Cryptoprevent

I have just installed Cryptoprevent to stop the deadly cryptolocker malware, however the software works by changing group policy and I wonder if it will interfere with Comodo?

Tell us the changes it makes to the policies.
Interesting to know anyway.

How is this malware spread? Or do you want to be very cautious because of what has been happening?

This is from the website, as I do not have a clue which policies it changes. Cryptolocker is deadly and is spread via email and websites:

CryptoPrevent artificially implants group policy objects into the registry in order to block certain executables in certain locations from running. The number of rules created by CryptoPrevent is somewhere between 150 and 200+ rules depending on the OS and options selected, not including whitelisting! Note that because the group policy objects are artificially created, they will not display in the Group Policy Editor on a Professional version of Windows — but rest assured they are still there! Executables now protected against (starting with v2.6) are *.exe *.com *.scr and *.pif, and these executables are blocked in the paths below where * is a wildcard:

%appdata% / %localappdata% / Recycle Bin - These locations are used by Cryptolocker and other malware as launch points.

%appdata% and any first-level subdirectories in %appdata% (e.g. %appdata%\directory1, %appdata%\directory2, etc.)
%localappdata% (and on Windows XP, any first-level subdirectories in there.) NOTE beginning with v2.2, any time %localappdata% is referred to on this page, it also refers to %userprofile%\Local Settings\Application data on Windows XP, where %localappdata% is not an actual environment variable.
The All Users application data and local settings\application data paths on XP.
The Recycle Bin on all drives, and multiple nested subfolders.
%userprofile% / %programdata% / Startup Folder

the %userprofile% and %programdata% paths (no nested subfolders.)
the Startup folder located in the Start menu > All Programs > Startup
Fake File Extension Executables: (ex. document.docx.exe)

*.x.y where:
x = pdf, doc, docx, xls, xlsx, ppt, pptx, txt, rtf, zip, rar, 7z, jpeg, jpg, png, gif, avi, mp3, wma, wmv, wav, divx, mp4
y = exe, com, scr, and pif.
with v4.1, now includes RLO (Right to Left Override) exploit protection.
Temp Extracted Executables in Archive Files:

%temp%\rar* directories
%temp%\7z* directories
%temp%\wz* directories
%temp%\*.zip directories
The final four locations above are temporary extract locations for executables when run from directly inside of a compressed archive (e.g. you open download.zip in Windows Explorer, WinRAR, WinZip, or 7zip, and execute an .EXE from directly inside the download, it is actually extracted to a temporary location and run from there – so this guards against that as well; however this option may interfere with certain program installations (e.g. Firefox) and for this reason this option is NOT recommended for most people.)

NOTE the variable %temp% is no longer used, and instead the actual temp file path is expanded after %userprofile%. There is an apparent bug in Microsoft’s software prevention policies that does not allow for the %temp% environment variable to be used in the rules (as it does allow %appdata% or %userprofile%)… so protection for %temp% folders is now applied by expanding the full path to the user’s temp folder (after %userprofile%) in each rule set. In prior versions, CryptoPrevent attempted to use the %temp% environment variable to protect all user accounts, but it was later discovered that methodology wasn’t working on all systems. If you applied protection with prior versions and want temp extracted exes blocked, you may want to reapply protection with v2.2 to ensure it will work for you.
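To see how the quoted rule set behaves, here is an added Python model of the path and extension rules listed above (it is not CryptoPrevent's code and does not touch the registry; the real rules are enforced by Windows Software Restriction Policies). It assumes a Vista-or-later profile layout under a constructed C:\Users\alice, the %appdata%\Microsoft\Windows\Start Menu\Programs\Startup location for the Startup folder, and a $Recycle.Bin folder name; the optional temp-archive rules are left out.

```python
import ntpath
import re

# Constructed profile paths standing in for the environment variables the rules expand.
ENV = {
    "appdata": r"C:\Users\alice\AppData\Roaming",
    "localappdata": r"C:\Users\alice\AppData\Local",
    "userprofile": r"C:\Users\alice",
    "programdata": r"C:\ProgramData",
}
EXE_EXT = ("exe", "com", "scr", "pif")
DOC_EXT = ("pdf", "doc", "docx", "xls", "xlsx", "ppt", "pptx", "txt", "rtf", "zip", "rar",
           "7z", "jpeg", "jpg", "png", "gif", "avi", "mp3", "wma", "wmv", "wav", "divx", "mp4")
DOUBLE_EXT = re.compile(r"\.(%s)\.(%s)$" % ("|".join(DOC_EXT), "|".join(EXE_EXT)), re.I)
RLO = "\u202e"  # Right-to-Left Override: "photo[RLO]gnp.scr" is displayed as "photorcs.png"
# Assumed Vista-or-later locations for the Startup folder and the Recycle Bin.
STARTUP = ntpath.join(ENV["appdata"], r"Microsoft\Windows\Start Menu\Programs\Startup")
RECYCLE = re.compile(r"^[a-z]:\\\$recycle\.bin\\")

def depth_below(base, path):
    """Directory levels of `path` below `base` (0 = directly inside), or -1 if not inside."""
    base = ntpath.normcase(base).rstrip("\\") + "\\"
    parent = ntpath.normcase(ntpath.dirname(path)) + "\\"
    if not parent.startswith(base):
        return -1
    return parent[len(base):].count("\\")

def blocked_by(path):
    """Name of the first rule group that would block `path`, or None if it would be allowed to run."""
    name = ntpath.basename(path)
    ext = name.rsplit(".", 1)[-1].lower() if "." in name else ""
    if RLO in name:
        return "rlo"                        # v4.1 RLO protection, any extension
    if DOUBLE_EXT.search(name):
        return "fake-extension"             # *.x.y, e.g. document.docx.exe
    if ext not in EXE_EXT:
        return None                         # only *.exe *.com *.scr *.pif are policed
    if 0 <= depth_below(ENV["appdata"], path) <= 1:
        return "appdata"                    # %appdata% and its first-level subdirectories
    if depth_below(ENV["localappdata"], path) == 0:
        return "localappdata"
    if depth_below(ENV["userprofile"], path) == 0 or depth_below(ENV["programdata"], path) == 0:
        return "userprofile/programdata"    # no nested subfolders
    if RECYCLE.match(ntpath.normcase(path)):
        return "recycle-bin"                # all drives, any nesting depth
    if depth_below(STARTUP, path) >= 0:
        return "startup"
    return None
```

Call `blocked_by(path)` with a full Windows path to see which rule group, if any, would stop it; a program installed under Program Files falls through every rule and is allowed.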

Does this mean that comodo does not protect against it?
Or is this a way to minimize the damage AFTER giving consent to run a file with misperception of its nature?

I have heard that CIS does protect from crypto malware. Just set the sandbox to restricted and there you go.

I am not too sure whether it would stop the files from being encrypted; that's the dangerous aspect of cryptolocker. Cryptoprevent stops cryptolocker taking hold of the OS by stopping the files being dropped in application data. It also protects against other ransomware and viruses, e.g. fake AVs, as they too drop files in application data.

Group policies don’t interfere with CIS.

A little forum search would have yielded:

Pointing to this article by Comodo: http://blogs.comodo.com/pc-security/cryptolocker-virus-best-practices-to-ensure-100-immunity/ .

There are no reports at the forums by users that they have been infected with cryptolocker.

Firstly, there is nothing you can do if you become infected; even the FBI and NSA are unable to decrypt the files. No one is 100% secure, as I'm so told on this forum about AVs that score 100%, so you cannot say "I am secure against cryptolocker". Finally, there is always a first!

Well yes that’s true, but with CIS (BB set >Restricted) you will never be infected :wink:

Unless it is somehow seen as a trusted file, you know by stealing certificates or something like that, but then running your browser and e-mail client in the FV sandbox should keep you safe either way.

You don’t need anything extra if you have CIS. Just use the correct settings that’s all. Sandbox should be limited or above including FV in order to protect you against this.

Trusted crypto? Thank God it’s very rare :slight_smile:

And yes running your browser in the FV sandbox will add another layer of protection.

If the files are encrypted by cryptolocker, do Windows System Restore or Comodo Time Machine help with this, i.e. by restoring the system back to a clean state, can we get back our files?

Time Machine may be able to, I am inclined to think, as long as you have one or more snapshots to return to. But that's thinking out loud.

Windows System Restore does not get mentioned in this article on Wikipedia: CryptoLocker - Wikipedia. If it were that simple we would not have this topic.

No nothing will work, that’s why the LA Police Dept. paid $700 to get their files back.

I use multiple layers of security - Comodo Internet Security Pro 6.3
Malwarebytes Pro
Cryptoprevent
HitmanPro.Alert 2.5
Online Cloud backup for important files

Do you know that they are using a snapshot program like CTM? Where did you read that?

I don't know much about Cryptolocker.

I test security software on a real XP system. After the test I check My Documents, My Computer - Program Files, Add/Remove, etc… a few places to see folders, files, etc… created by malware. Then I do the rest like CCleaner, Comodo Cleaning Essentials, HMP, MBAM, etc… to check for malware.

I use Comodo Time Machine 2.8 stable to go back to clean state.

During one test, in My Documents - My Pictures folder - the pictures were encrypted. There was a notepad file mentioning the pictures were encrypted, and to decrypt them something was mentioned which I don't remember now.

I used CTM to go back to clean state & the pictures were fine i.e not encrypted.

So was that some other malware or Cryptolocker?

I do not have a clue. Our Met Police released an urgent alert about cryptolocker; it was on the news about the LAPD. There are a lot of businesses that are paying the ransom to get their files back.

If you use a program like Comodo Time Machine or AX64 Time Machine or any other imaging or snapshot (or hybrid) program, and you have an image/snapshot of the files before they were encrypted, then yes, you can revert to that as long as the image or snapshot file(s) haven't been encrypted and you have access to the programs needed; I'd recommend a recovery CD/USB with the program on it.

Preventing the image or snapshot file(s) from being modified by any program other than the imaging/snapshot program can be achieved through HIPS, but it can be a pain to set up correctly (by correctly I mean blocking ALL programs from modifying the files but still allowing the imaging or snapshot program to modify the files; it requires editing most HIPS rules and editing a few rulesets). However, it should be noted that CIS can't protect from external changes, for example if you dual boot with another OS which is also infected and doesn't have CIS or such installed, or if you have the image or snapshot on an external hard drive and plug it into an infected computer. It could be worth noting that Cryptolocker only encrypts certain file extensions, and so far the file extensions used by AX64 Time Machine are not being encrypted, but that might change; I don't know the situation for CTM.

Any business which is hit by this malware and needs to pay the ransom has not done a proper job with the back-ups (If they had back-ups and they got encrypted then it wasn’t proper) and now they are paying the price, literally. I believe the police department in question is setting a bad example, one would expect them to have proper back-ups, but then again they’re a perfect example of what might happen when you don’t keep proper back-ups.

Personally I’m not interested in Cryptoprevent, I trust myself to make proper rules and settings for CIS and if I fail that then I still have my system backed up and if I still get infected and lose my files, well then I didn’t do a very good job. That said Cryptoprevent might be good for people who don’t use CIS or use CIS but insist on keeping BB at partially limited (don’t know if Cryptolocker can break this though as I’ve seen no tests with Cryptolocker yet, speaking of which I find it weird we’ve seen no proper test of CIS vs Cryptolocker, I know there are several people willing to do these tests but from what I’ve gathered the issue is finding a sample… Seems weird if so many people are getting infected, just saying…)

Sanya,

So if the file extension used by CTM is encrypted by Cryptolocker then CTM would not work during boot?

Some malware have bypassed partial limited but not limited. So I guess even if partial limited prevents Cryptolocker, it may not protect from other versions of Cryptolocker but limited will. How many versions of Cryptolocker are there, any idea/info?