CryptoPrevent, ShadowExplorer, and VSSADMIN
ShadowExplorer (www.shadowexplorer.com) is an excellent application which I’ve used as a PC Technician many times in the past. It gives you a graphical interface for browsing and restoring files from “Volume Shadow Copies”: point-in-time snapshots of a volume that Windows creates (for System Restore, among other things) and that are otherwise managed from the command line with the rather unfriendly VSSADMIN.EXE, a built-in Windows component. These snapshots are backups of a sort, and the Volume Shadow Copy service in Windows is indeed what many backup products use to take consistent copies of files that are in use.
ShadowExplorer is especially useful after a ransomware infection because it makes finding earlier copies of files a matter of a few clicks: you pick a snapshot by date, browse it like a normal drive, and export the files you need. In other words, if a snapshot was taken before CryptoLocker or similar ransomware ran, this program gives you a chance to find and restore an unencrypted version of your important files.
CryptoPrevent, on the other hand, seeks to block the malware that does the encrypting in the first place, but it ALSO blocks VSSADMIN.EXE from running. Ransomware routinely uses that file to DELETE the Volume Shadow Copies of your files (typically with a command such as vssadmin delete shadows /all /quiet), which makes it impossible for programs like ShadowExplorer to retrieve any good copies and leaves you with nothing but the encrypted files. Blocking the executable takes that step away from the malware.
Because the majority of ransomware does exactly this, in our opinion it is ESSENTIAL to block VSSADMIN.EXE unless a particular piece of backup software genuinely needs it. Most backup products talk to the Volume Shadow Copy service directly rather than by launching VSSADMIN.EXE, so the block usually does not affect them, but some backup scripts and utilities do call it, and unfortunately we don’t have a list. The practical rule is simple: TEST your backups with VSSADMIN.EXE blocked by CryptoPrevent. If the backup completes and a test restore works, you’re fine. If the backup fails, disable CryptoPrevent’s protection of VSSADMIN.EXE.
Blocking VSSADMIN.EXE with CryptoPrevent can obviously interfere with ShadowExplorer as well. With this post I want to explain the situation and show you how to configure CryptoPrevent so that ShadowExplorer keeps working, should you need it; which steps are required depends on which edition of ShadowExplorer you use, as described below.
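The test described above can be done from an elevated PowerShell prompt without touching CryptoPrevent’s settings. The script below is an added example and is not code from the original post, from CryptoPrevent or from ShadowExplorer. It does three things: it lists the existing shadow copies through the Win32_ShadowCopy CIM class (which does not launch VSSADMIN.EXE, so it works while the block is active), it reports whether VSSADMIN.EXE can currently be started at all, and it pulls a single file out of the newest snapshot taken before a date you give, which is the same recovery ShadowExplorer performs through its GUI. The function names, the temporary link path C:\ShadowCopyView and the sample file path are this example’s own assumptions.

```powershell
#Requires -RunAsAdministrator
# Added example, not code from the original post, CryptoPrevent or ShadowExplorer.
# Assumptions: Windows with PowerShell 5.1 or later, run elevated; C:\ShadowCopyView is a
# free path used for a temporary directory symbolic link; the -Destination folder exists.

function Get-ShadowCopySummary {
    # Win32_ShadowCopy is the CIM class behind 'vssadmin list shadows'. Querying it does NOT
    # launch vssadmin.exe, so it still works while CryptoPrevent blocks that file.
    Get-CimInstance -ClassName Win32_ShadowCopy | ForEach-Object {
        [pscustomobject]@{
            Id           = $_.ID
            Created      = $_.InstallDate      # Get-CimInstance returns a [datetime] here
            VolumeName   = $_.VolumeName       # \\?\Volume{GUID}\
            DeviceObject = $_.DeviceObject     # \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopyN
        }
    }
}

function Test-VssadminBlocked {
    # $true if vssadmin.exe cannot be started at all, which is the state CryptoPrevent's
    # protection produces. Only the harmless 'list shadows' sub-command is attempted.
    try {
        $null = Start-Process -FilePath "$env:SystemRoot\System32\vssadmin.exe" `
                              -ArgumentList 'list shadows' -NoNewWindow -Wait -PassThru -ErrorAction Stop
        return $false
    } catch {
        Write-Verbose "vssadmin.exe did not start: $($_.Exception.Message)"
        return $true
    }
}

function Restore-FromShadowCopy {
    param(
        [Parameter(Mandatory)][string]$RelativePath,      # relative to the volume root, e.g. 'Users\alice\Documents\report.docx'
        [Parameter(Mandatory)][string]$Destination,       # where the recovered copy is written
        [string]$DriveLetter = 'C:',
        [datetime]$CreatedBefore = [datetime]::MaxValue,  # ignore snapshots taken after the infection started
        [string]$LinkPath = 'C:\ShadowCopyView'           # assumed free; used for a temporary directory link
    )
    if (Test-Path -LiteralPath $LinkPath) { throw "$LinkPath already exists; pass another -LinkPath" }

    # Win32_Volume.DeviceID and Win32_ShadowCopy.VolumeName share the \\?\Volume{GUID}\ form.
    $volumeId = (Get-CimInstance -ClassName Win32_Volume |
                 Where-Object { $_.DriveLetter -eq $DriveLetter }).DeviceID
    $shadows  = Get-CimInstance -ClassName Win32_ShadowCopy |
                Where-Object { $_.VolumeName -eq $volumeId -and $_.InstallDate -lt $CreatedBefore } |
                Sort-Object InstallDate -Descending       # newest usable snapshot first

    foreach ($s in $shadows) {
        # A directory symbolic link is the standard way to browse a snapshot by path;
        # the trailing backslash on the target is required.
        cmd.exe /c mklink /d $LinkPath "$($s.DeviceObject)\" | Out-Null
        try {
            $candidate = Join-Path -Path $LinkPath -ChildPath $RelativePath
            if (Test-Path -LiteralPath $candidate) {
                Copy-Item -LiteralPath $candidate -Destination $Destination
                return [pscustomobject]@{ ShadowCopyId = $s.ID; Created = $s.InstallDate; Restored = $Destination }
            }
        } finally {
            cmd.exe /c rmdir $LinkPath | Out-Null   # rmdir removes the link only, never the snapshot
        }
    }
    return $null   # no snapshot taken before $CreatedBefore contains that file
}

# --- usage (elevated prompt) ---
"vssadmin.exe blocked: $(Test-VssadminBlocked)"
Get-ShadowCopySummary | Format-Table -AutoSize
# Restore-FromShadowCopy -RelativePath 'Users\alice\Documents\report.docx' `
#                        -Destination 'C:\Recovered\report.docx' -CreatedBefore '2013-10-20 08:00'
```

Two points worth checking when you use this. First, if Get-ShadowCopySummary returns nothing on a machine that is supposed to keep snapshots, the shadow copies are already gone and neither ShadowExplorer nor this script can help, which is exactly the situation the VSSADMIN.EXE block is meant to prevent. Second, a snapshot taken after the ransomware ran contains the encrypted files too, so always pass -CreatedBefore with a time from before the first encrypted file appeared rather than blindly taking the newest snapshot.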
ShadowExplorer (full installation)
For the installed version of ShadowExplorer, CryptoPrevent will allow ShadowExplorer to operate normally even with the block on VSSADMIN.EXE in place. For this to work, however, you CANNOT be using the BETA protection. See the screenshot for the proper settings:
ShadowExplorer (portable edition)
For the portable edition of ShadowExplorer, you must also unblock VSSADMIN.EXE: open the Advanced menu in CryptoPrevent, uncheck the VSSADMIN.EXE option, and re-apply protection. See the screenshots below for the steps:
A note on the PC Restart requirement:
After applying new protection settings, CryptoPrevent will always prompt you to restart the PC. The majority of the time this is NOT necessary, but we prompt you 100% of the time to ENSURE the settings take effect properly. When you are trying to allow a program like ShadowExplorer to run, it is perfectly fine to try the previously blocked app right after changing the protection settings, without restarting the PC; this usually works right away and may save you a few minutes. When you are intentionally LOWERING your protection to use a particular app, skipping the restart can’t hurt. Just keep in mind that we strictly recommend the restart when applying NEW or higher-level protections (as opposed to removing them), because we want the protections you think you have applied to actually be in effect.
Special thanks to Patrick from www.shadowexplorer.com, for the awesome app, and for pointing out the need to post this for users of both of our software.