Am I right in believing that Avast has yet to come up with a built-in shield to prevent this ransomware from installing itself? There is a little dedicated CryptoPrevent tool in www.snicpa.com/10690 which I have downloaded and installed but there appear to be some problems in getting it to work (in my case).
Kaspersky says they protect against this: http://blog.kaspersky.com/cryptolocker-is-bad-news/
http://forum.kaspersky.com/index.php?s=03714328a1131498c4c68be54e9d76c6&showtopic=273487
Not sure it is true.
Of ALL the Malware out there this is the one that scares me the most.
Good article from MalwareBytes: http://blog.malwarebytes.org/intelligence/2013/10/cryptolocker-ransomware-what-you-need-to-know/
I read through the MWB article blog. Not easy for the layman to follow some of the arguments, counter-arguments and comments (proper grammar would be a help!!). Having read through the lot what do you consider on balance to be the most convincing lines of action to pursue? I am intending to uninstall my dodgy CryptoPrevent app and download the equivalent zip file from majorgeeks as recommended to me in another forum.
If Avast could come up with a proven effective shield - why can’t they emulate CryptoPrevent as part of the next version??? - it would be a major advance and comfort.
Hello Telegraph_Sam,
Another on-going article of interest about the Cryptolocker malware can be seen at the Bleeping Computer website via the link below:
Best regards.
Deepscreen and hardened mode appear to catch a test version which was run when I installed the Foolishit tool
However, with the way the malware mutates on a daily basis I still installed it
CryptoPrevent: install this programme to lock down and prevent crypto ransomware
https://dl.dropboxusercontent.com/u/73555776/CryptoPrevent.JPG
In theory, using Hardened Mode (Aggressive) should prevent all the ransomware malwares…
Essexboy, you’ve helped me (and so many others) in the past I first want to say thanks for all your efforts…to say “above and beyond” is an understatement. I’d like your opinion on CryptoPrevent.
I assume it is for real since you are recommending but what does it do ?
Can you explain the install, use, maintenance ?..you mention mutation of CryptoLock type malware, does a static solution work ?
I am paranoid this can cause issues ?..example, if it is “locking things down” does that mean other things may have issue ?..example other recovery efforts by MS O/S tools ?
How about A/V tools, will they see this CryptoPrevent as a virus and removal with muck up the very files I’m protecting ?
My plan now is to do daily backups (already do) of “copying” MyDoc files to SD Card that I now “pull” from laptop (used to leave in) and also “pull” the USB HDD after it’s morning receipt of image (Macrium Reflect) of my PC. My biggest concern is that this CryptoPrevent is locking down the very files I’m trying to prevent being “locked” by CryptoLock and if something else goes wrong I’m locked from these files not only on my PC but in my backups.
Also, I’m super paranoid on downloads and installs of these “utils”…so many places put other crud in the installer…some not seen.
Thus, can you provide a link of a clean installation version of CryptoPrevent ?..I run W7 64-bit.
Telegraph-Sam wrote: "there appear to be some problems in getting it to work (in my case)… I am intending to uninstall my dodgy CryptoPrevent app and download the equivalent zip file… "
If CryptoPrevent is having an issue on your system, and if the alternative zip file is truly an equivalent, I would expect it to produce the same results.
After checking into it, I have deployed CryptoPrevent on numerous systems (mostly Win7, one XP) and have not encountered any problems. The only rare issue people are expected to face would be if they have a legitimate program running from one of the restricted directory locations. And if that’s the problem, you should be able to handle it via CryptoPrevent’s whitelisting mechanism.
On my main/personal PC, I am also running MBAM PRO, which separately offers real-time protection against CryptoLocker.
“If Avast could come up with a proven effective shield - why can’t they emulate CryptoPrevent as part of the next version??? - it would be a major advance and comfort.”
No program is going to catch everything… we need to rely on layers of protection. As for avast “emulating” CryptoPrevent, I see two issues:
- The critical research in battling CryptoLocker was done by Lawrence Abrams of Bleeping Computer. There may be an issue of intellectual property rights if avast were simply to include it. CryptoPrevent was written with permission from — and acknowledgement to — Mr. Abrams.
- If, as you report, CryptoPrevent is “buggy” on your system… and if avast were to emulate the same mechanism… you might find yourself in the position of having to disable avast itself — rather than just the separate CryptoPrevent — in order to make your system work again. Surely, you wouldn’t want that.
CryptoPrevent can be downloaded from http://www.foolishit.com/vb6-projects/cryptoprevent/
(download links are toward the bottom of the page).
Definitive Guide to CryptoLocker (by Lawrence Abrams [aka “Grinler” ]): http://www.bleepingcomputer.com/virus-removal/cryptolocker-ransomware-information
There is nothing bundled with the programme, you can get it either direct from Foolishit or MajorGeeks
What it does is put in a group policy to disable files running from appdata or any double extensions
In most instances I have come across it is an e-mail attachment with a PDF.EXE double extension so the usual rules of scanning any attachment before you even think of opening it apply
But as usual there are several look alike programmes so do not download from anywhere bar certified sites
I have installed it on my 8.1 system so it does work. There was a recent update to the programme but a manual check every few weeks should suffice using the programme updater
A little explanation here http://krebsonsecurity.com/tag/cryptoprevent/ and here http://www.bleepingcomputer.com/virus-removal/cryptolocker-ransomware-information
FoolishIT appears to be down at the moment, not sure why
Great link…thx: http://www.bleepingcomputer.com/virus-removal/cryptolocker-ransomware-information#shadow
If you use Software Restriction Policies, or CryptoPrevent, to block CryptoLocker you may find that some legitimate applications no longer run. This is because some companies mistakenly install their applications under a user’s profile rather than in the Program Files folder where they belong. Due to this, the Software Restriction Policies will prevent those applications from running.
Thankfully, when Microsoft designed Software Restriction Policies they made it so a Path Rule that specifies a program is allowed to run overrides any path rules that may block it. Therefore, if a Software Restriction Policy is blocking a legitimate program, you will need to use the manual steps given above to add a Path Rule that allows the program to run. To do this you will need to create a Path Rule for a particular program’s executable and set the Security Level to Unrestricted instead of Disallowed as shown in the image below
So how many programs did you guys find that you had to add good programs to ?
What happens when you try to run something that is not permitted ?..on-screen error or do you have to go into Event Viewer ?
I’m an IT guy but this seems like there would be a lot of manual entries ?
Also, when you install a new program is there only a problem if not in Program Files ?
New Path Rule… You should then add a Path Rule for each of the items listed below.
Can you expand on the how-to of the above…doesn’t really lay it out on what you enter for a new program…perhaps couple examples.
Thx !
P.S Because of the severity of this to all Windows PCs it would seem Microsoft would be working on a security update to block this…any rumors or threads on this in the O/S forums ?
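An added example, not CryptoPrevent’s or the guide’s own code, showing in PowerShell what the path-rule whitelisting quoted above amounts to: list the Software Restriction Policy path rules present in the registry and add an Unrestricted rule for one legitimate program that lives under the user profile. It assumes an elevated session and the standard registry layout of SRP path rules (the Safer\CodeIdentifiers key with one subkey per security level); the program path used is a constructed placeholder.

```powershell
# Added example (not CryptoPrevent's or Bleeping Computer's code).
# Assumption: SRP path rules are stored under the CodeIdentifiers key, one subkey per
# security level (0 = Disallowed, 131072 = Basic User, 262144 = Unrestricted),
# each rule being a GUID-named subkey under Paths with an ItemData value.
$saferRoot = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers'
$levels = @{ 0 = 'Disallowed'; 131072 = 'BasicUser'; 262144 = 'Unrestricted' }

# Enumerate every path rule so you can see what is blocked and what is whitelisted.
function Get-SrpPathRule {
    foreach ($lvl in $levels.Keys) {
        $pathsKey = Join-Path $saferRoot "$lvl\Paths"
        if (-not (Test-Path $pathsKey)) { continue }
        Get-ChildItem $pathsKey | ForEach-Object {
            $p = Get-ItemProperty $_.PSPath
            [pscustomobject]@{
                Level       = $levels[$lvl]
                Path        = $p.ItemData
                Description = $p.Description
                RuleId      = $_.PSChildName
            }
        }
    }
}

# Add a path rule. An Unrestricted rule for a specific executable overrides a
# Disallowed rule for the directory it sits in, which is the whitelisting the guide describes.
function Add-SrpPathRule {
    param(
        [Parameter(Mandatory)][string]$Path,
        [ValidateSet('Disallowed', 'Unrestricted')][string]$Level = 'Unrestricted',
        [string]$Description = 'Whitelisted program'
    )
    $lvlValue = if ($Level -eq 'Disallowed') { 0 } else { 262144 }
    $ruleKey = Join-Path $saferRoot "$lvlValue\Paths\{$([guid]::NewGuid())}"
    New-Item -Path $ruleKey -Force | Out-Null
    New-ItemProperty -Path $ruleKey -Name ItemData -PropertyType ExpandString -Value $Path | Out-Null
    New-ItemProperty -Path $ruleKey -Name SaferFlags -PropertyType DWord -Value 0 | Out-Null
    New-ItemProperty -Path $ruleKey -Name Description -PropertyType String -Value $Description | Out-Null
    $ruleKey
}

# Usage: review the current rules, then whitelist one legitimate program
# that installs itself under %AppData% (constructed placeholder path).
Get-SrpPathRule | Format-Table -AutoSize
Add-SrpPathRule -Path '%AppData%\ExampleVendor\ExampleApp.exe' -Level Unrestricted `
    -Description 'Legitimate app installed in user profile'
```

Run Get-SrpPathRule again afterwards to confirm the new Unrestricted entry sits beside the Disallowed rules for the profile directories.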
As it stands in the two weeks that I have had the programme on my system I have not had to do anything at all… All my normal programmes, plus a few specialist ones run perfectly
Although with the foolishit programme an easier way is to undo cryptoprevent
Run the affected programme and then re-apply cryptoprevent and it will automatically add that programme
Can you run “real time” MBAM PRO with real time Avast ?..I thought having two A/Vs was a big NO-NO ?
I know MBAM is MW & Avast A/V…but those lines are real cloudy now-a-days.
Thx, now if their Server would come up I could get the installer…any chance to attached in ZIP to this thread ?
MBAM is anti-MALWARE, and its authors have taken great pains to make it compatible with just about any anti-VIRUS program. If you check our signatures here, you’ll find many people happily running MBAM PRO along with avast.
I have run the PRO (realtime) version along with avast8 on both WinXP and Win7. I did NOT have to set-up any exclusions in either program… they’re running just fine together for me.
Having said that, MBAM does offer a detailed suggestion (setting up mutual exclusions in each program), SHOULD you find there’s a conflict or slow-down: https://forums.malwarebytes.org/index.php?showtopic=10138&page=1&#entry417798
Thx, are you also running CryptoPrevent ?
Any chance you have the installer you can zip/post ?..the server is down.
Yes, I am using CryptoPrevent. “Running” isn’t an accurate description: It runs once, sets up its restrictions/policies, and automatically protects you without continually “running”.
No, this forum will not accept .exe nor .zip files —
Allowed file types for upload are: txt, jpg, gif, png, log
Just keep trying the CryptoPrevent site. The problem is that it’s being bombarded by so many people, it can’t handle all the requests.
CryptoPrevent offers two versions: a .ZIP file, from which you have to extract the executable; and an .exe file which offers setup/installer, which places easy-to-find links to CryptoPrevent on your START Menu and Control Panel (Add/Remove). If you know/remember where you extracted/unzipped the file, I see no real need for an actual “installation”.
It’s the easiest thing to use:
Download it. Run the executable program (after extracting it from the .ZIP file, or directly from the START Menu if you opted for the installer);
Click the APPLY button (accepting the checked defaults).
And basically you’re done.
Periodically [e.g., once a week], you can use its updater function to check for updates, and APPLY them as well (on top of the existing protection).
Hopefully, you won’t encounter any problems (blocking of legitimate programs).
Basically, the CryptoLOCKER malware is running itself from non-standard locations/directories. What CryptoPrevent does is “instruct” Windows not to allow ANY programs to run from these locations [unless whitelisted]. So it’s Windows itself that’s subsequently running and doing the actual blocking.
Can this be defeated, if the CryptoLOCKER malware “gets wise” and places itself in alternative locations? Yes, that would certainly seem possible. But it has yet to do so. And if/when it does, we can hope that CryptoPrevent will add protection for these locations as well (if practical).
Cryptoprevent is hosted on Majorgeeks http://www.majorgeeks.com/files/details/cryptoprevent.html
I installed it on my XP machine with no apparent problems.
However, on my Win7, the test function froze… the test went thru very quickly on XP, stalled on Win7
After numerous tries and restarts, I uninstalled with Revo.
Wonder why?