These forums are retired and read-only.
For support, please visit https://www.d7xtech.com/support/

Testing on a sandbox

Postby fluffles » Thu May 07, 2015 2:23 am

I tested a recent Cryptolocker email on my Windows 7 sandbox machine w/ CryptoPrevent 7.4.20 (bulk/resale edition) & it managed to encrypt all the files in the user profile. The ransom message didn't mention what iteration of Cryptolocker it was. I've attached a screenshot of the ransom message & my CryptoPrevent config. Can anyone tell me what, if anything, is wrong with my config, or is CryptoPrevent v7.4.20 not effective against this iteration of Cryptolocker?
Attachments: crypto.PNG (ransom message screenshot), Crypto8.PNG (CryptoPrevent config screenshot)
Posts: 2
Joined: Thu Mar 12, 2015 11:21 pm

Re: Testing on a sandbox

Postby bored369 » Mon May 11, 2015 2:01 am

You'll want to review our FAQ here:
http://www.foolishit.com/cryptoprevent- ... neral-faq/
as well as the technical FAQ here for more information on what each feature does:
http://www.foolishit.com/cryptoprevent- ... formation/

From the first FAQ this will provide more details on what you are doing/testing:
Will this protect against other ‘Crypto’ type ransomware such as CryptoDefense, CryptoWall, etc., and their newer v2/v3 and future variants?

There are a number of new CryptoLocker clones emerging that can also be prevented by CryptoPrevent. The majority of these are protected against by default protections in their older versions, but newer variants are coming out that can only be stopped by the Maximum Protection + Program Filtering (BETA) option, which uses a definitions based system to keep current with known malware threats. This is however a “BETA” which means it is not fully tested on all platforms. Also note this option is not available with the portable edition of CryptoPrevent.

The newer variants require the Max Protection + Program Filtering BETA because most of this stuff has figured out how to get around the original “Software Restriction Policy” based protections provided by CryptoPrevent at the Max and lower levels. It is the Program Filtering component that protects against these threats by using a pseudo-real-time filter that is definitions based.

The definitions for the Program Filtering component are updated not on a set schedule but as they become available, and they are provided by SaneSecurity.com — currently there are over 7000 unique detections in the definitions, and that number is growing. But it isn’t all-encompassing, because unlike the Software Restriction Policies protection, this won’t get “zero-day” malware that hasn’t previously been detected and added to the definitions, so they can still slip past it I’m afraid.

Right now the Max settings I can’t recommend for daily use to everyone who wants to “set it and forget it” but rather just to those who understand that yes, if you are installing legitimate software you may need to disable the protections temporarily. This is not the fault of Program Filtering, which shouldn’t block ANY legitimate software, but rather mainly due to one of the path rules in the Max settings, which is “Block Temporary Extracted Executables” and is available to disable by itself (while Program Filtering remains enabled) if you used the Advanced interface to configure CryptoPrevent.
Chief Operating Officer, dSupportOnline official support of Foolish IT
& long time tech friend of Nick & avid Foolish IT product user since before Foolish IT was even created!

d7xTech Staff
Posts: 183
Joined: Sat Feb 01, 2014 6:57 am
Location: Anderson, SC

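The reply above attributes installer false positives to one Software Restriction Policy path rule at the Max level rather than to Program Filtering. As an added PowerShell example (not code from this thread or from CryptoPrevent), the script below enumerates the machine-wide SRP path rules and flags the Disallowed ones that cover temp/extraction locations, so a defender can see which rule is likely blocking a legitimate setup program. It assumes the rules live in the standard SRP registry location under HKLM and that the temp-folder patterns listed are illustrative.

```powershell
# Added example: audit Software Restriction Policy path rules (assumption: standard
# machine SRP location; per-user rules under HKCU use the same layout and are not read here).
$base = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers'

# SRP security levels are the numeric subkey names under CodeIdentifiers.
$levels = @{ '0' = 'Disallowed'; '4096' = 'BasicUser'; '131072' = 'NormalUser'; '262144' = 'Unrestricted' }

# Locations where setup programs commonly self-extract. A Disallowed rule matching one
# of these is the usual cause of "my installer was blocked" (illustrative list, an assumption).
$tempPatterns = @('%temp%', '%tmp%', '\AppData\Local\Temp', '\Windows\Temp', '%AppData%')

function Get-SrpPathRules {
    # Returns one object per path rule: level name, rule path, rule GUID, and whether
    # the path touches a temp/extraction location.
    $rules = @()
    foreach ($lvl in $levels.Keys) {
        $pathsKey = Join-Path $base "$lvl\Paths"
        if (-not (Test-Path $pathsKey)) { continue }
        foreach ($ruleKey in Get-ChildItem -Path $pathsKey) {
            $p = Get-ItemProperty -Path $ruleKey.PSPath
            if (-not $p.ItemData) { continue }   # ItemData holds the rule's path pattern
            $touches = ($tempPatterns | Where-Object { $p.ItemData -like "*$_*" }).Count -gt 0
            $rules += [pscustomobject]@{
                Level       = $levels[$lvl]
                TouchesTemp = $touches
                Path        = $p.ItemData
                RuleId      = $ruleKey.PSChildName
            }
        }
    }
    return $rules
}

$all = Get-SrpPathRules
if (-not $all) { Write-Host "No SRP path rules found under $base"; return }

$disallowed = @($all | Where-Object { $_.Level -eq 'Disallowed' })
$tempBlocks = @($disallowed | Where-Object { $_.TouchesTemp })
Write-Host ("{0} path rules, {1} Disallowed, {2} Disallowed rules cover temp/extraction locations" -f $all.Count, $disallowed.Count, $tempBlocks.Count)

# Disallowed rules on temp locations are listed first: these are the candidates to
# disable temporarily (as the reply suggests) while installing trusted software.
$all | Sort-Object @{Expression = 'TouchesTemp'; Descending = $true}, Level, Path |
    Format-Table Level, TouchesTemp, Path, RuleId -AutoSize
```

Run it in an elevated PowerShell session; it only reads the registry and changes nothing.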