• 8.0.4.3 Addendum – FolderWatch/HoneyPot Definitions

  WARNING:  These settings are designed and should be used for advanced users only or as directed by Foolish IT support staff.  Misuse of these setting can severely impact the performance and ability of both FolderWatch and the HoneyPot Detection Protection features in CryptoPrevent.  Use these options at your own risk and in most cases here less is more and being specific is safer!
  

WARNING:  These settings are designed and should be used for advanced users only or as directed by Foolish IT support staff.  Misuse of these setting can severely impact the performance and ability of both FolderWatch and the HoneyPot Detection Protection features in CryptoPrevent.  Use these options at your own risk and in most cases here less is more and being specific is safer!

• Whitelist Process from being Killed
  • One entry per line
  • This option applies to the Kill Apps Now button on the Apply Protection tab, the options available in the right click menu of the system tray, and to the ability of FolderWatch service killing tasks during a HoneyPot Detection activation
  • Only the executable name with extension is needed and is not case sensitive (ex. c:\program files\InstalledProgram\InstalledProgram.exe would only need to have a line entry of “installedprogram.exe”)
  • Notes:
    • It is not recommended to add any browser process name as these are the most common apps you want to be killed easily and most modern browsers save the sessions fairly well
    • Common programs you may want to add would be a word processor or other office productivity application or database applications, however since these can be used as points of attacks you may want to be very conservative in adding these too, increasing autosave features to shorter durations may be a better route
• FolderWatch Whitelist Path
  • One entry per line
  • This option allows entire folders or specific files or files in locations to be ignored by FolderWatch
    • This can be useful if a file requires a file lock and will not share access with FolderWatch in folders monitored by FolderWatch
  • Can use:
    • wildcard (*) for path variables
    • d7x variables (more information about variables here)
    • line entry ending with a trailing backslash so the entire folder is ignored
    • ex:
      • <ad>\programV18.*\ would have FolderWatch ignore the entire folder for a path where the version number changes in application data (roaming for vista+)
      • c:\installed program\programfilename.* would have FolderWatch ignore filenames matching with any extension
      • c:\installed program\programfileV*.exe would have FolderWatch ignore filenames with variable version numbers with matching extension
• HoneyPot Whitelist Pattern
  • One entry per line
  • This can be used to allow files that might match a built-in blacklisted pattern, helpful when filenames in folders monitored by FolderWatch might be similar or the same as some ransomware variants
  • Note each check for a whitelisted pattern adds time to the ability for checking against blacklisted patterns, meaning that ransomware could remain active and encrypt additional files prior to FolderWatch being able to detect and kill any active ransomware, it may be better to ignore specific files or types that match patterns using the FolderWatch Whitelist Path options
  • Can use:
    • wildcard (*) for path variables
    • d7x variables (more information about variables here)
    • ex:
      • If a false positive is triggered with the *.crypto pattern, *.crypto can be added to a line to ignore future matches
      • <ad>\programV18.*\ would have HoneyPot detection ignore the entire folder for a path where the version number changes in application data (roaming for vista+)
      • c:\installed program\programfilename.* would have FolderWatch ignore filenames matching with any extension
• HoneyPot Blacklist Pattern
  • One entry per line
  • This can be used to create your own encryption pattern matching options
  • Can use:
    • wildcard (*) for path variables
    • d7x variables (more information about variables here)
    • ex:
      • <ad>\programV18.*\ would have HoneyPot Detection triggered if the folder has files created or changed where the version number changes in the folder in application data (roaming for vista+)
      • c:\installed program\programfilename.* would have HoneyPot Detection triggered if filenames matching with any extension in the specific folder
• Custom HoneyPot Files
  • One entry per line
  • Allows you to:
    • create your own honeypot files named with or without default extensions
      • Syntax per line:
        • filename|filetype|extensionsdisabled
          • the pipe (|) character must separate the three definitions per custom honeypot file created and all items need to be defined as mentioned or errors may occur or produce unexpected results
          • filename=the custom file name you would like to be used (include extension if you are disabling the default extensions)
          • filetype=Normal, Hidden, or System which will create the custom file as indicated
          • extensionsdisabled=0 or 1, where 0 uses the default honeypot file extensions and removes any extension in the filename and 1 will not use the default honeypot file extensions and use the extension if defined in the filename above
    • enable or disable the default honeypot files creation
      • to disable the default honeypot files add a single line entry of:
        • nodefault
        • disabling default honeypot files and not adding custom files of your own will cause honeypot detection to operate on file/folder name pattern matching alone
      • to leave the default files created just do not add that line and the default files with various filenames will be created as system files as is the standard as well as any custom files you have defined

