrevent compatible with other AV software, AppGuard, NoVirusThanks ERP, etc?
     
  3. clubhouse1

    clubhouse1 Registered Member

    Joined:
    Sep 26, 2013
    Posts:
    533
    Location:
    UK

    Not sure about the other security you mention, but from the cryto site...

    "Does CryptoPrevent work with my existing Anti-Virus software?"

    Yes. Because CryptoPrevent is not an active monitor, it only writes these rules for Windows to follow and that’s it, it will sit peacefully along side any Anti-Virus software without issue.
     
  4. JRViejo

    JRViejo Global Moderator

    Joined:
    Jul 9, 2008
    Posts:
    20,905
    Location:
    U.S.A.
Thread Status:
Not open for further replies.