Why haven’t you mentioned CryptoPrevent?


While CryptoPrevent is an interesting tool for preventing the CryptoLocker malware from encrypting everything on your machine, I have some issues with it. My issues are not with the software itself, but with some of the side effects of actually using it.

What CryptoPrevent is

CryptoPrevent is really just a utility that prevents CryptoLocker from running.

It’s fine. If you want to run it, by all means, go ahead and run it. There are a couple of side effects that I discuss below, but they’re probably not the kind of side effects that are going to impact you in any tangible way.

My concern is twofold: One, that we’re spending a lot of effort focusing on only one specific piece of malware. And two, running CryptoPrevent might be giving us a false sense of security when it comes to actually understanding how safe our machines are.

How CryptoPrevent works

Here is a little about how CryptoPrevent works.

CryptoPrevent blocks the execution of programs from certain locations: locations that legitimate software does not normally use, but which, apparently, people have found CryptoLocker specifically uses.

As such, for now, CryptoPrevent is a way to prevent CryptoLocker from running on your machine and encrypting all your files.
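As an added example (not CryptoPrevent's own code, and not from this article), this PowerShell sets up the same location-based blocking by hand with Windows Software Restriction Policies, including the kind of whitelist exception and the event-log check that commenters below say matter in practice. The SRP registry layout and the event provider name are assumed from Windows' SRP documentation; the deny patterns and the whitelist path are constructed placeholders to adapt to your own machines.

```powershell
# Added example, not CryptoPrevent's code: location-based execution blocking via
# Software Restriction Policies (SRP) written directly to the registry, the same
# registry a local security policy would populate. Run elevated on a test box first.
#Requires -RunAsAdministrator

$SrpRoot      = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers'  # assumed SRP layout
$Disallowed   = 0        # SRP security level: never run
$Unrestricted = 262144   # SRP security level: run normally (0x40000)

function Initialize-SrpRoot {
    # Default level stays Unrestricted, so only the explicit deny rules bite.
    # TransparentEnabled=1 enforces on executables but not DLLs, which limits the
    # "breaks legitimate programs" side effect. PolicyScope=0 covers admins too.
    New-Item -Path $SrpRoot -Force | Out-Null
    Set-ItemProperty -Path $SrpRoot -Name 'DefaultLevel'        -Value $Unrestricted -Type DWord
    Set-ItemProperty -Path $SrpRoot -Name 'TransparentEnabled'  -Value 1             -Type DWord
    Set-ItemProperty -Path $SrpRoot -Name 'PolicyScope'         -Value 0             -Type DWord
    Set-ItemProperty -Path $SrpRoot -Name 'AuthenticodeEnabled' -Value 0             -Type DWord
    foreach ($level in @($Disallowed, $Unrestricted)) {
        New-Item -Path "$SrpRoot\$level\Paths" -Force | Out-Null
    }
}

function Add-SrpPathRule {
    param(
        [Parameter(Mandatory)] [string] $Path,
        [Parameter(Mandatory)] [int]    $Level,
        [string] $Description = ''
    )
    # One GUID-named subkey per rule; ItemData holds the expandable path pattern.
    $ruleKey = Join-Path "$SrpRoot\$Level\Paths" ([guid]::NewGuid().ToString('B'))
    New-Item -Path $ruleKey -Force | Out-Null
    Set-ItemProperty -Path $ruleKey -Name 'ItemData'     -Value $Path        -Type ExpandString
    Set-ItemProperty -Path $ruleKey -Name 'SaferFlags'   -Value 0            -Type DWord
    Set-ItemProperty -Path $ruleKey -Name 'Description'  -Value $Description -Type String
    Set-ItemProperty -Path $ruleKey -Name 'LastModified' -Value ([DateTime]::UtcNow.ToFileTimeUtc()) -Type QWord
    return $ruleKey
}

function Get-SrpPathRules {
    # Lists every path rule with its level, to audit what is actually enforced.
    foreach ($level in @($Disallowed, $Unrestricted)) {
        $levelName = if ($level -eq $Disallowed) { 'Disallowed' } else { 'Unrestricted' }
        Get-ChildItem -Path "$SrpRoot\$level\Paths" -ErrorAction SilentlyContinue | ForEach-Object {
            [pscustomobject]@{
                Level = $levelName
                Path  = (Get-ItemProperty -Path $_.PSPath).ItemData
                Key   = $_.PSChildName
            }
        }
    }
}

function Get-SrpBlockEvents {
    param([int] $Newest = 20)
    # SRP logs Application events 865 (blocked by default level) and 866 (blocked
    # by a path rule); these reveal legitimate software that needs a whitelist
    # rule before the deny rules break it. Provider name is assumed.
    Get-WinEvent -FilterHashtable @{
        LogName = 'Application'; ProviderName = 'SoftwareRestrictionPolicies'; Id = 865, 866
    } -MaxEvents $Newest -ErrorAction SilentlyContinue |
        Select-Object TimeCreated, Id, Message
}

# Constructed deny list: user-writable locations where legitimate installers rarely
# place executables (AppData and the Temp folder, including extracted archives).
$DenyPatterns = @(
    '%AppData%\*.exe',
    '%AppData%\*\*.exe',
    '%LocalAppData%\*.exe',
    '%LocalAppData%\*\*.exe',
    '%LocalAppData%\Temp\*.zip\*.exe'
)

Initialize-SrpRoot
foreach ($pattern in $DenyPatterns) {
    Add-SrpPathRule -Path $pattern -Level $Disallowed -Description 'Block exec from user-writable path' | Out-Null
}
# Whitelist: SRP gives the more specific path rule precedence, so this Unrestricted
# rule overrides the broad deny for one (placeholder) program that lives in AppData.
Add-SrpPathRule -Path '%AppData%\ExampleVendor\ExampleApp\*.exe' -Level $Unrestricted -Description 'Constructed whitelist entry' | Out-Null

Get-SrpPathRules | Format-Table -AutoSize
# Log off and back on (or reboot) so every new process is evaluated under these rules.
```

Run `Get-SrpBlockEvents` after a day of normal use to see which programs the deny rules stopped; each hit is either something to whitelist or something that should not have been running from there.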

My opinion is that it’s actually the wrong solution to the problem.

The right solution

The issue is that you should not be trying to avoid just one specific kind of malware. Cryptolocker is malware with particularly bad effects, but it’s malware nonetheless. We should be doing what we can to avoid all malware, not just CryptoLocker.


The problem, of course, is that the next malware to come along could be as bad or worse, and not operate in the way that CryptoPrevent blocks. My concern is that running CryptoPrevent will just give people a false sense of security. It prevents one very specific class of malware, and that’s it.

In fact, if CryptoPrevent were to actually make a difference on your machine, it’s because you already allowed CryptoLocker to be downloaded onto your machine! That is what needs to be prevented, because the things that prevent you from downloading CryptoLocker are the kinds of things that prevent all malware.

The right way to deal with CryptoLocker is to treat it just like any other malware. Remember, only you can prevent malware. Don’t open email attachments you aren’t absolutely certain are safe; as I understand it, CryptoLocker currently propagates most commonly via email attachments.

In general, remember to use the internet safely and with a healthy degree of skepticism. My article, “Internet Safety: 8 Tips to Keep Your Computer Safe on the Internet” covers the basics of how to keep your machine safe not just from CryptoLocker but from all malware.

If you’re interested, you can find a discussion of CryptoLocker, how it works, why it works, and how CryptoPrevent works, in excruciating detail at bleepingcomputer.com.

I want to provide that as interesting information, but it’s not the approach I want most people to follow. What I truly care about is that people learn to stay away from malware in general. Those techniques will work not just for CryptoLocker, but for all the other malware that’s out there as well.

35 comments on “Why haven’t you mentioned CryptoPrevent?”

  1. Cryptolocker is just malware (I hesitate to say just as its effects can be so devastating) and as such should be detected and stopped by any decent AV program by now. I use Avast and their website specifically says it detects and blocks Cryptolocker. As my driving instructor told me years ago: “the car that hits you is the one you don’t see coming.” In other words, it’s best to be prepared for the next one we don’t know about yet by following all-around safe computer and internet practices.

  2. I use CryptoPrevent on 2 PCs and I know I didn’t let CryptoLocker already be downloaded into my machine – I disagree strongly. I think CryptoPrevent is a good piece to have, but staying safe online (& creating backups) is the best way to make sure CryptoLocker doesn’t affect you.

      • Agreed, Cryptoprevent does nothing if you can avoid downloading malware in the first place. However, avoidance is not always possible:
        1. There are so many sneaky ways the baddies use which evolve faster than you can learn about them. In the latest PCPitstop articles, there is an article entitled “10 Socially Engineered Cyber Attacks Coming in 2014”. They can fool experienced PC users.
        2. Most AV software miss some things – you only have to read a recent PCPitstop sponsored article “http://blog.knowbe4.com/bid/355390/The-Antivirus-Industry-s-Dirty-Little-Secret” to learn that not even the top AV products are 100% (even PCPitstop). I use several products to check my PC. Some miss malware which others pick up.
        Therefore, because AV software cannot keep up and be 100% and because the smart baddies are evolving into geniuses who can fool your above average internet user, I will use Cryptoprevent as a failsafe. No doubt the baddies will produce encrypting malware which avoids detection and launches in places that Cryptoprevent doesn’t block but that may take a while. I’m sure the baddies who propagate Cryptolocker are well aware of Cryptoprevent and are already working on a bypass.
        In summary, prevention is always best as you say but it can’t always be achieved even by an informed internet user or top AV software – Cryptoprevent is harmless and for the time being a good failsafe in my opinion for Cryptolocker or its ilk which launches in places which Cryptoprevent blocks. All the best! James

      • It’s easy to claim that the best piece of advice is to follow good practices. It’s easy, and then you work with the clients that I work with – nurses who know nothing about technology and have access to a corporation’s global network share which everyone else has access to. They click on an email (and the new CryptoWall emails look 100% legit; even my security team said they would be tempted to click on them) and once that attachment is interacted with it starts encrypting the entire network share. In this case McAfee does not catch it (and even states that any antivirus that claims it can catch it is lying). So far the only success we have had is in the trial runs of CryptoPrevent we are running. Heck, while investigating the latest infection I accidentally interacted with the malware attachment and without CryptoPrevent my machine would have been lost. Thankfully I took the precaution and went with it. So antivirus + antimalware + CryptoPrevent + healthy computer habits are great – when they are followed. But I can never count on my users to follow safe computer practices.

        • Wow. That’s a good point. Your case definitely calls for the extra protection. My only worry would be that people install Cryptoprevent, and then think they are “protected.” We are never completely protected because the malware writers are constantly improving their tools!

          And always have a recent image backup to fall back on! Nothing will ever beat that as a safety net for the regular computer user.

  3. Leo, what about providing *every* computer with a ‘beartrap’: when an invading malware attempts to phone home (as most of them do) this anti-infectant transmits back to *their* server and encrypts it? They are shut down for good! Shouldn’t we be taking the fight to the perpetrators instead of simply erecting bigger and costlier defenses that don’t – can’t – be 100% effective? As has been said “the best defense is a good offense”.

    • I agree with Sal. It’s a great idea. It seems that the prompt for Leo to write his excellent article is an oversight in mentioning Cryptoprevent. To me the biggest elephant in the room is that nobody is writing about the efforts to find who is behind Cryptolocker. It seems to be dismissed as operatives in lax countries but there does not seem to be an effort by authorities to track down where and to see if their servers can be blocked. Perhaps there are efforts to detect the origins of Cryptolocker but no one seems to be expanding upon them publicly.

      • There are hundreds of thousands of viruses and trojans in existence. The cost of tracking them all down, especially in countries with almost no law enforcement, would be prohibitive, many times more than all the money lost from malware. As Leo said, this is just one more trojan among many. Where would law enforcement draw the line as to what to go after? Actually law enforcement is working to fight cybercrime, but if they are going after a perpetrator, they wouldn’t advertise it to the world as it would defeat their efforts if they tip off the criminals to what they are doing.

        • Mark, I agree with you, there are lots of malware to track and it would be costly to taxpayers like us for our government agencies to act. Perhaps software companies should help. For the past 35 years I have been buying and subscribing to Microsoft products & US based AV software. Cryptolocker is special and deserves serious attention. There is no fix except restoring from a back-up (if available). I have heard those who pay the ransom may not get all their files back as the un-encryption key the Cryptolocker baddies provide is not 100% effective. Also, since Cryptolocker came on the scene, my PCPitstop newsletter has had dire warnings in every edition. This has never happened before with any malware I know of. Even my local media is regularly providing reports (news media & not just IT media). Many authors are saying it’s the worst malware they have seen. The problems have mainly appeared in the US and Europe but now Australia is experiencing attacks from Cryptolocker. One university had many IT staff spending days to restore data in their computer network. See http://www.abc.net.au/news/2013-12-20/rising-tide-of-ransomware/5170422. It has also affected an Australian local government network. Who knows when it will appear in defence networks?
          So Cryptolocker in my humble opinion is different and deserves tracking. It should not be lumped with other malware that AV software can easily deal with. So Cryptolocker baddies should be traced because:
          1. It can slip through AV software and fool even experienced internet users (see my previous post)
          2. The damage is severe. There is no apparent fix except to pay the ransom if there are no back-ups. I reject any blame on ordinary people for not backing up because regular backups may occur before Cryptolocker is detected and the back up will be affected. Cloud backups can also be affected by Cryptolocker from the ground PC.
          3. It is spreading fast despite many media warnings. Not many people are aware that they can use a fail-safe like Cryptoprevent and most current AV software will not detect it (see “http://blog.knowbe4.com/bid/355390/The-Antivirus-Industry-s-Dirty-Little-Secret”)
          4. It is wrong to let the baddies get away with it as potentially it is the biggest money making ransomware/malware to hit the internet
          5. Not doing anything to capture the Cryptolocker baddies will allow them to morph it to bypass any fixes AV software designs. The previously cited article clearly shows that AV software takes a while to provide a fix.
          etc etc Cheers, James

  4. While I agree with you for the most part, Leo, I think that for most users it’s not a bad idea. All it does is set group policy rules that disallow exes from running from specific directories. It’s targeted at CryptoLocker, but would be just as effective against any malware that tries to run from non-standard paths. Which is something I always do for any temp folders and appdata anyway whenever I do a fresh install. And since it’s just writing group policy, it doesn’t need to be run multiple times, unless you want to update it to the newest version to keep new versions of CryptoLocker at bay. I’d recommend it only because in my opinion, exes shouldn’t be running from these paths regardless.

  5. It’s true, of course, that careful trekking through the cyber-world is the best malware prevention, but if we did this perfectly, we might not get infected by anything, ever. Why, if not this program, bother to recommend any of the antivirus or anti-spyware programs? Why is this particular software a “no”, but other programs “yes”?

    • I agree entirely. I have suffered from ransomware in the past, as have friends and family, while simply following Google links while innocently searching for items on the web. It can happen to anyone. If CryptoPrevent can vaccinate our computers against the latest, and most damaging, variety, then we should all have it. I have recommended it to computer users I know and have installed it on several machines.

  6. First I should state that I am the developer of CryptoPrevent.

    For an educated and experienced PC user with the proper universal prevention tools in place, the chances of getting infected are slim and CryptoPrevent won’t be of that much use. While I agree with that statement somewhat, the fallacies here are that the prevention tools are not cutting it in many cases, new tricks such as RLO exploits are fooling even experienced users, and finally it isn’t always an experienced PC user using your PC either, or there are other PCs you need to worry about, family members, friends, anyone could use them, etc. and they can fall victim to a fake file extension or other simple tactic in use by malware distributors even through emails with attachments that may initially look legitimate.

    CryptoPrevent only protects against CryptoLocker (and you should be concerned about all malware.) Actually, CryptoPrevent with its fake file extension protection alone protects against at least 400 different malware samples found in the wild by a security researcher at sanesecurity.com, a maker of anti-virus definitions, who suggested that feature of CryptoPrevent. Then the location based prevention is found to protect not only against CryptoLocker but a lot of other similar trojan based malware as well. This idea for CryptoPrevent was first pitched to me by a PC repair technician and business owner who is familiar with cleaning lots of different malware from these particular locations, and wanted a quick and convenient way to lock them down for his customers.

    Since that time I have seen hundreds of PC repair shops and IT service providers and consultants promote and use CryptoPrevent for all of their customers, because they are in the trenches of real-world scenarios involving not only CryptoLocker but tons of other malware. I have also worked with dozens of system administrators at businesses that need the protection, because when you’re working with 50 – 100 users and you provide them the current prevention tools, education and training, and still at least one will manage to fumble it up and get infected and then you’ve got mapped drives in danger.

    It isn’t just PC repair techs and IT service providers who are actively using and praising CryptoPrevent, but security bloggers like Brian Krebs of KrebsOnSecurity.com recommend it, as do tech podcasters like Mike Tech Show all the way up to the great Steve Gibson of GRC Research and the Security Now! podcast.

    Do I personally use it? Yes, only because it doesn’t affect or slow down my system in any way. I do not personally even use anti-virus software if that tells you anything, because I’m that confident in my abilities and that my family won’t be using my computer for anything while I’m not looking, but I still use CryptoPrevent as a fail-safe.

    To close, while CryptoPrevent doesn’t protect against ALL malware, a flu shot doesn’t protect against all strains of the flu going around during any given year. Still, for both, the experts agree: you should opt for the immunization just in case.

    • Nick, it’s good to see the developer of Cryptoprevent join in. I’m pleased you have made it available for free. Hence, I am an unashamed supporter even though I’ve never heard of FoolishIT before. With respect, people should know that what Cryptoprevent does can be done manually. No need to use Cryptoprevent. However, I checked the manual procedure but it was too complicated for me, an experienced PC user. I can edit the registry for simple things but doing a manual cryptoprevent is time consuming and involves a learning curve. Using your free tool is easier and I like the ability to white list legit software that needs to launch from places Cryptoprevent blocks. You make a good point that savvy internet users usually realise when they come across malware and avoid it. My wife and kids are smart people but they are not so savvy. They are always using my PCs when I’m not around. All the best and keep updating and making a free version of Cryptolocker! James

    • Nick, thanks for posting … I completely support your side of the CryptoPrevent argument and was ready to comment that I have run CP on my shared home computer and laptop only because my wife and kids aren’t as savvy as myself, but you made that point for me.

      Also, thanks for making CP freely available … you’re an internet hero! 🙂

      Greeting from Montreal, Canada!

      Greg Rajewski

      P.S. Congrats on your recognition from the “great Steve Gibson”! You know you’ve done well when you’ve earned his endorsement. 😉

    • Hi Nick,

      Thanks for stopping by – I really appreciate your comments and will be including them in my next weekly newsletter.

      To clarify, I’m not arguing against using CryptoPrevent. If people feel that they want to run it I see no reason not to. I think it’s fantastic that you have the track record and the endorsements that you have. That speaks a lot to what you’ve done, and I’m not trying to speak ill of that in any way.

      CryptoLocker got a lot of press, and caused a lot of panic among average computer users. From my perspective it was frustrating in that it remains “just” malware – malware that is absolutely particularly destructive – but malware nonetheless. All of a sudden everyone was looking for a way to protect themselves from this malware when in my opinion it’s an opportunity for raising awareness of how to stay safe from all malware.

      CryptoPrevent is awesome at preventing CryptoLocker, and as you point out, several forms of malware that use similar techniques – after they’ve actually arrived on your machine. My goal, my preference, is to continue to educate people to avoid that ever being necessary. That was the point of my article.

      To piggy-back onto your analogy, I’m not arguing against a flu shot at all. I’m arguing that not exposing yourself to the flu in the first place is perhaps even more important since those habits will protect you from a lot more than just the flu. (And I definitely don’t want people to think for a moment that having gotten the flu shot they can run off and engage in risky behaviors.)

      As others have echoed here, thank you for creating CryptoPrevent and making it free.

      PS for site visitors: since I have no reason to believe that Nick would return here, I’ve emailed him my comments as well.

      • If you don’t want to expose yourself to the flu, you’d have to stay indoors at all times and not meet any other people.

        Prevention alone doesn’t cut it, when you can get infected by a drive-by download while surfing a perfectly legitimate website or by simply clicking an ad.

    • Nick & Leo: Thanks to both for discussing this — and Nick for CryptoPrevent, which I just loaded today on our 3 home computers. Clearly Leo is right about prevention, and no one disagrees with that. But as an only slightly better than average computer nerd, I’m the family/friend guy who helps when their machines start glitching (and I have the t-shirt “Every time you call tech support, a kitten dies”). The worst I see is the redirect web malware or other assorted popup ad stuff. But, however much I tell people to be careful; try to load the most effective background malware/virus software, they still — STILL! — get infected with something.

      The critical difference is that, on the whole, frustrating as it can be to remotely clean up, say, the redirect malware, it can be done and there’s no permanent harm to the computer. Even a computer taken over by a botnet is still usable. But this cryptolocker essentially deletes your files (unless you pay the ransom). That is catastrophic. There’s no comparison to any other malware and a specific preventative fix is absolutely justified. None of my friends/relatives back up their files. I was alerted to this yesterday by another friend who, like me, takes care of the neighborhood. A 73 year old woman couldn’t get to her photos etc. No backup, of course.

      The point, of course, is that 90% (I made that up) of home computer users don’t do adequate backup; don’t have adequate malware/virus protection; and have no clue how their machine works. That’s why I’m now a major fan of CryptoPrevent and, after testing on my machines, will recommend it for friends.

  7. “From my perspective it was frustrating in that it remains ‘just’ malware – malware that is absolutely particularly destructive – but malware nonetheless.”

    Hi Leo and Nick,
    It’s the destructiveness of Cryptolocker that put the scare into me.
    That puts it apart from other malware I’ve seen before.
    I’m pretty savvy and pretty careful but this was waaay worse than anything I’ve seen and why I use Cryptoprevent (Thanks Nick).
    I paid the fee to upgrade because my home network is pretty open so if the worst did happen and one of the PCs got infected the rest would be somewhat safe.

    I agree with not opening email attachments unless you’re sure of the source. But I’ve also heard of drive-by downloads involving Cryptolocker, so all things being equal, an ounce of prevention is worth a pound of cure.

  8. I think you have hit the nail right on the head Leo.

    One of the problems I’ve seen is people want a security suite that does everything and, importantly, they expect a security suite that protects them from everything. They ignore the reality that you can never be 100 percent safe and if they get infected blame the antivirus program.

    I’m always fixing my dad’s computer for this reason as he’ll click on anything, pop-ups, dodgy links etc. Until people realise you need to actually be security aware, problems like this will happen. Take all the hacking the likes of Anonymous and others do. People think it’s a simple hack, a password hack, but 99 percent of the time it’s simply social engineering, trickery really.

    I’ve often compared security suites to sex, even if a little crude. Even with protection, if you sleep around, you’re bound to put yourself at risk. It’s the same with security. The more dodgy sites, links, attachments etc. you view, the more chance you’ll be infected even with up to date security tools.

  9. I have used cryptoprevent successfully on all my machines and all the client machines I work on are immunized routinely. All it does is change system policies that prevent cryptolocker from executing. So far it has not interfered with anything, but if it does, it is easy to re-run the utility and revert to an unprotected state. Because the malware is constantly evolving, antivirus programs may not always be able to catch it. Cryptoprevent is another layer of protection for this most devastating type of malware. I strongly recommend it in addition to all other best practices.

  10. Sorry, but I disagree with you Leo.

    Cryptoprevent sits there waiting for a type of execute that is used by many malware not just cryptolocker.

    You can’t be vigilant on the internet 24 hrs a day, you may only scan once a week, otherwise you will be scanning all day every day, and not everybody buys the premium editions of anti mal/virusware, which will run in the background and provide live protection.

    Having a simple program that does nothing but sit there waiting for a particular execute function from within the group policy filter can only be a good thing and a useful addition to one’s defenses.
    Yes, it only works if you have inadvertently downloaded the malware, but it will prevent auto-execution of Cryptolocker and many other similar types from encrypting your hard drive in this way, for now.

    Anyone who has googled this type of defense will be pretty much keyed up on internet security and preventative measures anyway and will realise that just one program is not enough.

  11. Hi Leo,
    I’m a pro photographer with tens of thousands of images and videos on a Win7 workstation, which is not used for any internet access, but from there I run a Linux Mint distro inside a virtual machine which is used for all internet traffic, mail, downloads etc. In your pro opinion, am I in danger of getting affected? I was thinking of using cryptoprevent as an extra failsafe. Thank you in advance.

    • A malware infection may not be your biggest worry. Hardware failure can actually cause a lot more damage. Make sure you have those files backed up. If they are only in one place they are not backed up.

    • Cryptoprevent is fine. No, you’re not 100% safe. The problem is, for example, that you probably share drives between Linux and Windows, and you probably have both visible or accessing your local area network. Those points of cross-connect are also points that malware can sometimes take advantage of. I HOPE HOPE HOPE you have complete backups of your images. All malware aside, a hard disk failure could be disastrous if not.

  12. Leo, I believe that your point of view is too idealistic. There is not and in all likelihood never going to be a comprehensive defense against malware and/or general virus assaults on computer systems.

    What I believe is that no one defense will provide complete protection.

    My recommendation would be to use Cryptoprevent along with an anti-virus program, Malwarebytes Anti-Malware, Malwarebytes Anti-Exploit, and also make sure you run regular scans with Malwarebytes and your anti-virus program. And also occasionally scan with another anti-malware program.

    I do think that Cryptoprevent is beneficial. But as part of an array of defenses.

    In short, why not use Cryptoprevent if you don’t intend to rely on it exclusively.

  13. I am not sure what CryptoPrevent actually does. Does it do what Windows Pro users can do anyway and make entries in the Local Security Settings to prevent CryptoWall from exploiting loopholes in the basic Windows security?

    One thing I would say for organizations that are perhaps being a little complacent thinking that because they have the latest firewall and anti-virus installed they are immune, CryptoWall is able to break through, normally with human help admittedly, but it can cause absolute havoc considering all network disks can be exposed.

    The only real defense once you are infected is in having a robust and recent backup system, but that cost time and effort which is why some people decide to pay up.

    For Windows Home users who do not have the Local Security Settings available CryptoPrevent may be a good investment.

    The CryptoWall virus is becoming more sophisticated and so therefore more sinister. The people behind CryptoWall are absolute scum and their indiscriminate virus will at some point cost lives if it were to rip through a medical or emergency establishment.

    • Martin asks, “does it do what Windows Pro users can do anyway?” Yes. CryptoWall accesses the same files the user can access, and if the user has read/write access to those files, it encrypts them. If the user has access to network (or backup!) files, it will encrypt those too. Bad stuff indeed.
      CryptoWall is technically interesting as it does not need admin rights to run and executes from the user’s own AppData folder. That is what CryptoPrevent stops – and any other valid program that uses that means to run.

  14. This discussion should also include “EMET”, Microsoft’s Enhanced Mitigation Experience Toolkit. EMET “is a utility that helps prevent vulnerabilities in software from being successfully exploited. EMET achieves this goal by using security mitigation technologies. These technologies function as special protections and obstacles that an exploit author must defeat to exploit software vulnerabilities. These security mitigation technologies do not guarantee that vulnerabilities cannot be exploited. However, they work to make exploitation as difficult as possible to perform.” (Microsoft.com)
    Like Cryptoprevent, EMET stops many of the techniques that Malware uses to worm its way onto your system. Unfortunately, malware isn’t the only software that uses these techniques, and EMET, like Cryptoprevent, will break some programs.

  15. I understand that CryptoPrevent will also prevent some (not all) other ransomware, as some ransomware (probably from less qualified authors) tends to copy previous ransomware, so this application actually detects more than one piece of malware. It thus raises the bar a bit on the use of the ransomware type of malware, and hopefully it will help to discourage ransomware. For these reasons, I believe it is useful.

    Regards,

  16. CryptoPrevent v.8 is now released and looks to offer far more than earlier versions. I’ve got the Pro version installed on a Windows 7 x64 Home Premium laptop where it seems to be working happily alongside Avast AV and Malwarebytes AM Pro.

    • Have you noticed any slowdown on your computer since upgrading to Version 8?

      My office has CryptoPrevent on all 100 computers and since the upgrade to Version 8 we’ve had nothing but issues with slowdowns. We use MSE for our anti-virus as we also have Kerio Firewall with anti-virus at the gateway level. All of our users are running dual core AMD CPUs with 4GB of RAM and Windows 7 Professional 64-bit.