WARNING:  These settings are designed and should be used for advanced users only or as directed by Foolish IT support staff.  Misuse of these setting can severely impact the performance and ability of both FolderWatch and the HoneyPot Detection Protection features in CryptoPrevent.  Use these options at your own risk and in most cases here less is more and being specific is safer!

• 8.0.3.4 Addendum – Proxy Settings
  

• Enable Proxy Settings
  Enables proxy settings defined for update/download operations
  • Proxy Server Address (domain or IP only)
  • Port
  • Username
  • Password
  • Socks 5 Proxy enable/disable
• Use the same proxy settings for email
  Enable or disable using the same proxy settings defined for updates for sending emails as well
• Enable Proxy Settings
  Enables proxy settings defined for email operations
  • Proxy Server Address (domain or IP only)
  • Port
  • Username
  • Password
  • Socks 5 Proxy enable/disable

• Command Line Parameters (Premium Only Feature):
  

• /undo
  Remove protections but leave whitelists
• /undoall
  Remove protections and all whitelists
• /l=#
  Set a specific plan level set of protections
  Note: l is a lowercase L
  #=0 for None Protection Plan
  =1 for Minimal Protection Plan
  =2 for Default Protection Plan
  =3 for Maximum Protection Plan
  =5 for Extreme Protection Plan
  =a for Custom Plan (This won’t actually apply any new settings it will just reapply current settings)
• /whitelist
  Whitelist all EXEs in protected locations
• /enablesidebar
  Enable Sidebar and Gadgets
• /disablesidebar
  Disable Sidebar and GadgetsFor the following protections a “=0” can be added to disable protection.  Enabling the protection would not require additional parameters.
  You may also want to run “/apply” to ensure settings have been fully applied.
• /bcdedit
  Prevent bcdedit from execution on the system
• /syskey
  Prevent syskey from execution on the system
• /cipher
  Prevent cipher from execution on the system
• /vssadmin
  Prevent vssadmin from execution on the system
• /known
  Enable Prevent known malware from starting on Protection Settings->Software Restriction Policies->Default Plan
• /programdata
  Enable %programdata% on Protection Settings->Software Restriction Policies->Default Plan
• /userprofile
  Enable %userprofile% on Protection Settings->Software Restriction Policies->Default Plan
• /startup
  Enable Startup Folders on Protection Settings->Software Restriction Policies->Default Plan
• /bin
  Enable Recycle Bin on Protection Settings->Software Restriction Policies->Minimum Plan
• /appdata
  Enable %appdata%  on Protection Settings->Software Restriction Policies->Minimum Plan
• /appdatadeep
  Enable %appdata%\*  on Protection Settings->Software Restriction Policies->Minimum Plan
• /localappdata
  Enable %localappdata%  on Protection Settings->Software Restriction Policies->Minimum Plan
• /localappdatadeep
  Enable %localappdata%\*  on Protection Settings->Software Restriction Policies->Maximum Plan
• /fakeexts
  Enable Double File Extensions  on Protection Settings->Software Restriction Policies->Minimum Plan
• /tempexes
  Enable Block Executables Temporarily Extracted from Archives on Protection Settings->Software Restriction Policies->Maximum Plan
• /w=[filename.ext]
  Whitelist a specific executable in %appdata%
