#1
CryptoPrevent
To anyone familiar with the CryptoPrevent security utility-

In the CryptoPrevent folder inside the Foolish IT directory, there are the files CryptoPrevent.exe & CryptoPreventEventSvc.exe, plus a few others I'm not concerned with here. What is the difference in the two programs? I have run and am using CryptoPrevent.exe, but what is CryptoPreventEventSvc.exe used for? Do I also need to use it?

TIA
PF
#2
PrivacyFanatic wrote, On 7/8/2014 2:18 AM:
> To anyone familiar with the CryptoPrevent security utility-
> In the CryptoPrevent folder inside the Foolish IT directory, there are the files CryptoPrevent.exe & CryptoPreventEventSvc.exe, plus a few others I'm not concerned with here. What is the difference in the two programs? I have run and am using CryptoPrevent.exe, but what is CryptoPreventEventSvc.exe used for? Do I also need to use it? TIA PF

The latter (CryptoPreventEventSvc.exe) supports the former. It is an event monitoring tool within the context of the software's own process and runs as a Windows service.

--
...winston
msft mvp consumer apps
#3
On 7/8/2014 1:40 AM, . . .winston wrote:
> PrivacyFanatic wrote, On 7/8/2014 2:18 AM:
>> To anyone familiar with the CryptoPrevent security utility-
>> In the CryptoPrevent folder inside the Foolish IT directory, there are the files CryptoPrevent.exe & CryptoPreventEventSvc.exe, plus a few others I'm not concerned with here. What is the difference in the two programs? I have run and am using CryptoPrevent.exe, but what is CryptoPreventEventSvc.exe used for? Do I also need to use it? TIA PF
> The latter (CryptoPreventEventSvc.exe) supports the former. It is an event monitoring tool within the context of the software's own process and runs as a Windows service.

So I don't ever have to manually start it?

PF
#4
PrivacyFanatic wrote, On 7/8/2014 2:44 AM:
> On 7/8/2014 1:40 AM, . . .winston wrote:
>> PrivacyFanatic wrote, On 7/8/2014 2:18 AM:
>>> To anyone familiar with the CryptoPrevent security utility-
>>> In the CryptoPrevent folder inside the Foolish IT directory, there are the files CryptoPrevent.exe & CryptoPreventEventSvc.exe, plus a few others I'm not concerned with here. What is the difference in the two programs? I have run and am using CryptoPrevent.exe, but what is CryptoPreventEventSvc.exe used for? Do I also need to use it? TIA PF
>> The latter (CryptoPreventEventSvc.exe) supports the former. It is an event monitoring tool within the context of the software's own process and runs as a Windows service.
> So I don't ever have to manually start it? PF

After selecting and running CryptoPrevent.exe, look in Task Manager. Is CryptoPreventEventSvc.exe present?

--
...winston
msft mvp consumer apps
#5
On 7/8/2014 4:04 AM, . . .winston wrote:
No, that process or service is not running. I checked both Task Manager and services.msc. No sign of it. I tried to directly start it and a window pops up saying "This program must be started as a service". Uh, OK. How? It's not listed anywhere in services.msc.

PF
#6
On 08-July-2014 8:41 PM, PrivacyFanatic wrote:
> On 7/8/2014 4:04 AM, . . .winston wrote:
> No, that process or service is not running. I checked both Task Manager and services.msc. No sign of it. I tried to directly start it and a window pops up saying "This program must be started as a service". Uh, OK. How? It's not listed anywhere in services.msc. PF

Did you reboot after install?
#7
On 7/8/2014 6:10 AM, MachSpeed wrote:
> On 08-July-2014 8:41 PM, PrivacyFanatic wrote:
>> On 7/8/2014 4:04 AM, . . .winston wrote:
>> No, that process or service is not running. I checked both Task Manager and services.msc. No sign of it. I tried to directly start it and a window pops up saying "This program must be started as a service". Uh, OK. How? It's not listed anywhere in services.msc. PF
> Did you reboot after install?

Install Cryptoprevent.exe? Yes, I installed the main program a while ago, and applied it, etc. But just today I started wondering about the CryptoPreventEventSvc.exe file that was in the Cryptoprevent folder.

PF
#8
PrivacyFanatic wrote:
> On 7/8/2014 6:10 AM, MachSpeed wrote:
>> On 08-July-2014 8:41 PM, PrivacyFanatic wrote:
>>> On 7/8/2014 4:04 AM, . . .winston wrote:
>>> No, that process or service is not running. I checked both Task Manager and services.msc. No sign of it. I tried to directly start it and a window pops up saying "This program must be started as a service". Uh, OK. How? It's not listed anywhere in services.msc. PF
>> Did you reboot after install?
> Install Cryptoprevent.exe? Yes, I installed the main program a while ago, and applied it, etc. But just today I started wondering about the CryptoPreventEventSvc.exe file that was in the Cryptoprevent folder. PF

What it's doing, is described here.

http://www.bleepingcomputer.com/viru...re-information

"Foolish IT LLC was kind enough to create a free utility called CryptoPrevent that automatically adds the suggested Software Restriction Policy Path Rules listed below to your computer. This makes it very easy for anyone using Windows XP SP 2 and above to quickly add the Software Restriction Policies to your computer in order to prevent CryptoLocker and Zbot from being executed in the first place.

C:\Users\User\AppData\Local\random.exe (Vista/7/8)
C:\Users\User\AppData\Local\random.exe (Vista/7/8)
C:\Documents and Settings\User\Application Data\random.exe (XP)
C:\Documents and Settings\User\Local Application Data\random.exe (XP)
"

The author of the tool describes the components here.

http://club.myce.com/f3/crypto-preve...34/index2.html

HelloWorld2.exe is in fact a test executable extracted to %appdata% to determine whether or not the protection works. Technically the executable runs and returns errorlevel 9 back to CryptoPrevent to let it know that it succeeded in executing (and the protection fails) or if it was unsuccessful then no errorlevel is returned and CryptoPrevent knows the protection is successfully applied. The executable should be deleted after the test is performed but I've had a report that it remained on one system though I haven't been able to reproduce the behavior, it shouldn't really be an issue.

CryptoPreventTestCLI.exe is a command line utility designed to perform the same test as mentioned above, but for people who would script the test with a batch file or as part of their RMM deployment. The joke is on me, the issue with this test executable is that it will only work when deployed via the user or local admin account, but always fails when run under the local system account (how most RMM tools deploy executables by default...)

CryptoPreventEventSvc.exe is the event monitoring service for the installer version of CryptoPrevent -- which monitors Windows event logs and emails you (when configured, of course) in real time if an application was blocked via the policies created by CryptoPrevent. It should only ever be "installed" or run as a Windows service with the installer version.

To my knowledge the only registry based items CryptoPrevent may create yet does NOT remove is the registry key that actually enables software restriction policies (although all of the policy rules themselves are removed -- CryptoPrevent differentiates between policies it creates and only removes those if they have "CryptoLocker Prevention" in the description of the policy rule.) The reason for this is so as not to disturb any existing policies that may be in effect on a system already that were not created by CryptoPrevent. That registry key is:

HKLM\SOFTWARE\Policies\Microsoft\Windows\Safer\codeidentifiers

That suggests to me, that it isn't essential to have that Service running. As the portable version of the program doesn't include it.

HTH,
Paul
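
The rules and block events described in the last post can be inspected by hand, with or without the event service. The following PowerShell is an added example, not part of the thread and not CryptoPrevent's own code. It assumes the standard Windows Software Restriction Policy layout (level subkeys under the key quoted above, each with `Paths\{GUID}` entries holding `ItemData` and `Description`) and the standard SRP event provider name and event IDs in the Application log.

```powershell
# Added example: audit SRP path rules and recent SRP block events on the local machine.
$SrpRoot = 'SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers'
$Marker  = 'CryptoLocker Prevention'   # description text named in the post above
$Raw     = [Microsoft.Win32.RegistryValueOptions]::DoNotExpandEnvironmentNames

function Get-SrpPathRule {
    $root = [Microsoft.Win32.Registry]::LocalMachine.OpenSubKey($SrpRoot)
    if ($null -eq $root) { return }              # SRP key absent: no policies configured
    foreach ($level in $root.GetSubKeyNames()) { # 0 = Disallowed, 262144 = Unrestricted
        $paths = $root.OpenSubKey("$level\Paths")
        if ($null -eq $paths) { continue }       # level has no path rules
        foreach ($guid in $paths.GetSubKeyNames()) {
            $rule = $paths.OpenSubKey($guid)
            $desc = [string]$rule.GetValue('Description', '')
            [pscustomobject]@{
                Level             = $level
                # Keep %AppData%-style variables unexpanded so the rule reads as written
                Path              = $rule.GetValue('ItemData', '', $Raw)
                Description       = $desc
                FromCryptoPrevent = $desc -like "*$Marker*"
            }
        }
    }
}

$rules  = @(Get-SrpPathRule)
$tagged = @($rules | Where-Object { $_.FromCryptoPrevent })
"{0} path rule(s) found, {1} tagged '{2}'" -f $rules.Count, $tagged.Count, $Marker
$rules | Sort-Object Level, Path | Format-Table -AutoSize -Wrap

# Rules without the marker were created by something else (for example Group Policy).
# Recent SRP block events, the same kind of record an event monitor would watch for:
$filter = @{
    LogName      = 'Application'
    ProviderName = 'Microsoft-Windows-SoftwareRestrictionPolicies'
    Id           = 865, 866, 867, 868, 882
}
Get-WinEvent -FilterHashtable $filter -MaxEvents 20 -ErrorAction SilentlyContinue |
    Select-Object TimeCreated, Id, Message | Format-List
```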