This document will discuss the installation and operation of CryptoPrevent, detailing all options, settings, and best practices associated with its use.
Installation of CryptoPrevent is carried out with very few steps:
(Note: Bulk/White-Label Client installation may vary slightly from the below)
Extract the ZIP archive downloaded from our site to a location of your choosing and make note of the location. This file contains the installer/setup routine for CryptoPrevent.
Launch the installer executable file from the above location.
Click next.
It is not possible to proceed without accepting the license agreement and clicking next.
Choose whether or not to create a desktop shortcut and click next.
Click install to initiate the installation.
Click finish to close the installation and launch CryptoPrevent. Uncheck the box shown if you do not want to configure CryptoPrevent or apply protection.
Note: CryptoPrevent will not protect your PC just by installing it. It is required that protections be reviewed and applied for CryptoPrevent to start working.
You will be asked whether you have a product key, which enables all premium features. If you have purchased one and received an email containing your key, choose yes.
Copy and paste your product key exactly as you received it and click ok.
You will be asked whether you would like to schedule daily updates. You may either schedule them now at a random time, or decline and select a time of your choosing later.
Click ok to proceed to the main interface.
Main Interface Overview:
Apply a Protection Plan:
- Test Protection button
  - currently tests only the protection location of %appdata% (which is enabled on all plans except None)
  - indicates mainly whether the Software Restriction Policies have been enabled and have taken effect
  - this will not test other locations, the filter module protections or FolderWatch protections
- Apply Protection Plan button
  - available on all tabs
  - applies the currently selected plan and the protections enabled under the Protection Settings tab
  - be sure to use this button when changing plans or after all individual settings have been customized as you want them applied
- Kill Apps Now button
  - CryptoPrevent includes certain features from Foolish IT’s next-generation PC technician productivity tool, called d7x, which is currently in development.
  - closes all running non-essential applications
  - Please be aware that using this option will not prompt you to save any work and will forcibly close running windows.
- CryptoPrevent QuickAccess (Premium only feature)
  - a notification icon that appears in the system tray when enabled
  - exposes CryptoPrevent functionality to the user without the need to open the entire user interface
  - also pops up notifications regarding CryptoPrevent activity
  - Note: this tray icon should be enabled when using FolderWatch HoneyPot Detection so that the end user is alerted when a detection occurs (otherwise the system will shut down without warning)
- Enable Active Protections
  - master check boxes for the active protections beyond software restriction policies
  - Use Protection Plan Settings
    - checked means the two sub-items follow the selected plan’s recommendations
    - this box automatically unchecks and the plan setting changes to Custom if either of the two sub-items is changed
  - FolderWatch (real-time)
    - FolderWatch is a new protection feature in CryptoPrevent v8
    - allows specified folders to be monitored for items that match the loaded hash definitions list (including custom added ones, available in the premium version)
    - allows HoneyPot Detection (Premium Version feature) to protect the selected locations as well
    - see the individual descriptions under the Protection Settings tab in this documentation for more details about these items
    - checked means the protections and folders under Protection Settings tab -> FolderWatch tab and Protection Settings tab -> FolderWatch HoneyPot tab will be protected and enabled by the FolderWatch service
    - unchecked means this protection is disabled, and the selected locations and the HoneyPot Detection setting are irrelevant
- Protection plans are an easy way to apply sets of CryptoPrevent protections.
  - Minimal plan
    - includes all protections available in the original release of CryptoPrevent for blocking CryptoLocker and similar ransomware.
    - These are a bare minimum level of protections and may not protect against more modern threats.
  - Default plan
    - includes additional protections to prevent a wider range of threats.
    - More restrictive plans could impact software installations; this is the highest plan that should not interfere with them.
    - For this reason, we refer to it as the “set it and forget it” plan.
  - Maximum plan
    - includes additional protections that will block even more threats.
    - Please use this plan with caution as it has the potential to interfere with:
      - software installations
      - certain backup applications that rely upon the bcdedit.exe utility
  - Extreme plan
    - enables every available protection feature, including those considered “beta”.
    - This plan has the potential to block legitimate software from running.
    - Please test these settings in your environment to determine whether they negatively impact the use of your PC.
  - Custom settings
    - applies when settings do not exactly follow a predefined protection plan.
  - A general guideline is to start with the Default plan and check any additional protections that you are able to tolerate in your environment.
  - Testing should be performed whenever changing protection settings.
  - Testing involves applying the settings you wish to test, rebooting when prompted, and then trying out all your existing software for expected operation.

Maintenance

Fix Internet
- Clear Proxy Settings
  - Clears IE & Firefox proxy settings
- Reset Networking
  - Performs these commands:
    - Deletes Winsock registry keys on Windows XP.
    - netsh winsock reset
    - netsh winsock reset catalog
    - netsh interface ip reset c:\int-resetlog.txt
    - netsh interface reset all
    - netsh interface ip delete arpcache
    - ipconfig /flushdns
    - ipconfig /registerdns
    - Reinstalls TCP/IP on Windows XP
    - ipconfig /release all
    - ipconfig /renew all
- Reset WinSock
  - Performs these commands:
    - netsh winsock reset
    - netsh winsock reset catalog
- Fix Downloads Problems (IE/Edge)
  - Attempts to reset IE security zones and other common download issues in IE

Free Up Space
- Delete Windows Update Backup Directories
  - This function deletes the $NTUninstallxxxxx and $NTServicePackUninstall$ directories in %windir% to free up disk space. WARNING: After using this item, you will no longer be able to uninstall Windows updates/service packs!
- Empty Recycle Bin
  - Does what it says!
- Delete Temp Internet Files
  - Deletes temporary internet files for ALL user accounts, including Internet Explorer, Firefox, and Chrome temp files.
- Delete Temp Files
  - Deletes temp files (the %temp% directory) for ALL user accounts, and in %windir%\temp
- Run Windows cleanmgr.exe
  - Runs Windows’ own cleanmgr.exe, but fully automated, preconfiguring it to clean up everything except MS Office files and Memory Dumps, and disabling compression of old files.

Performance Tweaks
- Process Idle Tasks
  - Runs the Windows internal Prefetch, Defrag, etc. tasks that Windows normally performs automatically every 3 days while the system is idle. This is the equivalent of running rundll32.exe advapi32.dll,ProcessIdleTasks from a command prompt.
- Defrag Startup Items
  - D7x scans your startup locations and registry for programs that automatically start with Windows, and defrags them one at a time using Sysinternals contig.exe!
- Registry Hive Backup
  - Runs RegBackup, my utility that utilizes volume shadow copy to back up the registry. Backups are stored in %systemdrive%\Support\RegBackups; however, only the latest 10 backups are kept.
- Clear Print Spooler
  - Deletes everything inside the print spooler, clearing out past print jobs, and restarts the spooler service.
- Fix File Associations
  - Imports default values for the shell to launch EXE, COM, BAT, CMD, SCR, and REG files. These registry locations are HKCR\xxx\Shell\Open\Command where xxx = exefile, comfile, etc.

Repair Windows
- Repair Windows Defender
  - Repairs Windows Defender on Vista/7 by re-writing the appropriate registry values, setting permissions, and ensuring the service can start.
- Repair Windows Installer Service
  - Repairs the Windows Installer service by blasting it with a number of fixes, such as re-writing registry keys, assigning the appropriate permissions to registry keys and files, and re-registering related .DLL files.
- Repair Windows Update
  - Attempts to repair the Automatic Updates and BITS services so that Windows Update functions properly. Performs the following operations:
    - Stops the WUAUSERV and BITS services
    - Deletes the following files (the paths below reflect WinXP, which differs slightly in Vista/7, but d7 compensates of course):
      - %allusersprofile%\Application Data\Microsoft\Network\Downloader\qmgr0.dat
      - %allusersprofile%\Application Data\Microsoft\Network\Downloader\qmgr1.dat
    - On WinXP, performs these commands:
      - rundll32.exe setupapi.dll,InstallHinfSection DefaultInstall 132 C:\WINDOWS\inf\au.inf
      - rundll32.exe setupapi.dll,InstallHinfSection DefaultInstall 132 C:\WINDOWS\inf\qmgr.inf
    - Deletes the directory %windir%\SoftwareDistribution
    - Registers the following files:
      - wuapi.dll
      - wuaueng.dll
      - atl.dll
      - wucltui.dll
      - wups.dll
      - NOTE: TONS MORE .DLL files have been added to the regsvr32 list, too many to list here!!!
    - Restarts the BITS and WUAUSERV services
- Repair Default Start Menu Links
  - Repairs the default start menu links for items like Accessories and other common Windows start menu items
- Repair System Restore
  - Performs the following functions:
    - Deletes the reg value DisableConfig in HKLM\SOFTWARE\Policies\Microsoft\Windows NT\SystemRestore
    - Deletes the reg value DisableSR in HKLM\SOFTWARE\Policies\Microsoft\Windows NT\SystemRestore
    - (On WinXP) runs %windir%\system32\rundll32.exe setupapi.dll,InstallHinfSection DefaultInstall 132 C:\WINDOWS\inf\sr.inf
- Repair Safe Mode Services
  - Rebuilds/rewrites the list of services in the registry that should start in safe mode.
- Repair Windows Firewall
  - Performs the following command:
    - %windir%\system32\rundll32.exe setupapi.dll,InstallHinfSection Ndi-Steelhead 132 %windir%\inf\netrass.inf
- Repair WMI/WBEM/DCOM
  - Performs the following operations:
    - Stops the WinMgmt service
    - Runs %windir%\system32\wbem\winmgmt.exe /kill
    - Deletes %windir%\system32\wbem\repository
    - Registers all WBEM DLLs and EXEs in the %windir%\system32\wbem directory
    - On Vista/7, runs %windir%\system32\wbem\winmgmt /salvagerepository
    - On XP, runs %windir%\system32\rundll32.exe wbemupgd, UpgradeRepository
    - On XP, reinstalls WBEM via this command: %windir%\system32\rundll32.exe setupapi,InstallHinfSection WBEM 132 %windir%\inf\wbemoc.inf
    - Restarts the WinMgmt service
- Repair Security Center
  - Repairs Windows Security Center by re-writing the appropriate registry values, setting permissions, and ensuring the service can start.
- Repair Adobe Flash
  - Attempts to repair permissions on all keys related to Flash, so it can install and/or function properly.
  - There is a flag in the registry that can disable Flash inside IE, whether it is installed properly or not. This attempts to remove the restriction by deleting the following registry key: HKLM\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{D27CDB6E-AE6D-11CF-96B8-444553540000}
- Repair VSS Service
  - Attempts to repair the Volume Shadow Copy service
- Rebuild Icon Cache
  - Attempts to fix issues with icons by rebuilding the icon cache. It then attempts to refresh icons; however, refreshing icons doesn’t always work properly, so a reboot or logoff/logon may be required for the full effect.

Options/Settings

Software Restriction Policies:

Minimum plan:
- The following protect each of these locations from executable files:
  - %appdata%
    - All Supported OS
      - %appdata%\*.[executable extension]
    - Windows Vista + OS
      - %userprofile%\AppData\*.[executable extension]
      - %userprofile%\Appdata\Roaming\*.[executable extension]
    - Windows XP OS
      - %allusersprofile%\Application Data\*.[executable extension]
      - %userprofile%\Application Data\*.[executable extension]
  - %appdata%\*
    - All Supported OS
      - %appdata%\*\*.[executable extension]
    - Windows Vista + OS
      - %userprofile%\Appdata\Roaming\*\*.[executable extension]
    - Windows XP OS
      - %allusersprofile%\Application Data\*\*.[executable extension]
      - %userprofile%\Application Data\*\*.[executable extension]
  - %localappdata%
    - Windows Vista + OS
      - %userprofile%\AppData\Local\*.[executable extension]
      - %userprofile%\AppData\LocalLow\*.[executable extension]
      - %userprofile%\AppData\LocalLow\*\*.[executable extension]
    - Windows XP OS
      - %allusersprofile%\Local Settings\Application Data\*.[executable extension]
      - %allusersprofile%\Local Settings\Application Data\*\*.[executable extension]
      - %userprofile%\Local Settings\Application Data\*.[executable extension]
      - %userprofile%\Local Settings\Application Data\*\*.[executable extension]
  - Recycle Bin
    - Windows Vista + OS
      - *:\$Recycle.Bin\*.[executable extension]
    - Windows XP OS
      - *:\RECYCLER\*.[executable extension]
- Double File Extensions
  - Protects all locations from executable files with a path of *.[dbl extension list item].[executable extension]
  - Note this does not apply for the executable extension [.lnk]
- Right-to-Left Override
  - protects against exploits related to the direction of text interpretation (the Unicode right-to-left override character).
  - Please follow the provided link for more information regarding the right-to-left override character:

Default plan:
- The following protect each of these locations from executable files:
  - %programdata%
    - Windows Vista + OS
      - %programdata%\*.[executable extension]
  - %userprofile%
    - All Supported OS
      - %userprofile%\*.[executable extension] (does not include the *.com extension)
      - For each actual user folder present at the time the settings are applied, a rule for that specific user folder is added ([user folder location]\*.[executable extension])
    - Windows Vista + OS
      - [user folders location]\Public\*.[executable extension]
    - Windows XP OS
      - %allusersprofile%\*.[executable extension]
  - Startup Folders (in Start Menu)
    - Windows Vista + OS
      - %programdata%\Microsoft\Windows\Start Menu\Programs\Startup\*.[executable extension]
      - %userprofile%\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\*.[executable extension]
    - Windows XP OS
      - %allusersprofile%\Start Menu\Programs\Startup\*.[executable extension]
      - %userprofile%\Start Menu\Programs\Startup\*.[executable extension]
    - Note this does not include the *.lnk extension because shortcuts are expected in these locations
- Block Windows Programs:
  - vssadmin.exe
  - syskey.exe
  - cipher.exe
  - Note: these are legitimate tools that have been known to be co-opted by malicious software.
  - If you have no use for these tools and you do not use applications that rely upon them, you may safely disable those protections.
  - Note: these applications are blocked from running in any location
- Misc. Protections:
  - Prevent known malware from starting
    - a list of various known malware items
  - Turn off Windows Sidebar and Gadgets
    - disables the use of legacy “Sidebar and Gadget” applications.
    - This option is recommended by Microsoft due to known security implications of their usage: https://technet.microsoft.com/library/security/2719662

Maximum/Extreme plan:
- The following protect each of these locations from executable files:
  - %localappdata%\*
    - Windows Vista + OS
      - %userprofile%\AppData\Local\*\*.[executable extension]
      - %userprofile%\AppData\Local\Temp\*.[executable extension]
      - [windows installation directory]\Temp\*.[executable extension]
    - Windows XP OS
      - %userprofile%\Local Settings\Temp\*.[executable extension]
      - [windows installation directory]\Temp\*.[executable extension]
  - Block Executables Temporarily Extracted from Archives
    - Windows Vista + OS
      - %userprofile%\AppData\Local\Temp\wz*\*.[executable extension]
      - %userprofile%\AppData\Local\Temp\*.zip\*.[executable extension]
      - %userprofile%\AppData\Local\Temp\7z*\*.[executable extension]
      - %userprofile%\AppData\Local\Temp\rar*\*.[executable extension]
    - Windows XP OS
      - %userprofile%\Local Settings\Temp\wz*\*.[executable extension]
      - %userprofile%\Local Settings\Temp\*.zip\*.[executable extension]
      - %userprofile%\Local Settings\Temp\7z*\*.[executable extension]
      - %userprofile%\Local Settings\Temp\rar*\*.[executable extension]
- The Block Windows Programs section
  - bcdedit.exe
    - BCDedit.exe is used to modify the booting of Windows
    - this exe is blocked from running in any location on the system
    - It can be used safely by certain backup applications
    - if you have a backup application that uses this, you can disable this protection
  - Disable Windows Script Host
    - Please note that although the Disable Windows Script Host option is listed on this tab, it is NOT applied with the Maximum plan as of version 8.0.2.4.
    - The reason for this is that long login delays were reported when enabling this option in environments that utilize login scripts.
    - It should be safe to enable this option in a non-domain environment and when you do not rely upon the use of Windows scripts.
    - For more information, please review these sites: and https://technet.microsoft.com/en-us/library/ee198684.aspx

Prevent File Types:
- CryptoPrevent includes a program filter module that can either selectively block certain executable file types or indiscriminately block them.
- Prevent Suspicious File Types
  - depending on what is selected, each .cpl, .scr, and .pif file is checked against our malware definitions and blocked if a match is found
  - Suspicious also uses various logic to determine whether a file of that type should be launched
  - items like file location, naming convention and others are included in this logic
- Always Prevent File Types
  - always prevents the execution of the respective file types
- Notification prompt
  - these settings only pertain to the .cpl, .scr, and .pif file types for filtering
  - We recommend the default value of Message Box Alert for the notification prompt.
- Program filtering for .exe and .com executables
  - always restricts exe or com files based upon hash definitions

FolderWatch:
- FolderWatch provides additional monitoring of a selection of common folders and custom folders (Premium Only).
- User Folders:
  - these locations are based on the Windows internal location for these folders (normally under the user profile)
  - all subdirectories and files are monitored in these locations
- Custom FolderWatch Folders:
  - these locations can be monitored based on user selection
  - only the files in the top-level selected directory are monitored in these locations
  - sub folders must be added individually when desired
- Quarantine Location:
  - Files flagged as potentially malicious will be quarantined in the folder specified here.
  - Please exercise caution when interacting with quarantined files as they are likely malicious.
  - files placed here are renamed to include the time/date they were added to the quarantine

FolderWatch HoneyPot:
- Enable FolderWatch HoneyPot Ransomware Detection (Premium Only)
  - The HoneyPot feature related to FolderWatch places numerous files around your PC to act as bait.
    - the root folder of each Protected location selected in the FolderWatch tab will be protected by the honeypot files
    - this includes any custom locations
    - honeypot files may or may not be visible in these locations depending on whether you have hidden/system files shown
  - When activity is detected against these files, the HoneyPot feature will do everything in its power to prevent any further system activity, including:
    - slowing the system
    - only allowing it to be rebooted or shut down.
  - When this feature is activated, the idea is that the system has been grievously compromised and your data is at risk from malicious activity.
  - As such, it is a “last ditch” effort to preserve your data, with the hope that only our bait files will be compromised and not any legitimate data.
  - Please use this feature with caution as there is the possibility of false positives, because any manipulation of the HoneyPot files will trigger our HoneyPot protections.

Policy Editor:

Whitelist SR policies:
- The whitelist is a list of programs explicitly allowed via software restriction path rules.
- Whitelist Executables Currently In All Blocked Locations button
  - simplifies whitelisting by adding all existing items in blocked locations to the whitelist
  - When using this feature, ensure you review the files added to verify that no malicious or unknown programs have been added
- Whitelist policies should be as specific as possible to avoid being overridden by a more specific blacklist entry.
  - This concern comes into play when using wildcards, so the use of wildcards should be avoided in whitelist rules if possible.
- Changes to policies are applied immediately; however, it may be necessary to reboot for the changes to take effect.

Blacklist SR policies:
- The blacklist is a list of programs explicitly blocked via software restriction path rules.
- It is possible to use wildcards in blacklist policies.
- CryptoPrevent version 8 applies roughly ten times the number of blacklist policies at any given protection plan compared to version 7.
- Any of the blacklist rules may be removed if a specific one causes problems (included in the Free version as well)
  - Note that removing policies will not change your plan to Custom, and if you re-apply protections they will be re-added
- Feel free to add additional rules to this list to enhance protections for your specific environment. (Premium Edition Only*)
- Changes to policies are applied immediately; however, it may be necessary to reboot for the changes to take effect.

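The plan rules listed above and the whitelist/blacklist precedence described here can be audited directly, since Software Restriction Policy path rules are stored in the registry under the Safer\CodeIdentifiers key. The following PowerShell is an added example, not CryptoPrevent’s own code: it enumerates the applied path rules, then evaluates a candidate file path against them using a simple approximation of SRP precedence (of all matching rules, the most specific, i.e. longest, pattern wins). Assumptions: the numeric subkey under CodeIdentifiers is the security level (0 = Disallowed, 262144 = Unrestricted), each rule’s pattern is in the ItemData value, and when the machine has no SRP rules a constructed set mirroring the Minimal plan’s %appdata% entries plus one whitelist entry is used instead.

```powershell
# Added example (not CryptoPrevent code): audit the Software Restriction Policy
# path rules applied on this machine and test a candidate path against them.
# Path rules live under ...\Safer\CodeIdentifiers\<level>\Paths\<GUID>, where
# <level> is the security level the rule applies (assumption stated above).
$levelNames = @{ 0 = 'Disallowed'; 131072 = 'BasicUser'; 262144 = 'Unrestricted' }

function Get-SrpPathRule {
    # One object per path rule found in the machine and user policy hives.
    foreach ($hive in 'HKLM', 'HKCU') {
        $base = "${hive}:\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers"
        if (-not (Test-Path $base)) { continue }
        foreach ($levelKey in Get-ChildItem $base) {
            if ($levelKey.PSChildName -notmatch '^\d+$') { continue }
            $level = [int]$levelKey.PSChildName
            $paths = Join-Path $levelKey.PSPath 'Paths'
            if (-not (Test-Path $paths)) { continue }
            foreach ($rule in Get-ChildItem $paths) {
                $p = Get-ItemProperty -Path $rule.PSPath
                [pscustomobject]@{
                    Hive        = $hive
                    Level       = if ($levelNames.ContainsKey($level)) { $levelNames[$level] } else { "Level$level" }
                    Pattern     = [Environment]::ExpandEnvironmentVariables([string]$p.ItemData)
                    Description = [string]$p.Description
                }
            }
        }
    }
}

function ConvertTo-SrpRegex {
    # Turns an SRP path pattern into a regex: '*' stays within one path component,
    # and a pattern without wildcards covers that folder and everything beneath it.
    param([string]$Pattern)
    $body = [regex]::Escape($Pattern.TrimEnd('\')) -replace '\\\*', '[^\\]*' -replace '\\\?', '[^\\]'
    if ($Pattern -match '[*?]') { "^$body$" } else { "^$body(\\.*)?$" }
}

function Test-SrpPath {
    # Approximation of SRP precedence: among all matching path rules, the most
    # specific (longest) pattern decides. Returns the verdict and the winning rule.
    param([string]$Path, [object[]]$Rules)
    $hits = @($Rules | Where-Object { [regex]::IsMatch($Path, (ConvertTo-SrpRegex $_.Pattern), 'IgnoreCase') })
    $winner = $hits | Sort-Object { $_.Pattern.Length } -Descending | Select-Object -First 1
    [pscustomobject]@{
        Path    = $Path
        Matches = $hits.Count
        Verdict = if ($winner) { $winner.Level } else { 'NoRule' }
        Rule    = if ($winner) { $winner.Pattern } else { $null }
    }
}

# Constructed rules (not from the page) mirroring the Minimal plan's %appdata%
# entries plus a whitelist entry; used only when this machine has no SRP rules.
$demoRules = @(
    [pscustomobject]@{ Hive = 'demo'; Level = 'Disallowed';   Pattern = "$env:APPDATA\*.exe";          Description = 'plan rule' }
    [pscustomobject]@{ Hive = 'demo'; Level = 'Disallowed';   Pattern = "$env:APPDATA\*\*.exe";        Description = 'plan rule' }
    [pscustomobject]@{ Hive = 'demo'; Level = 'Unrestricted'; Pattern = "$env:APPDATA\Vendor\Tool.exe"; Description = 'whitelist entry' }
)
$rules = @(Get-SrpPathRule)
if ($rules.Count -eq 0) { $rules = $demoRules }
$rules | Format-Table Level, Pattern, Description -AutoSize

Test-SrpPath -Path "$env:APPDATA\Vendor\Tool.exe" -Rules $rules   # whitelist wins: its exact path is more specific than the wildcard rule
Test-SrpPath -Path "$env:APPDATA\dropper.exe"     -Rules $rules   # Disallowed by the %appdata%\*.exe rule
```

Run it from an elevated PowerShell after applying a plan and the table shows exactly which patterns CryptoPrevent wrote and at what level; the two test calls illustrate why a whitelist entry should be an exact path rather than a wildcard, as the Whitelist section advises: the longer, more specific pattern is what beats the blacklist rule.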
User Hash Definitions:
- Similar to the whitelist and blacklist software restriction policies, our hash definitions also use lists to either allow or block a specific hash, respectively.
- Hashes are only used with the Filter Module and FolderWatch protections
- The blacklist will only contain custom hashes and does not expose the hashes distributed with CryptoPrevent.
- As with the blacklist policies, you may add your own to enhance the base level of protections offered. (Premium Only)
- Changes to these lists take effect immediately after clicking the Save Hash Definitions File button.

HoneyPot Definitions
WARNING: These settings are designed for and should be used by advanced users only, or as directed by Foolish IT support staff. Misuse of these settings can severely impact the performance and ability of both the FolderWatch and HoneyPot Detection protection features in CryptoPrevent. Use these options at your own risk; in most cases here, less is more and being specific is safer!
- Whitelist Process from being Killed
  - One entry per line
  - This option applies to the Kill Apps Now button on the Apply Protection tab, the options available in the right-click menu of the system tray, and the FolderWatch service’s killing of tasks during a HoneyPot Detection activation
  - Only the executable name with extension is needed, and it is not case sensitive (e.g. c:\program files\InstalledProgram\InstalledProgram.exe would only need a line entry of “installedprogram.exe”)
  - Notes:
    - It is not recommended to add any browser process name, as these are the most common apps you want to be killed easily, and most modern browsers save their sessions fairly well
    - Common programs you may want to add would be a word processor, other office productivity application, or database application; however, since these can be used as points of attack you may want to be very conservative in adding these too. Setting autosave to shorter intervals may be a better route.
- FolderWatch Whitelist Path
  - One entry per line
  - This option allows entire folders, specific files, or files in locations to be ignored by FolderWatch
  - This can be useful if a file requires a file lock and will not share access with FolderWatch in folders monitored by FolderWatch
  - Can use:
    - wildcard (*) for path variables
    - d7x variables (more information about variables here)
    - a line entry ending with a trailing backslash so the entire folder is ignored
  - ex:
    - <ad>\programV18.*\ would have FolderWatch ignore the entire folder for a path where the version number changes in application data (roaming for Vista+)
    - c:\installed program\programfilename.* would have FolderWatch ignore filenames matching with any extension
    - c:\installed program\programfileV*.exe would have FolderWatch ignore filenames with variable version numbers and the matching extension
- HoneyPot Whitelist Pattern
  - One entry per line
  - This can be used to allow files that might match a built-in blacklisted pattern, helpful when filenames in folders monitored by FolderWatch might be similar or identical to some ransomware variants
  - Note that each check for a whitelisted pattern adds time to the checking against blacklisted patterns, meaning that ransomware could remain active and encrypt additional files before FolderWatch is able to detect and kill it; it may be better to ignore specific files or types that match patterns using the FolderWatch Whitelist Path option
  - Can use:
    - wildcard (*) for path variables
    - d7x variables (more information about variables here)
  - ex:
    - If a false positive is triggered with the *.crypto pattern, *.crypto can be added on a line to ignore future matches
    - <ad>\programV18.*\ would have HoneyPot Detection ignore the entire folder for a path where the version number changes in application data (roaming for Vista+)
    - c:\installed program\programfilename.* would have FolderWatch ignore filenames matching with any extension
- HoneyPot Blacklist Pattern
  - One entry per line
  - This can be used to create your own encryption pattern matching options
  - Can use:
    - wildcard (*) for path variables
    - d7x variables (more information about variables here)
  - ex:
    - <ad>\programV18.*\ would have HoneyPot Detection triggered if files are created or changed in the folder where the version number changes, in application data (roaming for Vista+)
    - c:\installed program\programfilename.* would have HoneyPot Detection triggered by filenames matching with any extension in the specified folder
- Custom HoneyPot Files
  - One entry per line
  - Allows you to:
    - create your own honeypot files named with or without default extensions
      - Syntax per line:
        - filename|filetype|extensionsdisabled
        - the pipe (|) character must separate the three definitions per custom honeypot file created, and all items need to be defined as mentioned or errors may occur or produce unexpected results
        - filename = the custom file name you would like used (include the extension if you are disabling the default extensions)
        - filetype = Normal, Hidden, or System, which creates the custom file as indicated
        - extensionsdisabled = 0 or 1, where 0 uses the default honeypot file extensions and removes any extension in the filename, and 1 does not use the default honeypot file extensions and uses the extension if defined in the filename above
    - enable or disable the default honeypot files creation
      - to disable the default honeypot files, add a single line entry of:
        - nodefault
      - disabling default honeypot files and not adding custom files of your own will cause honeypot detection to operate on file/folder name pattern matching alone
      - to leave the default files created, just do not add that line; the default files with various filenames will be created as system files, as is the standard, as well as any custom files you have defined

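Two of the line formats above are easy to get subtly wrong and the tab gives little feedback: the FolderWatch Whitelist Path entries (wildcards, the <ad> variable, and the trailing backslash that widens an entry to a whole folder) and the Custom HoneyPot Files lines (filename|filetype|extensionsdisabled, plus the nodefault switch). The PowerShell below is an added example, not CryptoPrevent’s own code, that checks both before they are pasted in. Assumptions: <ad> is expanded to the roaming AppData folder and no other d7x variable is handled, a wildcard matches within a single path component, and the sample entries and bait file names are constructed for the demonstration.

```powershell
# Added example (not CryptoPrevent code): validate HoneyPot Definitions input offline.

function ConvertFrom-HoneyPotDefinition {
    # Parses Custom HoneyPot Files lines. Returns the bait files that would be
    # created, whether the default bait files stay enabled, and the rejected lines.
    param([string[]]$Lines)
    $files = @(); $errors = @(); $useDefaults = $true; $n = 0
    foreach ($raw in $Lines) {
        $n++
        $line = $raw.Trim()
        if (-not $line) { continue }
        if ($line -eq 'nodefault') { $useDefaults = $false; continue }   # -eq is case-insensitive
        $parts = $line -split '\|'
        if ($parts.Count -ne 3) {
            $errors += "line ${n}: expected filename|filetype|extensionsdisabled, got $($parts.Count) field(s)"; continue
        }
        $name, $type, $flag = $parts
        if ($type -notin 'Normal', 'Hidden', 'System') { $errors += "line ${n}: filetype '$type' is not Normal, Hidden or System"; continue }
        if ($flag -notin '0', '1') { $errors += "line ${n}: extensionsdisabled '$flag' is not 0 or 1"; continue }
        $files += [pscustomobject]@{
            # With extensionsdisabled=0 the default honeypot extensions are used and
            # any extension given in the name is dropped, as the page describes.
            Name              = if ($flag -eq '0') { [IO.Path]::GetFileNameWithoutExtension($name) } else { $name }
            Type              = $type
            DefaultExtensions = ($flag -eq '0')
        }
    }
    [pscustomobject]@{ UseDefaultFiles = $useDefaults; Files = $files; Errors = $errors }
}

function Test-FolderWatchWhitelist {
    # Returns the first FolderWatch Whitelist Path entry that covers $Path, or $null.
    # Assumption: <ad> expands to the roaming AppData folder; other d7x variables
    # are not handled here.
    param([string]$Path, [string[]]$Entries)
    foreach ($entry in $Entries) {
        $expanded    = $entry.Trim() -replace '<ad>', $env:APPDATA
        $wholeFolder = $expanded.EndsWith('\')          # trailing backslash: ignore everything beneath
        $body = [regex]::Escape($expanded.TrimEnd('\')) -replace '\\\*', '[^\\]*'
        $re   = if ($wholeFolder) { "^$body(\\.*)?$" } else { "^$body$" }
        if ([regex]::IsMatch($Path, $re, 'IgnoreCase')) { return $entry }
    }
    return $null
}

# Constructed sample input (not from the page): three custom bait files, one of
# them malformed, plus the nodefault switch.
$definitionLines = @(
    'invoice_backup.txt|System|0'      # default extensions; the .txt is stripped
    'quarterly report.docx|Hidden|1'   # keeps .docx, no default extensions
    'nodefault'
    'broken entry|Normal'              # rejected: only two fields
)
$parsed = ConvertFrom-HoneyPotDefinition -Lines $definitionLines
$parsed.Files | Format-Table -AutoSize
$parsed.Errors           # one message, for line 4
$parsed.UseDefaultFiles  # False

$whitelist = @('<ad>\programV18.*\', 'c:\installed program\programfilename.*')
Test-FolderWatchWhitelist -Path "$env:APPDATA\programV18.3\cache.db" -Entries $whitelist   # first entry
Test-FolderWatchWhitelist -Path 'c:\installed program\other.exe'     -Entries $whitelist   # $null: not whitelisted
```

A whitelist entry that unexpectedly returns a match for a path you meant to keep monitored is the kind of over-broad entry the warning at the top of this section is about; an entry that returns $null for the locked file you wanted excluded needs the trailing backslash or a wildcard.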
Email Settings:
- This tab is used to enable email notifications of alerts.
- Alerts will be emailed using the provided credentials and options. (Settings entered here are only available to the local system; this information is not transmitted or used by Foolish IT in any way)
- Settings are predefined for Google’s Gmail service, or you may specify your own SMTP settings.
  - Please note that Google will block external SMTP access unless you enable the “use less secure apps” option in your Gmail account settings.
  - This restriction applies to any software that uses Google’s SMTP access and is not specific to CryptoPrevent. For example, Microsoft Outlook is affected by this as well.
- Additional information: https://www.d7xtech.com/cryptoprevent-malware-prevention/email-setup-faq/

Proxy Settings
- Enable Proxy Settings
  - Enables the proxy settings defined here for update/download operations
  - Proxy Server Address (domain or IP only)
  - Port
  - Username
  - Password
  - Socks 5 Proxy enable/disable
- Use the same proxy settings for email
  - Enables or disables using the same proxy settings defined for updates for sending emails as well
- Enable Proxy Settings (email)
  - Enables the proxy settings defined here for email operations
  - Proxy Server Address (domain or IP only)
  - Port
  - Username
  - Password
  - Socks 5 Proxy enable/disable

Submit New Hash:
- If you identify a file you know to be malicious, you may use this tab to select that file, compute its hashes, and potentially upload it to Foolish IT for further analysis and potential inclusion in future base definitions.
- After browsing for a file, its hashes will be computed and compared against the internal lists.
- You will be alerted in red text if the hash is not already present in our definitions; in that case, the hashes will be added if and when you choose to upload the file.
- If you choose not to upload the file, you will need to manually add the hashes to your custom hash definitions in order to have that file blocked.
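As an added illustration of the check this tab performs (example code written for this guide, not CryptoPrevent's own code): the PowerShell below computes a file's MD5, SHA1 and SHA256 hashes and compares them against a local custom hash list, reporting which hashes are missing so they can be added by hand. The list format (one hex hash per line, lines starting with '#' ignored), the choice of algorithms, and the sample file and list it creates under %TEMP% are assumptions; the real custom definition format is not described on this page.

```powershell
# Added example, not part of CryptoPrevent: compute a file's hashes and check them
# against a local custom hash list before deciding to submit or add the file.
# Assumptions: the list is plain text, one hex hash per line, '#' starts a comment;
# MD5/SHA1/SHA256 are the algorithms of interest (the real format is not on this page).

function Get-SampleHashes {
    param([Parameter(Mandatory)][string]$Path)
    $result = [ordered]@{}
    foreach ($alg in 'MD5', 'SHA1', 'SHA256') {
        $result[$alg] = (Get-FileHash -Path $Path -Algorithm $alg).Hash.ToLowerInvariant()
    }
    return $result
}

function Test-HashKnown {
    param(
        [Parameter(Mandatory)][System.Collections.IDictionary]$Hashes,
        [Parameter(Mandatory)][string]$ListPath
    )
    # Normalise the list: trim, lower-case, drop blank and comment lines
    $known = @(Get-Content -Path $ListPath -ErrorAction SilentlyContinue |
        ForEach-Object { $_.Trim().ToLowerInvariant() } |
        Where-Object { $_ -and -not $_.StartsWith('#') })
    foreach ($alg in $Hashes.Keys) {
        [pscustomobject]@{
            Algorithm = $alg
            Hash      = $Hashes[$alg]
            Known     = ($known -contains $Hashes[$alg])
        }
    }
}

# Constructed sample input so the script runs stand-alone: a 256-byte file and a
# list that already contains only its SHA256.
$sample = Join-Path $env:TEMP 'cp-hash-demo.bin'
[System.IO.File]::WriteAllBytes($sample, [byte[]](0..255))
$list = Join-Path $env:TEMP 'cp-custom-hashes.txt'
Set-Content -Path $list -Value @(
    '# custom hash list (constructed for this example)',
    (Get-FileHash -Path $sample -Algorithm SHA256).Hash
)

$hashes = Get-SampleHashes -Path $sample
$report = @(Test-HashKnown -Hashes $hashes -ListPath $list)
$report | Format-Table -AutoSize

# Anything not already listed is printed in red, ready to paste into the custom list
$missing = $report | Where-Object { -not $_.Known }
if ($missing) {
    Write-Host 'Not present in the local list; submit the file or append these lines:' -ForegroundColor Red
    $missing | ForEach-Object { $_.Hash }
}
```

On the constructed input the SHA256 row reports Known = True and the MD5 and SHA1 rows are printed as missing; point `$sample` and `$list` at a real file and your own list to use it as written.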
History – Detections and Events:
- The History tab logs information about CryptoPrevent activity either:
- since the Previous Startup, or
- for as far back as the Windows event logs happen to record.
- Events will be created whenever either a software restriction policy is enforced or when either our program filter module or FolderWatch protection detects malicious software or activity.
- The contents of each event may be useful for troubleshooting purposes and for getting the path information necessary to create a whitelist policy entry.
- Event IDs
- 866: Software Restriction Policy Protection
- 10177: v7 Filter Module Protection
- 10188: v8 Beta FolderWatch
- 10189: v8 Beta FolderWatch HoneyPot Detection
- 36650, 36651, 36652, 36659: v8.0.0.0 and later; for these IDs the event source denotes which protection raised the event:
- CryptoPrevent Program Filter
- CryptoPreventFW
- CryptoPreventHP
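An added example of pulling these events out of the Windows event log for troubleshooting or for building a whitelist entry (example code for this guide, not CryptoPrevent's own tooling). It uses the Event IDs and source names listed above; the assumption that the events are written to the Application log, and the seven-day default window, are mine, since the page does not name the log.

```powershell
# Added example, not part of CryptoPrevent: summarise CryptoPrevent-related events.
# Assumption: events land in the Application log (the page does not name the log).

$CryptoPreventEventIds = @{
    866   = 'Software Restriction Policy Protection'
    10177 = 'v7 Filter Module Protection'
    10188 = 'v8 Beta FolderWatch'
    10189 = 'v8 Beta FolderWatch HoneyPot Detection'
    36650 = 'v8.0.0.0+ (protection given by event source)'
    36651 = 'v8.0.0.0+ (protection given by event source)'
    36652 = 'v8.0.0.0+ (protection given by event source)'
    36659 = 'v8.0.0.0+ (protection given by event source)'
}

# For v8 events the provider (source) names the protection that fired
$SourceNames = @{
    'CryptoPrevent Program Filter' = 'Program Filter'
    'CryptoPreventFW'              = 'FolderWatch'
    'CryptoPreventHP'              = 'HoneyPot Detection'
}

function Get-CryptoPreventEvents {
    param(
        [datetime]$Since   = (Get-Date).AddDays(-7),
        [string]  $LogName = 'Application'   # assumption, see above
    )
    $filter = @{
        LogName   = $LogName
        Id        = [int[]]$CryptoPreventEventIds.Keys
        StartTime = $Since
    }
    # "No events were found" is a non-terminating error; treat it as an empty result
    Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue |
        ForEach-Object {
            $label = $CryptoPreventEventIds[[int]$_.Id]
            if ($SourceNames.ContainsKey($_.ProviderName)) { $label = $SourceNames[$_.ProviderName] }
            [pscustomobject]@{
                Time       = $_.TimeCreated
                Id         = $_.Id
                Source     = $_.ProviderName
                Protection = $label
                # The message text is where the blocked path for a whitelist entry appears
                Message    = ($_.Message -replace '\s+', ' ')
            }
        }
}

# Usage: newest detections first, then a count per protection
$events = @(Get-CryptoPreventEvents)
$events | Sort-Object Time -Descending | Format-Table Time, Id, Protection, Message -Wrap
$events | Group-Object Protection | Select-Object Name, Count
```

Run it after the reboot that follows applying protections; an empty result means nothing has been blocked in the window, which is the expected state on a clean machine whose applications all still work.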
Updates:
- Enable a daily update schedule
- runs at the hour of your choosing or at a randomly picked time.
- A button is provided for manually checking for updates. (made available if the enable daily update schedule checkbox fails)
- Additional hash definitions will be downloaded from our servers if the Extended Hash Definitions option is checked.
- As of this writing, over 50000 base definitions are applied and that number increases to over 70000 with that option enabled.
- Note this list is not as well vetted as the standard definitions and may result in false positives
About:
- This tab displays information about CryptoPrevent including its history, evolution, and honorable mentions.
Applying Protections (Plan or customized selected):
Once you have confirmed all your desired settings, click the Apply Protection Plan button.
Depending on the policy and number of protections selected, it may take several minutes to apply protections.
You may also be prompted to whitelist all executables located in locations that will be blocked.
Please ensure that your system is malware free prior to installing CryptoPrevent, and particularly prior to answering yes to the question about whitelisting.
After the settings are applied, you will be prompted to reboot.
There is no guarantee that protections will be enabled unless a reboot is performed.
After rebooting, please test all your applications and ensure that they function as expected.
If you note any problems you feel may be caused by CryptoPrevent, you can review the History tab to determine what may have happened.
Remediation will include either whitelisting or alteration of protection settings.
If you need additional assistance or advice in that, please contact our Help Desk via email: support@d7xtech.com
Command Line Parameters (Premium Only Feature):
- /undo
  Remove protections but leave whitelists
- /undoall
  Remove protections and all whitelists
- /l=#
  Set a specific plan level set of protections
  Note: l is a lowercase L
  #=0 for None Protection Plan
  =1 for Minimal Protection Plan
  =2 for Default Protection Plan
  =3 for Maximum Protection Plan
  =5 for Extreme Protection Plan
  =a for Custom Plan (This won’t actually apply any new settings; it will just reapply the current settings)
- /whitelist
  Whitelist all EXEs in protected locations
- /enablesidebar
  Enable Sidebar and Gadgets
- /disablesidebar
  Disable Sidebar and Gadgets
For the following protections a “=0” can be added to disable the protection. Enabling the protection does not require additional parameters.
You may also want to run “/apply” to ensure settings have been fully applied.
- /bcdedit
  Prevent bcdedit from execution on the system
- /syskey
  Prevent syskey from execution on the system
- /cipher
  Prevent cipher from execution on the system
- /vssadmin
  Prevent vssadmin from execution on the system
- /known
  Enable Prevent known malware from starting on Protection Settings->Software Restriction Policies->Default Plan
- /programdata
  Enable %programdata% on Protection Settings->Software Restriction Policies->Default Plan
- /userprofile
  Enable %userprofile% on Protection Settings->Software Restriction Policies->Default Plan
- /startup
  Enable Startup Folders on Protection Settings->Software Restriction Policies->Default Plan
- /bin
  Enable Recycle Bin on Protection Settings->Software Restriction Policies->Minimum Plan
- /appdata
  Enable %appdata% on Protection Settings->Software Restriction Policies->Minimum Plan
- /appdatadeep
  Enable %appdata%\* on Protection Settings->Software Restriction Policies->Minimum Plan
- /localappdata
  Enable %localappdata% on Protection Settings->Software Restriction Policies->Minimum Plan
- /localappdatadeep
  Enable %localappdata%\* on Protection Settings->Software Restriction Policies->Maximum Plan
- /fakeexts
  Enable Double File Extensions on Protection Settings->Software Restriction Policies->Minimum Plan
- /tempexes
  Enable Block Executables Temporarily Extracted from Archives on Protection Settings->Software Restriction Policies->Maximum Plan
- /w=[filename.ext]
  Whitelist a specific executable in %appdata%
- /p=[filename.ext]
  Whitelist a specific executable in %programdata%
- /u=[filename.ext]
  Whitelist a specific executable in %userprofile%
- /s=[filename.ext]
  Whitelist a specific executable in Startup Folder
- /a=[custom allow policy rule]
  Custom allow rule; full file/path NO WILDCARDS
- /b=[custom block policy rule]
  Custom block rule; wildcards supported
You can add multiple entries by separating values with “,” (comma)
- /enablefiltermodule
  Enable the filter module based on the current settings
- /disableenablefiltermodule
  Disables the filter module (regardless of current settings)
- /noallowprompt
  Disable allowing applications to run when blocked by the filter module
- /fs=[extensionType] (separate values with ‘,’ comma)
  Add suspicious filter module for CPL, SCR, or PIF
- /fc=[extensionType] (separate values with ‘,’ comma)
  Add constant filter module for CPL, SCR, or PIF
- /disablefs=[extensionType] (separate values with ‘,’ comma)
  Remove suspicious filter module for CPL, SCR, or PIF
- /disablefc=[extensionType] (separate values with ‘,’ comma)
  Remove constant filter module for CPL, SCR, or PIF
- /exefilter
  Enable EXE/COM program filter
- /disableexefilter
  Disable EXE/COM program filter
- /enablefolderwatch
  Enable FolderWatch Protection
- /disablefolderwatch
  Disable FolderWatch Protection
- /enablehoneypot
  Enable FolderWatch HoneyPot Detection (note: FolderWatch Protection must also be enabled)
- /disablehoneypot
  Disable FolderWatch HoneyPot Detection
- /enableemail
  Enable email alerts (uses already defined settings)
- /disableemail
  Disable email alerts
- /enabletray
  Enable tray icon autostart
- /disabletray
  Disable tray icon autostart
- /enableupdates
  Enable scheduled updates (uses existing hour)
- /disableupdates
  Disable scheduled updates
- /updatehour=[XX] or Random
  Defines the update hour for scheduled updates
  (XX should be between 00 and 23)
  (Assumes /enableupdates command as well)
- /killemall
  Kills all non-essential running processes
- /test + /silent
  Writes a file w/ text 0 or 1 to show protection status
- /test
  Displays a form to show protection status
- /silent
  Silent Mode
- /reboot
  Reboots the system (final operation if other parameters are defined)
- /nogpupdate
  Skip the group policy update after changes
- /apply
  Apply protection and alert when completed
- /logging or /debug
  Enable logging output to logs folder
- /ProxyUpdateEnabled (add ‘=0’ to disable)
  Enables proxy for update operations
- /ProxyUpdateAddress=[domain]
  Set proxy address to specified domain or IP for update operations
- /ProxyUpdatePort=[Port#]
  Set proxy port number for update operations
- /ProxyUpdateUser=[userName]
  Set proxy username for update operations
- /ProxyUpdatePassword=[password]
  Set proxy password for update operations
- /ProxyUpdateSocksEnabled (add ‘=0’ to disable)
  Set proxy to be SOCKS proxy instead of HTTP proxy for update operations
- /ProxyEmailEnabled (add ‘=0’ to disable)
  Enables proxy for email operations
- /ProxyEmailAddress=[domain]
  Set proxy address to specified domain or IP for email operations
- /ProxyEmailPort=[Port#]
  Set proxy port number for email operations
- /ProxyEmailUser=[userName]
  Set proxy username for email operations
- /ProxyEmailPassword=[password]
  Set proxy password for email operations
- /ProxyEmailSocksEnabled (add ‘=0’ to disable)
  Set proxy to be SOCKS proxy instead of HTTP proxy for email operations
- /ProxySame (add ‘=0’ to disable)
  Apply the same proxy settings for email as are applied for updates
- /ProxyFromFile=[ini file location]
  Applies proxy settings from an INI file format
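An added example of an unattended rollout built from the parameters above, covering the "Applying Protections" steps (apply a plan, whitelist, reboot) without the GUI. This is example code written for this guide, not CryptoPrevent's own tooling; the executable path, the whitelisted file names and the allow-rule path are placeholders, the exit-code meaning is not documented on this page, and it assumes the premium key is already entered (command line parameters are a premium feature) and that the machine has been verified clean before anything is whitelisted.

```powershell
# Added example, not CryptoPrevent's own code: scripted deployment using only the
# command line parameters documented above. Paths and file names are placeholders.

$CryptoPreventExe = 'C:\Path\To\CryptoPrevent.exe'   # placeholder: point at the installed executable

function Invoke-CryptoPrevent {
    param([Parameter(Mandatory)][string[]]$Arguments)
    if (-not (Test-Path -Path $CryptoPreventExe)) {
        throw "CryptoPrevent not found at $CryptoPreventExe"
    }
    $proc = Start-Process -FilePath $CryptoPreventExe -ArgumentList $Arguments -Wait -PassThru
    # Exit-code meaning is not documented on this page; return it for logging only
    return $proc.ExitCode
}

# Step 1: Default plan (/l=2) with its Default-plan extras, blocks on the system
# tools ransomware abuses, filter module treating CPL/SCR/PIF as suspicious,
# FolderWatch with HoneyPot detection, email alerts and a 03:00 daily update.
# /silent suppresses prompts; /apply makes sure the settings are fully written.
$protect = @(
    '/l=2', '/known', '/programdata', '/userprofile', '/startup',
    '/bcdedit', '/vssadmin', '/cipher',
    '/fs=CPL,SCR,PIF',
    '/enablefiltermodule', '/enablefolderwatch', '/enablehoneypot',
    '/enableemail', '/updatehour=03', '/enableupdates',
    '/silent', '/apply'
)
$rc = Invoke-CryptoPrevent -Arguments $protect
Write-Host "Protection apply finished with exit code $rc"

# Step 2: whitelist one specific updater that legitimately runs from %appdata%
# (/w takes a file name) and add a full-path allow rule (/a takes no wildcards).
# Prefer these narrow entries over /whitelist, which allows every EXE already present.
$whitelist = @(
    '/w=vendor-updater.exe',                 # placeholder file name
    '/a=C:\Tools\Approved\helper.exe',       # placeholder full path
    '/silent', '/apply'
)
$rc = Invoke-CryptoPrevent -Arguments $whitelist
Write-Host "Whitelist apply finished with exit code $rc"

# Step 3: reboot last, because protections are not guaranteed active until restart
Invoke-CryptoPrevent -Arguments @('/reboot', '/silent') | Out-Null
```

After the restart, test the applications on the machine and review the History tab (or the event log) for anything that was blocked unexpectedly; fix it with a narrow /w, /p, /u, /s or /a entry rather than by loosening the plan.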
Example Proxy INI File contents:
[Proxy]
UpdateSameEmail=1 or 0
UpdateEnabled=1 or 0
ProxyAddressU=testAddress
ProxyPortU=1234
ProxyAuthU=1 or 0
ProxyUserU=userName
ProxyPassU==password
ProxySocksU=1 or 0
EmailEnabled=1 or 0
ProxyAddressE=testAddress
ProxyPortE=1234
ProxyAuthE=1 or 0
ProxyUserE=userName
ProxyPassE==password
ProxySocksE=1 or 0
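An added example for fleets behind one corporate proxy: a PowerShell function that writes the INI file in the layout shown above and hands it to CryptoPrevent with /ProxyFromFile. It is example code for this guide, not CryptoPrevent's own. Assumptions: the key names are taken from the example above; the doubled "==" shown on the two password lines is taken to be a typo and a single "=" is written; the executable path and proxy host are placeholders; the password comes from an environment variable so it is not stored in the script; and the INI is deleted afterwards on the assumption that the settings are copied into CryptoPrevent at apply time.

```powershell
# Added example, not CryptoPrevent's own code: write the proxy INI and apply it.
# Assumption: a single '=' on the password keys (the page shows '==', taken as a typo).

function New-CryptoPreventProxyIni {
    param(
        [Parameter(Mandatory)][string]$Path,
        [Parameter(Mandatory)][string]$Address,   # domain or IP only, no scheme
        [Parameter(Mandatory)][int]   $Port,
        [string]$User     = '',
        [string]$Password = '',
        [switch]$Socks,                            # SOCKS5 instead of HTTP proxy
        [switch]$SameForEmail                      # UpdateSameEmail=1
    )
    $auth = if ($User)         { 1 } else { 0 }
    $sock = if ($Socks)        { 1 } else { 0 }
    $same = if ($SameForEmail) { 1 } else { 0 }

    # Both the update (U) and email (E) groups are written with the same values;
    # the UpdateSameEmail flag tells CryptoPrevent to reuse the update settings for email.
    $lines = @(
        '[Proxy]'
        "UpdateSameEmail=$same"
        'UpdateEnabled=1'
        "ProxyAddressU=$Address"
        "ProxyPortU=$Port"
        "ProxyAuthU=$auth"
        "ProxyUserU=$User"
        "ProxyPassU=$Password"
        "ProxySocksU=$sock"
        'EmailEnabled=1'
        "ProxyAddressE=$Address"
        "ProxyPortE=$Port"
        "ProxyAuthE=$auth"
        "ProxyUserE=$User"
        "ProxyPassE=$Password"
        "ProxySocksE=$sock"
    )
    # ASCII without BOM: a UTF-8 BOM in front of "[Proxy]" can break INI section parsing
    [System.IO.File]::WriteAllLines($Path, [string[]]$lines, [System.Text.Encoding]::ASCII)
    return $Path
}

# Usage (placeholders for the executable path and proxy host; password from the environment)
$CryptoPreventExe = 'C:\Path\To\CryptoPrevent.exe'
$ini = New-CryptoPreventProxyIni -Path (Join-Path $env:ProgramData 'cp-proxy.ini') `
    -Address 'proxy.corp.example' -Port 3128 `
    -User 'svc-cryptoprevent' -Password $env:CP_PROXY_PASSWORD -SameForEmail

try {
    Start-Process -FilePath $CryptoPreventExe -ArgumentList @("/ProxyFromFile=$ini", '/silent') -Wait
}
finally {
    # The file holds a credential; do not leave it on disk once it has been applied
    Remove-Item -Path $ini -Force -ErrorAction SilentlyContinue
}
```

If a system has no authenticating proxy, omit -User and -Password and the script writes ProxyAuthU=0 / ProxyAuthE=0 with empty user and password values.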