• /p=[filename.ext]
  Whitelist a specific executable in %programdata%
• /u=[filename.ext]
  Whitelist a specific executable in %userprofile%
• /s=[filename.ext]
  Whitelist a specific executable in Startup Folder
• /a=[custom allow policy rule]
  Custom allow rule; full file/path NO WILDCARDS
• /b=[custom block policy rule]
  Custom block rule; wildcards supportedYou can add multiple entries by separating values with “,”(comma)
• /enablefiltermodule
  Enable the filter module based on the current settings
• /disableenablefiltermodule
  Disables the filter module (regardless of current settings)
• /noallowprompt
  Disable allowing applications from running when blocked by filter module
• /sg=[type] (separate values with a ‘,’ comma)  * Requires v21.07.07 or later!
  Enable ‘ShadowGuard’ protection; valid types include “powershell”, “wmic”, and “vssadmin”
• /disablesg=[type] (separate values with a ‘,’ comma)  * Requires v21.07.07 or later!
  Disable ‘ShadowGuard’ protection; valid types include “powershell”, “wmic”, and “vssadmin”
• /fs=[extensionType] (separate values with ‘,’ comma)
  Add suspicious filter module for CPL, SCR, or PIF
• /fc=[extensionType] (separate values with ‘,’ comma)
  Add constant filter module for CPL, SCR, or PIF
• /disablefs=[extensionType] (separate values with ‘,’ comma)
  Remove supsicious filter moduel for CPL, SCR, or PIF
• /disablefc=[extensionType] (separate values with ‘,’ comma)
  Remove constant filter module for CPL, SCR, or PIF
• /exefilter
  Enable EXE/COM program filter
• /disableexefilter
  Disable EXE/COM program filter
• /enablefolderwatch
  Enable FolderWatch Protection
• /disablefolderwatch
  Disable FolderWatch protection
• /enablehoneypot
  Enable FolderWatch HoneyPot Detection (note: FolderWatch Protection must also be enabled)
• /disablehoneypot
  Disable FolderWatch HoneyPot Detection
• /enableemail
  Enable email alerts (uses already defined settings)
• /disableemail
  Disable email alerts
• /enabletray
  Enable tray icon autostart
• /disabletray
  Disable tray icon autostart
• /enableupdates
  Enable scheduled updates (uses existing hour)
• /disableupdates
  Disable schedule updates
• /updatehour=[XX] or Random
  Defines update hours for scheduled updates
  (XX should be between 00 and 23)
  (Assumes /enableupdates command as well)
• /killemall
  Kills all non-essential running processes
• /test + /silent
  Writes a file w/ text 0 or 1 to show protections status
• /test
  Displays a form to show protection status
• /silent
  Silent Mode
• /reboot
  Reboots the system (final operation if other parameters are defined)
• /nogpupdate
  Skip the group policy update after changes
• /apply
  Apply protection and alert when completed
• /logging or /debug
  Enable logging output to logs folder

• /emailusername=”user@addy.com”
• /emailsamesendtofromaddy
  • or use the following together:
    • /emailfromaddy=”user@addy.com”
    • /emailsendtoaddy=”user@addy.com”
• /emailpassword=”password”
• /emailserver=”serverAddress”
• /emailport=”portNumber”
• /emailauthenable
  • (Add =0 to disable)
• /emailstarttlsenable
  • (Add =0 to disable)
• /emailsslenable
  • (Add =0 to disable)
• /clientemailid=”Client ID to be added to Email Subject”
• /emaillocksettings
  • • (Add =0 to disable)
    • Only applies to Bulk or White-Label Editions

