
CryptoLocker Prevention



Hey Guys,

 

Here is a script to deploy the CryptoLocker Prevention settings by FoolishIT

http://www.foolishit.com/vb6-projects/cryptoprevent/

 

Just 3 basic scripts and some EDFs to keep track of the results.

- Install

- Uninstall

- Test

 

Install and Uninstall both require restarts to take effect, so the end user is prompted to do so.

Test just checks to see if the prevention policy has been applied correctly.

 

You can view the EDF under the AV section under the computer Info.

I didn't think it warranted a Custom Tab, although it would look pretty.

CryptoLocker Prevention.zip

  • 4 weeks later...

I ran an Execute Script step for downloading the util, here is the PS code snippet:

# Download the CryptoPrevent zip into System32, then extract it in place.
$zip = 'C:\Windows\System32\CryptoPrevent.zip'
(New-Object Net.WebClient).DownloadFile('http://www.foolishit.com/download/cryptoprevent/', $zip)
$shell = New-Object -ComObject Shell.Application
# CopyHere flag 16 = "Yes to All", so existing files are overwritten without a prompt.
$shell.NameSpace('C:\Windows\System32\').CopyHere($shell.NameSpace($zip).Items(), 16)

 

Some of our clients are "Road Warriors", making the LTShare thing a little cumbersome. Thanks for the script tho! :D


Is anyone having issues with the testing part?

I downloaded and tweaked a set of crypto preventer scripts from the LT forums and it works pretty well, but there are some false negatives running the testcli.exe.

I know it does not run with just a shell or process execute because that's as the system account, but I've tried scripting it as admin, a local admin account, the specific user I am logged onto the machine as, and get a message that the protection is not applied.

I write the results of testcli to a txt file, then I append the results of running WHOIS to verify the user I ran the test as.

 

I have not tried screwlooose' script, so I guess I'll have to at least take a look.

 

TIA,

 

-Joel

  • 2 weeks later...

I run the TestCLI daily on our machines to make sure they are protected, if it fails, it checks an EDF and puts them in a group to reapply CryptoPrevent.

 

I ran into an issue with the event log monitor blowing up with alerts regarding "HelloWorld.exe". TestCLI.exe uses this to verify protection is applied.

 

For anyone with the same issue, add the regular expression below to the monitor and it will exclude any events with "HelloWorld".

 

^((?!HelloWorld).)*$\r?\n?

 


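To confirm that the exclusion pattern behaves as the post says (lines mentioning HelloWorld are dropped, everything else still reaches the monitor), here is an added Python check that is not part of the original thread; the event lines are constructed samples, not real monitor output, and the negative-lookahead pattern is the corrected form with "((?!" rather than "(??!".

```python
import re

# Corrected exclusion pattern: a line matches only if no position in it is
# followed by "HelloWorld". The form as originally posted, "(??!HelloWorld)",
# is not valid regex syntax and does not compile (see pattern_compiles below).
EXCLUDE_HELLOWORLD = re.compile(r"^((?!HelloWorld).)*$\r?\n?", re.MULTILINE)

# Constructed sample of event-log text (not real LabTech or SRP output):
# one block event for the TestCLI probe, one for a real AppData executable,
# and one unrelated service event.
SAMPLE_EVENTS = (
    "Event 866: Access to C:\\Users\\bob\\AppData\\Local\\Temp\\HelloWorld.exe "
    "has been restricted by your Administrator by location with policy rule.\r\n"
    "Event 866: Access to C:\\Users\\bob\\AppData\\Roaming\\invoice.exe "
    "has been restricted by your Administrator by location with policy rule.\r\n"
    "Event 7036: The Windows Update service entered the running state.\r\n"
)


def pattern_compiles(pattern_text):
    """Return True if the pattern text is accepted by the regex engine."""
    try:
        re.compile(pattern_text)
        return True
    except re.error:
        return False


def lines_without(pattern, text):
    """Return the event lines the exclusion pattern still lets through.

    Each line is tested on its own, which is how a per-event monitor would
    apply the pattern; lines containing HelloWorld fail to match and are dropped.
    """
    return [line for line in text.splitlines() if pattern.match(line)]


if __name__ == "__main__":
    print("posted pattern compiles:", pattern_compiles(r"^(??!HelloWorld).)*$\r?\n?"))
    print("corrected pattern compiles:", pattern_compiles(EXCLUDE_HELLOWORLD.pattern))
    for line in lines_without(EXCLUDE_HELLOWORLD, SAMPLE_EVENTS):
        print("ALERT:", line)
```

The TestCLI probe event is filtered out while the genuine AppData block event is still alerted on, which is the behaviour the monitor exclusion is meant to give.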
  • 1 month later...

Testing is a PITA...

UAC is a PITA, especially for scripting. Here's what I've found (using my own script with a simple Console Shell, which seems to be the only way to work):

- Without a logged in user it just plain fails.

- UAC enabled system (Vista+)- they get the UAC prompt to run the Foolishit app, which most users (shockingly!) click no. The problem here is that we actually do want to run, but users finally have sense to prevent something unknown from running. Maybe it's finally kicked in...maybe in a few more years they won't open the fedex tracking email...

- Non UAC (XP)- runs just fine...

 

Wonder how we can test this as system account or without raising UAC...


Just thought of something after dinner, and started to do a bit of research. What if we setup the testcli as a scheduled task? I came across this: http://gallery.technet.microsoft.com/scriptcenter/To-start-a-script-command-54837868. Perhaps a script could be written to run this from the master. Not sure if it will actually run scheduled without prompting for elevation, or if we'll even see the status.

 

The command can be captured by running CryptoPreventTestCLI.exe > clpresult.txt and then reading the file.

 

Why it might not work:

- The user creds are needed to create the scheduled task

- Can the task be setup to run as a known admin and actually interact with a desktop? This way it would require the user to be logged in?

 

Thoughts?

 

Carlos.
