CryptoPrevent

To anyone familiar with the CryptoPrevent security utility-
In the CryptoPrevent folder inside the Foolish IT directory, there are
the files CryptoPrevent.exe & CryptoPreventEventSvc.exe, plus a few
others I'm not concerned with here. What is the difference in the two
programs? I have run and am using CryptoPrevent.exe, but what is
CryptoPreventEventSvc.exe used for? Do I also need to use it? TIA
PF

PrivacyFanatic wrote, On 7/8/2014 2:18 AM:
To anyone familiar with the CryptoPrevent security utility-
In the CryptoPrevent folder inside the Foolish IT directory, there are
the files CryptoPrevent.exe & CryptoPreventEventSvc.exe, plus a few
others I'm not concerned with here. What is the difference in the two
programs? I have run and am using CryptoPrevent.exe, but what is
CryptoPreventEventSvc.exe used for? Do I also need to use it? TIA
PF

The latter (CryptoPreventEventSvc.exe) supports the former. It is an
event monitoring tool within the context of the software's own process
and runs as a Windows service.

--
...winston
msft mvp consumer apps

On 7/8/2014 1:40 AM, . . .winston wrote:
PrivacyFanatic wrote, On 7/8/2014 2:18 AM:
To anyone familiar with the CryptoPrevent security utility-
In the CryptoPrevent folder inside the Foolish IT directory, there are
the files CryptoPrevent.exe & CryptoPreventEventSvc.exe, plus a few
others I'm not concerned with here. What is the difference in the two
programs? I have run and am using CryptoPrevent.exe, but what is
CryptoPreventEventSvc.exe used for? Do I also need to use it? TIA
PF

The latter (CryptoPreventEventSvc.exe) supports the former. It is an
event monitoring tool within the context of the software's own process
and runs as a Windows service.


So I don't ever have to manually start it?
PF

PrivacyFanatic wrote, On 7/8/2014 2:44 AM:
On 7/8/2014 1:40 AM, . . .winston wrote:
PrivacyFanatic wrote, On 7/8/2014 2:18 AM:
To anyone familiar with the CryptoPrevent security utility-
In the CryptoPrevent folder inside the Foolish IT directory, there are
the files CryptoPrevent.exe & CryptoPreventEventSvc.exe, plus a few
others I'm not concerned with here. What is the difference in the two
programs? I have run and am using CryptoPrevent.exe, but what is
CryptoPreventEventSvc.exe used for? Do I also need to use it? TIA
PF

The latter (CryptoPreventEventSvc.exe) supports the former. It is an
event monitoring tool within the context of the software's own process
and runs as a Windows service.


So I don't ever have to manually start it?
PF
After selecting and running CryptoPrevent.exe look in Task Manager is
CryptoPreventEventSvc.exe present ?


--
...winston
msft mvp consumer apps

On 7/8/2014 4:04 AM, . . .winston wrote:

No, that process or service is not running. I checked both
taskmanager and services.msc. no sign of it. I tried to
directly start it and a window pops up saying-
'This program must be started as a service". Uh, OK.
How? It's not listed anywhere in services.msc.
PF

On 08-July-2014 8:41 PM, PrivacyFanatic wrote:
On 7/8/2014 4:04 AM, . . .winston wrote:

No, that process or service is not running. I checked both
taskmanager and services.msc. no sign of it. I tried to
directly start it and a window pops up saying-
'This program must be started as a service". Uh, OK.
How? It's not listed anywhere in services.msc.
PF

Did you reboot after install?

On 7/8/2014 6:10 AM, MachSpeed wrote:
On 08-July-2014 8:41 PM, PrivacyFanatic wrote:
On 7/8/2014 4:04 AM, . . .winston wrote:

No, that process or service is not running. I checked both
taskmanager and services.msc. no sign of it. I tried to
directly start it and a window pops up saying-
'This program must be started as a service". Uh, OK.
How? It's not listed anywhere in services.msc.
PF

Did you reboot after install?

Install Cryptoprevent.exe? Yes I installed the
main program a while ago, and applied it, etc..
But just today I started wondering about the
CryptoPreventEventSvc.exe file that was in
the Cryptoprevent folder.
PF

PrivacyFanatic wrote:
On 7/8/2014 6:10 AM, MachSpeed wrote:
On 08-July-2014 8:41 PM, PrivacyFanatic wrote:
On 7/8/2014 4:04 AM, . . .winston wrote:

No, that process or service is not running. I checked both
taskmanager and services.msc. no sign of it. I tried to
directly start it and a window pops up saying-
'This program must be started as a service". Uh, OK.
How? It's not listed anywhere in services.msc.
PF

Did you reboot after install?

Install Cryptoprevent.exe? Yes I installed the
main program a while ago, and applied it, etc..
But just today I started wondering about the
CryptoPreventEventSvc.exe file that was in
the Cryptoprevent folder.
PF



What it's doing, is described here.

http://www.bleepingcomputer.com/viru...re-information

"Fooli**** LLC was kind enough to create a free utility called
CryptoPrevent that automatically adds the suggested Software Restriction
Policy Path Rules listed below to your computer. This makes it very easy
for anyone using Windows XP SP 2 and above to quickly add the Software
Restriction Policies to your computer in order to prevent CryptoLocker
and Zbot from being executed in the first place.

C:\Users\User\AppData\Local\random.exe (Vista/7/8)
C:\Users\User\AppData\Local\random.exe (Vista/7/8)
C:\Documents and Settings\User\Application Data\random.exe (XP)
C:\Documents and Settings\User\Local Application Data\random.exe (XP)
"

The author of the tool describes the components here.

http://club.myce.com/f3/crypto-preve...34/index2.html

HelloWorld2.exe

is in fact a test executable extracted to %appdata% to determine whether or
not the protection works. Technically the executable runs and returns
errorlevel 9 back to CryptoPrevent to let it know that it succeeded in
executing (and the protection fails) or if it was unsuccessful then no
errorlevel is returned and CryptoPrevent knows the protection is
successfully applied. The executable should be deleted after the test
is performed but I've had a report that it remained on one system though
I haven't been able to reproduce the behavior, it shouldn't really be an issue.

CryptoPreventTestCLI.exe

is a command line utility designed to perform the same test as mentioned above, but
for people who would script the test with a batch file or as part of their RMM
deployment. The joke is on me, the issue with this test executable is that it will
only work when deployed via the user or local admin account, but always fails when
run under the local system account (how most RMM tools deploy executables by default...)

CryptoPreventEventSvc.exe

is the event monitoring service for the installer version of CryptoPrevent -- which
monitors Windows event logs and emails you (when configured, of course) in real time
if an application was blocked via the policies created by CryptoPrevent. It should
only ever be "installed" or run as a Windows service with the installer version

To my knowledge the only registry based items CryptoPrevent may create yet
does NOT remove is the registry key that actually enables software restriction
policies (although all of the policy rules themselves are removed -- CryptoPrevent
differentiates between policies it creates and only removes those if they have
"CryptoLocker Prevention" in the description of the policy rule.) The reason for
this is so as not to disturb any existing policies that may be in effect on a
system already that were not created by CryptoPrevent. That registry key is:
HKLM\SOFTWARE\Policies\Microsoft\Windows\Safer\cod eidentifiers

That suggests to me, that it isn't essential to have that
Service running. As the portable version of the program
doesn't include it.

HTH,
Paul