• /ProxyUpdateEnabled (add ‘=0’ to disable)
  Enables proxy for update operations
• /ProxyUpdateAddress=[domain]
  Set proxy address to specified domain or IP for update operations
• /ProxyUpdatePort=[Port#]
  Set proxy port number for update operations
• /ProxyUpdateUser=[userName]
  Set proxy username for update operations
• /ProxyUpdatePassword=[password]
  Set proxy password for update operations
• /ProxyUpdateSocksEnabled (add ‘=0’ to disable)
  Set proxy to be SOCKS proxy instead of HTTP proxy for update operations
• /ProxyEmailEnabled (add ‘=0’ to disable)
  Enables proxy for email operations
• /ProxyEmailAddress=[domain]
  Set proxy address to specified domain or IP  for email operations
• /ProxyEmailPort=[Port#]
  Set proxy port number  for email operations
• /ProxyEmailUser=[userName]
  Set proxy username  for email operations
• /ProxyEmailPassword=[password]
  Set proxy password  for email operations
• /ProxyEmailSocksEnabled (add ‘=0’ to disable)
  Set proxy to be SOCKS proxy instead of HTTP proxy  for email operations
• /ProxySame (add ‘=0’ to disable)
  Apply the same proxy settings for email as are applied for updates
• /ProxyFromFile=[ini file location]
  Applies proxy settings from an INI file format
  Example Proxy INI File contents:
  [Proxy] UpdateSameEmail=1 or 0
  UpdateEnabled=1 or 0
  ProxyAddressU=testAddress
  ProxyPortU=1234
  ProxyAuthU=1 or 0
  ProxyUserU=userName
  ProxyPassU==password
  ProxySocksU=1 or 0
  EmailEnabled=1 or 0
  ProxyAddressE=testAddress
  ProxyPortE=1234
  ProxyAuthE=1 or 0
  ProxyUserE=userName
  ProxyPassE==password
  ProxySocksE=1 or 0

Applying Protections (Plan or customized selected)

Once you have confirmed all your desired settings at this point, click the Apply Protection Plan
Depending on the policy and number of protections selected, it may take several minutes to apply protections.

You may also be prompted to whitelist all executables located in locations that will be blocked.

Please ensure that your systems is malware free prior to installing CryptoPrevent and particularly prior to answering yes to the question about whitelisting.

After the settings are applied, you will be prompted to reboot.

There is no guarantee that protections will be enabled unless a reboot is performed.

After rebooting, please test all your applications and ensure that they function as expected.

If you note any problems you feel may be caused by CryptoPrevent, you can review the History tab and to determine what may have happened.

Remediation will include either whitelisting or alteration of protection settings.

If you need additional assistance or advice in that, please contact our Help Desk via email:  support@d7xtech.com

About tab:

• This tab displays information about CryptoPrevent including its history, evolution, and honorable mentions.

Updates tab:

• Enable a daily update schedule
  • runs at the hour of your choosing or at a randomly picked time.
  • A button is provided for manually checking for updates. (made available if enable daily update schedule checkbox fails)
• Additional hash definitions will be downloaded from our servers if the Extended Hash Definitions option is checked.
  • As of this writing, over 50000 base definitions are applied and that number increases to over 70000 with that option enabled.
  • Note this list is not as well vetted as the standard definitions and may result in false positives

History tab:

• The History tab logs information about CryptoPrevent activity either since:
  • the Previous Startup
  • for as far back as the Windows event logs happen to record.
• Events will be created whenever either a software restriction policy is enforced or when either our program filter module or FolderWatch protection detects malicious software or activity.
  • The contents of each event may be useful for troubleshooting purposes and for getting the path information necessary to create a whitelist policy entry.
• Event IDs
  • 866
    • Software Restriction Policy Protection
  • 10177
    • v7 Filter Module Protection
  • 10188
    • v8 Beta FolderWatch
  • 10189
    • v8 Beta FolderWatch HoneyPot Detection
  • 36650
    • v8.0.0.0 + denotes protection via the source for the event
      • CryptoPrevent Program Filter
      • CryptoPreventFW
      • CryptoPreventHP
  • 36651
    • v8.0.0.0 + denotes protection via the source for the event
      • CryptoPrevent Program Filter
      • CryptoPreventFW
      • CryptoPreventHP
  • 36652
    • v8.0.0.0 + denotes protection via the source for the event
      • CryptoPrevent Program Filter
      • CryptoPreventFW
      • CryptoPreventHP
  • 36659
    • v8.0.0.0 + denotes protection via the source for the event
      • CryptoPrevent Program Filter
      • CryptoPreventFW
      • CryptoPreventHP

