June 16th, 2014 12:00

Malwarebytes Anti-Malware free version finds this log on every scan, though it has reported it as quarantined on each occasion?

I updated to the latest version of the Cryptoprevent to 6.0.1 earlier in the day.

My other layered protections are Microsoft Security Essentials,

Sandboxie Browser

ZEMANA AntiLogger Free 1.7.2.370

I just did a scan with the Free Malwarebytes Anti-Malware and found the following:

Something to do with the registry...

Could this have anything to do with my updating to the latest CryptoPrevent earlier in the day?

I re-ran Malwarebytes Anti-Malware a second time (after an hour) and again it found the same items and displayed them as quarantined? Funny that it finds them on my second scan too...


3 Apprentice • 15.3K Posts

June 16th, 2014 14:00

As mentioned in the thread on CryptoPrevent, the FREE version comes in two forms:  

a PORTABLE version, which can be run from any location,

and an INSTALLER version (with a setup program and uninstaller) that installs in the C:\Program Files\Foolish IT\CryptoPrevent directory.

The PORTABLE version, which apparently I'm using (or have manipulated mine to be such) does NOT offer the new real-time FILTER module... the FILTER MODULE is only available via the installed version.

So to test things out, I allowed CryptoPrevent to officially "install" itself on my XP system.   I reactivated its protection.   And then ran MBAM (Hyper Scan) to find the same two "threats" that you did:


But I then went a bit further... I went to the EXPORT LOG drop-down menu, to generate the report as a .TXT file... and here's the key essence of what it showed:

Registry Data: 2


Broken.OpenCommand, HKCR\piffile\shell\open\command, "C:\Program Files\Foolish IT\CryptoPrevent\CryptoPreventFilterMod.exe" *"Good: ("Bad: ("C:\Program Files\Foolish IT\CryptoPrevent\CryptoPreventFilterMod.exe" *"%1" %*),,[ffffffffffffffffffffffffffffffff]" %*)" %*, %4, %5


Broken.OpenCommand, HKCR\scrfile\shell\open\command, "C:\Program Files\Foolish IT\CryptoPrevent\CryptoPreventFilterMod.exe" "Good: ("Bad: ("C:\Program Files\Foolish IT\CryptoPrevent\CryptoPreventFilterMod.exe" "%1" %*),,[ffffffffffffffffffffffffffffffff]" /S)" %*, %4, %5


It's now obvious that these "threats" are clearly pointing to the new CryptoPrevent Filter Module!!

So what can you do?  There are several options available to you:

1) Having established that these are indeed generated by CryptoPrevent, you can heed its author's advice, and safely tell MBAM to ignore these (as being F/P's).    This will allow CryptoPrevent's FILTER module to continue its real-time scanning.   [You probably will also have to remove the entries from MBAM's quarantine, placing them back (restoring them) in your registry].     OR:


2)  You can open CryptoPrevent to its main screen, and then, on the right-hand side, UNcheck the boxes that "Apply suspicious program filtering" for .SCR files and "Apply constant program filtering" for .PIF files.  While you're at it, might as well also UNcheck the box for .CPL files, even though it didn't show up in this particular scan.   And APPLY (your revised) protection.   This will basically "neutralize" much of CryptoPrevent's FILTER module... it will still be running, but probably never find anything.   OR:

3)  You can [temporarily] UNDO all of CryptoPrevent's protection.   Completely UNinstall the program.   Then download the PORTABLE version and run it.   This will give you a version of CryptoPrevent, withOUT the FILTER module, which essentially will behave like the earlier version(s) of CryptoPrevent.

Note:   While (2) might technically be an option, it really serves no point to have a "neutralized" FILTER module around... so I'd say you should choose between options (1) and (3).   It's your choice.

2 Intern • 1.1K Posts

June 16th, 2014 13:00

Hi ky331,

I think what you've said is happening.

However, on my first scan (Malwarebytes Anti-Malware) I did not run it with administrator rights, and after posting my question here I went ahead and did a second scan (Malwarebytes Anti-Malware) as Administrator and noted the above observation.

Now, on my third scan, it has not found the same...

 

Regards

3 Apprentice • 15.3K Posts

June 16th, 2014 13:00

Snow,

As I posted elsewhere (in the CryptoPrevent thread), version 6.x introduced a new FILTER MODULE which runs in real time:


"If you have the Filter Module enabled in v6 and above, your anti-malware software may report several false positives related to CryptoPrevent's [restriction of policy] settings.

Specifically, these registry keys may be detected as 'modified' or 'hijacked', and the value data will point to the CryptoPreventFilterMod.exe file in your installation directory.

  • scrfile\shell\open\command    <==================  
  • cplfile\shell\open\command
  • piffile\shell\open\command     <==================  

If using the experimental EXE/COM filter, you can also expect to see these keys:

  • exefile\shell\open\command
  • comfile\shell\open\command

And any key above may also have "runas" where "open" is, and affected values may include "(Default)" and "IsolatedCommand".

If these fit the category of your anti-malware detection, then they are definitely CryptoPrevent’s settings, and it is safe to tell your anti-malware software to ignore them and/or whitelist them.

--------------------

So the two entries that MBAM found are definitely consistent with the information above... see the two lines where I have placed the long arrows  <==============

-------------------

I did not enable the real-time FILTER MODULE.   Let me see if I can run some more tests, to clarify this definitively...
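A small triage script, added here as an example for this thread (it is not code from Malwarebytes, from Foolish IT, or from any poster), that applies ky331's reasoning mechanically: it parses "Registry Data" lines in the format of the MBAM .TXT export quoted in this thread and, for each one, checks whether the key is one the CryptoPrevent author lists (scr/cpl/pif, plus exe/com for the experimental filter, with the "open" or "runas" verb and the optional IsolatedCommand value) and whether the value actually launches CryptoPreventFilterMod.exe in the default install directory named in the thread. The first two input lines are the ones from the export above; the third is a constructed line whose command points outside the CryptoPrevent directory, the case that should be looked at rather than excluded. The verdict names and the rule that a mismatching path warrants investigation are my own assumptions, not vendor guidance.

```python
"""Triage helper for MBAM "Broken.OpenCommand" registry detections.

Added example for this thread (not code from Malwarebytes or Foolish IT):
it parses 'Registry Data' lines from an MBAM .TXT export and checks each
one against the CryptoPrevent author's description of what the Filter
Module changes, so a reader can tell "expected CryptoPrevent setting"
from "open\\command points somewhere else, look closer".
"""
import re
from dataclasses import dataclass

# Keys the CryptoPrevent author lists as rewritten by the Filter Module
# (scr/cpl/pif always, exe/com with the experimental filter), including the
# "runas" verb variant and the IsolatedCommand value named in the same quote.
FILTER_MOD_KEY = re.compile(
    r"^HKCR\\(?P<ftype>scrfile|cplfile|piffile|exefile|comfile)"
    r"\\shell\\(?P<verb>open|runas)\\command(\\IsolatedCommand)?$",
    re.IGNORECASE,
)

# Default directory of the INSTALLER version, as quoted in the thread.
EXPECTED_EXE = r"C:\Program Files\Foolish IT\CryptoPrevent\CryptoPreventFilterMod.exe"


@dataclass
class Detection:
    name: str      # MBAM detection name, e.g. Broken.OpenCommand
    key: str       # registry key as MBAM reports it
    exe: str       # executable the command value actually launches
    verdict: str   # cryptoprevent-filter-module | investigate-hijack | unrelated


def parse_mbam_line(line):
    """Split one 'Registry Data' line into (name, key, value data).

    The value data itself contains commas (MBAM appends ', %4, %5'),
    so only the first two ', ' separators are honoured.
    """
    parts = line.strip().split(", ", 2)
    if len(parts) != 3:
        raise ValueError(f"unexpected MBAM log line: {line!r}")
    return parts[0], parts[1], parts[2]


def first_executable(data):
    """Return the program at the front of a shell\\open\\command value.

    A leading quoted path wins; otherwise the first whitespace token is used.
    """
    m = re.match(r'\s*"([^"]+)"', data)
    return m.group(1) if m else data.split(None, 1)[0]


def triage(line):
    """Classify one MBAM line using the vendor's own criteria (verdict names are mine)."""
    name, key, data = parse_mbam_line(line)
    exe = first_executable(data)
    key_listed = FILTER_MOD_KEY.match(key) is not None
    exe_is_filter_mod = exe.lower() == EXPECTED_EXE.lower()
    if key_listed and exe_is_filter_mod:
        verdict = "cryptoprevent-filter-module"   # fits the author's F/P description
    elif key_listed:
        verdict = "investigate-hijack"             # listed key, but launches something else
    else:
        verdict = "unrelated"
    return Detection(name, key, exe, verdict)


def triage_all(lines):
    return [triage(line) for line in lines]


# Inputs: the two lines from the MBAM export quoted in this thread, plus one
# CONSTRUCTED line whose command points outside the CryptoPrevent directory.
SAMPLE_LOG = [
    r'''Broken.OpenCommand, HKCR\piffile\shell\open\command, "C:\Program Files\Foolish IT\CryptoPrevent\CryptoPreventFilterMod.exe" *"Good: ("Bad: ("C:\Program Files\Foolish IT\CryptoPrevent\CryptoPreventFilterMod.exe" *"%1" %*),,[ffffffffffffffffffffffffffffffff]" %*)" %*, %4, %5''',
    r'''Broken.OpenCommand, HKCR\scrfile\shell\open\command, "C:\Program Files\Foolish IT\CryptoPrevent\CryptoPreventFilterMod.exe" "Good: ("Bad: ("C:\Program Files\Foolish IT\CryptoPrevent\CryptoPreventFilterMod.exe" "%1" %*),,[ffffffffffffffffffffffffffffffff]" /S)" %*, %4, %5''',
    r'''Broken.OpenCommand, HKCR\exefile\shell\open\command, "C:\Users\Public\constructed-example.exe" "%1" %*''',
]


if __name__ == "__main__":
    for d in triage_all(SAMPLE_LOG):
        print(f"{d.verdict:28} {d.key:40} -> {d.exe}")
```

The deciding criterion is the path at the front of the command value, exactly as the author's quote says ("the value data will point to the CryptoPreventFilterMod.exe file in your installation directory"): a listed key that launches anything else is the hijack MBAM is designed to catch and should not be added as an exclusion. If CryptoPrevent was installed somewhere other than the default directory, EXPECTED_EXE has to be adjusted to match.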

2 Intern • 1.1K Posts

June 17th, 2014 01:00

Hello ky331,

Thank you for your time and effort in verifying your initial suspicion.

1) Having established that these are indeed generated by CryptoPrevent, you can heed its author's advice, and safely tell MBAM to ignore these (as being F/P's).    This will allow CryptoPrevent's FILTER module to continue its real-time scanning.   [You probably will also have to remove the entries from MBAM's quarantine, placing them back (restoring them) in your registry]. 

I would wish for choice one:

I know how to remove the entries from MBAM's quarantine, placing them back (restoring them) in my registry.

However, how do I tell MBAM to ignore these? Is this possible in the Free version of MBAM?

I do see in MBAM -> Settings -> Malware Exclusions -> "Add files and folders which will be excluded from detection as malware. All sub files and folders will also be excluded for each folder added." Here I have choices for Add File, Add Folder, Remove.

I do not know how to locate the file or folder though!

 

Regards

 

3 Apprentice • 15.3K Posts

June 17th, 2014 06:00

Good observation (looking under Malware Exclusions), and good question... the problem is that you want to exclude Registry Entries [which are neither "files" nor "folders"].

As I understand things, you've successfully restored the two entries back into your registry.

Run the scan again.   When the results appear, the default ACTION suggested is [probably] to quarantine.   Instead, use the drop-down ACTION menu to select ADD EXCLUSION.   Then click on APPLY ACTIONS.

If you then look under Settings, Malware Exclusions (as you surmised), you should now see the entries listed there.   Which means that they should no longer be detected in future scans.

 

2 Intern • 2.2K Posts

June 17th, 2014 08:00

Same story here. Once I saw the results of the hyper scan, I cancelled out without doing anything, and came directly here. I then ran the scan again and let it add the exclusions for the two items per David's suggestion and ran the scan again, which was normal.

 

2 Intern • 1.1K Posts

June 17th, 2014 11:00

Thank you, that has done the trick.

Regards
