  1. #1
    5 Star Lounger
    Join Date
    Jan 2010
    Location
    Birkirkara, Malta
    Posts
    1,148
    Thanks
    180
    Thanked 7 Times in 7 Posts

    WinPatrol Popups

    Today I have been getting a constant stream of message windows from WinPatrol, one telling me that it has detected a change to the file type association .PIF from CryptoPrevent to %1 % and the other saying the same regarding CryptoPrevent but this time changing the file type association to %1 /S (Typically, while writing this post, the second message has not appeared, although it popped up constantly until I started to write this, and I didn't notice what file type it referred to).

    What can I do to stop this nuisance problem?

    Please advise.

    Thanks and regards, Roy
    OS Dual Boot Win 7 Pro 64 Bit-SP1 & IE11 & Win 8.1 Pro 64 Bit & IE11-Intel Core i7 2600K Processor LGA1155-Asus P867 Pro Motherboard-GTX550 Ti DirectCU Graphics Card-Memory 8GB

    Roy Whitethread

  3. #2
    Super Moderator satrow's Avatar
    Join Date
    Dec 2009
    Location
    Cardiff, UK
    Posts
    2,138
    Thanks
    102
    Thanked 207 Times in 181 Posts
    Hi, Roy.

    First, ensure that you have the latest version of CryptoPrevent installed, then, when WP pops up to alert you, set the box to allow the changes and to remember them.

  4. #3
    Silver Lounger
    Join Date
    Aug 2012
    Posts
    1,607
    Thanks
    24
    Thanked 230 Times in 225 Posts
    Are you running the Pro version of CryptoPrevent, as that auto updates?

    I'm just running the free version being the tight fisted ®! that I am

  5. #4
    Super Moderator
    Join Date
    Jun 2011
    Location
    New England
    Posts
    2,721
    Thanks
    78
    Thanked 336 Times in 304 Posts
    I believe Malwarebytes Anti-Malware may treat the .pif and .scr protection applied by CryptoPrevent as potentially harmful and therefore quarantine the changes.

    Not sure yet whether it's possible to register an exception for this so that the two programs don't fight each other (and wake up WinPatrol in the process).

    Bruce

    EDIT: Looks like the following advice from CryptoPrevent is relevant:

    CryptoPrevent Filter Module:

    In v6+, the new real-time CryptoPrevent Filter Module seeks to block malicious executables, not blindly using Windows Software Restriction Policies, but rather it uses both a hash definitions based check and some logic based on certain attributes of the executable, in order to determine whether or not the executable should be launched. It can optionally prompt the user with a choice to run it or cancel. The Filter Module can also log to the Windows Event Logs and send emails both on blocked applications AND in situations where the user may choose to allow the blocked application.

    NOTE: Due to the way the filter module functions, it may be detected by certain anti-virus/anti-malware apps and it must be whitelisted.
    Specifically, these registry keys may be detected as ‘modified‘ or ‘hijacked‘ including the keys below, where the value data will point to the CryptoPreventFilterMod.exe file in your installation directory.
    ◦ scrfile\shell\open\command
    ◦ cplfile\shell\open\command
    ◦ piffile\shell\open\command

    If using the experimental EXE/COM filter, you can also expect to see these keys:
    ◦ exefile\shell\open\command
    ◦ comfile\shell\open\command

    And any key above may also have “runas” where “open” is, and affected values may include “(Default)” and “IsolatedCommand”

    If these fit the category of your anti-malware detection, then they are definitely CryptoPrevent’s settings, and it is safe to tell your anti-malware software to ignore them and/or whitelist them.


    http://www.foolishit.com/vb6-project...l-information/
    Last edited by BruceR; 2014-07-17 at 21:09.

  6. #5
    Super Moderator satrow's Avatar
    Join Date
    Dec 2009
    Location
    Cardiff, UK
    Posts
    2,138
    Thanks
    102
    Thanked 207 Times in 181 Posts
    Certainly looks that way, Bruce. After a hyper scan here, MBAM reports 2x potential threats detected, details on screen are sparse however, nothing appears to be available on the right-click; further details can be found by exporting a log (Export button) and then opening it, the tell-tale signs are here:
    Registry Data: 2
    Broken.OpenCommand, HKCR\piffile\shell\open\command, "C:\Program Files (x86)\Foolish IT\CryptoPrevent\CryptoPreventFilterMod.exe" *"Good: ("Bad: ("C:\Program Files (x86)\Foolish IT\CryptoPrevent\CryptoPreventFilterMod.exe" *"%1" %*),,[ffffffffffffffffffffffffffffffff]" %*)" %*, %4, %5
    Broken.OpenCommand, HKCR\scrfile\shell\open\command, "C:\Program Files (x86)\Foolish IT\CryptoPrevent\CryptoPreventFilterMod.exe" "Good: ("Bad: ("C:\Program Files (x86)\Foolish IT\CryptoPrevent\CryptoPreventFilterMod.exe" "%1" %*),,[ffffffffffffffffffffffffffffffff]" /S)" %*, %4, %5
    It's obviously CryptoPrevent intercepting the pif and scr calls, so from the MBAM results screen you can then select "Add Exclusion" from the Action column dropdown for the 2 Broken.OpenCommand items detected. Once you have made exclusions, you can then Apply the actions to save them.

    Don't add anything blindly to the exclusion lists, always check first by studying the details available from the log. If in doubt, shout out.



    *My logs may not tie in exactly with the latest version of CryptoPrevent's details, I'm a little behind on updating it.*
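
The check described in post #5 (confirm what a detection points to before excluding it), as an added example that is not part of any post and not code from CryptoPrevent, Malwarebytes or WinPatrol. It assumes the exported log lines follow the layout of the two lines quoted in post #5; the sample lines are constructed and the function names are hypothetical.

```python
import ntpath
import re

# Classes and verbs that CryptoPrevent's notes (quoted in post #4) say its filter module rewrites.
FILTERED_CLASSES = {"scrfile", "cplfile", "piffile", "exefile", "comfile"}
VERBS = {"open", "runas"}
# Handler path as it appears in the log in post #5; adjust to your own installation directory.
EXPECTED_HANDLER = r"C:\Program Files (x86)\Foolish IT\CryptoPrevent\CryptoPreventFilterMod.exe"

# Assumed layout: <detection name>, HKCR\<class>\shell\<verb>\command, "<handler>" <arguments...>
LINE_RE = re.compile(
    r'^(?P<name>[^,]+),\s*HKCR\\(?P<cls>[^\\]+)\\shell\\(?P<verb>[^\\]+)\\command,'
    r'\s*"(?P<handler>[^"]+)"',
    re.IGNORECASE,
)

def review_detection(line, expected=EXPECTED_HANDLER):
    """Return (verdict, reason) for one registry detection line from an exported log."""
    m = LINE_RE.match(line.strip())
    if not m:
        return ("investigate", "not a shell\\<verb>\\command detection")
    cls, verb = m["cls"].lower(), m["verb"].lower()
    if cls not in FILTERED_CLASSES or verb not in VERBS:
        return ("investigate", f"{cls}\\{verb} is not a key the filter module documents")
    # Normalise case and '..' segments so look-alike paths do not pass the comparison.
    handler = ntpath.normcase(ntpath.normpath(m["handler"]))
    if handler != ntpath.normcase(ntpath.normpath(expected)):
        return ("investigate", f"handler is {m['handler']}, not the expected filter module")
    return ("candidate-exclusion", f"{cls} is handled by the expected filter module")

def review_log(lines):
    """Review every line; only 'candidate-exclusion' entries are worth excluding."""
    return [review_detection(line) for line in lines]

# Constructed sample lines modelled on the log in post #5.
SAMPLE_LOG = [
    r'Broken.OpenCommand, HKCR\piffile\shell\open\command, '
    r'"C:\Program Files (x86)\Foolish IT\CryptoPrevent\CryptoPreventFilterMod.exe" "%1" %*',
    r'Broken.OpenCommand, HKCR\scrfile\shell\open\command, '
    r'"C:\Users\Public\CryptoPreventFilterMod.exe" "%1" /S',
    r'Broken.OpenCommand, HKCR\batfile\shell\open\command, '
    r'"C:\Program Files (x86)\Foolish IT\CryptoPrevent\CryptoPreventFilterMod.exe" "%1" %*',
]

if __name__ == "__main__":
    for verdict, reason in review_log(SAMPLE_LOG):
        print(f"{verdict}: {reason}")
```

Only the first sample line comes back as a candidate for exclusion; the second has the right file name in the wrong directory and the third is a key the filter module's notes do not mention.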

  7. #6
    New Lounger
    Join Date
    Jan 2011
    Posts
    3
    Thanks
    0
    Thanked 2 Times in 2 Posts
    Thanks to everyone who helped, especially satrow. While I have found a new expert to take over WinPatrol, I can offer some insight.

    WinPatrol's role is to monitor your system and let you know if a change has occurred in one of the critical system locations. Monitoring for changes to .pif and .scr file associations has been a feature for many years. What's happening here is similar to Scotty watching a tennis match with his head bouncing back and forth between CryptoPrevent and Malwarebytes. Both of these programs have chosen to protect users by changing the file association from the Windows default, thus preventing a program from entering your computer via a bogus .pif or .scr file.

    As pointed out, both programs detect a change and they detect this as a malicious action, changing the configuration back to what it wants it to be.
    WinPatrol's default action is to warn you that a file association is being changed. Normally, when the file type is changed it's a good thing to be warned by WinPatrol. You'll see a single notification that you can accept or reject.
    In the case of two programs fighting over this, the setting will keep changing, so even if you accept one program's choice the other program will try again to change it, causing an infinite loop.
    What I would recommend is removing WinPatrol's monitoring of PIF and SCR. This can be done without making any changes to your system. Since you already have two programs monitoring these file types, you don't need WinPatrol adding to the conflict.

    There's also a check box on the WinPatrol Options screen that says "Lock File Types". It hides the notification box and prevents the file types from changing. You'll still want to decide between Cryptolocker and Malwarebytes but at least you won't see the notifications from WinPatrol.

    Thanks for bringing your question to a great forum.

    Bill Pytlovany

  9. #7
    Super Moderator satrow's Avatar
    Join Date
    Dec 2009
    Location
    Cardiff, UK
    Posts
    2,138
    Thanks
    102
    Thanked 207 Times in 181 Posts
    Thanks, Bill.

    Your taking time out to call by the Lounge with advice on this is much appreciated.