Email Settings tab:

• This tab is used to enable email notifications of alerts.
  • Alerts will be emailed using the provided credentials and options. (Settings entered here are only available to the local system, this information is not transmitted or used by Foolish IT in any way)
  • Settings are predefined for Google’s Gmail service or you may specify your own SMTP settings.
• Please note that Google will block external SMTP access unless you enable the “use less secure apps” option in your Gmail account settings.
  • This restriction applies to any software that uses Google’s SMTP access and is not specific to CryptoPrevent. For example, Microsoft Outlook is affected by this as well.
  • Additional information:  https://www.d7xtech.com/cryptoprevent-malware-prevention/email-setup-faq/

Submit New Hash tab:

• If you identify a file you know to be malicious, you may use this tab to select that file, compute its hashes, and potentially upload it to Foolish IT for further analysis and potential inclusion in future base definitions.
  • After browsing for a file, its hashes will be computed and compared against the internal lists.
  • You will alerted in red text if the hash is not already present in our definitions and, in that case, the hashes will be added if and when you choose to upload the file.
  • If you choose not to upload the file, you will need to manually add the hashes to your custom hash definitions in order to have that file blocked.

User Hash Definitions tab:

• Similar to the whitelist and blacklist software restriction policies, our hash definitions also utilize lists to either allow or block a specific hash definitions, respectively.
• Hashes are only used with the Filter Module and FolderWatch protections
• The blacklist will only contain custom hashes and does not expose the hashes distributed with CryptoPrevent.
  • As with the blacklist policies, you may add your own to enhance the base level of protections offered.  (Premium Only)
• Changes to these lists take effect immediately after clicking the Save Hash Definitions File button.

Blacklist policies tab:

• The blacklist is a list of programs explicitly blocked via software restriction path rules.
  • It is possible to use wildcards in blacklist policies.
  • CryptoPrevent version 8 applies roughly ten times the number of blacklist policies at any given protection plan compared to version 7.
  • Any of the black list rules may be removed if a specific one causes problems.
    • Note when removing policies this will not change your plan to Custom and if you re-apply protections they will be re-added
• Feel free to add additional rules to this list to enhance protections for your specific environment. (Premium Edition Only*)
• Changes to policies are applied immediately; however, it may be necessary to reboot for the changes to take effect.

Whitelist policies tab:

• The whitelist is a list of programs explicitly allowed via software restriction path rules.
• Whitelist Executables Currently In All Blocked Locations button
  • simplifies whitelisting by adding all existing items in blocked locations to the whitelist
  • When using this feature ensure you review the files added to verify no malicious or unknown programs have been added
• Whitelist policies should be as specific as possible to avoid being overridden by a more specific blacklist entry.
  • This concern comes into play when using wildcards, so the use of wildcards should be avoided in whitelist rules if possible.
• Changes to policies are applied immediately; however, it may be necessary to reboot for the changes to take effect.

FolderWatch HoneyPot tab:

• Enable FolderWatch HoneyPot Ransomware Detection (Premium Only)
  • The HoneyPot feature related to FolderWatch places numerous files around your PC to act as bait.
    • the root folder of each Protected location selected in the FolderWatch tab will be protected by the honeypot files
    • this includes any custom locations
    • honeypot files may or may not be visible in these locations depending on what hidden/system files you have shown
  • When activity is detected against these files, the HoneyPot feature will do everything in its power to prevent any further system activity, including:
    • slowing the system
    • only allowing it to be rebooted or shutdown.
  • When this feature is activated, the idea is that the system has been grievously compromised and your data is at risk from malicious activity.
    • As such, it is a “last ditch” effort to preserve your data with the hopes that only our bait files will be compromised and not any legitimate data.
    • Please use this feature with caution as there is the possibility of false positives due to the fact that any manipulation of the HoneyPot files will trigger our HoneyPot protections.

