Bundaburra

Emsisoft anti malware and CryptoPrevent


Since the ransomware scare I have been using CryptoPrevent (free version) from Foolish IT, in addition to Emsisoft anti-malware.  I now find that the free version of CP is discontinued, so I would like to know if I really need it?  Does EAM provide the same or similar protection as CryptoPrevent, or should I switch to the paid version?


Hello,

No, CryptoPrevent is no longer necessary to use. Emsisoft's Behavior Blocker provides protection against Ransomware and will prevent all known Ransomware variants from making changes to a system protected by Emsisoft Anti-Malware.


In addition to what Kevin said, I would believe that the free version of CryptoPrevent hadn't been updated since CryptoLocker was still in the wild (this was years ago). Newer ransomware has adapted its techniques, and the worst of it hasn't been stopped by CryptoPrevent for years.

Really, all CryptoPrevent did was create a bunch of Group Policies to keep things from executing out of certain folders. Bypassing this sort of "protection" is rather easy. By contrast, our Behavior Blocker is significantly more advanced than this, gets updated on a regular basis, and will detect ransomware-like behavior from any executable running out of any folder on the system.


Thanks for the heads-up.  I have now completely disabled and uninstalled CryptoPrevent, and will see how I go.  One other question:  the reply from GT500 mentions Group Policies.  Would the uninstall have removed or reverted these?  If not, should I do so and what are they? 


Bundaburra, 

To answer your question, yes, CryptoPrevent will remove the Software Restriction Policies (aka "group policies" as mentioned above, or "SRP" for short) as well as all other provided protections during uninstall of the software.  This does assume that CryptoPrevent is allowed to run normally and is not otherwise inhibited by another product that is a little too restrictive in its protection mechanisms, which to my knowledge would not be the case with Emsisoft products, though I could be mistaken (we do not use nor do we typically test with Emsisoft products for compatibility as we have never been presented with a reason to...)

---

There are however a few major misconceptions presented here regarding CryptoPrevent that we would respectfully request both you and the Emsisoft staff to consider.  I can understand to a point that these misconceptions exist, because much like the Emsisoft staff, we at Foolish IT (d7xTech) are not at all familiar with the Emsisoft product line and feature set, just as they seem entirely unfamiliar with ours. 

1.  Software Restriction Policies are only one of 4 major protection types in use by CryptoPrevent, as well as a few nice but more minor protection perks and not counting related options and additional features, none of which interfere with any known anti-virus/anti-malware product to our knowledge.  Protection features are listed on the software's home page in the left column under the "CryptoPrevent v9 Features" section.  

2.  CryptoPrevent protects against all forms of malware, not just "ransomware" alone, yet despite this fact CryptoPrevent is not a competitor to other products, but rather a supplement to their functionality.  This is important in that we also make no claims whatsoever that CryptoPrevent can or should replace other more traditional anti-virus or any anti-malware type products or protections, and in fact we do strongly recommend that these products are also used in conjunction with CryptoPrevent (in addition to at least one or more tested backup methodologies.)  Therefore usage of CryptoPrevent is always worthwhile as a valid and an additional layer of security.

I do not believe the last point can seriously be debated unless these exact same protection types and features are copied from our product for use in other products.  Even in cases where other products use Software Restriction Policies (as Emsisoft products may use) as more and more are doing these days, the policies are not necessarily the same that we use, unless through specific investigation and effort our policies are copied after creation by our software with the intent of duplication in the other product, and of course they would need to be duplicated in the same way after each new version of our software is released.  Due to the staff's unfamiliarity with CryptoPrevent, I would highly doubt that their software's protections, and in particular the Software Restriction Policies (if used by Emsisoft) are exactly the same as those created by CryptoPrevent, nor would they interfere with our product's policies. 

In addition to the SRP protections, to our knowledge Emsisoft does not interfere with nor duplicate CryptoPrevent's 3 other main protection types either, all of which are enabled even in the free edition of CryptoPrevent.  Although currently free updates to CryptoPrevent are discontinued, it is entirely current and even more effective than ever as of the last release this month, and as-is it will be valid protection for years to come.

In the future if you (or anyone else) should have questions or experience any issues with our products, even the free versions as you were using, we encourage you to first use our own support channels for assistance.  

---

Now specifically to the Emsisoft staff I would like to point out that we do not generally make it a practice to comment on others' products nor recommend removing them, unless we find that they are harmful to our users or entirely ineffective, as has been the case in the past; however, when there is any benefit to our users (of course we definitely believe Emsisoft products can be beneficial to our users in addition to our own product's functionality) we would never recommend removal of an additional layer of security.  This would almost be equivalent to advising removal of Emsisoft products in lieu of the free Windows Defender, which is built-in to every modern version of Windows and available to most older ones still found today as a free add-on/update, all on the (possibly incorrect) assumption that it does the same thing and renders all 3rd party anti-virus/malware apps unnecessary.  In fact this isn't the same but worse, since with CryptoPrevent we are discussing an additional layer of security that co-exists peacefully with Emsisoft, not a replacement layer as in the above given example.

We hope that rather than recommending removal of a potentially helpful product for no apparent reason, that the Emsisoft staff would instead recognize that other non-interfering additional layers of security (including having tested and yes even redundant backup methods in place) are always a good idea when one's data security is of any concern, or at the least refuse to comment where knowledge is scarce on others' products that shouldn't even be considered as "competing." 

We also wish to extend the offer to assist Emsisoft should CryptoPrevent ever interfere or become redundant to one or more of their features by working with them to resolve an issue and even to allow for an automated or easy to disable option (for the user) regarding the specifically redundant bits of functionality when the other product is detected, providing the user has a choice and is informed correctly of the options at that time.

---

We do wish both you and the Emsisoft staff the best no matter what your stance is regarding our software, and we would also like to thank the Emsisoft staff for allowing this post to remain visible to clear up the misconceptions presented above, as well as any future consideration towards not perpetuating them.  

Edited by d7xTech
Confused Emsisoft Anti-Malware with Bitdefender

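Bundaburra's question above ("what are they?") and the Software Restriction Policies that both GT500 and d7xTech discuss can be checked directly on a machine: SRP rules live in the registry under HKLM\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers, with one subkey per security level and a GUID-named key per path rule, so a .reg export of that key shows whether an uninstall really reverted them. The script below is an added example written for this thread, not code from Emsisoft, Foolish IT or CryptoPrevent; the registry export it parses is a constructed sample with invented GUIDs and rules, limited to the value formats a real export uses (quoted strings, dword, and hex(2) for REG_EXPAND_SZ).

```python
"""
Audit Software Restriction Policy (SRP) path rules from a .reg export.

SRP rules are stored under HKLM\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers.
Each security level is a subkey named by its numeric level id; path rules are
GUID-named subkeys under <level>\Paths whose ItemData value holds the path pattern.
"""
import re

# Numeric SRP level ids as they appear in subkey names, and their UI names.
LEVEL_NAMES = {
    0: "Disallowed",
    0x1000: "Untrusted",        # 4096
    0x10000: "Constrained",     # 65536
    0x20000: "Basic User",      # 131072
    0x40000: "Unrestricted",    # 262144
}
SAFER_ROOT = r"HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers"

# Constructed sample export (invented GUIDs and rules, not taken from any real system).
# Two Disallowed path rules and one Unrestricted rule; the second rule uses hex(2),
# the REG_EXPAND_SZ encoding (UTF-16LE bytes, possibly wrapped with trailing "\").
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers]
"DefaultLevel"=dword:00040000
"TransparentEnabled"=dword:00000001
"PolicyScope"=dword:00000000

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Paths\{00000000-0000-0000-0000-000000000001}]
"ItemData"="%AppData%\\*.exe"
"SaferFlags"=dword:00000000
"Description"="Constructed rule: block executables in roaming AppData"

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Paths\{00000000-0000-0000-0000-000000000002}]
"ItemData"=hex(2):25,00,54,00,65,00,6d,00,70,00,25,00,5c,00,2a,00,2e,00,65,00,78,00,\
  65,00,00,00
"SaferFlags"=dword:00000000

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers\262144\Paths\{00000000-0000-0000-0000-000000000003}]
"ItemData"="%ProgramFiles%\\*"
"SaferFlags"=dword:00000000
'''


def _logical_lines(text):
    """Join physical lines that a .reg export wrapped with a trailing backslash."""
    out, buf = [], ""
    for raw in text.splitlines():
        stripped = raw.strip()
        if stripped.endswith("\\"):
            buf += stripped[:-1]
            continue
        out.append(buf + stripped)
        buf = ""
    return out


def _decode_value(raw):
    """Decode the three value encodings used in the sample: "string", dword:, hex(2):."""
    if raw.startswith('"') and raw.endswith('"'):
        return raw[1:-1].replace("\\\\", "\\").replace('\\"', '"')
    if raw.startswith("dword:"):
        return int(raw[len("dword:"):], 16)
    if raw.startswith("hex(2):"):
        data = bytes(int(b, 16) for b in raw[len("hex(2):"):].split(",") if b)
        return data.decode("utf-16-le").rstrip("\x00")
    return raw


def parse_reg(text):
    """Return {key_path: {value_name: value}} for every key in the export."""
    keys, current = {}, None
    for line in _logical_lines(text):
        if not line or line.startswith("Windows Registry Editor") or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys[current] = {}
            continue
        if current is None or "=" not in line:
            continue
        name, _, raw = line.partition("=")
        name = "(Default)" if name == "@" else name.strip('"')
        keys[current][name] = _decode_value(raw)
    return keys


SRP_PATH_RE = re.compile(
    re.escape(SAFER_ROOT) + r"\\(\d+)\\Paths\\(\{[0-9A-Fa-f-]+\})$", re.IGNORECASE)


def srp_path_rules(keys):
    """List every SRP path rule with its level name, path pattern and description."""
    rules = []
    for key, values in keys.items():
        m = SRP_PATH_RE.match(key)
        if not m:
            continue
        level = int(m.group(1))
        rules.append({
            "level": LEVEL_NAMES.get(level, f"unknown({level})"),
            "path": values.get("ItemData", ""),
            "description": values.get("Description", ""),
            "guid": m.group(2),
        })
    return sorted(rules, key=lambda r: (r["level"], r["path"]))


def default_level(keys):
    """Name of the level applied to anything no rule matches ('not set' if absent)."""
    return LEVEL_NAMES.get(keys.get(SAFER_ROOT, {}).get("DefaultLevel"), "not set")


if __name__ == "__main__":
    parsed = parse_reg(SAMPLE_REG)
    print("DefaultLevel:", default_level(parsed))
    for rule in srp_path_rules(parsed):
        print(f'{rule["level"]:<12} {rule["path"]:<24} {rule["description"]}')
```

To audit a real machine, export the key with `reg export "HKLM\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers" srp.reg` (reg.exe typically writes the file as UTF-16, so read it with that encoding) and pass the text to parse_reg; if the key is missing, or the rule list is empty with DefaultLevel Unrestricted, no path rules were left behind by the uninstall. Rules under level 0 are the "Disallowed" entries that block execution from the listed folders.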

@d7xTech this may not be the best place to discuss this, however please note that my comments were directed towards the old "freeware" version of CryptoPrevent (version 1.x). I have not kept up with changes to CryptoPrevent over the years, so as you mentioned I am not able to comment on its protection capabilities or features in current versions.

Also, please note that Emsisoft's products for Windows are not rebranded BitDefender products. We develop our own interface and protection technologies, and merely integrate BitDefender's Anti-Virus scan engine to increase detection capabilities. We don't use any of their other technologies.

13 minutes ago, GT500 said:

@d7xTech this may not be the best place to discuss this, however please note that my comments were directed towards the old "freeware" version of CryptoPrevent (version 1.x). I have not kept up with changes to CryptoPrevent over the years, so as you mentioned I am not able to comment on its protection capabilities or features in current versions.

Also, please note that Emsisoft's products for Windows are not rebranded BitDefender products. We develop our own interface and protection technologies, and merely integrate BitDefender's Anti-Virus scan engine to increase detection capabilities. We don't use any of their other technologies.

I believe you're correct about discussion location, however I doubt Bundaburra had referred to CryptoPrevent v1.x from 5 years ago (which I would agree isn't very useful) but rather Bundaburra's comment seemed to refer to the last free edition (v9.1) released only a few weeks ago.  

Also please accept my apologies, I didn't mean to reference "BitDefender" in place of "Emsisoft Anti-Malware" and in fact I wasn't aware that BitDefender A/V was in use by Emsisoft until today, which is how familiar I am with your current offerings as well as theirs!  I am not sure why that stuck in my head as I replied; will edit the previous post right away.


Holy smoke! That was an informative, well stated - and polite - exchange! Well worth the investment of time to read and absorb.

5 hours ago, d7xTech said:

... I doubt Bundaburra had referred to CryptoPrevent v1.x from 5 years ago (which I would agree isn't very useful) but rather Bundaburra's comment seemed to refer to the last free edition (v9.1) released only a few weeks ago.

The last time I had checked Foolish IT's website, the free version of CryptoPrevent was still v1.x, and hadn't been updated since its initial release years before. I was unaware that the free version was now receiving updates along with the premium version.

On 5/16/2018 at 9:24 PM, GT500 said:

The last time I had checked Foolish IT's website, the free version of CryptoPrevent was still v1.x, and hadn't been updated since its initial release years before. I was unaware that the free version was now receiving updates along with the premium version.

It's odd to get that impression; the paid features weren't even introduced until v3, and both versions have always been the exact same download package/URL offered freely on our website, as well as 3rd party mirrors.  No worries though, it's fine, but we thank you again for allowing us to clear this up.

On 5/15/2018 at 7:15 PM, Kevin Zoll said:

Hello,

No, CryptoPrevent is no longer necessary to use. Emsisoft's Behavior Blocker provides protection against Ransomware and will prevent all known Ransomware variants from making changes to a system protected by Emsisoft Anti-Malware.

What about "unknown" Ransomware???   I thought that the job of a Behavior Blocker is to block "unknown" malware.

As long as the malware is known, there is a signature for it and it can be blocked traditionally.


There is no way to test against "unknown" threats.  However, our BB has blocked emerging ransomware threats in the past.  We have rules that cover traditional ransomware behavior, such as monitoring for file encryption and other things.  Much of today's malware does not need a traditional signature; malware behavior is well established at this point and behavioral rules can and do cover much of today's malware.  The idea is to intercept it before it can infect a system; once the system is infected, that is when traditional signatures and definitions come into play.

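Kevin's description of behavioral rules such as "monitoring for file encryption" can be made concrete with a small heuristic: flag a process that, within a short window, overwrites several files with high-entropy data and renames them to a new extension, which is the footprint bulk encryption leaves on disk regardless of which folder the executable runs from. The code below is an added illustration of that idea for this thread, not Emsisoft's Behavior Blocker rules, and the file-write events it runs over are constructed inside the script rather than captured from a real system (the process names, paths and thresholds are all invented for the example).

```python
"""
Toy behavioral heuristic for ransomware-like file activity.

Illustrates the kind of rule a behavior blocker applies; it is not any product's
actual logic. All events below are constructed, not captured from a live system.
"""
import math
import os
import random
from collections import Counter, defaultdict, deque
from dataclasses import dataclass
from typing import Optional


@dataclass
class WriteEvent:
    ts: float                         # seconds since some epoch
    pid: int
    process: str
    path: str                         # file that was overwritten
    data: bytes                       # sample of the bytes written
    renamed_to: Optional[str] = None  # new name if the file was renamed afterwards


def shannon_entropy(data: bytes) -> float:
    """Bits per byte: encrypted or compressed data sits near 8.0, plain text near 4-5."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def extension_changed(path: str, renamed_to: Optional[str]) -> bool:
    """True when the file was renamed to a different extension (e.g. .docx -> .locked)."""
    if renamed_to is None:
        return False
    return os.path.splitext(path)[1].lower() != os.path.splitext(renamed_to)[1].lower()


class RansomwareHeuristic:
    """Alert once per process that overwrites >= min_files distinct files with
    high-entropy data and renames them to a new extension within window_s seconds."""

    def __init__(self, window_s=10.0, min_files=5, entropy_threshold=7.0):
        self.window_s = window_s
        self.min_files = min_files
        self.entropy_threshold = entropy_threshold
        self._recent = defaultdict(deque)   # pid -> deque of (ts, path)
        self._alerted = set()

    def observe(self, ev: WriteEvent) -> Optional[dict]:
        # Both signals are required: ciphertext-like content AND an extension change.
        if shannon_entropy(ev.data) < self.entropy_threshold:
            return None
        if not extension_changed(ev.path, ev.renamed_to):
            return None
        q = self._recent[ev.pid]
        q.append((ev.ts, ev.path))
        while q and ev.ts - q[0][0] > self.window_s:   # drop events outside the window
            q.popleft()
        distinct = {p for _, p in q}
        if len(distinct) >= self.min_files and ev.pid not in self._alerted:
            self._alerted.add(ev.pid)
            return {"pid": ev.pid, "process": ev.process, "files": len(distinct), "ts": ev.ts}
        return None


def _random_bytes(seed: int, n: int = 1024) -> bytes:
    """Deterministic stand-in for ciphertext (constructed, seeded pseudo-random bytes)."""
    rng = random.Random(seed)
    return bytes(rng.getrandbits(8) for _ in range(n))


PLAIN_TEXT = b"Quarterly report: revenue grew while costs stayed flat. " * 20


def sample_events():
    """Constructed event stream: a word processor, a backup archiver, and a
    ransomware-like process that overwrites documents and renames them."""
    events = []
    for i in range(6):   # low-entropy document saves, never renamed: benign
        events.append(WriteEvent(1.0 + i, 100, "winword.exe",
                                 f"C:\\Users\\u\\Docs\\r{i}.docx", PLAIN_TEXT))
    # high-entropy archive written to a new file, no rename: benign despite entropy
    events.append(WriteEvent(2.5, 200, "backup.exe", "D:\\backup\\2018-05.zip", _random_bytes(7)))
    for i in range(6):   # ciphertext overwrite followed by rename to .locked: suspicious
        p = f"C:\\Users\\u\\Docs\\r{i}.docx"
        events.append(WriteEvent(5.0 + i * 0.2, 300, "suspicious.exe", p,
                                 _random_bytes(i), p + ".locked"))
    return sorted(events, key=lambda e: e.ts)


def run_sample():
    """Feed the constructed stream through the heuristic and return the alerts raised."""
    heuristic = RansomwareHeuristic()
    alerts = []
    for ev in sample_events():
        alert = heuristic.observe(ev)
        if alert:
            alerts.append(alert)
    return alerts


if __name__ == "__main__":
    for a in run_sample():
        print(f'ALERT pid={a["pid"]} {a["process"]}: {a["files"]} files encrypted-and-renamed at t={a["ts"]}')
```

Entropy alone would also fire on the archiver, which is why the rule requires the rename signal and a per-process count over a time window before alerting; only the constructed suspicious.exe reaches the threshold, on its fifth file. A real behavior blocker layers more signals on top of this (shadow-copy deletion, known-good publisher checks, write volume), which is also how it can be updated without a signature for each new family, as Kevin describes.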
4 hours ago, d7xTech said:

It's odd to get that impression, the paid features weren't even introduced until v3, and both versions have always been the exact same download package/URL offered freely on our website, as well as 3rd party mirrors.  No worries though it's fine, but we thank you again for allowing us to clear this up.

That does appear to track with what I'm seeing on archive.org, but for some reason that's not what I remember. I'll just assume that I'm not remembering something right, since archive.org is usually fairly reliable. ;)


3 hours ago, andone said:

What about "unknown" Ransomware???   I thought that the job of a Behavior Blocker is to block "unknown" malware.

As long as the malware is known, there is a signature for it and it can be blocked traditionally.

It is very rare for us to find new ransomware that our Behavior Blocker doesn't catch, and if we do we have the capability to update the Behavior Blocker rules whenever we need to without releasing a new program update.


Wow.  I had no idea that I would be stirring up such a hornet's nest.  The only reason I asked the original question was that Foolish IT said that the free version of CP would no longer be receiving updates, and I thought there is nothing more useless than an AV/ransomware detector which is not being updated.  As I already had a paid subscription to Emsisoft Anti-Malware, I did not want another such.  I am happy with the above description of the Behaviour Blocker, and in any case I take regular backups (with the internet disconnected) which could be restored if necessary.

BTW, up until then I had been receiving occasional updates to the CP free version.  The last version I had was 9.1.

On 5/19/2018 at 10:18 PM, Bundaburra said:

... I take regular backups (with the internet disconnected) which could be restored if necessary.

Regular backups are always a great step to protect your data, especially if you store the backups in some way that prevents software running on the computer from having access to them (such as on removable media that you leave disconnected from the computer when you are not using it).


Using CryptoPrevent kills the Shadow Copy subsystem in Windows XP. Restoring VSS functionality after this is impossible by any method found on the Web. When I reported this to the developers, they simply waved me away, making it clear that I was a fool and that it was my problem.

Attempts to protect against ransomware with this program had the following consequences:

1) a huge loss of time on its installation and configuration - both work unbearably slowly;
2) the software installed on the company's computers ceased to be updated;
3) updating any program on one computer takes a lot of time. When there are dozens of computers, each with a dozen programs that need updating, this turns into a sysadmin's nightmare;
4) even removing this program in the normal way turned out to be impossible - it's not software, but some kind of collection of errors!
5) after removing CryptoPrevent, VSS still does not work. The only way out is to reinstall the operating system and software and configure everything again. You know how much time that takes. Now multiply it by the number of computers with Windows XP where I had the imprudence to install CryptoPrevent.

So, dear Bundaburra, by giving up CryptoPrevent you will only save your time and nerves!


4 hours ago, Владислав said:

Using CryptoPrevent kills the Shadow Copy subsystem in Windows XP.

I feel obligated to mention that it is extremely dangerous to use Windows XP, and must caution anyone who does to upgrade to a newer and still-supported Operating System.


It would be nice, but at the time a lot of licenses for Windows XP were purchased, and the company does not want to spend money again on purchasing Windows 10 - it has many other expense items (for example, the purchase of a corporate antivirus).

In addition, the new operating system will require buying new, more modern computers, and this increases the investment several times over. And if you consider that every major Windows 10 update puts its customers in the knee-elbow position, then it would be better to use this OS less often.

In addition, users mostly use their computers as Terminal Server RDP clients, and it's pointless to invest money and the system administrator's time in replacing the operating system on such computers. I generally plan to convert the old Windows XP computers into diskless workstations that boot over the network (see http://syselegance.com/en/products/thinstation/comparefeatures.php).


7 hours ago, Владислав said:

... a lot of licenses for Windows XP were purchased, and the company does not want to spend money for the purchase of Windows 10 again ...

Would the cost of upgrading to a new version of Windows now be more or less than the cost of dealing with security breaches, ransomware, stolen/lost data, bad press, etc.? And if the systems are easily compromised due to holes in the Operating System, won't the company be forced to incur the added expense of not only dealing with the consequences of a major security breach, but also upgrading the systems to make sure it doesn't happen again?


7 hours ago, Владислав said:

And if you consider that every major Windows 10 update puts its customers in the knee-elbow position, then it would be better to use this OS less often.

Windows has what they call update "rings", and the "Critical" ring is sort of like a delayed update feed that updates less frequently. Microsoft has some information about that at the following link:
https://docs.microsoft.com/en-us/windows/deployment/update/waas-deployment-rings-windows-10-updates


8 hours ago, Владислав said:

In addition, users mostly use their computers as Terminal Server RDP clients, and it's pointless to invest money and the system administrator's time in replacing the operating system on such computers. I generally plan to convert the old Windows XP computers into diskless workstations that boot over the network ...

As long as the server is at least Windows Server 2008 R2, then that is a perfectly acceptable option for replacing your old Windows XP systems.

In theory you could also run a minimal Linux, Solaris/Unix, or BSD on the workstation and use one of the Open Source tools on their repositories to connect to the server over RDP.
