I did some more digging around. It seems the Crypto Prevent tool injects software restrictions directly into the registry and does not use local policies at all. I guess that makes sense, since it is designed for Pro and Home versions of the OS, so it can't rely on the Group Policy Editor being present.
I then searched the registry for various entries and did find a couple of keys related to Foolish IT (the developer), but didn't have time to locate any kind of table that might indicate which applications are being blocked and which are whitelisted. If I had time I could take a clean install of Crypto Prevent and one with a single app added to the whitelist and run a file compare on the saved registries to find out where and how.
But I didn't have time, and for the purposes of this discussion I think it is a moot point for the following reasons:
In a limited deployment of similar blocking techniques, some genuine software was tripped up. Thus, to address the question from Bobprimak earlier, in my opinion that means MS would have a pretty hard time developing and updating a blocking algorithm that is anywhere near responsive enough for all the apps that at some point in time might want to execute from there.
Foolish IT can do it because they are a small shop offering a standalone patch with caveats and are open about the hazards. MS couldn't do it because countless hundreds of millions of users would pick up the patch and goodness knows how many apps would break.
I think this goes back to closing the door after the horse has bolted. The problem does not appear in hardened OSes, but does in Windows because of historical design choices that were made well over a decade ago.
In some cases (for example my work environment) it makes sense to deploy software restriction policies, but that is not necessarily proven to be the best solution for home situations where a behavioural firewall (i.e. a HIPS) could provide a better option.
HIPS costs money, Crypto Prevent is free. Perhaps that's the differentiation?
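For anyone who wants to do the before/after registry comparison described above, here is an added PowerShell example. It is not CryptoPrevent's code or the poster's; it reads the Software Restriction Policy rules from the documented SRP location in the registry (Safer\CodeIdentifiers, with the numeric level subkeys and the ItemData, Description and SaferFlags values), saves them as a snapshot, and diffs two snapshots. The function names and the snapshot file format are this example's own choices; whatever CryptoPrevent actually writes is exactly what the diff is meant to reveal, so nothing about its rules is assumed here.

```powershell
# Added example (not CryptoPrevent's or the poster's code): enumerate the SRP
# rules stored in the registry and diff two snapshots taken before and after
# a change, e.g. whitelisting one application in CryptoPrevent.
# Run elevated to read the HKLM policy; HKCU is readable as the current user.

$SaferRoots = @(
    'HKLM:\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers',  # machine policy
    'HKCU:\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers'   # per-user policy
)

# SRP stores each security level under a subkey named after its numeric value.
$SaferLevels = @{ '0' = 'Disallowed'; '131072' = 'BasicUser'; '262144' = 'Unrestricted' }

function Get-SrpPolicy {
    # Policy-wide settings: the level applied when no rule matches, and whether
    # the policy is enforced at all (TransparentEnabled = 0 means it is off).
    foreach ($root in $SaferRoots) {
        if (-not (Test-Path $root)) { continue }
        $p = Get-ItemProperty -Path $root
        [pscustomobject]@{
            Hive               = $root.Split(':')[0]
            DefaultLevel       = $SaferLevels["$($p.DefaultLevel)"]
            TransparentEnabled = $p.TransparentEnabled
            PolicyScope        = $p.PolicyScope          # 1 = local admins exempt
            ExecutableTypes    = ($p.ExecutableTypes -join ',')
        }
    }
}

function Get-SrpRule {
    # Every path and hash rule, tagged with the level it grants. A blacklist
    # shows up as Disallowed rules; a whitelist as Unrestricted ones.
    foreach ($root in $SaferRoots) {
        if (-not (Test-Path $root)) { continue }
        foreach ($levelKey in Get-ChildItem -Path $root) {
            $level = $SaferLevels[$levelKey.PSChildName]
            if (-not $level) { continue }               # not a level subkey
            foreach ($ruleType in 'Paths', 'Hashes') {
                $typeKey = $levelKey.OpenSubKey($ruleType)
                if ($null -eq $typeKey) { continue }
                foreach ($id in $typeKey.GetSubKeyNames()) {
                    $rule = $typeKey.OpenSubKey($id)
                    # Read the path without expanding %AppData% etc., so the rule
                    # is shown as written rather than as it resolves on this box.
                    $raw = $rule.GetValue('ItemData', $null, 'DoNotExpandEnvironmentNames')
                    $item = if ($raw -is [byte[]]) { ($raw | ForEach-Object { $_.ToString('x2') }) -join '' } else { $raw }
                    [pscustomobject]@{
                        Hive        = $root.Split(':')[0]
                        Level       = $level
                        Type        = $ruleType
                        RuleId      = $id
                        Item        = $item
                        Description = $rule.GetValue('Description')
                        SaferFlags  = $rule.GetValue('SaferFlags')
                    }
                    $rule.Close()
                }
                $typeKey.Close()
            }
        }
    }
}

function Get-SrpRuleKey ($r) { '{0}|{1}|{2}|{3}' -f $r.Hive, $r.Level, $r.Type, $r.Item }

function Save-SrpSnapshot {
    param([Parameter(Mandatory)][string]$Path)
    # -InputObject keeps an empty rule list as an (empty) array on disk.
    Export-Clixml -Path $Path -InputObject @(Get-SrpRule)
}

function Compare-SrpSnapshot {
    # Rules present in only one snapshot: what the change actually wrote or removed.
    param([Parameter(Mandatory)][string]$Before, [Parameter(Mandatory)][string]$After)
    $ref = @(Import-Clixml -Path $Before)
    $dif = @(Import-Clixml -Path $After)
    $inBefore = @{}; foreach ($r in $ref) { $inBefore[(Get-SrpRuleKey $r)] = $true }
    $inAfter  = @{}; foreach ($r in $dif) { $inAfter[(Get-SrpRuleKey $r)]  = $true }
    foreach ($r in $dif) {
        if (-not $inBefore.ContainsKey((Get-SrpRuleKey $r))) {
            [pscustomobject]@{ Change = 'Added';   Hive = $r.Hive; Level = $r.Level; Type = $r.Type; Item = $r.Item; Description = $r.Description }
        }
    }
    foreach ($r in $ref) {
        if (-not $inAfter.ContainsKey((Get-SrpRuleKey $r))) {
            [pscustomobject]@{ Change = 'Removed'; Hive = $r.Hive; Level = $r.Level; Type = $r.Type; Item = $r.Item; Description = $r.Description }
        }
    }
}

# Usage:
#   Get-SrpPolicy
#   Save-SrpSnapshot -Path .\srp-before.xml
#   (whitelist one application in the tool under test)
#   Save-SrpSnapshot -Path .\srp-after.xml
#   Compare-SrpSnapshot -Before .\srp-before.xml -After .\srp-after.xml | Format-Table -AutoSize
```

Get-SrpPolicy is worth running first: if TransparentEnabled is 0 or the key is missing, no SRP rule in the list is being enforced regardless of what the tool's UI reports. The diff is keyed on hive, level, rule type and the unexpanded rule text, so a whitelist entry shows up as an added Unrestricted rule and a block as an added Disallowed rule, without needing to guess where the tool keeps its own bookkeeping keys.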
Thanks for all the work checking this :). Nice job.
Originally Posted by Tinto Tech
As to the money, well, a decent HIPS can cost $25-$30 and protects against a lot more than just Crypto. I suppose that can be expensive... until you get one single infection. That alone will make up for the cost, IMVHO.
Speaking of free anti-virus and anti-malware applications, just yesterday I had a drive-by infection of the PC Antivirus 2009 type, and both my up-to-date Windows Defender and my up-to-date, running-in-the-background anti-virus program allowed it to do its dirty work.
Originally Posted by Medico
The thing that saved me was -- as soon as I saw the nasty screen pop up with its spurious demands -- to turn off my PC using the Power button (i.e., holding it in for 5 seconds) and reboot into Safe Mode (Win7 64-bit) with networking. From there I downloaded and immediately updated Malwarebytes AntiMalware (free) and SuperAntiSpyware (free) and went to the website of the free Trend online anti-virus scanner. I ran all three simultaneously (in Quick Scan mode), and after about 15 minutes ONLY ONE of them picked up 10 assorted Trojans/PUPs, etc. That was Malwarebytes. The other two ran longer but found nothing but tracking cookies. Malwarebytes then quarantined and deleted all of them. When I rebooted my PC all was well again! So much for relying on the anti-virus capabilities of the "usual suspects."
Not all AVs are alike. No AV will protect against everything, but there are those that are better than others... and I think having two live apps to detect malware gets you a better chance of remaining free of malware.
Originally Posted by frankd14612
So I guess the answer to my query about Microsoft implementing something like CryptoPrevent in the form of a patch is:
While this might be a good idea in principle, in practice there are indeed some products, including Microsoft's own offerings, which would break badly. End users would not tolerate this amount of breakage.
So unless MS rewrites installers and Apps, we are doomed to repeat the insecurities of the past and the present.
... I think we should ask our representatives in Congress to use the NSA to identify and block all the purveyors of viruses/malware/ID theft/ransomware/etc. And for our representatives to task the FBI and CIA with putting an end to their nefarious activities by whatever means necessary. I already have asked my representatives (Feinstein, Boxer and Eshoo) to do just that:
"First, Congress should pass legislation making illegal and subject to prosecution, fines, punitive damages, and prison, practices such as identity theft, using the Internet and/or phone system to foist malware, viruses, adware, ransomware and other digital abuses on phone and computer users.
You should add to the NSA's mandate to identify, locate and track these cybercriminals, whether domestic or foreign; and if possible, shut them down.
Then mandate the FBI to vigorously investigate, and prosecute the perpetrators with stiff fines and lengthy prison sentences.
Cybercrime is a growing source of revenue to criminals, and Congress must pass legislation to make it unprofitable and risky.
I encourage everyone to copy/paste my message, or create your own, so Congress gets the message that cybercrime is out of control and needs to be harshly dealt with.
I didn't see if the following has already been mentioned:
The replacement harddrive can be larger. If you're restoring Windows 7 and older boot legacy in the BIOS.
If you're restoring Windows 8 -- boot U[something] has to be in the BIOS.
I think it's best if the hard drive is in the same manufacturer-spec family.
I'm not sure if you can safely mix IDE with SATA with SSD -- ask around :)
"Going back way too many years, my own favorite saying has always been 'the only bad backup is the one you decided NOT to make'."
Well said! The second bad backup is the one done carelessly and there is no restore possible, discovered too late.
I will just add my own ditto to the image chorus. Most all of us here live by the simple rule: image after any change or patch, security with regularly updated AV/AM apps, and regular data backups. Those of us with the paranoia gene unplug the USB drive when not creating the image and do regular file backups too. Granted, you probably can't expect said "average user" to follow this plan, BUT everyone should have at least one "clean" image of the OS in good working order. I always create one after bailing out a friend, co-worker, or family member from some dire "my computer won't work! Can you help?"
It's been said enough here and for a LONG time, but new members or whatever, it bears repeating so:
BACKUP, BACKUP, BACKUP, CREATE AN IMAGE!
The good news is that CryptoLocker can only arrive on your computer by email with an attachment, usually a bogus service message with a PDF attachment where the .exe hides, so education can stop this threat. The simplest thing to do is have data copy and paste full size to an external drive. Keep it simple. The rest of what you said about reinstalling Windows applies. The data is what matters; teach this to your users and you will be OK. I know it's not easy, as I also do what you do in Montreal. Good luck and thanks for your article.
That may have been true last week, who knows how it will be mutated?
Originally Posted by BobFo
thanks again, ruirib
I agree the danger is having it stolen. However, as I said, I don't keep serious secret data on my system. It's just lots of photos of family, my mango tree or black Lab dog or a fish I caught, and MP3 files of old CDs, so I don't have much fear.
Since my nearest relative (or good friend even) is over 100 miles, I would have to buy 3 or 4 drives and UPS them back and forth. I know I am just being silly, but, for me, some of the heavy user solutions are not really feasible. My safe deposit box is only $50 a year and it's close by.
That's a great solution, as well :).
Originally Posted by paulbyr