After being tested on some systems, the protection wasn’t working for temporarily extracted executables from archive files. What I discovered was in software protection policies, the %temp% environment variable simply wasn’t expanding as expected. It is a complete MYSTERY to me why it works with %appdata% and not %temp%. Thanks for the unpredictable behavior, Microsoft! Note that CryptoPrevent’s internal test function only tests for the protection in %appdata% so it would succeed once properly applied, even though the %temp% blocks may fail.
The solution is in CryptoPrevent v2.1, which scans for all user folders on the system and creates a new rule set for each username with the full path to that %temp% directory expanded in the rule. It is not necessary to undo the protection of a previous version prior to re-protecting with v2.1, and if you use the installer based version it is also unnecessary to uninstall a previous version of CryptoPrevent before installing the latest version.
This ‘solution’ carries one caveat. If you apply the protection to a system, then create a new user account, the new user will not be protected and the protection must be re-applied.
Hopefully this will be the last CryptoPrevent update for a while!