FolderWatch tab:

• FolderWatch provides additional monitoring of a selection of common folders and custom folders (Premium Only).
  • User Folders:
    • these locations are based on the Windows internal location for these folders (normally under the user profile)
    • all subdirectories and files are monitored in these locations
  • Custom FolderWatch Folders:
    • these locations can be monitored based on user selection
    • only the top level selected directory files will be monitored in these locations
      • sub folders must be added individually when desired
  • Quarantine Location:
    • Files flagged as potentially malicious will be quarantined in the folder specified here.
    • Please exercise caution when interacting with quarantined files as they are likely malicious.
    • files placed here will be renamed including the time/date they were added to the quarantine

Prevent File Types tab:

• CryptoPrevent includes a program filter module that can either selectively block certain executable file types or indiscriminately block them.
  • Prevent Suspicious File Types
    • depending what is selected the .cpl, .scr, and .pif file types will check each files against our malware definitions and block them if a match is found
    • Suspicious will also use various logic for determining if that file type should be launched
      • various items like file location, naming convention and others are included in this logic
  • Always Prevent File Types
    • always prevent the execution of the respective file types
  • Notification prompt
    • these settings only pertain to the .cpl, .scr, and .pif file types for filtering
    • We recommend the default value of Message Box Alert for the notification prompt.
  • Program filtering for .exe and .com executables
    • always restrict exe or com files based upon hash definitions

The Maximum plan tab:

• The following protect each of these locations from executable files:
  • %localappdata%\*
    • Windows Vista + OS
      • %userprofile%\AppData\Local\*\*.[executable extension]
      • %userprofile%\AppData\Local\Temp\*.[executable extension]
      • [windows installation directory]\Temp\*.[executable extension]
    • Windows XP OS
      • %userprofile%\Local Settings\Temp\*.[executable extension]
      • [windows installation directory]\Temp\*.[executable extension]
  • Block Executables Temporarily Extracted from Archives
    • Windows Vista + OS
      • %userprofile%\AppData\Local\Temp\wz*\*.[executable extension]
      • %userprofile%\AppData\Local\Temp\*.zip\*.[executable extension]
      • %userprofile%\AppData\Local\Temp\7z*\*.[executable extension]
      • %userprofile%\AppData\Local\Temp\rar*\*.[executable extension]
    • Windows XP OS
      • %userprofile%\Local Settings\Temp\wz*\*.[executable extension]
      • %userprofile%\Local Settings\Temp\*.zip\*.[executable extension]
      • %userprofile%\Local Settings\Temp\7z*\*.[executable extension]
      • %userprofile%\Local Settings\Temp\rar*\*.[executable extension]
• The Block Windows Programs section
  • bcdedit.exe
    • BCDedit.exe is used to modify the booting of Windows
    • this exe is blocked from running in any location on the system
    • It can be used safely by certain backup applications
      • if you have a backup application that uses this you can disable this protection
  • Disable Windows Script Host
    • Please note that although the Disable Windows Script Host option is listed on this tab, it is NOT applied with the Maximum plan as of version 8.0.2.4.
    • The reason for this is that long login delays were reported when enabling this option in environments that utilize login scripts.
    • It should be safe to enable this option in a non-domain environment and when you do not rely upon the use of Windows scripts.
    • For more information, please review these sites:  and https://technet.microsoft.com/en-us/library/ee198684.aspx

