CryptoLocker Ransomware + CryptoPrevent Q&A

Started by Corrine, October 13, 2013, 01:30:34 AM


ky331

Just noting that CryptoPrevent hasn't been updated in quite a while... still at v4.3. Nonetheless, I see that the homepage has been updated to declare:

UPDATE:  Feb 6th 2014:  YES, CryptoPrevent still protects against the latest strains of CryptoLocker!!!

Corrine

There is a new one out called CryptorBit. As usual, Grinler has done an excellent job: CryptorBit and HowDecrypt Information Guide and FAQ.


Take a walk through the "Security Garden" -- Where Everything is Coming up Roses!

Remember - A day without laughter is a day wasted.
May the wind sing to you and the sun rise in your heart.

MikeW

Win 11 Home MS Edge - WD - Mbam Pro

LilBambi

Thanks! Do you think there will ever be an auto update feature for CryptoPrevent? Would be easier for use on friend/family/client computers.

We have no problems updating manually, but you know how some folks are about that. It will just never get done.
Bambi
AKA Fran
Jim-Fran.com

Basil

Hi Fran,
I think there is an auto update feature but only on the Premium version. ($19.95)
As I visit the Foolish IT website at least every couple of days, I personally do not need it, but I know exactly what you mean by people not updating...
CryptoPrevent Premium | Computer Technician - PC Repair Software |Foolish IT LLC

LilBambi

Quote from: Basil on May 18, 2014, 06:36:08 PM
Hi Fran,
I think there is an auto update feature but only on the Premium version. ($19.95)
As I visit the Foolish IT website at least every couple of days, I personally do not need it, but I know exactly what you mean by people not updating...
CryptoPrevent Premium | Computer Technician - PC Repair Software |Foolish IT LLC

Thanks Basil!

LilBambi

Thanks for all the updates!

ky331

Observation: CryptoPrevent offers TWO versions of its FREE program, a "portable" version (which can be run from any location), and an "installer" version (offering a setup installer with full uninstall support). Apparently, I'm running the "portable" version on my test system... and the portable version does not support the Filter Module, which is only available in the installer version. As such, I don't have to be concerned about the filter module running continually in real time. Indeed, I see where the author now warns: "if you have the Filter Module enabled in v6 and above, your anti-malware software may report several false positives related to CryptoPrevent's [restriction of policy] settings."

Screenshots attached show:
1) the "old" v5.2.2 main screen
2) the new v6.0 main screen, and
3) a sample of the new Advanced / Software Restriction Policies / Policy Editor (for path rules) screen:

MikeW

MBAM shows an FP; they have to be added to the exclude list.

ky331

"if you have the Filter Module enabled in v6 and above, your anti-malware software may report several false positives related to CryptoPrevent's [restriction of policy] settings."

Specifically, these registry keys may be detected as 'modified' or 'hijacked', and the value data will point to the CryptoPreventFilterMod.exe file in your installation directory.
scrfile\shell\open\command
cplfile\shell\open\command
piffile\shell\open\command

If using the experimental EXE/COM filter, you can also expect to see these keys:
exefile\shell\open\command
comfile\shell\open\command

And any key above may also have "runas" where "open" is, and affected values may include "(Default)" and "IsolatedCommand"

If these fit the category of your anti-malware detection, then they are definitely CryptoPrevent's settings, and it is safe to tell your anti-malware software to ignore them and/or whitelist them.
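
The notice above lists the keys but leaves it to you to eyeball them. The following is an added example, written for this thread rather than taken from Foolish IT or Malwarebytes, that reads those five ProgIDs (open and runas verbs, (Default) and IsolatedCommand values) and flags every command that no longer launches the file directly, which is the condition MBAM reports as Broken.OpenCommand. It then says whether the interposer is CryptoPreventFilterMod.exe, so you can tell a CryptoPrevent setting from a hijack by something else. What counts as a "stock" command (the file itself via "%1", or a .cpl handed to control.exe / rundll32.exe under System32) is my assumption for Windows 7 through 11, and the filter-module file name is taken from the MBAM export posted later in this thread; adjust both if your build differs.

```powershell
# Added example, not Foolish IT's or Malwarebytes' code. Read-only audit of the
# ProgID shell command values that CryptoPrevent's Filter Module rewrites.
# HKCR is readable without elevation; nothing here writes to the registry.

$ProgIds    = 'exefile', 'comfile', 'piffile', 'scrfile', 'cplfile'
$Verbs      = 'open', 'runas'
$ValueNames = '(default)', 'IsolatedCommand'   # the two values the notice names

# Assumed file name (from the MBAM export quoted in this thread).
$FilterModLeaf = 'CryptoPreventFilterMod.exe'

# First quoted token of a command line, otherwise its first word.
function Get-CommandExecutable {
    param([string]$Command)
    if ($Command -match '^\s*"([^"]+)"') { return $Matches[1] }
    return ($Command.Trim() -split '\s+', 2)[0]
}

# Assumption: a stock Windows command runs the file itself ("%1" ...) or hands
# a .cpl to control.exe / rundll32.exe. Anything else is an interposer.
function Test-StockShellCommand {
    param([string]$Command)
    $exe = Get-CommandExecutable $Command
    if ($exe -eq '%1') { return $true }
    $expanded = [Environment]::ExpandEnvironmentVariables($exe)
    $system32 = Join-Path $env:SystemRoot 'System32'
    if ($expanded -like "$system32\*") { return $true }
    # Coarse: an unqualified control.exe / rundll32.exe is treated as stock.
    $leaf = [IO.Path]::GetFileName($expanded)
    return ($leaf -in 'control.exe', 'rundll32.exe') -and ($expanded -notmatch '\\')
}

function Get-ShellCommandAudit {
    foreach ($progId in $ProgIds) {
        foreach ($verb in $Verbs) {
            $path = "Registry::HKEY_CLASSES_ROOT\$progId\shell\$verb\command"
            if (-not (Test-Path -LiteralPath $path)) { continue }   # e.g. no runas verb
            $props = Get-ItemProperty -LiteralPath $path
            foreach ($name in $ValueNames) {
                $cmd = $props.$name
                if ([string]::IsNullOrWhiteSpace($cmd)) { continue }
                $exe = [Environment]::ExpandEnvironmentVariables((Get-CommandExecutable $cmd))
                # A dangling interposer (file gone) breaks launching of that file type.
                $exists = $null
                if ($exe -match '^[A-Za-z]:\\') { $exists = Test-Path -LiteralPath $exe }
                [pscustomobject]@{
                    Key           = "HKCR\$progId\shell\$verb\command"
                    Value         = $name
                    Stock         = Test-StockShellCommand $cmd
                    CryptoPrevent = ([IO.Path]::GetFileName($exe) -ieq $FilterModLeaf)
                    ExeExists     = $exists
                    Command       = $cmd
                }
            }
        }
    }
}

$audit = Get-ShellCommandAudit
$audit | Where-Object { -not $_.Stock } |
    Format-Table Key, Value, CryptoPrevent, ExeExists, Command -AutoSize -Wrap
```

Reading the output: if every non-stock row shows CryptoPrevent = True and ExeExists = True, the MBAM detections are CryptoPrevent's own settings and whitelisting them in MBAM is the right call. A non-stock row pointing anywhere else deserves a look before you whitelist anything, and a row with ExeExists = False means the interposer is gone (for instance CryptoPrevent removed without cleaning up) and that file type will fail to launch until the value is put back; letting MBAM "fix" it restores the Windows default, which for exefile/comfile/piffile is "%1" %* and for scrfile is "%1" /S.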

Corrine

If you use WinPatrol and/or Malwarebytes Anti-Malware, you may not want to use the Filter Module settings.  WinPatrol and MBAM will flag the name change for .pif in file associations.  Although this is about the 6.0 preview, it applies to the recent update:  FoolishTech.com • View topic - CryptoPrevent v6.0 Preview


MikeW

Response from Malwarebytes:

To avoid any confusion, since we already received a few mails about this...

We do not really detect this as malware, but as "Broken.OpenCommand", which means any change that malware (and other programs) makes to an "executable - shell\open\command" value data which isn't set by default should be alerted to the user for safety's sake. So this isn't a real false positive here, since we detect correctly as "Broken.OpenCommand".

If you're aware that one of the programs you installed *does* change this value data, then add it to your whitelist. If you're not aware of this, then have Malwarebytes fix this (as this will restore the default value data set by Windows again).

Mieke Verburgh
Director of Research



ky331

Two users have experienced and reported this at the Dell forum. The specific details, obtained by exporting the MBAM Threat-scan results to a .txt file, are:

Broken.OpenCommand, HKCR\piffile\shell\open\command, "C:\Program Files\Foolish IT\CryptoPrevent\CryptoPreventFilterMod.exe" *"Good: ("Bad: ("C:\Program Files\Foolish IT\CryptoPrevent\CryptoPreventFilterMod.exe" *"%1" %*),,[ffffffffffffffffffffffffffffffff]" %*)" %*, %4, %5


Broken.OpenCommand, HKCR\scrfile\shell\open\command, "C:\Program Files\Foolish IT\CryptoPrevent\CryptoPreventFilterMod.exe" "Good: ("Bad: ("C:\Program Files\Foolish IT\CryptoPrevent\CryptoPreventFilterMod.exe" "%1" %*),,[ffffffffffffffffffffffffffffffff]" /S)" %*, %4, %5

Interestingly, there were only two objections from MBAM, despite CryptoPrevent changing (by default) 3 file-type settings [the 3rd being .CPL (Control Panel)].

For what it's worth, neither user mentioned any objections/interaction with WinPatrol.


Basil

Just updated to 6.0.1.
I got two alerts from Scotty and accepted the changes. All seems OK now...

Basil

Hmmm!!
Just ran an MBAM scan and it detected two items.
Broken.O....    Registry Data       HKCR\piffile\shell\open\command
Broken.O....    Registry Data       HKCR\scrfile\shell\open\command

Quarantined both (NOT deleted) and the machine seems to be working fine.
Restarted computer... still working fine...
I don't intend to delete... just in case!