Let me explain what I mean. When CryptoPrevent was created and gradually improved, for quite some time it was built around software restriction policies (or at least their implementation at the registry level). For the most part, it blocked the execution of files in the %APPDATA% tree and then elsewhere as necessary.
The beauty of this implementation was that if I installed something, or ran it for the first time, and it puked, I could look in the event log for event 866 SW Restriction Violation, which would confirm that the problem was CryptoPrevent.
If it's now doing other "definition based" filtering it won't be so simple. Not impossible, just not so simple. Is this the case?
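
The event-log check described in the post, as an added example that is not part of the original post and is not CryptoPrevent's own code: it parses event 866 messages and groups the blocked files by the path rule that blocked them. It assumes the standard English message text and the `Microsoft-Windows-SoftwareRestrictionPolicies` provider in the Application log; the sample messages, GUIDs and paths are constructed.

```powershell
# Added example. Assumes the English event 866 message format for SRP path-rule blocks.
$pattern = '^Access to (?<File>.+?) has been restricted by your Administrator by location ' +
           'with policy rule (?<Rule>\{[0-9A-Fa-f-]+\}) placed on path (?<RulePath>.+?)\.?$'

function ConvertFrom-SrpMessage {
    # Turns one event 866 message into an object: blocked file, rule GUID, rule path.
    param([Parameter(ValueFromPipeline)][string]$Message)
    process {
        $m = [regex]::Match($Message.Trim(), $pattern)
        if ($m.Success) {
            [pscustomobject]@{
                File     = $m.Groups['File'].Value
                Rule     = $m.Groups['Rule'].Value
                RulePath = $m.Groups['RulePath'].Value
            }
        } else {
            Write-Warning "Unparsed SRP message: $Message"
        }
    }
}

# Constructed sample messages so the script also runs on a machine with no 866 events.
$sample = @(
    'Access to C:\Users\alice\AppData\Roaming\setup_tmp\installer.exe has been restricted by your Administrator by location with policy rule {11111111-2222-3333-4444-555555555555} placed on path %AppData%\*\*.exe.'
    'Access to C:\Users\alice\AppData\Roaming\updater\update.exe has been restricted by your Administrator by location with policy rule {11111111-2222-3333-4444-555555555555} placed on path %AppData%\*\*.exe.'
    'Access to C:\Users\alice\AppData\Local\Temp\7zS01\setup.exe has been restricted by your Administrator by location with policy rule {66666666-7777-8888-9999-000000000000} placed on path %LocalAppData%\Temp\7z*\*.exe.'
)

$UseLiveLog = $false   # set to $true to read the local Application log instead of the samples

$messages = if ($UseLiveLog) {
    Get-WinEvent -FilterHashtable @{ LogName = 'Application'; Id = 866
        ProviderName = 'Microsoft-Windows-SoftwareRestrictionPolicies' } -ErrorAction SilentlyContinue |
        ForEach-Object Message
} else { $sample }

# One row per rule: how many blocks it caused and which files were hit.
$messages | ConvertFrom-SrpMessage | Group-Object Rule, RulePath |
    Sort-Object Count -Descending |
    Select-Object Count, Name, @{ n = 'Files'; e = { ($_.Group.File | Sort-Object -Unique) -join '; ' } }
```

The rule GUID in each row can be compared against the Disallowed path rules stored under `HKLM\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Paths` to see which rule to adjust.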