The Default plan tab

• The following protect each of these locations from executable files:
  • %programdata%
    • Windows Vista + OS
      • %programdata%\*.[executable extension]
  • %userprofile%
    • All Supported OS
      • %userprofile%\*.[executable extension] (does not include *.com extension)
      • For each actual user folder at time of settings being applied, a rule for that specific user folder is added ([user folder location]\*.[executable extension]
    • Windows Vista + OS
      • [user folders location]\Public\*.[executable extension]
    • Windows XP OS
      • %allusersprofile%\*.[executable extension]
  • Startup Folders (in Start Menu)
    • Windows Vista + OS
      • %programdata%\Microsoft\Windows\Start Menu\Programs\Startup\*.[executable extension]
      • %userprofile%\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\*.[executable extension]
    • Windows XP OS
      • %allusersprofile%\Start Menu\Programs\Startup\*.[executable extension]
      • %userprofile%\Start Menu\Programs\Startup\*.[executable extension]
    • Note this does not include the *.lnk extension because this is expected to be in these locations
• Block Windows Programs:
  • vssadmin.exe
  • syskey.exe
  • cipher.exe
  • Note: these are legitimate tools that have been known to be co-opted by malicious software.
    • If you have no use of these tools and you do not use applications that rely upon them, you may safely disable those protections.
  • Note: these applications are blocked from running in any location
• Misc. Protections:
  • Prevent known malware from starting
    • list of various known malware items
  • Turn off Windows Sidebar and Gadgets
    • disable the use of legacy “Sidebar and Gadget” applications.
    • This option is recommended by Microsoft due to known security implications of their usage:  https://technet.microsoft.com/library/security/2719662

The Minimum plan tab:

• The following protect each of these locations from executable files:
  • %appdata%
    • All Supported OS
      •  %appdata%\*.[executable extension]
    • Windows Vista + OS
      • %userprofile%\AppData\*.[executable extension]
      • %userprofile%\Appdata\Roaming\*.[executable extension]
    • Windows XP OS
      • %allusersprofile%\Application Data\*.[executable extension]
      • %userprofile%\Application Data\*.[executable extension]
  • %appdata%\*
    • All Supported OS
      •  %appdata%\*\*.[executable extension]
    • Windows Vista + OS
      • %userprofile%\Appdata\Roaming\*\*.[executable extension]
    • Windows XP OS
      • %allusersprofile%\Application Data\*\*.[executable extension]
      • %userprofile%\Application Data\*\*.[executable extension]
  • %localappdata%
    • Windows Vista + OS
      • %userprofile%\AppData\Local\*.[executable extension]
      • %userprofile%\AppData\LocalLow\*.[executable extension]
      • %userprofile%\AppData\LocalLow\*\*.[executable extension]
    • Windows XP OS
      • %allusersprofile%\Local Settings\Application Data\*.[executable extension]
      • %allusersprofile%\Local Settings\Application Data\*\*.[executable extension]
      • %userprofile%\Local Settings\Application Data\*.[executable extension]
      • %userprofile%\Local Settings\Application Data\*\*.[executable extension]
  • Recycle Bin
    • Windows Vista + OS
      • *:\$Recycle.Bin\*.[executable extension]
    • Windows XP OS
      • *:\RECYCLER\*.[executable extension]
• Double File Extensions
  • Protects all locations from executable files with a path of *.[dbl extension list item].[executable extension]
  • Note this does not apply for the executable extension [.lnk]
• Right-to-Left Override
  • exploits related to the direction of text interpretation.
  • Please follow the provided link for more information regarding the right-to-left override character:
    • https://www.google.com/search?q=right+to+left+override
    • https://blogs.technet.microsoft.com/office_global_experience/2009/11/18/bidirectional-text-embedding-and-override

Apply Protection tab:

