[Repost] CryptoPrevent

墨家小子
Posted on 2013-11-5 09:35:37
Current Version:  3.1

CryptoPrevent is a tiny utility to lock down any Windows OS (XP, Vista, 7, 8, and 8.1) to prevent infection by the Cryptolocker malware or ‘ransomware’, which encrypts personal files and then offers decryption for a paid ransom.

New!  CryptoPrevent Automatic Updates

Malware gets updates, shouldn’t you be updating CryptoPrevent too?  

Click here to learn more…

For current MD5/SHA256 hashes and analysis of CryptoPrevent v3.1, visit this VirusTotal.com link or this link for the installer version.  For a nice little utility to examine and compare file hashes you can download my tool, QuickHash.

Also, yes I know McAfee SiteAdvisor lists my site as malicious, I have submitted a dispute, but I don’t expect much as it is notorious for false positives, just google it…

Recent Changes:

v3.1 – Added some new areas of protection, fixed an issue with not protecting the Recycle Bin properly and expanded that to protect the bin on all drives, fixed some instances of the test failing although protection was in fact successful, and a few other misc. changes.
v3.0 – Added protection from executables located inside the Recycle Bin.  Introduced a new optional CryptoPrevent Automatic Updates service for home users!
v2.6 – implemented protection (and whitelisting) for *.com *.scr and *.pif files in addition to *.exe for %appdata% directories in order to block a lot more malware than just Cryptolocker.  Added new file extensions to the fake file extension protection.  Implemented a 12 second timer to stop waiting on group policy to refresh when applying actions, as it was noted on some systems that gpupdate seems to freeze up.
v2.5.3 – removed blanket rules for fake file extensions (the ? wildcards) in favor of specific rules, due to potential application incompatibilities.
v2.5.2 – added the /nogpupdate command line parameter to skip the group policy update in scripted environments.
v2.5.1 – fixed an issue with the /whitelist parameter not working when CryptoPrevent.exe was scripted to run under the local system account.
v2.5 – implemented protection against fake file extension executables (e.g. *.docx.exe or *.pdf.exe) on suggestion from Steve B at sanesecurity.com; also made Temp Extracted Executable protection  unchecked by default and implemented a warning when checking this item, as this can cause issues with some apps/installations.
v2.4 – implemented the option to check for updates direct from this website within the application itself.
v2.3 – relaxed protection methods on Vista+ OSes as rules of prior versions were blocking some executables running from %temp% directories which could cause certain application installations to fail unless you temporarily removed protection during the installation.  This should no longer be necessary.  Tested relaxed protection against Cryptolocker to ensure it still cannot infect the OS, and it cannot.  Also made the whitelist dialog resizable.
v2.2 – added additional restriction policies to better protect Windows XP against the latest strains – prior versions were not protecting %username%\local settings\application data and their first level subdirectories, but rather only %username%\application data and their first level subdirectories.  Along with this comes additional whitelist scanning functionality.  Other syntax changes in the rules for better compatibility with all OSes.
There already exists a Cryptolocker Prevention Kit as found here, but it only works with domains and OSes that have access to group policy editor (Professional versions of Windows) leaving Home versions without a method of protection.  It also isn’t the most intuitive of installations for the average Joe, either.  The methodology CryptoPrevent uses to lock down a system was presented by Lawrence Abrams of bleepingcomputer.com here, and without that guide CryptoPrevent would not exist.  Unfortunately, like the other Cryptolocker Prevention Kit mentioned, the guide by Lawrence Abrams involves usage of the Group Policy Editor available in Professional versions of Windows, and is a time consuming manual task.

CryptoPrevent seeks to alleviate these issues in allowing protection on ALL Windows OSes, while being easy enough for the average Joe to do, and optionally providing silent automation options for system admins and those who need to immunize a lot of computers automatically.  Further, CryptoPrevent has been improved to include upwards of 200 rules instead of just 6.

CryptoPrevent is a single executable and is fully portable (of course unless you download the installer based version) and will run from anywhere, even a network share.

The User Interface

The User Interface allows you to select to apply the blocks to executable files as listed under Prevention Methodology below.  You may also automatically whitelist all EXEs located in %appdata% / %localappdata% and first level subdirectories.  There also exists an Undo feature, and a Test feature, a Whitelist Options dialog allowing you to selectively whitelist individual items, and a feature to automatically check for and apply updates to the application itself.



Prevention Methodology

CryptoPrevent artificially implants group policy objects into the registry in order to block certain executables in certain locations from running.  The number of rules created by CryptoPrevent is somewhere between 150 and 200+ rules depending on the OS and options selected, not including whitelisting!  Note that because the group policy objects are artificially created, they will not display in the Group Policy Editor on a Professional version of Windows — but rest assured they are still there!  Executables now protected against (starting with v2.6) are *.exe *.com *.scr and *.pif, and these executables are blocked in the paths below where * is a wildcard:

%appdata% / %localappdata% / Recycle Bin - These locations are used by the malware as launch points.

%appdata% and any first-level subdirectories in %appdata%  (e.g. %appdata%\directory1, %appdata%\directory2, etc.)
%localappdata% (and on Windows XP, any first-level subdirectories in there.)  NOTE beginning with v2.2, any time %localappdata% is referred to on this page, it also refers to %userprofile%\Local Settings\Application data on Windows XP, where %localappdata% is not an actual environment variable.
The All Users application data and local settings\application data paths on XP.
the %userprofile% and %programdata% paths (no nested subfolders.)
The Recycle Bin on all drives, and multiple nested subfolders.
Fake File Extension Executables:  (ex. document.docx.exe)

*.x.y where:
x = pdf, doc, docx, xls, xlsx, ppt, pptx, txt, rtf, zip, rar, 7z, jpeg, jpg, png, gif, avi, mp3, wma, wmv, wav, divx, mp4
y = exe, com, scr, and pif.
Temp Extracted Executables in Archive Files:

%temp%\rar* directories
%temp%\7z* directories
%temp%\wz* directories
%temp%\*.zip directories
The final four locations above are temporary extract locations for executables when run from directly inside of a compressed archive (e.g. you open download.zip in Windows Explorer, WinRAR, WinZip, or 7zip, and execute an .EXE from directly inside the download, it is actually extracted to a temporary location and run from there – so this guards against that as well; however this option may interfere with certain program installations (e.g. Firefox.))

NOTE the variable %temp% is no longer used, and instead the actual temp file path is expanded after %userprofile%.  There is an apparent bug in Microsoft’s software prevention policies that does not allow for the %temp% environment variable to be used in the rules (as it does allow %appdata% or %userprofile%)… so protection for %temp% folders is now applied by expanding the full path to the user’s temp folder (after %userprofile%) in each rule set.   In prior versions, CryptoPrevent attempted to use the %temp% environment variable to protect all user accounts, but it was later discovered that methodology wasn’t working on all systems.  If you applied protection with prior versions and want temp extracted exes blocked, you may want to reapply protection with v2.2 to ensure it will work for you.

Protection does not need to be applied while logged into each user account, it may be applied only once from ANY user account and it will protect all user accounts on the system.

The Test Feature

When using the test feature, you are first presented with a dialog of simple success or failure.  What actually happens is that a temporary executable is extracted to %appdata% and the test feature attempts to launch it; if the launch fails, then the prevention is successful.  If the launch succeeds, the temporary application silently returns errorlevel 9 back to CryptoPrevent to alert it that the app was successful in launching and the prevention has failed.

NOTE:  Versions prior to v1.3 did not alert when the prevention was successful, only if it failed – this is explained in a dialog box which pops up prior to the test in those versions.

Whitelist Options

There are a handful of legitimate executables that developers have poorly decided to put in these locations, and the most popular seems to be ‘Spotify’, though there are also a few remote support applications that can run from these locations.  Due to this, CryptoPrevent v2 comes with a whitelist editor and capabilities.  From here you can view whitelisted items and add your own manually or via the browse button, and also you may choose to automatically whitelist all items currently located in %appdata% / %localappdata% and their first level subdirectories.  Note that manually entered whitelist items may NOT contain wildcards.

Undo

You may undo the protection at any time by using the Undo button in the main interface.  You are given the option in v2.x to also undo the whitelist policies, selecting no will undo the protection only.  Note that actually removing the protection is not consistent behavior.  In my testing, when removing the protection sometimes the change is instantaneous, while other times a reboot is required just like applying the policies in the first place, and on rare occasion a group policy update is required, then a reboot.  Windows is funny that way and there seems to be no way to predict this behavior.  v2.1.1 now runs gpupdate /force after the Undo features to ensure group policy is refreshed, and then protection is tested for again to determine if a reboot prompt will be displayed.

Automation / Scripting

CryptoPrevent when run by itself will display a user interface, but command line parameters may be utilized (in v1.1 and above) for optionally silent automation.  Command line parameters accepted are:

/apply  -  this option applies the default settings (to block *.exe in both %appdata% locations and the four %temp% locations.)
/silent  -  this option SILENTLY applies the default settings as listed above (or when combined with /undo it will silently undo the protection.)
/reboot  -  this option SILENTLY applies the default settings as listed above, and executes a forced mandatory reboot.
/noappdata  -  this option skips the block on both %appdata% locations as explained above.
/notempexes  -  this option skips the block on the four %temp% locations as explained above.  (this option is skipped by default in v3.1)
/includetempexes – (new in v3.1) – include the Temp Extracted Executables block.
/nofakeexts – (new in v2.5!) this option skips the block on the fake file extension executables as explained above.
/whitelist  -  whitelist all EXEs currently located in %appdata% / %localappdata% and their first level subdirectories.
/w=[path\filename.exe]  -  whitelist a specific file.
The path/filename may not contain wildcards.
If no path is specified (e.g. /w=foo.exe ) then both %appdata%\foo.exe and %localappdata%\foo.exe will be whitelisted.
If a path is specified it should be only one first level subdirectory from either %appdata% or %localappdata% (e.g. /w=Foo\Bar.exe ) which will actually whitelist both %appdata%\Foo\Bar.exe and %localappdata%\Foo\Bar.exe
/undo  -  this option obviously removes the protection, and can be combined with the /silent parameter.
/undoall  –  this option removes the protection and any whitelist policies defined as well.
/nogpupdate – skip the group policy update after modifications are made.
/test  -  obviously this runs the test feature, overriding any other command line parameters.  v1.3 is required for this parameter to function.  Scripters should use the new CryptoPreventTestCLI.exe included with v1.4 and above to silently test for the protection, as this command line parameter will output a dialog box just like the test button in the main user interface.
These parameters may be used in most any logical combination, e.g.

CryptoPrevent.exe /whitelist /reboot
CryptoPrevent.exe /undoall /silent
CryptoPrevent.exe /silent /whitelist /notempexes /w=Foo\Bar.exe /w=Foo\Bar2.exe
IMPORTANT NOTE:  If you are pushing out CryptoPrevent.exe through an RMM tool, specifically Labtech, there may be a problem with the /whitelist parameter not working as intended.  You must use the ‘Process Execute as Admin’ or ‘Shell as Admin’ option to deploy properly.  

CryptoPreventTestCLI.exe

This is a console application designed to test for the protection, designed to be scripted, and included in the latest portable download.  Perfect for usage with your RMM software (maybe; see the note below).  When the protection tests successful, it will output to the console “Prevention Successfully Applied!” and exit with errorlevel 0.  If unsuccessful, it exits with errorlevel 1 and prints to the console “Prevention Not Applied or Unsuccessful!”

NOTE:  This test will always return unsuccessful when run from the local system account, as many RMM tools will do by default.  It must be run from a standard user or admin account to test properly.  This is because the local system account is NOT restricted by the policies set by CryptoPrevent.

Q&A

You released a new version.  Should I update, and how?

YES!  You should periodically check for and update to the latest version using the program’s internal update function in the top menu to stay current with the latest methodology in preventing this (and other) malware.  After update it is then necessary to re-apply the protection to your system.  It is not necessary to undo the previous protection in place before doing this, or even to uninstall the app before updating.  If you have an older version of the app before the update functionality was introduced, simply download and install the latest version, then re-apply protection.

This process is entirely automatic for users of the Automatic Update edition.

Will this protect against other malware?

YES!  A LOT of trojan based malware out there utilizes the same infection tactics and launch point locations as Cryptolocker, therefore CryptoPrevent will protect against all malware that fits the same or similar profile and behavior.  This is especially true in v2.6+ when protection was increased to include other executable types.

My legitimate software isn’t working properly after applying the protection.  What do I do?

Be CERTAIN you have the latest version of the app, which is getting better all the time at not blocking legitimate applications.  If you had an outdated version, after update then re-apply the protection and restart, then re-test your app.  If it still isn’t working, ensure you’ve done the whitelisting first, and reboot if new entries are added to the whitelist.  If it still isn’t working, then you may need to temporarily undo protection when using/installing that app.  If this is the case, I would appreciate you telling me what app isn’t working for you and if you can, the details on the app’s filename and where it is running from, maybe I can help alleviate the issue with a new version.

Does my existing Anti-Virus software protect against this threat?

I cannot answer that.  Your existing Anti-Virus protection is only as good as the latest definition files, and I can’t tell you which products on the market are confirmed to protect against this threat.  What I can tell you is that there is NO Anti-Virus software on the market today that provides the same type of protection that CryptoPrevent provides, it works in an entirely different manner.  Since the two can co-exist on the same PC peacefully, why not utilize both methods of protection?

Video

Video of v2.x with new whitelisting capabilities:  http://www.youtube.com/watch?v=He4Evv7R2f4

Video of v2.2 protection against the latest strain of the Cryptolocker malware in both Windows XP and Windows 7 environments.   http://youtu.be/M4dNuZYGgMM

White-Label Redistributable Version

While I do give this tool away freely to all who wish to use it, it has been requested that I sell a white-label brandable version to tech shops, in order for them to freely redistribute the tool to their clients with the tech’s company info/logo in the app, for brand recognition.  If this is something you are interested in, click the link above for more information.

License

CryptoPrevent is completely FREE for personal and commercial usage.  If you would like to give a little something for it, consider purchasing the Automatic Updates service for CryptoPrevent!

Download the portable version below:

http://www.foolishit.com/download/cryptoprevent/

Alternately, you can download a setup installer with full uninstall support below.

http://www.foolishit.com/download/cryptoprevent-installer/


Reposted from: http://www.foolishit.com/vb6-projects/cryptoprevent/
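As an added example (it is not part of the original post and not CryptoPrevent's own code), the following PowerShell script reads back the Software Restriction Policy path rules that the "Prevention Methodology" section says are implanted into the registry. SRP path rules live under HKLM\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers, in one subkey per security level (0 = Disallowed, 131072 = Basic User, 262144 = Unrestricted); each rule is a GUID-named key whose ItemData value holds the path pattern. Since the post warns that these artificially created objects do not show up in the Group Policy Editor, reading the registry directly is the practical way to confirm what a machine actually has. The launch-point prefixes it checks are the directories named on the page, not CryptoPrevent's exact rule strings, which the page does not list.

```powershell
# Added example, not code from CryptoPrevent or the original post.
# Read-only audit of Software Restriction Policy path rules under the Safer key.
# Run from an elevated PowerShell prompt; nothing here modifies the registry.

$saferRoot = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers'

# SRP security levels, keyed by the numeric subkey name Windows uses.
$levels = @{ '0' = 'Disallowed'; '131072' = 'BasicUser'; '262144' = 'Unrestricted' }

# Launch points named on the page. These are directory prefixes to look for,
# not the exact rule strings CryptoPrevent writes (those are not on the page).
$launchPoints = @('%AppData%', '%LocalAppData%', '%UserProfile%', '%ProgramData%')

function Get-SrpPathRules {
    # Returns one object per path rule: its level, the ItemData path pattern,
    # the optional Description and the GUID-named rule key.
    if (-not (Test-Path -Path $saferRoot)) { return }
    foreach ($level in $levels.Keys) {
        $pathsKey = Join-Path -Path $saferRoot -ChildPath "$level\Paths"
        if (-not (Test-Path -Path $pathsKey)) { continue }
        foreach ($ruleKey in Get-ChildItem -Path $pathsKey) {
            $props = Get-ItemProperty -Path $ruleKey.PSPath
            [pscustomobject]@{
                Level       = $levels[$level]
                Path        = [string]$props.ItemData
                Description = [string]$props.Description
                RuleId      = $ruleKey.PSChildName
            }
        }
    }
}

function Get-LaunchPointCoverage {
    # For each launch point, count the Disallowed rules whose pattern starts
    # there. Zero hits means that location is not covered on this machine.
    param([object[]]$Rules)
    $blocks = @($Rules | Where-Object { $_.Level -eq 'Disallowed' })
    foreach ($lp in $launchPoints) {
        $hits = @($blocks | Where-Object { $_.Path -like "$lp*" })
        [pscustomobject]@{ LaunchPoint = $lp; DisallowRules = $hits.Count }
    }
}

$rules  = @(Get-SrpPathRules)
$policy = Get-ItemProperty -Path $saferRoot -ErrorAction SilentlyContinue
"Default level : $($levels[[string]$policy.DefaultLevel])"
"Path rules    : $($rules.Count)"
"Whitelist (Unrestricted) entries: $(@($rules | Where-Object { $_.Level -eq 'Unrestricted' }).Count)"

$rules | Sort-Object Level, Path | Format-Table Level, Path, Description -AutoSize
Get-LaunchPointCoverage -Rules $rules | Format-Table -AutoSize
```

The script reads only the machine policy under HKLM, which is the scope the post describes (applied once, protecting every account). Whitelist entries appear as Unrestricted rules; in SRP the more specific path rule takes precedence, which is why an Unrestricted entry for %appdata%\Foo\Bar.exe can override a Disallowed rule covering %appdata%\Foo\*.exe. The LOCAL SYSTEM caveat from the post also follows from SRP itself: these policies do not restrict that account, so a rule count here says nothing about what runs as SYSTEM.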

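As a second added example (again not part of the original post or the tool), here is a PowerShell wrapper around the silent command-line mode and CryptoPreventTestCLI.exe, written the way an RMM job would use them: it refuses to test under LOCAL SYSTEM (the post says the test always reports failure there), applies protection with the /silent, /whitelist and /w= switches documented above, then turns the CLI tester's exit code (0 applied, 1 not applied) into the script's own result. The staging directory C:\Tools\CryptoPrevent and the whitelisted file Foo\Bar.exe are assumptions for illustration.

```powershell
# Added example, not code from CryptoPrevent or the original post.
# Deployment wrapper: apply protection silently, then verify with the CLI tester.
# Exit codes of this script: 0 = applied and verified, 1 = test failed, 2 = could not run.

$toolDir       = 'C:\Tools\CryptoPrevent'          # assumption: where the portable build is staged
$cryptoPrevent = Join-Path -Path $toolDir -ChildPath 'CryptoPrevent.exe'
$testCli       = Join-Path -Path $toolDir -ChildPath 'CryptoPreventTestCLI.exe'
$whitelist     = @('Foo\Bar.exe')                  # placeholder entry; one first-level subdir, no wildcards

function Test-LocalSystemAccount {
    # The post: CryptoPreventTestCLI.exe always reports failure under LOCAL SYSTEM,
    # because that account is not restricted by the policies. S-1-5-18 is its SID.
    $sid = [System.Security.Principal.WindowsIdentity]::GetCurrent().User.Value
    return ($sid -eq 'S-1-5-18')
}

function Invoke-CryptoPreventApply {
    # Silent apply with automatic whitelisting of %appdata%/%localappdata% EXEs,
    # plus explicit /w= entries. Each /w= value must be a bare filename or a
    # single first-level subdirectory, as the post describes.
    param([string[]]$Entries)
    $argList = @('/silent', '/whitelist')
    foreach ($e in $Entries) { $argList += "/w=$e" }
    $proc = Start-Process -FilePath $cryptoPrevent -ArgumentList $argList -Wait -PassThru -NoNewWindow
    return $proc.ExitCode
}

function Test-CryptoPreventProtection {
    # Exit code 0 = "Prevention Successfully Applied!", 1 = not applied.
    $proc = Start-Process -FilePath $testCli -Wait -PassThru -NoNewWindow
    return ($proc.ExitCode -eq 0)
}

if (Test-LocalSystemAccount) {
    Write-Warning 'Running as LOCAL SYSTEM: the CLI test would always fail. Use the RMM "run as admin/user" option.'
    exit 2
}
foreach ($exe in @($cryptoPrevent, $testCli)) {
    if (-not (Test-Path -Path $exe)) { Write-Error "Missing $exe"; exit 2 }
}

Invoke-CryptoPreventApply -Entries $whitelist | Out-Null
if (Test-CryptoPreventProtection) {
    Write-Output 'Prevention applied and verified.'
    exit 0
}
Write-Warning 'Protection not yet effective; the post notes a reboot (or gpupdate, then reboot) is sometimes needed.'
exit 1
```

The wrapper treats the tester's exit code, not CryptoPrevent.exe's, as the source of truth, because the post documents only the tester's codes. A failed test right after applying is not necessarily a deployment error: per the "Undo" section the policies sometimes take effect only after a reboot, so an RMM job should schedule a re-test after restart before flagging the machine.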
美杜莎
Posted on 2013-11-5 09:46:06
Thanks for sharing.
yusup
Posted on 2013-11-5 09:53:22
I didn't understand any of it.
sdzpmzj
Posted on 2013-11-5 09:57:56
Don't know this thing, and never used it either.
旷月108
Posted on 2013-11-5 10:12:14
How does 3.1 hold up against that file-encrypting ransom virus everyone has been talking about lately?
墨家小子 (OP)
Posted on 2013-11-5 10:26:37
Quoting 旷月108, posted on 2013-11-5 10:12:
How does 3.1 hold up against that file-encrypting ransom virus everyone has been talking about lately?
CryptoPreventTestCLI.exe

This is a console application designed to test for the protection, designed to be scripted, and included in the latest portable download.  Perfect for usage with your RMM software (maybe; see the note below).  When the protection tests successful, it will output to the console “Prevention Successfully Applied!” and exit with errorlevel 0.  If unsuccessful, it exits with errorlevel 1 and prints to the console “Prevention Not Applied or Unsuccessful!”

NOTE:  This test will always return unsuccessful when run from the local system account, as many RMM tools will do by default.  It must be run from a standard user or admin account to test properly.  This is because the local system account is NOT restricted by the policies set by CryptoPrevent.
砂时计
Posted on 2013-11-5 10:54:07
I like free software, but CryptoPrevent automatic updates look like a paid feature, not all for free!
I will try it later.
墨家小子 (OP)
Posted on 2013-11-5 11:19:29
Quoting 砂时计, posted on 2013-11-5 10:54:
I like free softwares, but CryptoPrevent automatic updates look like a  paid feature,not all for fre ...

Then you could try Comodo.
tudouy
Posted on 2013-11-5 11:27:56
Not in Chinese, not happy.
苍炎莫落
Posted on 2013-11-5 13:07:08
Can't read the English, sigh.