Added rules for SRP Double Extensions to include (.7 & .ARJ)
Corrected possible issues when updating from the System Tray, or with the System Tray after an update (note: issues may still occur during this particular update, since the problem still exists in the currently installed EXE)
Subscription page now shows the product key for the registered system, or the first 5 of the Bulk/White-Label key in use, for easier management and identification
Updated Digital Certificate for EXE files:
CryptoPrevent.exe
CryptoPreventFilterMod.CryptoPreventEXEC
CryptoPreventMonSvc.exe
CryptoPreventNotification.exe
d7x.exe
KillEmAll.exe
Other minor bug fixes
v18.11.29.0 (November 29th, 2018)
Corrected issue when submitting Bulk configs for creation
Fixed timing issues with registration in the Creator application (Bulk/White-Label)
Other minor bug fixes
v18.10.20.0 (October 20th, 2018)
Updated version numbering to reflect date of release for the version
Updated to the new d7x Tech branding
Updated included d7x
Corrects issue with Win10 1809 adding Downloads folder to the cleanmgr.exe run
Other misc improvements and bug fixes
Fixes for FolderWatch
Removed possible false positive patterns from matching
Optimized for memory consumption and performance
Added option to register free versions using the primary Bulk/White-Label Key (overall remaining key) if there are installs available that have not been assigned to an installer
Added check to only add UserProfile SRP rules for specific directories (in addition to %userprofile%) where there are more than 5 user directories on the system
CryptoPrevent v9.x
v9.1.0.0 (April 25th, 2018)
Corrected an issue where offline installation of CryptoPrevent may cause major exception to occur
Corrected possible issue of an unexpected reboot when updates are applied
Added a command line parameter for Bulk/White-Label editions to be able to apply update schedule back to what was set at time of install (/applyINIUpdate)
Expired subscriptions will retain all premium product functionality except updating to future versions & definitions
Free versions have update functionality disabled for future product versions and definitions
Bulk versions can now create their own installer without having to submit and receive their installers; this allows a custom installer to be created for a particular client with a set number of installations defined
A couple other minor bug fixes for CryptoPrevent, Monitor service, and the Tray application
v9.0.0.1 (April 11th, 2018)
Added a large number of additional ransomware patterns for the HoneyPot Detections
Added notification if definitions or the application is updated during the important version update check at each start of the application
Added a date updated beside definitions on main interface
Added additional verification for the Visual C++ 2010 x86 being installed
Added optional notification that settings have been disabled on reboot
Premium versions now use a faster server for downloading updates than the Free version
Several other minor bug fixes for CryptoPrevent, Monitor service, and the Tray application
v9.0.0.0 (January 17th, 2018)
User interface updated: adds additional explanation of features and functionality, and streamlines options
Maintenance options have been added which are powered by d7x technology (manually running maintenance is available under the Free and Premium versions, scheduling automated maintenance is a premium feature only)
FolderWatch HoneyPot and the Quick Access tray are now available for usage under the free license; this makes all the protections CryptoPrevent provides free for personal usages
Program Filter has been updated to work with additional file execution situations
Corrected an issue where subscription keys may show as expired or invalid prior to the subscription running out
Updates have been completely re-written for performance and lower bandwidth usage
Update feature has been added where CryptoPrevent will automatically apply any critical updates when opened (applies to the Free and Premium versions)
Several performance improvements for CryptoPrevent and the Monitor service
Several bug fixes for CryptoPrevent and the Monitor service
CryptoPrevent v8.x
v8.0.4.3 (October 5th, 2017)
Performance increases for save/load of Bulk/White-Label configurations
Performance increases in the application of Bulk/White-Label settings at time of install
Performance increases on application startup
Several other minor performance improvements
Corrected issue where blacklist command line option may have whitelisted in some cases
Bulk registration data is now handled entirely via HTTPS (note: registration data was always encrypted prior to being sent; this mainly eliminates a fallback v7 Bulk communication method)
HoneyPot Detection Message shows details about detected event and file detected
HoneyPot Detection Message gives the option to go back into Windows Explorer (instead of just shutdown or reboot)
Subscription Information shown in a tab in the interface
Debug submission available under the Subscription tab (this is a premium-only option to email support with debug info attached)
Additional HoneyPot Detections for new ransomware variants
Management Console ready (a management console is in the works; being up to date with this version should prepare clients for this ability on its release)
v8.0.4.2 (June 3rd, 2017)
Major improvements in memory usage across all executables (CryptoPrevent.exe, CryptoPreventMonSvc.exe, CryptoPreventNotification.exe): memory usage will decrease over time for the real-time components, and initial launches use less memory as well.
Corrected an issue where White-Label Creator was not updating the CryptoPrevent.exe launcher file in the includes folder which is used to create installers (you can delete this file and then re-open the WL Creator to force an update now)
SRP Whitelist is now sorted on initial loading and when updated
FolderWatch Custom Folders list is now sorted on initial loading and when updated
Fixed issue where services may not start via CLI options
Fixed issue where HoneyPot files might not be removed when FolderWatch has been disabled
Fixed issue where HoneyPot files might not be removed when Custom Folder is removed
Adding/removing Custom Folders in FolderWatch now applies instantly
Fixed issue where services may be removed but not re-installed when changing various definition files or email settings
v8.0.4.1 (June 1st, 2017)
Fixed graphical issue where verifying settings might not disappear on first run of application
Added additional HoneyPot Detection Rules
Changed HoneyPot Detection rules that may cause false positives
Added fix for possible issue with HoneyPot Detection not being able to verify current HoneyPot files
Possible fix for CLI options not starting services as expected
Fixed QuickAccess Notification Tray to update on the fly with protection changes
Added Restore Previous Protections option to Main GUI, QuickAccess Tray, and CLI option of /revertsettings
Possible fix for Monitor Service consuming large amounts of RAM
Minor performance improvements when handling SRP protections from GUI and CLI options
v8.0.4.0 (May 24th, 2017)
Fixed graphical issue with policy numbers applied being shown in the policy editor
Added additional email settings CLI options:
/emailusername="user@addy.com"
/emailsamesendtofromaddy
or use the following together:
/emailfromaddy="user@addy.com"
/emailsendtoaddy="user@addy.com"
/emailpassword="password"
/emailserver="serverAddress"
/emailport="portNumber"
/emailauthenable
(Add =0 to disable)
/emailstarttlsenable
(Add =0 to disable)
/emailsslenable
(Add =0 to disable)
/clientemailid="Client ID to be added to Email Subject"
/emaillocksettings
(Add =0 to disable)
Only applies to Bulk or White-Label Editions
d7x rule variables now add the environment variable form as well as the expanded paths
Corrects issue where same policy may have been added more than once from CLI options
Added Debugging ability to the QuickAccess Notification Tray
Currently the debugging information is fairly limited, but this will improve over new revisions if additional debugging information is required
Use /debug when running from a command prompt, with or without admin rights depending on the testing needed
Improved Multi-User support for QuickAccess Notification Tray
Bulk & White-Label Edition Installers Updated
Waits for the installation to complete prior to showing the Finished button on non-silent installations
Silent installations now also wait for the installer to complete when scripted
Fixed possible issues with systems not restarting after install when selected to do so from the Bulk-Creator
Debug mode will be enabled by default on all Bulk Edition installs for the installation portion only
This can be used to check for problems if something doesn’t work correctly in the Bulk Edition installation on a particular system
Fixed possible issue with HoneyPot Detection triggering on changing of protections
v8.0.3.9 (May 19th, 2017)
Major performance increase when applying protections
from the command line and from the GUI
Corrected issues with Windows 8-10 Scaling
DPI changes could still cause problems if defined manually and not with the scaling in Windows
Windows XP-7 will still get the warning
Corrected minor interface issue
Issue resulted from some changes in 8.0.3.8
Tabs were unreadable, but still clickable
GUI sub-tabs looked lopsided/pushed to the right somewhat
Applied to the Protection Settings sub tabs
Applied to the Policy Editor sub tabs
v8.0.3.8 (May 19th, 2017)
Added an alert for Windows XP-7 to inform of high DPI setting and recommend lowering it while applying protections
Windows 8 & 10 do not get the alert but the interface is usable with only slight visual issues on increased scaling settings
A YouTube video going over how to change DPI settings can be found here: https://youtu.be/biuNjFnoqPI
Removed a couple rules for HoneyPot Detection that could cause false positives with some file types
If you receive any false positive alerts with HoneyPot Detection, please continue to send us the event information from the History tab so we can add exceptions when needed
v8.0.3.7 (May 15th, 2017)
Rolled back HoneyPot Definition update feature
received a number of strange false positives
Will refine more and bring back at a later date
v8.0.3.6 (May 15th, 2017)
Fixed Links not working in Get Premium Tab of the Free Edition
Updated HoneyPot Detection protections to correct for possible false positive
Updated list was pushed out using the previous version’s definition update feature
Published new version along with the correction because there was another reason to publish the updated version
v8.0.3.5 (May 15th, 2017)
Performance increase for HoneyPot Detection and alert notification from QuickAccess Tray icon
Added command line option to add unique identifier for individual client
/clientemailid=[UniqueClientID]
Run this CLI option to create a unique identifier for that specific client’s email subject line
Additional debug information when running /debug
Added additional Honey Pot detection for more ransomware detection
Added ability for HoneyPot definitions to be updated during definition updates
HoneyPot definitions will update during manual or auto-update processes
If HoneyPot definition file is not available on the system, hard-coded definitions of the current CryptoPrevent version will be used
v8.0.3.4 (Apr 11th, 2017)
Added Proxy support for updates and email
added command line parameters to configure proxy support
added automatic file trigger to configure proxy using “CryptoPreventProxy.ini” in application directory
Performance increase for removing whitelisted software restriction policies
Additional debug information when running /debug
for sending email
for updates
Added additional Honey Pot detection for more ransomware detection
v8.0.3.3 (Mar 21st, 2017)
Fixed issue where White-Label Creator might not have files needed to create installer correctly
Fixed possible false positive triggering Honey Pot detection
Added additional Honey Pot detection for more ransomware detection
v8.0.3.2 (Mar 7th, 2017)
Fixed possible false positive triggering Honey Pot detection
v8.0.3.1 (Mar 2nd, 2017)
Fixed grammatical error in silent test protection report file
Fixed issue where White-Label client may not show branded as expected
Fixed issue changing from subscription to non-subscription in White-Label Creator didn’t take as expected
v8.0.3.0 (Mar 1st, 2017)
Updated FolderWatch HoneyPot detection to improve on speed and processing of detections
Added fix for possible issue when starting FolderWatch service
Fixed issue with /disablefs and /disablefc CLI options (added option to pass up to all 3 extension types when separated by a comma)
Removed *.msi from %programdata% protection, because it may cause issues with a number of software upgrades
Updated service routines for speed and possible bug fixes
Updated double file extensions from *.rft to *.rtf
Updated uninstall registry locations to show "MajorVersion" & "MinorVersion"
Fixed issue where some command line parameters may have been interpreted incorrectly depending on what was passed
Multiple values can now be passed to a single command line parameter, separated by commas
Updated system files verification routine
Updated Program updates process
Added progress bars to WL and Bulk save/creating configs time
Added ultimate pack compatibility
Fixed issue with /applyini possibly not fully applying settings
v8.0.2.9 (Feb 13th, 2017)
Fixed issue where Vista/Server 2008 systems may constantly restart interface on launch/install
v8.0.2.8 (Feb 10th, 2017)
Removed timestamp from /test /silent file that is created
Added a fix for Bulk/White-Label client’s interface showing as none when protections have actually been applied during install
Added another fix for possible issue registering v8 Bulk/White-Label clients showing “Get Premium” tab when they should be registered
Added fix for where Bulk/White-Label Creator couldn’t recreate installers when 0 licenses were remaining
Added fix where some v7 Bulk clients couldn’t use the v8 Bulk Creator
Added fix where HoneyPot detection may be triggered when changing to a lower plan setting
Added fix for some Bulk/White-Label clients being unable to verify registration with server and showing inactive
v8.0.2.7 (Feb 8th, 2017)
Fixed issue with /? not showing and updated form display
/test /silent Fixes
Added additional debug info for when used with /debug
Changed so console and exit code match (protection applied =1 and not applied=0)
/test /silent now writes a file to the program install directory named "Protection Test [date/time test was performed]" containing 0/1 on the first line and whether the test was successful on the next line
Added new CLI options /enabletray and /disabletray for the tray icon settings
Fixed issue where /disablesidebar and /enablesidebar actually did reverse of their name
Fixed issue with /localappdata (/? showed /appdatalocal)
Fixed issue with /disablehoneypot not working as expected
Added fix for possible issue opening interface or changing to custom plan manually
Custom plan can no longer be selected manually; to have a custom plan, change a protection setting so that it deviates from a particular predefined plan
Added fix for possible issue registering v8 Bulk/White-Label clients showing “Get Premium” tab when they should be registered
v8.0.2.6 (Feb 1st, 2017)
Removed plan drop down from protection settings tab (caused interface crashes with some systems, UI will be updated in a later revision)
Corrected the interface when launched to show the settings currently applied; previously, if changes were made to settings and then not applied, they would still be shown when the app re-opened but were not actually applied
Fixed issue where v7 Update Schedule might not be set correctly if /applyini is performed or on install for Bulk and White-Label
Adjusted how “/silent” was handled in CLI
Corrected an issue where Bulk/White-Label installers may reboot on install
Added additional logging/debug log information
v8.0.2.5 (Jan 31st, 2017)
Corrected issue where the custom plan in the system tray would only select the current plan settings
Added “Restore Installer Plan” to quickly set the originally installed settings of a Bulk edition
Corrected spelling issue on White-Label/Bulk Creator Load/Save Tab
Added additional HoneyPot file checks
Corrected an issue where XP-based OSes may experience a stack overflow error in some cases
Corrected an issue saving different To/From Email addresses in advanced settings
Added additional logging/debug log information
v8.0.2.4 (Jan 25th, 2017)
v7 Bulk Purchases can now purchase an updated v8 installer ($25 additional Custom Purchase, contact us for additional information), allowing the ability of customizing their installer options with v8’s additional settings and features
Moved Disable Script Host from Maximum to Extreme plan settings (You may still enable this protection using the free version but it will be a custom plan at that point)
Corrected misspelling under PIF Suspicious Hover-over Help information
Fixed issue where services might not be applied correctly during install for silent Bulk/White-Label v8 installers
Fixed an issue where v7 Bulk/White-Label EXE Installers may not appear as registered after install and updated to v8 (reinstall of the v7 installer on the same system will correct this issue without consuming an additional license)
v8.0.2.3 (Jan 22nd, 2017)
Fixed issue where registration may fail when regional settings were changed
Added limited logging abilities with /debug or /logging CLI
v8.0.2.2 (Jan 19th, 2017)
Fixed issue where version 7 White-Label clients may not show as fully registered (should automagically fix at the next launch of CryptoPrevent or the Tray Icon, and/or start of the services, if installed)
Fixed issue where v7 Bulk or White-Label clients may have uninstalled if v8 registration failed (clients where this occurred will need to be reinstalled with the installer)
Fixed issue where email password may be exposed through System Tray app even when Email Settings have been locked in White-Label editions
Added fix for possible issue of Bulk or White-Label v8 installers not fully applying settings when reboot after install option is selected in the creator
v8.0.2.1 (Jan 19th, 2017)
CryptoPrevent main program and service will ensure correct Uninstall Display Version number in Add/Remove Programs at every start
Added command line option to force updating Uninstall Display Version (/updateUninstallVersion)
v8.0.2.0 (Jan 17th, 2017)
Bulk version release (All versions of CP are now available for purchase)
Many bugs have been fixed and additions made over this time (too many to list); future revisions will have more detailed release notes.
More information will be available in the coming weeks, and as subsequent revisions are released.
v7.0 & Earlier
CryptoPrevent v7.x
For the current SHA256 hash and analysis of CryptoPrevent v7.4.21, visit this VirusTotal.com link. It is possible, though not currently witnessed, that a very few A/V engines on VirusTotal will trigger false positive detections within CryptoPrevent. For a nice little utility to examine and compare file hashes you can download my tool, QuickHash.
Recent Changes:
v7.4.21 (Nov 19th 2015)
Resolved: Mismatched control version relating to all email functionality
v7.4.20 (April 10th 2015)
Added: New extension rules for batch scripts and JavaScript files (*.JS, *.JSE) as some v3 versions of Crypto-malware are using these file types as an infection method.
Redesigned: Software Restriction Policy Editor to allow resizing and longer listboxes (previously some longer rules were not displayed entirely due to the short listboxes.) *Fonts may appear smaller; this is a known issue and will be resolved in a future update.*
Fixed: Block Temp Extracted Executables checkbox in the Advanced interface did not apply this setting when checked.
v7.4.8 (Nov 14th 2014)
Added command line option /exefilter to enable the Program Filtering (BETA) setting.
v7.4.3 (Nov 3rd 2014)
Corrected a minor bug with the blacklisting rule creation for Max protection.
v7.4.2 (Nov 1st 2014)
Resolved an issue with the Program Filtering BETA which caused it to incorrectly flag existing security software as a threat that matched hash definitions.
Testing resolution of an issue preventing the Program Filtering BETA from logging blocked events to the event logs.
v7.4.0 (Oct. 21st 2014)
Vastly improved algorithms for file hash comparisons with the Program Filtering BETA functionality, and enabled a much larger definition set.
v7.3.5 (Oct. 12th 2014)
Changed status of Program Filtering from “Experimental” to “BETA” after extensive OS testing, and set enable restrictions on OS/Service Pack level where necessary.
(Program Filtering is not currently supported on Vista, but works for XP, Win7 with SP1, Win 8.x, and Win 10.)
Added TLS encryption capabilities to the email configuration, to support a wider variety of SMTP servers for the email alerts function.
Tweaked the installation process, no longer prompting to set “default” protections, now showing the full (non-advanced) interface to allow the user to select one of the 4 pre-configured protection levels.
Tweaked the interface a little, explaining protection levels more clearly, and added a few more advanced options to the top menu of the default non-advanced interface (in an attempt to make the old more complicated advanced interface largely unnecessary.)
v7.1 (Aug. 2014)
Added new misc. protections for known malware processes (specifically dealing with “child porn” related ransomware going around currently) which is applied to Default level of protection and higher, or listed as the “Known malware processes” check in the Advanced interface.
Fixed two bugs associated with creating custom whitelist policies in the Software Restrictions Policy Editor (Advanced interface.)
v7.0
NEW simplified and easy to understand interface, replacing the many obscurely labeled protection option check boxes with a few simple protection “levels” to select from (the old interface still exists in the Advanced menu, and it has been updated as well.)
Updated to not trigger Malwarebytes Anti-Malware detections with the installed version (thanks to the Malwarebytes research team!)
Improved Filter Module function.
Changed recommended defaults slightly.
Enabled optional “Experimental Protection” level (the Experimental EXE/COM settings in the Filter Module.) NOTE: This setting is not largely tested and is NOT recommended for most people, as there may be side effects which could potentially cause system instability. Please understand I cannot accept responsibility for your usage of this setting. If you do wish to use this setting, I would love to hear your feedback on any issues you suspect may be related to having it enabled.
v6.1.5 – Added new internal hash definitions for Critroni/CBT-Locker detections and a few other misc tweaks.
v6.1
Improved Recycle Bin executable protection.
Added feature to remove ALL software restriction policies (created by CryptoPrevent or not) from the Advanced > Software Restriction Policies menu.
Added feature to block %localappdata%* in Advanced menu > Software Restriction Policies (max protection, but this includes a block on %temp% so it may cause issues with legitimate apps; generally not recommended.)
Added ability to install (or force install) from CryptoPrevent portable and uninstall/force uninstall from the installed version. Force option is only offered if standard methods fail. Not 100% perfect so only use the force option if absolutely necessary (e.g. the installer won’t run due to access denied errors.)
Bulk Installers now have the option of creating custom whitelist rules during installation.
Misc tweaks.
v6.0.3 – Fix for a minor annoyance of mine, not worth mentioning.
v6.0.2 – Fix for running certain screen savers with .SCR filtering enabled.
v6.0.1 – Minor UI tweaks and added some additional information and links to the interface.
v6.0 – CryptoPrevent is no longer based solely on Windows software restriction policies, and now includes a real-time filter and definitions files/updates!
New ‘Filter Module’ that can filter certain executables against hash based definitions, can also filter based on other criteria using a more complex rule set, and allows the user the option to run the file anyway. Enabled for CPL, SCR, and PIF files by default – advanced options allow enabling it for EXE/COM files also (experimental!)
New Policy Editor for software restriction policies, create your own custom path rules (premium feature.) You can also view, search, and selectively delete blacklist policies in effect.
User defined hash rules for MD5/SHA256 (meaning, you can create your own hash based definitions for the Filter Module.)
Separated all main protection policies so they may be individually applied or removed.
Added policy to disable Windows Sidebar/Gadgets due to security vulnerabilities.
Daily updates are now for the new definitions, and a new weekly schedule will be created for application updates.
New email options for bulk premium custom installers.
Easier to install and apply protection with the free version.
v5.2.2 – Fixed a setting not being remembered correctly on program relaunch. Added some email features for the Bulk Premium custom installers.
v5.2.1 – Separated the Prevent BCDEDIT.EXE option from the default protection settings, and put it in the Advanced menu. It was interfering with some backup applications.
v5.2 – Added automated protection test after reboot if you select to reboot after applying protection. Some UI and usability tweaks. Added a link to the help forums in the Premium Edition’s Information menu. Finally added Steve Basford (Sanesecurity) to the credits!
v5.1 – Tons of UI and usability tweaks. Added more hash values to internal block lists.
v5.0 – Added hash based blocking system.
v4.7.2 – Added bcdedit.exe and vssadmin.exe to the blocked executables action “Prevent system executables from running” along with syskey.exe and cipher.exe (with a new command line parameter /blocksysfiles that covers them all.) Reorganized the interface a bit and added a little description.
v4.7 – Added blocking of fake file extensions with spaces in them to hide the extension. Added blocking of cipher.exe along with syskey.exe, for the potential abuse. Added ability to create custom block and allow policies with scripting support. (Premium version only; for documentation consult the forums here.)
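The v4.7 entry above describes the two filename tricks the SRP double-extension rules target: a decoy document or archive extension in front of the real executable extension (invoice.pdf.exe) and a run of spaces that pushes the real extension out of view. The following is an added example, not CryptoPrevent's own code or rule set: a small checker that flags both tricks in a list of constructed filenames, plus a generator for SRP-style path patterns of the same shape. The decoy and executable extension lists and the pattern form are assumptions for the example; CryptoPrevent's actual rule definitions are not published on this page.

```python
"""
Detect deceptive filenames of the kind CryptoPrevent's SRP double-extension
rules target. Added example; not CryptoPrevent code.
"""
import re

# Assumed lists for this example. CryptoPrevent's real rule set is not shown
# on the page; these cover the types its changelog mentions (.rtf, .7z, .arj).
DECOY_EXTENSIONS = {"pdf", "doc", "docx", "xls", "xlsx", "txt", "rtf",
                    "jpg", "png", "zip", "7z", "arj"}
EXEC_EXTENSIONS = {"exe", "com", "scr", "pif", "cpl", "bat", "cmd",
                   "js", "jse", "vbs"}


def split_ext(name):
    """Split 'stem.ext' into (stem, lowercase ext); ext is '' if no dot."""
    stem, dot, ext = name.rpartition(".")
    return (stem, ext.lower()) if dot else (name, "")


def classify_filename(path):
    """Return None if the name looks benign, else a short reason string.

    Accepts a bare filename or a full Windows/POSIX path.
    """
    name = re.split(r"[\\/]", path)[-1]          # basename, either separator
    stem, ext = split_ext(name)
    if ext not in EXEC_EXTENSIONS:
        return None                                # not an executable type
    # Trick 1: spaces padded in front of the real extension so a narrow
    # column shows only "report.pdf" (the v4.7 "spaces in them" case).
    if stem != stem.rstrip():
        return "space-padded extension hides ." + ext
    # Trick 2: decoy document/archive extension before the executable one.
    _, inner_ext = split_ext(stem)
    if inner_ext in DECOY_EXTENSIONS:
        return f"double extension .{inner_ext}.{ext}"
    return None


def scan_filenames(names):
    """Return [(name, reason)] for every name that classify_filename flags."""
    flagged = []
    for name in names:
        reason = classify_filename(name)
        if reason:
            flagged.append((name, reason))
    return flagged


def srp_double_extension_rules(base):
    """Generate SRP-style path patterns (assumed form) under a base location,
    e.g. %userprofile%\\*.pdf.exe, one per decoy/executable pair."""
    return sorted(f"{base}\\*.{decoy}.{exe}"
                  for decoy in DECOY_EXTENSIONS
                  for exe in EXEC_EXTENSIONS)


if __name__ == "__main__":
    # Constructed sample filenames for the demo.
    samples = [
        "invoice.pdf.exe",
        "backup.7z.exe",
        "report.pdf          .exe",
        r"C:\Users\demo\Downloads\archive.arj.scr",
        "setup.exe",
        "notes.txt",
    ]
    for name, reason in scan_filenames(samples):
        print(f"{name!r}: {reason}")
    print(len(srp_double_extension_rules("%userprofile%")), "rule patterns")
```

The check deliberately ignores ordinary names like setup.exe or my.backup.exe; it only reacts when the executable extension is preceded by a known decoy type or by trailing whitespace, which is the same narrowness that keeps the real SRP rules from interfering with legitimate software.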
v4.4.1 – added ability to block syskey.exe from execution, which is being exploited by some new malware.
v4.3.3 – updated digital signature on CryptoPrevent executables.
v4.3.2 – added support for redirected %appdata% directories (Windows folder redirection typically only used on larger networks.)
v4.3 – separated protection option for %userprofile% / %programdata% / Startup Folder and added whitelisting capabilities for those locations – also removed unnecessary reboot prompt after automatic update on Vista+ OSes.
v4.2.6 – removed the *.com file rule for %userprofile% as this was causing some issues with user accounts with .com in the path name under certain circumstances.
v4.2.5 – Fixed a minor bug in that using the /w= command line parameter was also forcing /whitelist whether it was specified or not.
v4.2.4 – Fixed a recent bug causing email alerts to not be sent properly.
v4.2.3 – Misc. changes to the White-Label edition. Added IP address / Computer Name to the optional alert email when an application is blocked (Premium edition.)
v4.2 – Added Start Menu > All Programs > Startup folder protection. Added reboot prompt after automatic update / re-application of protection.
v4.1.5 – Misc changes to whitelisting functionality and added a link to the Email Setup FAQ inside the program.
v4.0 – Added Event Log to check event history of blocked applications. In the Premium Edition (formerly Automatic Update Edition), added email alert capability when an application is blocked.
CryptoPrevent v8 Client Manual
CryptoPrevent Client Installation
Installation of CryptoPrevent is carried out with very few steps: (Note: Bulk/White-Label Client installation may vary slightly from the below)
Extract the ZIP archive downloaded from our site to a location of your choosing and make note of the location. This file contains the installer/setup routine for CryptoPrevent.
Launch the installer executable file from the above location.
Click next.
It is not possible to proceed without accepting the license agreement and clicking next.
Choose whether or not to create a desktop shortcut and click next.
Click install to initiate the installation.
Click finish to close the installation and launch CryptoPrevent. Uncheck the box shown if you do not want to configure CryptoPrevent or apply protection.
Note: CryptoPrevent will not protect your PC just by installing it. It is required that protections be reviewed and applied for CryptoPrevent to start working.
You will be asked if you are in possession of a product key for the purposes of enabling all premium features. If you have purchased and received an email containing your key, please choose yes.
Copy and paste your product key exactly as you received it and click ok.
You will be asked if you would like to schedule daily updates. You may either choose to do that with a random time or you may opt not to and select a time of your choosing at a later time.
Click ok to proceed to the main interface.
CryptoPrevent Client Apply Protections Tab
Apply Protection tab:
Protection plans are an easy way to apply sets of CryptoPrevent protections.
Minimal plan
includes all protections available in the original release of CryptoPrevent for blocking CryptoLocker and similar ransomware.
These are a bare minimum level of protections and may not protect against more modern threats.
Default plan
includes additional protections to prevent a wider range of threats.
More restrictive plans could impact software installations; this is the highest plan that should not interfere with them.
For this reason, we refer to it as the “set it and forget it” plan.
Maximum plan
includes additional protections that will block even more threats.
Please use this plan with caution as it has the potential to interfere with:
software installations
certain backup applications that rely upon the bcdedit.exe utility
Extreme plan
enables every available protection feature, including those considered “beta”.
This plan has the potential to block legitimate software from running.
Please test in your environment with these settings to determine if they will negatively impact the use of your PC.
Custom settings
when settings do not specifically follow a predefined protection plan.
A general guideline would be to start with the Default plan and check any additional protections that you are able to tolerate in your environment.
Testing should be performed whenever changing protection settings.
Testing involves applying the settings you wish to test, rebooting when prompted, and then trying out all your existing software for expected operation.
Enable Active Protections
includes master check boxes for active protections beyond software restriction policies.
Use Protection Plan Settings
checked means the two sub-items will follow selected plan recommendations
this box will automatically uncheck and the plan setting will be changed to custom if either of the two sub-items are changed
FolderWatch (real-time)
FolderWatch is a new protection feature in CryptoPrevent v8
allows for specified folders to be monitored for items that match the loaded hash definitions list (including custom added ones available in the premium version)
allows for HoneyPot Detection (Premium Version feature) to protect the selected locations as well
see more details about these items under the Protection Settings tab individual descriptions in this documentation
checked means the protections and folders under Protection Settings tab->FolderWatch tab and Protection Settings tab->FolderWatch HoneyPot tab will be protected and enabled by the FolderWatch service
unchecked means this protection will be disabled and the selected locations/enabling HoneyPot Detection will be irrelevant
Kill Apps Now button
CryptoPrevent includes certain features from Foolish IT’s next generation PC technician productivity tool, called d7x, which is currently in development.
will close all running non-essential applications.
Please be aware that using this option will not prompt you to save any work and will forcibly close running windows.
CryptoPrevent QuickAccess (Premium only feature)
a notification icon that will appear in the system tray when enabled
exposes CryptoPrevent functionality to the user without the need to open the entire user interface.
will also pop up with notifications regarding CryptoPrevent activity.
Note: this tray icon should be enabled when using FolderWatch HoneyPot Detection so the end user is alerted when a detection occurs (otherwise the system will shut down without warning)
Apply Protection Plan button
Available on all tabs
this button applies the currently selected plan and protections enabled under the Protection Settings tab
Be sure to use this button when changing plans or after all individual settings have been customized as you want to have applied
Test Protection button
currently tests only the protection location of %appdata% (which is enabled on all plans except None)
indicates mainly if the Software Restrictions Policies have been enabled and have taken effect
this will not test other locations, the filter module protections or FolderWatch protections
CryptoPrevent Protection Settings->Software Restriction Policies->Minimum Plan Tab
The Minimum plan tab:
The following protect each of these locations from executable files:
CryptoPrevent Protection Settings->Software Restriction Policies->Default Plan Tab
The Default plan tab
The following protect each of these locations from executable files:
%programdata% (Windows Vista and later): %programdata%\*.[executable extension]
%userprofile% (all supported OS): %userprofile%\*.[executable extension] (does not include the *.com extension)
For each actual user folder present at the time the settings are applied, a rule for that specific user folder is added: [user folder location]\*.[executable extension]
CryptoPrevent includes a program filter module that can either selectively block certain executable file types or indiscriminately block them.
Prevent Suspicious File Types
depending on what is selected, the .cpl, .scr, and .pif file types are checked against our malware definitions and blocked if a match is found
Suspicious will also use various logic for determining if that file type should be launched
various items like file location, naming convention and others are included in this logic
Always Prevent File Types
always prevent the execution of the respective file types
Notification prompt
these settings only pertain to the .cpl, .scr, and .pif file types for filtering
We recommend the default value of Message Box Alert for the notification prompt.
Program filtering for .exe and .com executables
always restrict exe or com files based upon hash definitions
The HoneyPot feature related to FolderWatch places numerous files around your PC to act as bait.
the root folder of each Protected location selected in the FolderWatch tab will be protected by the honeypot files
this includes any custom locations
honeypot files may or may not be visible in these locations depending on what hidden/system files you have shown
When activity is detected against these files, the HoneyPot feature will do everything in its power to prevent any further system activity, including:
slowing the system
only allowing it to be rebooted or shut down.
When this feature is activated, the idea is that the system has been grievously compromised and your data is at risk from malicious activity.
As such, it is a “last ditch” effort to preserve your data with the hopes that only our bait files will be compromised and not any legitimate data.
Please use this feature with caution as there is the possibility of false positives due to the fact that any manipulation of the HoneyPot files will trigger our HoneyPot protections.
Similar to the whitelist and blacklist software restriction policies, our hash definitions also use lists to either allow or block a specific hash, respectively.
Hashes are only used with the Filter Module and FolderWatch protections
The blacklist will only contain custom hashes and does not expose the hashes distributed with CryptoPrevent.
As with the blacklist policies, you may add your own to enhance the base level of protections offered. (Premium Only)
Changes to these lists take effect immediately after clicking the Save Hash Definitions File button.
CryptoPrevent Policy Editor->Submit New Hash Tab
Submit New Hash tab:
If you identify a file you know to be malicious, you may use this tab to select that file, compute its hashes, and potentially upload it to Foolish IT for further analysis and potential inclusion in future base definitions.
After browsing for a file, its hashes will be computed and compared against the internal lists.
You will be alerted in red text if the hash is not already present in our definitions and, in that case, the hashes will be added if and when you choose to upload the file.
If you choose not to upload the file, you will need to manually add the hashes to your custom hash definitions in order to have that file blocked.
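The two passages above (the filter module's "suspicious" versus "always prevent" handling of .cpl/.scr/.pif, and the hash lookup the Submit New Hash tab performs) can be put together into one decision routine. The following Python is an added example written for this page, not CryptoPrevent's own code: it hashes a file's bytes with MD5, SHA-1 and SHA-256, looks them up in a whitelist and blacklist, and applies the documented rules (.exe/.com are only ever hash-checked; a filterable type in "always prevent" is blocked without a lookup). The sample payloads and definition lists are constructed, and the choice that a whitelist hit overrides a blacklist hit is an assumption made because the whitelist exists to clear false positives.

```python
import hashlib
import os
from dataclasses import dataclass, field

# File types the filter module can block outright ("Always Prevent") or hash-check ("Suspicious").
FILTERABLE_TYPES = {".cpl", ".scr", ".pif"}
# .exe and .com are only ever restricted by hash definitions: blocking them unconditionally
# would stop most software from running (the manual's own reasoning).
HASH_ONLY_TYPES = {".exe", ".com"}


@dataclass
class HashDefinitions:
    """Lowercase hex digests; any of md5/sha1/sha256 may appear in either list."""
    blacklist: set = field(default_factory=set)
    whitelist: set = field(default_factory=set)   # custom allow entries (premium feature)


@dataclass
class FilterModuleConfig:
    suspicious: set = field(default_factory=set)    # e.g. {".cpl", ".scr"}: hash-checked
    always_block: set = field(default_factory=set)  # e.g. {".pif"}: never allowed to run


def compute_hashes(data: bytes) -> dict:
    """The three digests a Submit New Hash lookup compares against the lists."""
    return {alg: hashlib.new(alg, data).hexdigest() for alg in ("md5", "sha1", "sha256")}


def hash_status(data: bytes, defs: HashDefinitions) -> str:
    """'whitelisted' wins over 'blacklisted' (assumption: the whitelist exists to undo
    false positives); 'unknown' is what the tab reports in red text."""
    digests = set(compute_hashes(data).values())
    if digests & defs.whitelist:
        return "whitelisted"
    if digests & defs.blacklist:
        return "blacklisted"
    return "unknown"


def filter_decision(path: str, data: bytes, cfg: FilterModuleConfig,
                    defs: HashDefinitions) -> str:
    """Return 'block' or 'allow' for a launch the filter module intercepts."""
    ext = os.path.splitext(path)[1].lower()
    if ext in FILTERABLE_TYPES and ext in cfg.always_block:
        return "block"                       # constant filter: no hash lookup needed
    if ext in HASH_ONLY_TYPES or (ext in FILTERABLE_TYPES and ext in cfg.suspicious):
        return "block" if hash_status(data, defs) == "blacklisted" else "allow"
    return "allow"                           # file type not covered by the module


# Constructed sample data (not real malware): one "known bad" payload and one benign one.
BAD_PAYLOAD = b"MZ\x90\x00constructed-sample-payload"
GOOD_PAYLOAD = b"MZ\x90\x00constructed-benign-program"
DEFS = HashDefinitions(blacklist={compute_hashes(BAD_PAYLOAD)["sha256"]})
CFG = FilterModuleConfig(suspicious={".cpl", ".scr"}, always_block={".pif"})

if __name__ == "__main__":
    for name, data in [("dropper.exe", BAD_PAYLOAD), ("setup.exe", GOOD_PAYLOAD),
                       ("saver.scr", GOOD_PAYLOAD), ("legacy.pif", GOOD_PAYLOAD)]:
        print(f"{name:12} {hash_status(data, DEFS):12} -> {filter_decision(name, data, CFG, DEFS)}")
```

Note that a .txt or other type outside the module's scope is always allowed by this routine; those launches are the software restriction policies' job, not the filter module's.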
CryptoPrevent Email Settings Tab
Email Settings tab:
This tab is used to enable email notifications of alerts.
Alerts will be emailed using the provided credentials and options. (Settings entered here are only available to the local system, this information is not transmitted or used by Foolish IT in any way)
Settings are predefined for Google’s Gmail service or you may specify your own SMTP settings.
Please note that Google will block external SMTP access unless you enable the “use less secure apps” option in your Gmail account settings.
This restriction applies to any software that uses Google’s SMTP access and is not specific to CryptoPrevent. For example, Microsoft Outlook is affected by this as well.
The History tab logs information about CryptoPrevent activity either since the previous startup or for as far back as the Windows event logs happen to record.
Events are created whenever a software restriction policy is enforced or when our program filter module or FolderWatch protection detects malicious software or activity.
The contents of each event may be useful for troubleshooting purposes and for getting the path information necessary to create a whitelist policy entry.
Event IDs
866: Software Restriction Policy Protection
10177: v7 Filter Module Protection
10188: v8 Beta FolderWatch
10189: v8 Beta FolderWatch HoneyPot Detection
36650, 36651, 36652, 36659: v8.0.0.0 and later; the event source denotes which protection raised the event:
CryptoPrevent Program Filter (filter module)
CryptoPreventFW (FolderWatch)
CryptoPreventHP (HoneyPot Detection)
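When reviewing the History tab in bulk (for example, after a deployment that turned out to block something), it helps to classify events by the ID/source table above and pull the blocked path out of each message so it can become an exact whitelist entry. The following Python is an added example for this page, not CryptoPrevent's own tooling. The event IDs and source names are the ones documented above; the event records and their message wording are constructed samples in the shape of Windows event log entries, and the regular expression that finds the blocked path is an assumption about message layout, so adjust it to what your logs actually contain.

```python
import re
from collections import Counter

# Event IDs the History tab documents, keyed to the protection that raised them.
EVENT_ID_PROTECTION = {
    866: "Software Restriction Policy",
    10177: "Filter Module (v7)",
    10188: "FolderWatch (v8 beta)",
    10189: "HoneyPot Detection (v8 beta)",
}
# From v8.0.0.0 the event ID alone is not enough; the event source says which protection fired.
V8_EVENT_IDS = {36650, 36651, 36652, 36659}
SOURCE_PROTECTION = {
    "CryptoPrevent Program Filter": "Filter Module",
    "CryptoPreventFW": "FolderWatch",
    "CryptoPreventHP": "HoneyPot Detection",
}
# Assumption: the first Windows path ending in an executable-type extension is the blocked file.
PATH_RE = re.compile(r"[A-Za-z]:\\.+?\.(?:exe|com|cpl|scr|pif|bat|cmd|js|vbs|ps1|dll)\b",
                     re.IGNORECASE)


def classify(event: dict) -> str:
    """Map one event record to the protection that raised it, or 'unrelated'."""
    eid, source = event["id"], event.get("source", "")
    if eid in V8_EVENT_IDS:
        return SOURCE_PROTECTION.get(source, f"unknown source {source!r}")
    return EVENT_ID_PROTECTION.get(eid, "unrelated")


def blocked_path(event: dict):
    """The path the event is about, or None if none can be found in the message."""
    m = PATH_RE.search(event.get("message", ""))
    return m.group(0) if m else None


def whitelist_candidate(event: dict):
    """A full path suitable for an /a= custom allow rule (no wildcards), or None."""
    p = blocked_path(event)
    return p if p and "*" not in p else None


def triage(events):
    """Counts per protection plus the distinct paths worth a whitelist review."""
    counts = Counter(classify(e) for e in events)
    paths = set()
    for e in events:
        p = whitelist_candidate(e)
        if p:
            paths.add(p)
    return counts, sorted(paths)


# Constructed sample records (not real captures); only the IDs and sources come from the manual.
SAMPLE_EVENTS = [
    {"id": 866, "source": "Microsoft-Windows-SoftwareRestrictionPolicies",
     "message": r"Access to C:\Users\alice\AppData\Roaming\updater\update.exe has been "
                r"restricted by your Administrator by location with policy rule."},
    {"id": 36650, "source": "CryptoPreventFW",
     "message": r"FolderWatch quarantined C:\Users\alice\Downloads\invoice.pdf.scr (hash match)"},
    {"id": 36651, "source": "CryptoPreventHP",
     "message": r"HoneyPot file modified: C:\Users\alice\Documents\~$bait.docx"},
    {"id": 36652, "source": "CryptoPrevent Program Filter",
     "message": r"Blocked C:\Windows\Temp\7zO1234\setup.exe"},
    {"id": 4624, "source": "Microsoft-Windows-Security-Auditing",
     "message": "An account was successfully logged on."},
]

if __name__ == "__main__":
    counts, paths = triage(SAMPLE_EVENTS)
    for protection, n in counts.most_common():
        print(f"{n:3} {protection}")
    print("whitelist candidates:", *paths, sep="\n  ")
```

The candidate list is deliberately the exact path rather than a wildcard, matching the /a= rule's "full file/path NO WILDCARDS" requirement and the Policies tab's advice that whitelist entries be as specific as possible.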
CryptoPrevent Updates Tab
Updates tab:
Enable a daily update schedule
runs at the hour of your choosing or at a randomly picked time.
A button is provided for manually checking for updates (also available if enabling the daily update schedule checkbox fails).
Additional hash definitions will be downloaded from our servers if the Extended Hash Definitions option is checked.
As of this writing, over 50,000 base definitions are applied, and that number increases to over 70,000 with that option enabled.
Note this list is not as well vetted as the standard definitions and may result in false positives
CryptoPrevent About Tab
About tab:
This tab displays information about CryptoPrevent including its history, evolution, and honorable mentions.
CryptoPrevent Applying Protections (Plan/Custom Settings) & Final Notes
Applying Protections (Plan or customized selected)
Once you have confirmed all your desired settings, click the Apply Protection Plan button. Depending on the plan and number of protections selected, it may take several minutes to apply protections.
You may also be prompted to whitelist all executables located in locations that will be blocked.
Please ensure that your system is malware free prior to installing CryptoPrevent, and particularly prior to answering yes to the question about whitelisting.
After the settings are applied, you will be prompted to reboot.
There is no guarantee that protections will be enabled unless a reboot is performed.
After rebooting, please test all your applications and ensure that they function as expected.
If you note any problems you feel may be caused by CryptoPrevent, you can review the History tab to determine what may have happened.
Remediation will include either whitelisting or alteration of protection settings.
If you need additional assistance or advice in that, please contact our Help Desk via email: support@d7xtech.com
CryptoPrevent->Command Line Parameters (Premium Only Feature)
Command Line Parameters (Premium Only Feature):
/undo
Remove protections but leave whitelists
/undoall
Remove protections and all whitelists
/l=#
Set a specific plan level set of protections
Note: l is a lowercase L
#=0 for None Protection Plan
=1 for Minimal Protection Plan
=2 for Default Protection Plan
=3 for Maximum Protection Plan
=5 for Extreme Protection Plan
=a for Custom Plan (this won't actually apply any new settings; it will just reapply the current settings)
/whitelist
Whitelist all EXEs in protected locations
/enablesidebar
Enable Sidebar and Gadgets
/disablesidebar
Disable Sidebar and Gadgets
For the following protections a "=0" can be added to disable the protection. Enabling the protection does not require additional parameters.
You may also want to run “/apply” to ensure settings have been fully applied.
/bcdedit
Prevent bcdedit from execution on the system
/syskey
Prevent syskey from execution on the system
/cipher
Prevent cipher from execution on the system
/vssadmin
Prevent vssadmin from execution on the system
/known
Enable Prevent known malware from starting on Protection Settings->Software Restriction Policies->Default Plan
/programdata
Enable %programdata% on Protection Settings->Software Restriction Policies->Default Plan
/userprofile
Enable %userprofile% on Protection Settings->Software Restriction Policies->Default Plan
/startup
Enable Startup Folders on Protection Settings->Software Restriction Policies->Default Plan
/bin
Enable Recycle Bin on Protection Settings->Software Restriction Policies->Minimum Plan
/appdata
Enable %appdata% on Protection Settings->Software Restriction Policies->Minimum Plan
/appdatadeep
Enable %appdata%\* on Protection Settings->Software Restriction Policies->Minimum Plan
/localappdata
Enable %localappdata% on Protection Settings->Software Restriction Policies->Minimum Plan
/localappdatadeep
Enable %localappdata%\* on Protection Settings->Software Restriction Policies->Maximum Plan
/fakeexts
Enable Double File Extensions on Protection Settings->Software Restriction Policies->Minimum Plan
/tempexes
Enable Block Executables Temporarily Extracted from Archives on Protection Settings->Software Restriction Policies->Maximum Plan
/w=[filename.ext]
Whitelist a specific executable in %appdata%
/p=[filename.ext]
Whitelist a specific executable in %programdata%
/u=[filename.ext]
Whitelist a specific executable in %userprofile%
/s=[filename.ext]
Whitelist a specific executable in Startup Folder
/a=[custom allow policy rule]
Custom allow rule; full file/path NO WILDCARDS
/b=[custom block policy rule]
Custom block rule; wildcards supported
You can add multiple entries by separating values with "," (comma)
/enablefiltermodule
Enable the filter module based on the current settings
/disableenablefiltermodule
Disables the filter module (regardless of current settings)
/noallowprompt
Disable allowing applications from running when blocked by filter module
/fs=[extensionType] (separate values with ‘,’ comma)
Add suspicious filter module for CPL, SCR, or PIF
/fc=[extensionType] (separate values with ‘,’ comma)
Add constant filter module for CPL, SCR, or PIF
/disablefs=[extensionType] (separate values with ‘,’ comma)
Remove suspicious filter module for CPL, SCR, or PIF
/disablefc=[extensionType] (separate values with ‘,’ comma)
Remove constant filter module for CPL, SCR, or PIF
/updatehour=[XX] or Random
Defines update hours for scheduled updates
(XX should be between 00 and 23)
(Assumes /enableupdates command as well)
/killemall
Kills all non-essential running processes
/test + /silent
Writes a file w/ text 0 or 1 to show protections status
/test
Displays a form to show protection status
/silent
Silent Mode
/reboot
Reboots the system (final operation if other parameters are defined)
/nogpupdate
Skip the group policy update after changes
/apply
Apply protection and alert when completed
/logging or /debug
Enable logging output to logs folder
/emailusername=”user@addy.com”
/emailsamesendtofromaddy
or use the following together:
/emailfromaddy=”user@addy.com”
/emailsendtoaddy=”user@addy.com”
/emailpassword=”password”
/emailserver=”serverAddress”
/emailport=”portNumber”
/emailauthenable
(Add =0 to disable)
/emailstarttlsenable
(Add =0 to disable)
/emailsslenable
(Add =0 to disable)
/clientemailid=”Client ID to be added to Email Subject”
/emaillocksettings
(Add =0 to disable)
Only applies to Bulk or White-Label Editions
/ProxyUpdateEnabled (add ‘=0’ to disable)
Enables proxy for update operations
/ProxyUpdateAddress=[domain]
Set proxy address to specified domain or IP for update operations
/ProxyUpdatePort=[Port#]
Set proxy port number for update operations
/ProxyUpdateUser=[userName]
Set proxy username for update operations
/ProxyUpdatePassword=[password]
Set proxy password for update operations
/ProxyUpdateSocksEnabled (add ‘=0’ to disable)
Set proxy to be SOCKS proxy instead of HTTP proxy for update operations
/ProxyEmailEnabled (add ‘=0’ to disable)
Enables proxy for email operations
/ProxyEmailAddress=[domain]
Set proxy address to specified domain or IP for email operations
/ProxyEmailPort=[Port#]
Set proxy port number for email operations
/ProxyEmailUser=[userName]
Set proxy username for email operations
/ProxyEmailPassword=[password]
Set proxy password for email operations
/ProxyEmailSocksEnabled (add ‘=0’ to disable)
Set proxy to be SOCKS proxy instead of HTTP proxy for email operations
/ProxySame (add ‘=0’ to disable)
Apply the same proxy settings for email as are applied for updates
/ProxyFromFile=[ini file location]
Applies proxy settings from an INI file format
Example Proxy INI File contents:
[Proxy]
UpdateSameEmail=1 or 0
UpdateEnabled=1 or 0
ProxyAddressU=testAddress
ProxyPortU=1234
ProxyAuthU=1 or 0
ProxyUserU=userName
ProxyPassU=password
ProxySocksU=1 or 0
EmailEnabled=1 or 0
ProxyAddressE=testAddress
ProxyPortE=1234
ProxyAuthE=1 or 0
ProxyUserE=userName
ProxyPassE=password
ProxySocksE=1 or 0
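For unattended Bulk/White-Label rollouts it is easy to mistype a switch or pass a wildcard to /a=, and the mistake only surfaces on the client. The following Python is an added example for this page, not part of CryptoPrevent: it assembles a command line from the parameters documented above, rejecting values the documented syntax does not accept (unknown plan name, an undocumented =0-style switch, a file type other than CPL/SCR/PIF, an update hour outside 00-23, a wildcard in an allow rule), and renders the [Proxy] section consumed by /ProxyFromFile=. The switch names, plan numbers and INI keys are those on this page; the proxy host, user name and whitelisted path in the usage are constructed. It does not run CryptoPrevent.exe itself; hand the returned list to your deployment tool.

```python
# Added example: validated CryptoPrevent.exe command lines and a /ProxyFromFile INI.
# Not CryptoPrevent code; switch names and INI keys are those documented on this page.
PLAN_LEVELS = {"none": "0", "minimal": "1", "default": "2",
               "maximum": "3", "extreme": "5", "custom": "a"}   # values for /l=#

# Protection switches that accept an optional "=0" to disable the protection.
TOGGLES = {"bcdedit", "syskey", "cipher", "vssadmin", "known", "programdata",
           "userprofile", "startup", "bin", "appdata", "appdatadeep",
           "localappdata", "localappdatadeep", "fakeexts", "tempexes"}
FILTER_TYPES = ("CPL", "SCR", "PIF")        # the only types /fs= and /fc= accept


def _filter_list(values):
    names = [v.upper() for v in values]
    bad = [n for n in names if n not in FILTER_TYPES]
    if bad:
        raise ValueError(f"filter module handles only {FILTER_TYPES}, not {bad}")
    return ",".join(names)


def build_args(plan=None, enable=(), disable=(), suspicious=(), constant=(),
               allow_rules=(), block_rules=(), update_hour=None,
               silent=False, apply=True, reboot=False):
    """Return argv for an unattended run; raise ValueError on anything the
    documented syntax would not accept, so mistakes fail before deployment."""
    args = ["CryptoPrevent.exe"]
    if plan is not None:
        args.append("/l=" + PLAN_LEVELS[plan])          # KeyError on an unknown plan name
    for name in (*enable, *disable):
        if name not in TOGGLES:
            raise ValueError(f"/{name} is not a documented =0-style protection switch")
    args += [f"/{n}" for n in enable] + [f"/{n}=0" for n in disable]
    if suspicious:
        args.append("/fs=" + _filter_list(suspicious))
    if constant:
        args.append("/fc=" + _filter_list(constant))
    for rule in allow_rules:                            # /a= takes full paths, no wildcards
        if "*" in rule or "?" in rule:
            raise ValueError(f"allow rules must be full paths without wildcards: {rule}")
    for rule in (*allow_rules, *block_rules):           # "," is the list separator
        if "," in rule:
            raise ValueError(f"rule contains the list separator ',': {rule}")
    if allow_rules:
        args.append("/a=" + ",".join(allow_rules))
    if block_rules:
        args.append("/b=" + ",".join(block_rules))
    if update_hour is not None:                         # implies /enableupdates
        if str(update_hour).lower() == "random":
            args.append("/updatehour=Random")
        elif str(update_hour).isdigit() and 0 <= int(update_hour) <= 23:
            args.append(f"/updatehour={int(update_hour):02d}")
        else:
            raise ValueError("update hour must be 00-23 or Random")
    if silent:
        args.append("/silent")
    if apply:
        args.append("/apply")
    if reboot:
        args.append("/reboot")          # documented as the final operation: keep it last
    return args


def proxy_ini(update=None, email=None, same_for_email=False):
    """Render the [Proxy] section read by /ProxyFromFile=. `update` and `email` are
    dicts with address, port, user, password and socks keys, or None when disabled."""
    lines = ["[Proxy]", f"UpdateSameEmail={int(same_for_email)}"]
    for label, suffix, cfg in (("Update", "U", update), ("Email", "E", email)):
        lines.append(f"{label}Enabled={int(cfg is not None)}")
        if cfg is None:
            continue
        lines += [f"ProxyAddress{suffix}={cfg['address']}",
                  f"ProxyPort{suffix}={int(cfg['port'])}",
                  f"ProxyAuth{suffix}={int(bool(cfg.get('user')))}",
                  f"ProxyUser{suffix}={cfg.get('user', '')}",
                  f"ProxyPass{suffix}={cfg.get('password', '')}",
                  f"ProxySocks{suffix}={int(bool(cfg.get('socks')))}"]
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    # Constructed deployment: Default plan, vssadmin and cipher blocked, one exact whitelist entry.
    print(" ".join(build_args(plan="default", enable=["vssadmin", "cipher"],
                              suspicious=["cpl", "scr"], constant=["pif"],
                              allow_rules=[r"C:\Users\alice\AppData\Roaming\VendorApp\VendorApp.exe"],
                              update_hour=3, silent=True, reboot=True)))
    print(proxy_ini(update={"address": "proxy.corp.example", "port": 3128,
                            "user": "svc-updates", "password": "s3cret"}, same_for_email=True))
```

Because the proxy and email password switches carry credentials in clear text, prefer the INI file (with restrictive NTFS permissions) over putting /ProxyUpdatePassword= or /emailpassword= on a command line that ends up in deployment logs.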
WARNING: These settings are designed and should be used for advanced users only or as directed by Foolish IT support staff. Misuse of these setting can severely impact the performance and ability of both FolderWatch and the HoneyPot Detection Protection features in CryptoPrevent. Use these options at your own risk and in most cases here less is more and being specific is safer!
Whitelist Process from being Killed
One entry per line
This option applies to the Kill Apps Now button on the Apply Protection tab, the options available in the right click menu of the system tray, and to the ability of FolderWatch service killing tasks during a HoneyPot Detection activation
Only the executable name with extension is needed and is not case sensitive (ex. c:\program files\InstalledProgram\InstalledProgram.exe would only need to have a line entry of “installedprogram.exe”)
Notes:
It is not recommended to add any browser process name as these are the most common apps you want to be killed easily and most modern browsers save the sessions fairly well
Common programs you may want to add would be a word processor, other office productivity applications, or database applications. However, since these can be used as points of attack, you may want to be very conservative in adding these too; shortening the autosave interval may be a better route.
FolderWatch Whitelist Path
One entry per line
This option allows entire folders or specific files or files in locations to be ignored by FolderWatch
This can be useful if a file requires a file lock and will not share access with FolderWatch in folders monitored by FolderWatch
a line entry ending with a trailing backslash ignores the entire folder
ex:
<ad>\programV18.*\ would have FolderWatch ignore the entire folder for a path where the version number changes in application data (roaming for vista+)
c:\installed program\programfilename.* would have FolderWatch ignore filenames matching with any extension
c:\installed program\programfileV*.exe would have FolderWatch ignore filenames with variable version numbers with matching extension
HoneyPot Whitelist Pattern
One entry per line
This can be used to allow files that might match a built-in blacklisted pattern, helpful when filenames in folders monitored by FolderWatch might be similar or the same as some ransomware variants
Note that each check for a whitelisted pattern adds time to the checks against blacklisted patterns, meaning that ransomware could remain active and encrypt additional files before FolderWatch is able to detect and kill it. It may be better to ignore specific files or types that match patterns using the FolderWatch Whitelist Path option instead.
If a false positive is triggered with the *.crypto pattern, *.crypto can be added to a line to ignore future matches
<ad>\programV18.*\ would have HoneyPot detection ignore the entire folder for a path where the version number changes in application data (roaming for vista+)
c:\installed program\programfilename.* would have HoneyPot Detection ignore filenames matching with any extension
HoneyPot Blacklist Pattern
One entry per line
This can be used to create your own encryption pattern matching options
<ad>\programV18.*\ would have HoneyPot Detection triggered if the folder has files created or changed where the version number changes in the folder in application data (roaming for vista+)
c:\installed program\programfilename.* would have HoneyPot Detection triggered if filenames matching with any extension are created or changed in that specific folder
Custom HoneyPot Files
One entry per line
Allows you to:
create your own honeypot files named with or without default extensions
Syntax per line:
filename|filetype|extensionsdisabled
the pipe (|) character must separate the three fields of each custom honeypot file definition, and all three must be defined as described or errors or unexpected results may occur
filename=the custom file name you would like to be used (include extension if you are disabling the default extensions)
filetype=Normal, Hidden, or System which will create the custom file as indicated
extensionsdisabled=0 or 1, where 0 uses the default honeypot file extensions and removes any extension in the filename and 1 will not use the default honeypot file extensions and use the extension if defined in the filename above
enable or disable the default honeypot files creation
to disable the default honeypot files add a single line entry of:
nodefault
disabling default honeypot files and not adding custom files of your own will cause honeypot detection to operate on file/folder name pattern matching alone
to leave the default files created just do not add that line and the default files with various filenames will be created as system files as is the standard as well as any custom files you have defined
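Because a malformed Custom HoneyPot Files entry can produce "errors or unexpected results" on the client, it is worth validating the list before it goes into a Bulk configuration. The following Python is an added example for this page, not CryptoPrevent's own parser: it checks each filename|filetype|extensionsdisabled line against the rules above, honours the nodefault line, and expands the result into the file names that would be created in each protected root. The default bait extensions are not published on this page, so the three used here are constructed stand-ins, and the choice to create one file per default extension when extensionsdisabled=0 is an assumption.

```python
FILETYPES = {"normal", "hidden", "system"}
# Assumption: the real default bait extensions are not documented here; these are stand-ins.
DEFAULT_EXTENSIONS = ("docx", "xlsx", "jpg")


def parse_honeypot_spec(text: str) -> dict:
    """Validate the Custom HoneyPot Files list; raise ValueError with the offending line."""
    spec = {"use_defaults": True, "files": []}
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line:
            continue
        if line.lower() == "nodefault":          # single line that disables the default files
            spec["use_defaults"] = False
            continue
        parts = line.split("|")
        if len(parts) != 3:
            raise ValueError(f"line {lineno}: expected filename|filetype|extensionsdisabled, got {raw!r}")
        name, ftype, extdis = (p.strip() for p in parts)
        if not name:
            raise ValueError(f"line {lineno}: empty filename")
        if ftype.lower() not in FILETYPES:
            raise ValueError(f"line {lineno}: filetype must be Normal, Hidden or System, got {ftype!r}")
        if extdis not in ("0", "1"):
            raise ValueError(f"line {lineno}: extensionsdisabled must be 0 or 1, got {extdis!r}")
        spec["files"].append({"name": name, "attributes": ftype.capitalize(),
                              "extensions_disabled": extdis == "1"})
    return spec


def planned_files(spec: dict) -> list:
    """(filename, attributes) pairs that would be created in each protected root.
    extensionsdisabled=0: strip any extension and use the default extensions
    (assumption: one bait file per default extension);
    extensionsdisabled=1: use the name exactly as written, extension included."""
    out = []
    for f in spec["files"]:
        if f["extensions_disabled"]:
            out.append((f["name"], f["attributes"]))
        else:
            stem = f["name"].rsplit(".", 1)[0] or f["name"]
            out += [(f"{stem}.{ext}", f["attributes"]) for ext in DEFAULT_EXTENSIONS]
    return out


def detection_mode(spec: dict) -> str:
    """With no default and no custom files, detection falls back to pattern matching alone."""
    if spec["use_defaults"] or spec["files"]:
        return "bait files + pattern matching"
    return "pattern matching only"


# Constructed sample list: one custom file with default extensions, one with its own, defaults off.
SAMPLE_SPEC = "bait|Hidden|0\nledger.xlsx|System|1\nnodefault\n"

if __name__ == "__main__":
    spec = parse_honeypot_spec(SAMPLE_SPEC)
    print(detection_mode(spec))
    for name, attrs in planned_files(spec):
        print(f"{attrs:7} {name}")
```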
CPv8 Client Manual in Video Format
View on Youtube to access segmented times and additional links in the description
CryptoPrevent v8 Bulk Creator Manual
CryptoPrevent Bulk Creator Installation
Installation of CryptoPrevent Bulk Creator is carried out with very few steps:
Extract the ZIP archive downloaded from our site to a location of your choosing and make note of the location. This file contains the installer/setup routine for CryptoPrevent.
Launch the installer executable file from the above location.
Click next.
It is not possible to proceed without accepting the license agreement and clicking next.
Choose whether or not to create a desktop shortcut and click next.
Click install to initiate the installation.
Click finish to close the installation and launch the tool. Uncheck the box shown if you do not want to proceed at this time.
CryptoPrevent Bulk Creator Main Interface
CryptoPrevent Creator-Configurator Tool Main Interface
Please enter in your company name for purchase identification purposes and the product key that was delivered as part of your bulk purchase.
Copy and paste your product key exactly as you received it.
The key should automatically validate after a delay that may last for a minute or more.
If the information was entered correctly and was validated successfully, the bottom portion of the tool will be exposed.
Ensure your version of the Creator is up to date using the Configurator setup & “Get Latest Update” button on the far right prior to a new submission
CryptoPrevent Bulk Creator Load/Save ConfigTab
Load/Save Config tab
The top portion of the tool’s interface shows the total number of remaining licenses associated with the product key previously entered.
In the above example, 99 installations/licenses are available to assign to a particular configuration.
Once installations/licenses are assigned to a particular configuration, they are reduced from your overall remaining installations.
Installations/licenses may be retrieved from a configuration as long as they have not been deployed.
Placing a smaller number of installs than originally specified or a zero in the Define Number of Installs for Configuration field will increase your overall remaining installations.
The loss of a configuration with installations/licenses attached will result in the loss of those installations/licenses.
For this reason, we provide backup and restore buttons to safeguard your configurations. Please do not hesitate to frequently utilize those buttons.
The standard steps you would want to follow to create a configuration are the following:
Assuming you have more than 0 “Overall Remaining Installations:” available.
Enter a name for the configuration
this name is for your reference only
the client in most all circumstances will not see this configuration name
however it is stored in an ini file on their system so keep that in mind when naming configurations
Enter a positive number in the “Define Number of Installs for Configuration” box
this is the number of installs the created installer will be able to be used on
this number can be increased/decreased in the future as long as
additional “Overall Remaining Installations” are available to increase the configuration’s remaining installs
there are “Installs Remaining on Configuration” to decrease, which will be added back to the “Overall Remaining Installs”
once the number of remaining installs on the configuration are at 0
the created installer will no longer install the premium version with your defined settings on new systems
This installer can still be used to reinstall on systems currently consuming a license under this bulk key
a 0 (“zero”) can be entered here to disable the created installer from installing additional installs
This installer can still be used to reinstall on systems currently consuming a license under this bulk key
if you enter the same number as the “Installs Remaining on Configuration”, no licenses changes will be made
this is useful if you want to change the configuration and resubmit for a new installer that has different settings
Save/Update Current Configuration
Backup Configurations to Zip
save this backup in a secure location
it is password protected, you will be prompted to enter a password at time of backup creation
Foolish IT has no access to this password
if it is lost/forgotten, it is unlikely that it will be recoverable
you should only need to restore this backup if:
you uninstall the CryptoPrevent Creator-Configuration tool from the system
the system with your configurations suffers a failure and needs to be reloaded
Adjusting the “Installs Remaining on Configuration” can be done by ensuring the appropriate configuration is loaded and then following steps 3-5 above
You can load a saved configuration using the “Load a Previously Saved Configuration” button
this will allow you to adjust the remaining installs
this will automatically apply to the currently created installer
or change the settings on the configuration
this would require submitting the configuration again and having a new installer created
note this may incur a charge for additional installer creation
additional information on the Submit tab documentation
CryptoPrevent Bulk Creator Protections Tab
Protections tab
The Minimum plan includes:
Software restriction policy path rules for the appdata folder, all folders beneath appdata, the “local” (as opposed to “roaming”) appdata folder, and the Recycle Bin.
It also includes protections related to program naming, including blocking of double file extensions and exploits related to the direction of text interpretation.
Please follow the provided link for more information regarding the right-to-left override character:
View the client documentation for more information on the specific locations these locations include
The Default plan includes:
Software restriction policy path rules for the programdata folder, the user profiles folders, and the start menu startup folders.
Three additional Windows utilities are also potentially blocked under this plan, vssadmin.exe, syskey.exe, and cipher.exe.
Please note that these are legitimate tools that have been known to be co-opted by malicious software.
If you have no use of these tools and you do not use applications that rely upon them, you may safely enable those protections.
The miscellaneous protections included in the Default plan block some additional vectors for existing malware and add the option to disable the use of legacy "Sidebar and Gadgets" applications.
Disabling "Sidebar and Gadgets" is recommended by Microsoft due to known security implications of their usage:
View the client documentation for more information on the specific locations these locations include
The Maximum plan includes:
Software restriction policy path rules for the subfolders beneath localappdata and folders where files are temporarily extracted from archives, such as ZIP files
The Block Windows Programs section will optionally prevent the use of the following Windows utilities: bcdedit.exe, wscript.exe, and cscript.exe.
Disable Windows Script Host option
You may not want to enable this option because long login delays were reported when enabling this option in environments that utilize login scripts.
It should be safe to enable this option in a non-domain environment and when you do not rely upon the use of Windows scripts.
View the client documentation for more information on the specific locations these locations include
The default selections (shown in the picture above) are the recommended “set and forget” options that should not cause issues with any legitimate applications
these are the same protections as selecting the Default Protection plan in the CryptoPrevent client
CryptoPrevent Bulk Creator Filter Module Tab
Filter Module tab:
Filter Module
can either selectively block certain executable file types or indiscriminately block them.
The top three check boxes for the .cpl, .scr, and .pif file types will check each file against our malware definitions and block it if a match is found.
The lower three check boxes may be selected to always prevent the execution of the respective file types.
Program filtering for .exe and .com executables is always based upon definitions because preventing them always would prevent most, if not all, software from operating.
The notification prompt settings on the right side only pertain to the .cpl, .scr, and .pif file types.
We recommend the default value of Message Box Alert for the notification prompt.
View the client documentation for more information on these protections
The default selections (shown in the picture above) are the recommended “set and forget” options that should not cause issues with any legitimate applications
these are the same protections as selecting the Default Protection plan in the CryptoPrevent client
CryptoPrevent Bulk Creator FolderWatch Tab
FolderWatch tab:
FolderWatch provides additional monitoring of a selection of common folders and, optionally, custom folders.
Files flagged as potentially malicious will be quarantined in the folder specified here.
It is important to note that subfolders are monitored in the case of the predefined user folders but not in the case of custom folders.
It would be necessary to individually add subfolders to the custom list in order for them to be monitored.
d7x Variables can be used in the Custom Locations to apply protections generically to various OS versions and 32/64 bit versions
note it should be defined one line per folder
The HoneyPot feature related to FolderWatch places numerous files around your PC to act as bait.
When activity is detected against these files, the HoneyPot feature will do everything in its power to prevent any further system activity, including slowing the system and only allowing it to be rebooted or shutdown.
When this feature is activated, the idea is that the system has been grievously compromised and your data is at risk from malicious activity.
As such, it is a “last ditch” effort to preserve your data with the hopes that only our bait files will be compromised and not any legitimate data.
Please use this feature with caution as there is the possibility of false positives due to the fact that any manipulation of the HoneyPot files will trigger our HoneyPot protections.
If this feature is enabled it is highly recommended you enable the QuickAccess Tray Icon under the Installer tab as well
otherwise the end user will not be notified and the system will shut down without warning when the HoneyPot feature is activated
an event will still be written to the event log and an email alert (if enabled) will be sent regardless of whether the QuickAccess Tray Icon is enabled
View the client documentation for more information on these protections
The default selections (shown in the picture above) are the recommended “set and forget” options that should not cause issues with any legitimate applications; these are the same protections as selecting the Default Protection plan in the CryptoPrevent client.
CryptoPrevent Bulk Creator Policies Tab
Policies tab:
Software Restriction Policy (SRP) Whitelist:
The whitelist is a list of programs explicitly allowed via software restriction path rules.
We provide a “Whitelist EXEs already located in blocked locations upon install” checkbox to simplify adding all existing items in blocked locations to the whitelist during client installation.
You may predefine whitelist policies using the Define button.
d7x Variables can be used in the Custom Locations to apply protections generically across OS versions and 32/64-bit versions.
Note: define one folder per line.
Whitelist policies should be as specific as possible to avoid being overridden by a more specific blacklist entry.
This concern comes into play when using wildcards, so the use of wildcards should be avoided in whitelist rules if possible.
SRP Blacklist:
The blacklist is a list of programs explicitly blocked via software restriction path rules.
It is possible to use wildcards in blacklist policies.
Feel free to add additional rules using the Define button to enhance protections for your specific environment.
d7x Variables can be used in the Custom Locations to apply protections generically across OS versions and 32/64-bit versions.
Note: define one folder per line.
User Hash Definitions:
Similar to the whitelist and blacklist software restriction policies, our hash definitions also use lists to either allow or block specific hash definitions.
Use the Define buttons to allow (whitelist) or disallow (blacklist) a hash, either to remove a false positive or to add protection beyond the base definitions.
Note: define one entry per line.
View the client documentation for more information on these protections
The default selections (shown in the picture above) are the recommended “set and forget” options that should not cause issues with any legitimate applications; these are the same protections as selecting the Default Protection plan in the CryptoPrevent client.
CryptoPrevent Bulk Creator Updates Tab
Updates tab:
The updates tab allows you to enable a daily update schedule that runs at the hour of your choosing or at a randomly picked time.
You may disable the reboot prompt for installation under Windows XP using the provided check box.
Additional hash definitions will be downloaded from our servers if the Enable Extended Definitions Files *beta* option is checked.
As of this writing, over 50000 base definitions are applied and that number increases to over 70000 with that option enabled.
View the client documentation for more information on these protections
The default selections (shown in the picture above) are the recommended “set and forget” options that should not cause issues with any legitimate applications; these are the same protections as selecting the Default Protection plan in the CryptoPrevent client.
CryptoPrevent Bulk Creator Email Settings Tab
Email Settings tab:
This tab is used to enable email notifications of alerts.
Alerts will be emailed using the provided credentials and options.
Settings must be specified for every option except for email subject line text.
Please note that Google will block external SMTP access unless you enable the “use less secure apps” option in your Gmail account settings.
This restriction applies to any software that uses Google’s SMTP access and is not specific to CryptoPrevent.
For example, Microsoft Outlook is affected by this as well.
Please ensure your settings are correct by using the Send Test Email button.
This tab contains various options relating to how the installer we provide functions.
Please note that it is not possible to uncheck the option to apply protection silently after installation with the bulk edition of CryptoPrevent.
All installations with the CryptoPrevent Bulk client software silently apply protections;
however, it is necessary to specify the /verysilent command line parameter for a completely silent installation that needs no user interaction.
Additional checkboxes are provided for options relating to automatically launching the tray app for notifications, creating additional shortcut icons, and automatic restart preferences.
Note: applying protections after install can take a long time depending on the system
you can check the task manager to verify when CryptoPrevent.exe
Optionally, you can check “Restart After Install” to ensure protections are set by waiting for the system to reboot on its own after applying protections.
This tab is used to submit your configuration to us.
We will build you an installer upon reception of your settings.
One of our staff will review each submission before completing your build.
Any information you may wish to communicate to us may be placed in the Notes for Installer field.
example: “This installer is just for testing”
The name, email, and password fields for the zip archive containing your .exe and .msi custom installer are all required fields.
The submission process requires access to port 465 for an SSL email connection; please ensure this port is open for CryptoPrevent if there is an error submitting your configuration.
Only one installer is included with your purchase
however, we do allow testing of your settings and will rebuild an installer for you if you encounter problems during this testing period
Note: test installers usually only include 1-2 licenses and we can add these back once you have completed your testing
Additional installers beyond the first one may be purchased for $25
by making a payment at the below link
using “Custom Installer” as the payment description
Please allow up to 24 hours for your installer to be built and delivered.
Normally this occurs much more quickly during our normal business hours, 0900-1800 EST Mon-Fri.
Our offices may be closed and our staff unavailable on weekends and many federal holidays observed by the United States.
Additional Notes on the Installer that is created:
Your custom installer contains your licensing codes.
You are not authorized to make your custom installer available to any third party or provide a public link to your custom installer.
Installations and licenses consumed by your custom installer are considered authorized by you.
You will be responsible for all usage of your custom installer.
If we believe your custom installer to be in violation of our licensing terms, we reserve the right to terminate the licenses and ban the associated codes.
For additional assistance, please send all communications to sales [at] foolishit.com or support [at] foolishit.com for the fastest response.
These settings only apply to the client system the installer created is used on (does not apply to the Creator-Configuration Tool itself)
Enable Proxy Settings
Enables proxy settings defined for update/download operations
Proxy Server Address (domain or IP only)
Port
Username
Password
Socks 5 Proxy enable/disable
Use the same proxy settings for email
Enable or disable using the same proxy settings defined for updates for sending emails as well
Enable Proxy Settings
Enables proxy settings defined for email operations
Proxy Server Address (domain or IP only)
Port
Username
Password
Socks 5 Proxy enable/disable
CryptoPrevent v8 White-Label Creator Manual
CryptoPrevent White-Label Installation
Installation of CryptoPrevent White-Label Creator is carried out with very few steps:
Extract the ZIP archive downloaded from our site to a location of your choosing and make note of the location. This file contains the installer/setup routine for CryptoPrevent.
Launch the installer executable file from the above location.
Click next.
It is not possible to proceed without accepting the license agreement and clicking next.
Choose whether or not to create a desktop shortcut and click next.
Click install to initiate the installation.
Click finish to close the installation and launch the tool. Uncheck the box shown if you do not want to proceed at this time.
CryptoPrevent White-Label Main Interface
CryptoPrevent Creator-Configurator Tool Main Interface
Please enter in your company name for purchase identification purposes and the product key that was delivered as part of your White-Label purchase.
The vast majority of white label edition licenses that exist are not subscription based.
Please only use the Whitelabel Subscription checkbox if you were provided with a username and password as part of a prior purchase.
In the case of subscriptions, it is necessary to check the box for that and enter your provided username and password.
The Test Login button must then be pressed to validate your information.
Copy and paste your product key exactly as you received it.
The key should automatically validate after a delay that may last for a minute or more.
If the information was entered correctly and was validated successfully, the bottom portion of the tool will be exposed.
You always want to make sure the Creator tool is up to date.
The latest version of CP is shown in the top right; click the “Get Latest Update” button to upgrade the Creator.
This ensures any installers you create are up to date at the time you build them.
Inno Setup is required to build your custom installer and it is necessary to either use the provided button or install it manually to complete a build.
The top portion of the tool’s interface shows the total number of remaining licenses associated with the product key previously entered.
In the above example, 99 installations/licenses are available to assign to a particular configuration.
Once installations/licenses are assigned to a particular configuration, they are reduced from your overall remaining installations.
Installations/licenses may be retrieved from a configuration as long as they have not been deployed.
Placing a smaller number of installs than originally specified or a zero in the Define Number of Installs for Configuration field will increase your overall remaining installations.
The loss of a configuration with installations/licenses attached will result in the loss of those installations/licenses.
For this reason, we provide backup and restore buttons to safeguard your configurations. Please do not hesitate to frequently utilize those buttons.
The standard steps you would want to follow to create a configuration are the following:
Assuming you have more than 0 “Overall Remaining Installations:” available.
Enter a name for the configuration
this name is for your reference only
in almost all circumstances the client will not see this configuration name;
however, it is stored in an .ini file on their system, so keep that in mind when naming configurations
Enter a positive number in the “Define Number of Installs for Configuration” box
this is the number of installs the created installer will be able to be used on
this number can be increased/decreased in the future as long as
additional “Overall Remaining Installations” are available to increase the configuration’s remaining installs
there are “Installs Remaining on Configuration” to decrease, which will be added back to the “Overall Remaining Installs”
once the number of remaining installs on the configuration are at 0
the created installer will no longer install the premium version with your defined settings on new systems
This installer can still be used to reinstall on systems currently consuming a license under this White-Label key
a 0 (“zero”) can be entered here to disable the created installer from installing additional installs
This installer can still be used to reinstall on systems currently consuming a license under this White-Label key
if you enter the same number as the “Installs Remaining on Configuration”, no license changes will be made
this is useful if you want to change the configuration and resubmit for a new installer that has different settings
Save/Update Current Configuration
Backup Configurations to Zip
save this backup in a secure location
it is password protected, you will be prompted to enter a password at time of backup creation
Foolish IT has no access to this password
if it is lost/forgotten, it is unlikely that it will be recoverable
you should only need to restore this backup if:
you uninstall the CryptoPrevent Creator-Configuration tool from the system
the system with your configurations suffers a failure and needs to be reloaded
Adjusting the “Installs Remaining on Configuration” can be done by ensuring the appropriate configuration is loaded and then following steps 3-5 above
You can load a saved configuration using the “Load a Previously Saved Configuration” button
this will allow you to adjust the remaining installs
this will automatically apply to the currently created installer
or change the settings on the configuration
this would require submitting the configuration again and having a new installer created
note this may incur a charge for additional installer creation;
see the Submit tab documentation for additional information
CryptoPrevent White-Label Creator Protections Tab
Protections tab
The Minimum plan includes:
Software restriction policy path rules for the appdata folder, all folders beneath appdata, the “local” (as opposed to “roaming”) appdata folder, and the Recycle Bin.
It also includes protections related to program naming, including blocking of double file extensions and exploits related to the direction of text interpretation.
Please follow the provided link for more information regarding the right-to-left override character:
View the client documentation for more information on the specific locations these locations include
The Default plan includes:
Software restriction policy path rules for the programdata folder, the user profiles folders, and the start menu startup folders.
Three additional Windows utilities are also potentially blocked under this plan: vssadmin.exe, syskey.exe, and cipher.exe.
Please note that these are legitimate tools that have been known to be co-opted by malicious software.
If you have no use for these tools and you do not use applications that rely upon them, you may safely enable those protections.
The miscellaneous protections included in the Default plan will block some additional vectors for existing malware, and include the option to disable the use of legacy “Sidebar and Gadget” applications.
The “Sidebar and Gadget” option is recommended by Microsoft due to the known security implications of their use:
View the client documentation for more information on the specific locations these locations include
The Maximum plan includes:
Software restriction policy path rules for the subfolders beneath localappdata and folders where files are temporarily extracted from archives, such as ZIP files
The Block Windows Programs section will optionally prevent the use of the following Windows utilities: bcdedit.exe, wscript.exe, and cscript.exe.
Disable Windows Script Host option
You may not want to enable this option because long login delays were reported when enabling this option in environments that utilize login scripts.
It should be safe to enable this option in a non-domain environment and when you do not rely upon the use of Windows scripts.
View the client documentation for more information on the specific locations these locations include
The default selections (shown in the picture above) are the recommended “set and forget” options that should not cause issues with any legitimate applications; these are the same protections as selecting the Default Protection plan in the CryptoPrevent client.
can either selectively block certain executable file types or indiscriminately block them.
The top three check boxes, for the .cpl, .scr, and .pif file types, will check each file against our malware definitions and block it if a match is found.
The lower three check boxes may be selected to always prevent the execution of the respective file types.
Program filtering for .exe and .com executables is always based upon definitions because preventing them always would prevent most, if not all, software from operating.
The notification prompt settings on the right side only pertain to the .cpl, .scr, and .pif file types.
We recommend the default value of Message Box Alert for the notification prompt.
View the client documentation for more information on these protections
The default selections (shown in the picture above) are the recommended “set and forget” options that should not cause issues with any legitimate applications; these are the same protections as selecting the Default Protection plan in the CryptoPrevent client.
CryptoPrevent White-Label Creator FolderWatch Tab
FolderWatch tab:
FolderWatch provides additional monitoring of a selection of common folders and, optionally, custom folders.
Files flagged as potentially malicious will be quarantined in the folder specified here.
It is important to note that subfolders are monitored in the case of the predefined user folders but not in the case of custom folders.
It would be necessary to individually add subfolders to the custom list in order for them to be monitored.
d7x Variables can be used in the Custom Locations to apply protections generically across OS versions and 32/64-bit versions.
Note: define one folder per line.
The HoneyPot feature related to FolderWatch places numerous files around your PC to act as bait.
When activity is detected against these files, the HoneyPot feature will do everything in its power to prevent any further system activity, including slowing the system and only allowing it to be rebooted or shutdown.
When this feature is activated, the idea is that the system has been grievously compromised and your data is at risk from malicious activity.
As such, it is a “last ditch” effort to preserve your data with the hopes that only our bait files will be compromised and not any legitimate data.
Please use this feature with caution as there is the possibility of false positives due to the fact that any manipulation of the HoneyPot files will trigger our HoneyPot protections.
If this feature is enabled, it is highly recommended that you also enable the QuickAccess Tray Icon under the Installer tab;
otherwise the end user will not be notified and the system will shut down without warning when the HoneyPot feature is activated.
An event will still be written to the event log and an email alert (if enabled) will be sent regardless of whether the QuickAccess Tray Icon is enabled.
View the client documentation for more information on these protections
The default selections (shown in the picture above) are the recommended “set and forget” options that should not cause issues with any legitimate applications; these are the same protections as selecting the Default Protection plan in the CryptoPrevent client.
CryptoPrevent White-Label Creator Policies Tab
Policies tab:
Software Restriction Policy (SRP) Whitelist:
The whitelist is a list of programs explicitly allowed via software restriction path rules.
We provide a “Whitelist EXEs already located in blocked locations upon install” checkbox to simplify adding all existing items in blocked locations to the whitelist during client installation.
You may predefine whitelist policies using the Define button.
d7x Variables can be used in the Custom Locations to apply protections generically across OS versions and 32/64-bit versions.
Note: define one folder per line.
Whitelist policies should be as specific as possible to avoid being overridden by a more specific blacklist entry.
This concern comes into play when using wildcards, so the use of wildcards should be avoided in whitelist rules if possible.
SRP Blacklist:
The blacklist is a list of programs explicitly blocked via software restriction path rules.
It is possible to use wildcards in blacklist policies.
Feel free to add additional rules using the Define button to enhance protections for your specific environment.
d7x Variables can be used in the Custom Locations to apply protections generically across OS versions and 32/64-bit versions.
Note: define one folder per line.
User Hash Definitions:
Similar to the whitelist and blacklist software restriction policies, our hash definitions also use lists to either allow or block specific hash definitions.
Use the Define buttons to allow (whitelist) or disallow (blacklist) a hash, either to remove a false positive or to add protection beyond the base definitions.
Note: define one entry per line.
View the client documentation for more information on these protections
The default selections (shown in the picture above) are the recommended “set and forget” options that should not cause issues with any legitimate applications; these are the same protections as selecting the Default Protection plan in the CryptoPrevent client.
CryptoPrevent White-Label Creator Updates Tab
Updates tab:
The updates tab allows you to enable a daily update schedule that runs at the hour of your choosing or at a randomly picked time.
You may disable the reboot prompt for installation under Windows XP using the provided check box.
Additional hash definitions will be downloaded from our servers if the Enable Extended Definitions Files *beta* option is checked.
As of this writing, over 50000 base definitions are applied and that number increases to over 70000 with that option enabled.
Check for Updates after Install allows you to ensure when an installer is used the latest CryptoPrevent is installed
View the client documentation for more information on these protections
The default selections (shown in the picture above) are the recommended “set and forget” options that should not cause issues with any legitimate applications; these are the same protections as selecting the Default Protection plan in the CryptoPrevent client.
CryptoPrevent White-Label Creator Email Tab
Email Settings tab:
This tab is used to enable email notifications of alerts.
Alerts will be emailed using the provided credentials and options.
Settings must be specified for every option except for email subject line text.
Please note that Google will block external SMTP access unless you enable the “use less secure apps” option in your Gmail account settings.
This restriction applies to any software that uses Google’s SMTP access and is not specific to CryptoPrevent.
For example, Microsoft Outlook is affected by this as well.
Please ensure your settings are correct by using the Send Test Email button.
This tab contains various options relating to how the installer we provide functions.
You can force the protections to apply automatically and silently after install;
this removes the last step of the installation process, where it would otherwise still be necessary to apply the protections after installation.
There is also an option to force a reboot once protections have been silently applied;
however, it is necessary to specify the /verysilent command line parameter for a completely silent installation that needs no user interaction.
Note: applying protections after install can take a long time depending on the system
you can check the task manager to verify when CryptoPrevent.exe
Optionally, you can check “Restart After Install” to ensure protections are set by waiting for the system to reboot on its own after applying protections.
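A deployment wrapper for the silent-install sequence described here (and in the Bulk Creator installer notes above), as an added example that is not part of CryptoPrevent or this manual. The installer path is a placeholder for whatever the Creator produced; /verysilent is the Inno Setup switch named above. The assumption that CryptoPrevent.exe is the process applying protections after setup follows the Task Manager note, and the 15-second start delay and 30-minute cap are arbitrary choices of this example.

```powershell
# Added example, not CryptoPrevent's own code. Runs the Creator-built installer
# silently, waits for the post-install protection pass to finish, and checks
# that SRP rules were written to the registry.
$Installer = 'C:\Deploy\CryptoPrevent-CustomSetup.exe'   # placeholder: path to your custom installer

# /verysilent is the Inno Setup switch the manual names for a fully unattended install.
$setup = Start-Process -FilePath $Installer -ArgumentList '/verysilent' -PassThru -Wait
if ($setup.ExitCode -ne 0) {
    throw "Installer exited with code $($setup.ExitCode)"
}

# Assumption (from the Task Manager note above): CryptoPrevent.exe runs after setup
# to apply protections. Give it a moment to start, then poll until it exits,
# with a 30-minute cap chosen for this example.
Start-Sleep -Seconds 15
$deadline = (Get-Date).AddMinutes(30)
do {
    Start-Sleep -Seconds 10
    $applying = Get-Process -Name 'CryptoPrevent' -ErrorAction SilentlyContinue
} while ($applying -and (Get-Date) -lt $deadline)

if ($applying) {
    Write-Warning 'CryptoPrevent.exe is still running after 30 minutes; protections may not be fully applied yet.'
}

# Verify that SRP path rules now exist at the registry location Windows reads them from
# (security level 0 = Disallowed).
$disallowed = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Paths'
if (Test-Path $disallowed) {
    "{0} disallowed SRP path rules present" -f @(Get-ChildItem -Path $disallowed).Count
} else {
    Write-Warning 'No disallowed SRP path rules found; protections may not have been applied.'
}
```

Run this from an elevated PowerShell session on the target system; if you enabled “Restart After Install”, the reboot will interrupt the polling loop, so in that case run only the final registry check after the system comes back.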
Additional checkboxes are provided for options relating to automatically launching the tray app for notifications, creating additional shortcut icons, and automatic restart preferences.
Optional Installer Texts offers further customization of the installer itself for branding purposes.
EULA: offers supplemental terms and conditions for installation;
note the default CryptoPrevent EULA will always be included with the installer creation.
Info (Pre):
offers the ability to add information the end user reads prior to installation.
Info (Post):
offers the ability to add information the end user reads after the installation has completed.
You will want to have a .txt document ready with the text you would like to add for any of these options.
Branding Options
provides the ability to add your own logo and icon to CryptoPrevent
the logo is used when protections are being applied
you can see an example of its usage with the “Test BMP Logo” button after you have added a logo file
it is suggested you use a 24-bit BMP with dimensions of 280×190
the icon is used for shortcut icons, the upper left of the application and taskbar
Start Menu options
Apply & Undo protection options are always added to the start menu unless you uncheck the “Start Menu Launch CP” option
An additional option can be added to the start menu to open the main CryptoPrevent client interface
An additional web address can be added to the start menu location as well
CryptoPrevent White-Label Creator Tray Tab
Tray tab:
This tab is used to configure all aspects of the tray icon.
Each option available on the right-click menu is optional as are three custom options.
** indicates options that require administrative rights for the end user to actually be able to use them;
the tray app will prompt for elevation when needed
Custom options include the ability to:
Launch a program (e.g. a remote support tool)
Take a screenshot (e.g. useful when a user needs to show examples of an error)
Link to a web site (e.g. support ticket creation or a link to your site)
This tab is used to create your installer to deploy this configuration
It is highly recommended that you make installers only on a system you control,
and that you limit installer creation to a single system.
If the “Save/Create Custom Installer” button is greyed out/unavailable:
Ensure that “Inno Setup is:” in the top right shows as installed.
Inno Setup is required to be installed in its default location under the Program Files directory.
When the Save/Create Custom Installer button is used, this will also save your configuration.
Be sure to make a backup of your configurations regularly
See the Load/Save tab documentation for more information about this process
Additional Notes on the Installer that is created:
Your custom installer contains your licensing codes.
Installations and licenses consumed by your custom installer are considered authorized by you.
You will be responsible for all usage of your custom installer.
If we believe your custom installer to be in violation of our licensing terms, we reserve the right to terminate the licenses and ban the associated codes.
For additional assistance, please send all communications to sales [at] foolishit.com or support [at] foolishit.com for the fastest response.
These settings only apply to the client system the installer created is used on (does not apply to the Creator-Configuration Tool itself)
Enable Proxy Settings
Enables proxy settings defined for update/download operations
Proxy Server Address (domain or IP only)
Port
Username
Password
Socks 5 Proxy enable/disable
Use the same proxy settings for email
Enable or disable using the same proxy settings defined for updates for sending emails as well
Enable Proxy Settings
Enables proxy settings defined for email operations
Proxy Server Address (domain or IP only)
Port
Username
Password
Socks 5 Proxy enable/disable
Additional Documentation
(this documentation is from v7 some items may no longer apply or may vary slightly on v8 and later versions)
Software Restriction Policies
Software Restriction Policies Applied:
CryptoPrevent artificially implants group policy objects into the registry in order to block certain executables in certain locations from running. The number of rules created by CryptoPrevent is up to 350 depending on the OS and options selected! Note that because the group policy objects are artificially created, they will not display in the Group Policy Editor on a Professional version of Windows — but rest assured they are still there!
Executables protected against are *.exe, *.com, *.scr and *.pif, and these executables are blocked in the paths below, where * is a wildcard. (These locations are used by Cryptolocker and other malware as launch points.)
%appdata% and any first-level subdirectories in %appdata% (e.g. %appdata%\directory1, %appdata%\directory2, etc.)
%localappdata% (and on Windows XP, any first-level subdirectories in there.) NOTE beginning with v2.2, any time %localappdata% is referred to on this page, it also refers to %userprofile%\Local Settings\Application Data on Windows XP, where %localappdata% is not an actual environment variable.
The “All Users\Application Data” and “All Users\Local Settings\Application Data” paths on XP.
The Recycle Bin on all drives, and all nested subfolders.
the %userprofile% and %programdata% paths (no nested subfolders.)
the Startup folder located in the Start menu > All Programs > Startup
This option prevents SYSKEY.EXE, CIPHER.EXE, BCDEDIT.EXE, and VSSADMIN.EXE from running (in any location), as they are being exploited by recent malware. NOTE: any software requiring an automated special reboot sequence (e.g. booting AUTOMATICALLY into safe mode, recovery mode, a recovery partition, etc.) may fail with this protection option enabled!
Temp Extracted Executables in Archive Files:
%temp%\rar* directories
%temp%\7z* directories
%temp%\wz* directories
%temp%\*.zip directories
The final four locations above are temporary extract locations for executables run from directly inside a compressed archive (e.g. you open download.zip in Windows Explorer, WinRAR, WinZip, or 7zip and execute an .EXE from directly inside the download; it is actually extracted to a temporary location and run from there, so this guards against that as well). However, this option may interfere with certain program installations (e.g. Firefox), and for this reason it is NOT recommended for most people.
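Because these rules are written straight to the registry and do not show in the Group Policy Editor, an administrator who wants to review them (or check the wildcard concern the Policies tab raises for whitelist rules) can read them directly. The following PowerShell is an added example, not CryptoPrevent's own code; it assumes the standard SRP (“Safer”) registry layout, where security level 0 is Disallowed and 262144 is Unrestricted, and the Get-SrpPathRule and Get-WildcardWhitelistRule names are this example's own.

```powershell
# Added example, not CryptoPrevent's own code. Reads the Software Restriction
# Policy path rules from the registry location Windows itself reads them from,
# since rules placed there directly do not appear in gpedit.msc.
$SaferBase = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers'

# SRP security levels: 0 = Disallowed (blacklist), 262144 = Unrestricted (whitelist).
$SaferLevels = @{ '0' = 'Disallowed'; '131072' = 'BasicUser'; '262144' = 'Unrestricted' }

function Get-SrpPathRule {
    foreach ($level in $SaferLevels.Keys) {
        $pathsKey = Join-Path $SaferBase "$level\Paths"
        if (-not (Test-Path $pathsKey)) { continue }
        # Each rule is a GUID-named subkey whose ItemData value holds the path pattern.
        foreach ($ruleKey in Get-ChildItem -Path $pathsKey) {
            $props = Get-ItemProperty -Path $ruleKey.PSPath
            [pscustomobject]@{
                Level       = $SaferLevels[$level]
                Path        = $props.ItemData          # environment variables come back expanded
                Description = $props.Description
                HasWildcard = [bool]($props.ItemData -match '[*?]')
                RuleId      = $ruleKey.PSChildName
            }
        }
    }
}

# Whitelist (Unrestricted) rules that contain wildcards are the ones the Policies tab
# warns can lose to a more specific Disallowed rule, so list them separately for review.
function Get-WildcardWhitelistRule {
    Get-SrpPathRule | Where-Object { $_.Level -eq 'Unrestricted' -and $_.HasWildcard }
}

$rules = @(Get-SrpPathRule)
"{0} SRP path rules present" -f $rules.Count
$rules | Sort-Object Level, Path | Format-Table Level, Path, Description -AutoSize

$wild = @(Get-WildcardWhitelistRule)
if ($wild.Count -gt 0) {
    "Whitelist rules using wildcards (compare each against the Disallowed list above):"
    $wild | Format-Table Path, Description -AutoSize
}
```

Reading HKLM policy keys needs an elevated session. The Description values are what you typed in the Creator's Define dialogs, so they are the quickest way to tell CryptoPrevent's rules from any SRP rules applied by domain policy.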
Filter Module
CryptoPrevent Filter Module:
In v6+, the new real-time CryptoPrevent Filter Module seeks to block malicious executables, not blindly using Windows Software Restriction Policies, but rather it uses both a hash definitions based check and some logic based on certain attributes of the executable, in order to determine whether or not the executable should be launched. It can optionally prompt the user with a choice to run it or cancel. The Filter Module can also log to the Windows Event Logs and send emails both on blocked applications AND in situations where the user may choose to allow the blocked application.
There are two types of filtering:
Suspicious – A file is examined and it is determined whether or not it is “suspicious” by certain characteristics. If the file isn’t suspicious (and of course it passes the definitions comparison) then the block is not applied. Suspicious files will trigger the configured action (e.g. inform the user but do not allow execution, prompt the user to choose whether to execute the file, or block without prompt).
Constant – As it implies, this always applies the filtering to that file type, triggering the configured action, regardless of the file characteristics and definitions comparison.
Notes and Recommendations:
CPL files – the filtering is NOT applied to these files when launched as part of control.exe (Control Panel) so you can use constant or suspicious filtering with this file type without crippling Control Panel.
SCR files – we recommend applying suspicious filtering, not constant, as constant filtering will block any configured screen savers.
PIF files – we recommend applying constant filtering, because PIF files haven’t really been legitimately used since Windows 3.x, and if you read the history and behavior outlined below, you’ll want to block them constantly!
The PIF file was originally a ‘shortcut’ like a modern LNK file, except it was used to launch DOS programs from within Windows, while allowing certain environment options to be configured for the console in the PIF file’s properties.
Oddly enough, modern versions of Windows still consider a PIF file a default file type, and an executable one at that! In other words a PIF file doesn’t have to be a shortcut, it can be an actual executable and execute code just like an EXE file!
Also, Windows Explorer permanently hides the extension of a PIF file, as it does for LNK shortcuts, so you could rename “program.exe” to “program.pif” and all you will ever see in Explorer is “program”, even with ‘show file extensions’ enabled in Explorer options. Renaming the file back from .PIF to .EXE would need to be done from a command prompt at that point, since you cannot interact with the file extension from within Explorer.
Program Filtering (BETA) in v7.3 and above:
Program Filtering, which is the EXE/COM component of the CryptoPrevent Filter Module described above, operates in exactly the same way, except it is specifically enabled for .exe and .com file types. It compares executables against a hash-based definitions system which is updated frequently and contains thousands of hashes for newer CryptoLocker variants, copycats, and similar ransomware.
This option is always filtered as “suspicious” in the CryptoPrevent Filter Module. Constant filtering for these two file types is not available.
Note that when enabling and disabling this feature the change takes place instantly, you don’t even need to click the “Apply” button.
Program Filtering may not be available in the initial CryptoPrevent v8 release (at least until it is entirely compatible with all systems/software), in favor of using the same detection database with a different technique that is more compatible with all systems.
Windows Event Log Entries
Software restriction policies will log a blocked application to the Windows Application event log with Event ID: 866
The CryptoPrevent Filter Module, including Program Filtering, logs to the Application event log with Event ID: 10177 and Source: CryptoPreventFilterMod
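As an added example (not from the CryptoPrevent documentation or product), the following PowerShell pulls both kinds of block events named above out of the Application log so a technician can see what was blocked over the last day and spot a legitimate program that keeps tripping a rule and may need an SRP whitelist entry. The Event IDs and the CryptoPreventFilterMod source come from the lines above; the layout of either event's message text is not documented here, so the path extraction is a best-effort regex and is labelled as such in the code.

```powershell
# Added example: review CryptoPrevent-related block events in the Application log.
# Event ID 866 (Software Restriction Policies) and Event ID 10177 from source
# CryptoPreventFilterMod are taken from the documentation; the message text layout
# is not documented, so the path extraction below is a best-effort heuristic.
param(
    [int]$Hours = 24,
    [string]$ComputerName = $env:COMPUTERNAME
)

$since = (Get-Date).AddHours(-$Hours)

# SRP blocks: Application log, Event ID 866.
$srpEvents = Get-WinEvent -ComputerName $ComputerName -FilterHashtable @{
    LogName   = 'Application'
    Id        = 866
    StartTime = $since
} -ErrorAction SilentlyContinue

# Filter Module / Program Filtering: Application log, Event ID 10177, Source CryptoPreventFilterMod.
$filterEvents = Get-WinEvent -ComputerName $ComputerName -FilterHashtable @{
    LogName      = 'Application'
    ProviderName = 'CryptoPreventFilterMod'
    Id           = 10177
    StartTime    = $since
} -ErrorAction SilentlyContinue

# Heuristic: first drive-letter path ending in an executable-looking extension in the
# message text. A miss is reported as "(not recovered)" rather than guessed.
$pathPattern = '[A-Za-z]:\\[^\s"''<>|]+?\.(exe|com|scr|cpl|pif)'

$rows = @($srpEvents) + @($filterEvents) |
    Where-Object { $_ } |
    Sort-Object TimeCreated -Descending |
    ForEach-Object {
        $msg  = [string]$_.Message
        $m    = [regex]::Match($msg, $pathPattern, 'IgnoreCase')
        $path = if ($m.Success) { $m.Value } else { '(not recovered)' }
        [pscustomobject]@{
            Time     = $_.TimeCreated
            Computer = $_.MachineName
            Source   = $_.ProviderName
            EventId  = $_.Id
            Path     = $path
            Message  = ($msg -replace '\s+', ' ').Trim()
        }
    }

if (-not $rows) {
    Write-Host "No CryptoPrevent/SRP block events in the last $Hours hour(s) on $ComputerName."
    return
}

$rows | Format-Table Time, Source, EventId, Path -AutoSize

# Repeated blocks of the same path usually mean a legitimate program living in a
# protected location; that is the candidate for an SRP whitelist rule (/w=, /p=, /u=, /s=).
# Filter Module (10177) hits cannot be whitelisted this way, per the Whitelisting section.
Write-Host "`nMost frequently blocked paths:"
$rows | Group-Object Path | Sort-Object Count -Descending |
    Select-Object Count, Name | Format-Table -AutoSize

# Keep the full messages for the ticket / SIEM.
$rows | Export-Csv -NoTypeInformation -Path ".\cryptoprevent-blocks-$ComputerName.csv"
```

Run it on the affected machine (or with -ComputerName against a remote one that allows remote event log access) and read the frequency table before adding any whitelist entry: one block of an unknown path in %appdata% is what the rules are there for, while the same signed application blocked on every launch is a tuning problem.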
Whitelisting
Whitelisting in CryptoPrevent currently applies to Software Restriction Policies only; it does NOT apply to the Filter Module, including Program Filtering.
A whitelist rule may contain environment variables native to Windows, such as %userprofile% or %appdata%
Windows will ignore a whitelist rule containing wildcards if a more specific blacklist rule is in effect, which with CryptoPrevent rules is almost always the case.
Automation / Scripting
CryptoPrevent, when run by itself, will display a user interface, but command line parameters may be used (in v1.1 and above) for optionally silent automation. The command line parameters accepted are:
NOTE: command line parameters and syntax have changed since v6+. Most importantly, the /apply switch no longer applies all default protections; each protection must now be specified individually.
Main switches:
/apply – this option applies the settings specified by additional command switches.
/silent – forces silent operation.
/reboot – executes a forced mandatory reboot after applying protection silently.
/undo – this option obviously removes all protection policies (but does not remove whitelist policies or the disable Sidebar policy) and can be combined with the /silent parameter.
/undoall – this option removes all protection policies AND any whitelist policies defined as well (except the disable Sidebar policy; the /enablesidebar switch must also be specified to remove that policy.)
/nogpupdate – skip the group policy update after modifications are made.
Location based protection switches:
/appdata – %appdata%
/appdatadeep – %appdata%\* (covers any first-level subdirs of appdata)
/appdatalocal – %localappdata%
/localappdatadeep – Protect subdirs in %localappdata% (also blocks %temp% as a consequence, not recommended)
/programdata – %programdata%
/userprofile – %userprofile%
/startup – Startup Folder (in the Start Menu)
/bin – Recycle Bin
/fakeexts – Fake file extension executables and RLO exploit protection.
/tempexes – Temp Extracted Executables block. (NOT recommended – may interfere with some app installations!)
/known – Blocks several known malware processes in certain locations.
Individual file execution prevention switches:
/bcdedit – bcdedit.exe (NOT recommended – may interfere with backup apps)
/syskey – syskey.exe
/cipher – cipher.exe
/vssadmin – vssadmin.exe (Prevents Crypto malware from deleting shadow copies/previous versions of files after encryption.)
Misc protection switches:
/disablesidebar – Creates a policy to disable the Windows Sidebar and Gadgets in Vista+ (recommended practice, by Microsoft themselves.)
/enablesidebar – Removes the disable policy on the Windows Sidebar and Gadgets. This switch is necessary as /undo or /undoall do not perform this function!
Filter Module switches: (Note these have no effect on the portable version as the program must be installed for the filter module to function properly.)
/fc=[ext] – where [ext] = a file extension (CPL, SCR, or PIF) enables CONSTANT filter module protection for that file type.
/fs=[ext] – where [ext] = a file extension (CPL, SCR, or PIF) enables SUSPICIOUS filter module protection for that file type.
/exefilter – Enables new Program Filtering (BETA) for EXE/COM files.
Whitelist switches:
/whitelist – whitelist all EXEs currently located in %appdata% / %localappdata% and their first level subdirectories.
/w=[path\filename.exe] – whitelist a specific file in %appdata% or %localappdata%.
The path/filename may not contain wildcards.
If no path is specified (e.g. /w=foo.exe), then both %appdata%\foo.exe and %localappdata%\foo.exe will be whitelisted.
If a path is specified, it should be only one first-level subdirectory below either %appdata% or %localappdata% (e.g. /w=Foo\Bar.exe), which will actually whitelist both %appdata%\Foo\Bar.exe and %localappdata%\Foo\Bar.exe
/p=[filename.exe] – whitelist a specific file in %programdata%
/u=[filename.exe] – whitelist a specific file in the %userprofile%
/s=[filename.exe] – whitelist a specific file in the Start menu > Startup folder
Premium version switches:
/b=[custom block policy rule] – (Premium version only, see this thread for syntax and examples.)
/a=[custom allow policy rule] – (Premium version only, full path/filename required, no wildcards!!)
These parameters may be used in most any logical combination, e.g.
IMPORTANT NOTE: If you are pushing out CryptoPrevent.exe through Labtech’s RMM tool, there may be a problem with the /whitelist parameter not working as intended. You must use the ‘Process Execute as Admin’ or ‘Shell as Admin’ option to deploy properly. This is confirmed to work properly when running under the local system account as deployed via Kaseya. I do not have any feedback on other RMM deployment tools or methods.
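As an added example (not the vendor's own code), here is a PowerShell wrapper a technician could hand to an RMM to apply the documented switches non-interactively. It checks for elevation first (the Labtech note above is about exactly that), assembles the command line from the switches documented in this section following its own recommendations, validates /w= whitelist entries against the stated constraints (no wildcards, at most one first-level subdirectory, an .exe name, written as Foo\Bar.exe), and then runs CryptoPrevent.exe. The staging path and the whitelist entries are constructed assumptions.

```powershell
# Added example: unattended CryptoPrevent.exe invocation built from the documented switches.
# The EXE path and the whitelist entries are constructed assumptions for illustration.
$CryptoPreventExe = 'C:\Deploy\CryptoPrevent.exe'   # assumed staging path used by the RMM

# Elevation check: the /whitelist problem noted for Labtech is a privilege problem,
# so refuse to continue unless running as an administrator or as local SYSTEM.
$identity  = [Security.Principal.WindowsIdentity]::GetCurrent()
$principal = [Security.Principal.WindowsPrincipal]$identity
if (-not $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)) {
    throw "Not elevated (running as $($identity.Name)). Use 'Process Execute as Admin' / SYSTEM in the RMM."
}

# Location / misc protections, chosen per the recommendations in this section.
$protections = @(
    '/appdata', '/appdatadeep', '/appdatalocal', '/programdata', '/userprofile',
    '/startup', '/bin', '/fakeexts', '/known', '/vssadmin', '/disablesidebar'
    # Deliberately omitted because the documentation advises against them:
    #   /tempexes and /bcdedit (installer / backup app interference)
    #   /localappdatadeep (blocks %temp% as a side effect)
)

# Filter Module (installed edition only): PIF constant, SCR and CPL suspicious.
$filterModule = @('/fc=PIF', '/fs=SCR', '/fs=CPL')

# Whitelist entries for the SRP rules (the Filter Module ignores whitelists).
$appDataWhitelist     = @('foo.exe', 'Foo\Bar.exe')   # constructed; /w= form
$programDataWhitelist = @()                            # /p= entries, none here

function Test-AppDataWhitelistEntry {
    # Enforce the documented /w= constraints: no wildcards, a name relative to
    # %appdata% / %localappdata%, at most one first-level subdirectory, and an .exe.
    param([Parameter(Mandatory)][string]$Entry)
    if ($Entry -match '[\*\?]') { throw "Wildcards are not allowed in /w= entries: $Entry" }
    if ($Entry -match '^[A-Za-z]:|^\\\\|%') { throw "/w= takes a name relative to %appdata%, not a full path: $Entry" }
    $parts = $Entry.Trim('\') -split '\\'
    if ($parts.Count -gt 2) { throw "/w= entries may be at most one subdirectory deep: $Entry" }
    if ($parts[-1] -notmatch '\.exe$') { throw "/w= entries must name an .exe: $Entry" }
    return ($parts -join '\')
}

# /apply is required for the protection switches to take effect; /silent suppresses the UI.
$arguments  = @('/apply', '/silent') + $protections + $filterModule
$arguments += @($appDataWhitelist     | ForEach-Object { "/w=$(Test-AppDataWhitelistEntry $_)" })
$arguments += @($programDataWhitelist | ForEach-Object { "/p=$_" })

Write-Host "Running: $CryptoPreventExe $($arguments -join ' ')"
if (-not (Test-Path -LiteralPath $CryptoPreventExe)) {
    throw "CryptoPrevent.exe not found at $CryptoPreventExe"
}
$proc = Start-Process -FilePath $CryptoPreventExe -ArgumentList $arguments -Wait -PassThru -NoNewWindow
Write-Host "CryptoPrevent exited with code $($proc.ExitCode)"
# The documentation does not define exit codes, so confirm the result on a pilot machine
# via the GUI or via the Application event log entries described earlier on this page.
```

Leave /nogpupdate out unless a separate group policy refresh is already part of the deployment, and leave /reboot out of a daytime push; both are documented switches that change behaviour you would otherwise expect by default.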
Notes:
Protection does not need to be applied while logged into each user account, it may be applied only once from ANY user account and it will protect all user accounts on the system, even protecting accounts created after protection is applied.