• Protection plans are an easy way to apply sets of CryptoPrevent protections.
  • Minimal plan
    • includes all protections available in the original release of CryptoPrevent for blocking CryptoLocker and similar ransomware.
    • These are a bare minimum level of protections and may not protect against more modern threats.
  • Default plan
    • includes additional protections to prevent a wider range of threats.
    • More restrictive plans could impact software installations and this is the highest plan that should not interfere with that.
    • For this reason, we refer to it as the “set it and forget it” plan.
  • Maximum plan
    • includes additional protections that will block even more threats.
    • Please use this plan with caution as it has the potential to interfere with:
    • software installations
    • certain backup application that rely upon the bcdedit.exe utility
  • Extreme plan
    • enables every available protection feature, including those considered “beta”.
    • This plan has the potential to block legitimate software from running.
    • Please test in your environment with these settings to determine if they will negatively impact the use of your PC.
  • Custom settings
    • when settings do not specifically follow a predefined protection plan.
    • A general guideline would be to start with the Default plan and check any additional protections that you are able to tolerate in your environment.
    • Testing should be performed whenever changing protection settings.
    • Testing involves applying the settings you wish to test, rebooting when prompted, and then trying out all your existing software for expected operation.
• Enable Active Protections
  • includes master check boxes for active protections beyond software restriction policies.
  • Use Protection Plan Settings
    • checked means the two sub-items will follow selected plan recommendations
    • this box will automatically uncheck and the plan setting will be changed to custom if either of the two sub-items are changed
  • FolderWatch (real-time)
    • FolderWatch  is a new protection feature in CryptoPrevent v8
      • allows for specified folders to be monitored for items that match the loaded hash definitions list (including custom added ones available in the premium version)
      • allows for HoneyPot Detection (Premium Version feature) to protect the selected locations as well
      • see more details about these items under the Protection Settings tab individual descriptions in this documentation
    • checked means the protections and folders under Protection Settings tab->FolderWatch tab and  Protection Settings tab->FolderWatch HoneyPot tab will be protected and enabled by the FolderWatch service
    • unchecked means this protection will be disabled and the selected locations/enabling HoneyPot Detection will be irrelevant
• Kill Apps Now button
  • CryptoPrevent includes certain features from Foolish IT’s next generation PC technician productivity tool, called d7x, which is currently in development.
  • will close all running non-essential applications.
  • Please be aware that using this option will not prompt you to save any work and will forcibly close running windows.
• CryptoPrevent QuickAccess (Premium only feature)
  • a notification icon that will appear in the system tray when enabled
  • exposes CryptoPrevent functionality to the user without the need to open the entire user interface.
  • will also pop up with notifications regarding CryptoPrevent activity.
  • Note: this tray should be enabled when using FolderWatch HoneyPot Detection to alert the end-user when detection has occurred (otherwise the system will shutdown without warning)
• Apply Protection Plan button
  • Available on all tabs
  • this button applies the currently selected plan and protections enabled under the Protection Settings tab
  • Be sure to use this button when changing plans or after all individual settings have been customized as you want to have applied
• Test Protection button
  • currently tests only the protection location of %appdata% (which is enabled on all plans except None)
  • indicates mainly if the Software Restrictions Policies have been enabled and have taken effect
  • this will not test other locations, the filter module protections or FolderWatch protections

Installation of CryptoPrevent is carried out with very few steps:
(Note: Bulk/White-Label Client installation may vary slightly from the below)

Extract the ZIP archive downloaded from our site to a location of your choosing and make note of the location. This file contains the installer/setup routine for CryptoPrevent.

Launch the installer executable file from the above location.

Click next.

It is not possible to proceed without accepting the license agreement and clicking next.

Choose whether or not to create a desktop shortcut and click next.

Click install to initiate the installation.

Click finish to close the installation and launch CryptoPrevent. Uncheck the box shown if you do not want to configure CryptoPrevent or apply protection.
Note: CryptoPrevent will not protect your PC just by installing it.  It is required that protections be reviewed and applied for CryptoPrevent to start working.

You will be asked if you are in possession of product key for the purposes of enabling all premium features. If you have purchased and received an email containing your key, please choose yes.

Copy and paste your product key exactly as you received it and click ok.

You will be asked if you would like to schedule daily updates. You may either choose to do that with a random time or you may opt not to and select a time of your choosing at a later time.

Click ok to proceed to the main interface.