CryptoPrevent Portable Edition (v7.x only!)
A “portable” application is one that needs no installation process to run and no uninstallation process to remove. You can run the program from any location; its files (and in some cases its settings) stay in the folder you put them in, so you can move them around for organizational purposes and simply delete the files when you are finished, since there is nothing to uninstall.
Portable applications are used mostly by computer repair technicians, system administrators, and IT providers for automation / scripting purposes. If you don’t fit in that category, please download the standard (installer) version here.
CryptoPrevent Portable only creates Windows policies (the portable edition does not support the real-time Filter Module introduced in v6). Because of this, it can be run on any system (remotely, from a network share, etc.) without ever being copied to the local system.
Automation / Scripting
Run by itself, CryptoPrevent displays a user interface, but command line parameters (supported since v1.1) allow optionally silent automation. The accepted command line parameters are:
NOTE: command line parameters and syntax have changed in v6+. Most importantly, the /apply switch no longer applies all default protections; each protection must now be specified individually.
- /apply – this option applies the settings specified by additional command switches.
- /silent – forces silent operation.
- /reboot – executes a forced mandatory reboot after applying protection silently.
- /undo – removes all protection policies (but not whitelist policies or the disable-Sidebar policy); can be combined with /silent.
- /undoall – removes all protection policies AND any whitelist policies defined (except the disable-Sidebar policy; /enablesidebar must also be specified to remove that one.)
- /nogpupdate – skip the group policy update after modifications are made.
Location based protection switches:
- /appdata – %appdata%
- /appdatadeep – %appdata%\* (covers any first-level subdirectories of %appdata%)
- /appdatalocal – %localappdata%
- /localappdatadeep – protect subdirectories of %localappdata% (also blocks %temp% as a consequence; not recommended)
- /programdata – %programdata%
- /userprofile – %userprofile%
- /startup – Startup Folder (in the Start Menu)
- /bin – Recycle Bin
- /fakeexts – Fake file extension executables and RLO exploit protection.
- /tempexes – Temp Extracted Executables block. (NOT recommended – may interfere with some app installations!)
- /known – Blocks several known malware processes in certain locations.
Individual file execution prevention switches:
- /bcdedit – bcdedit.exe (NOT recommended – may interfere with backup apps)
- /syskey – syskey.exe
- /cipher – cipher.exe
- /vssadmin – vssadmin.exe (Prevents Crypto malware from deleting shadow copies/previous versions of files after encryption.)
Misc protection switches:
- /disablesidebar – Creates a policy to disable the Windows Sidebar and Gadgets in Vista+ (recommended practice, by Microsoft themselves.)
- /enablesidebar – Removes the disable policy on the Windows Sidebar and Gadgets. This switch is necessary as /undo or /undoall do not perform this function!
Filter Module switches: (Note these have no effect on the portable version as the program must be installed for the filter module to function properly.)
- /fc=[ext] – where [ext] = a file extension (CPL, SCR, or PIF) enables CONSTANT filter module protection for that file type.
- /fs=[ext] – where [ext] = a file extension (CPL, SCR, or PIF) enables SUSPICIOUS filter module protection for that file type.
- /exefilter – Enables new Program Filtering (BETA) for EXE/COM files.
Whitelist switches:
- /whitelist – whitelist all EXEs currently located in %appdata% / %localappdata% and their first-level subdirectories. Note that this trusts whatever executables are already present, so review those folders before using it on a system that may already be compromised.
- /w=[path\filename.exe] – whitelist a specific file in %appdata% or %localappdata%.
- The path/filename may not contain wildcards.
- If no path is specified (e.g. /w=foo.exe) then both %appdata%\foo.exe and %localappdata%\foo.exe will be whitelisted.
- If a path is specified it should be only one first-level subdirectory below %appdata% or %localappdata% (e.g. /w=Foo\Bar.exe), which will whitelist both %appdata%\Foo\Bar.exe and %localappdata%\Foo\Bar.exe.
- /p=[filename.exe] – whitelist a specific file in %programdata%
- /u=[filename.exe] – whitelist a specific file in the %userprofile%
- /s=[filename.exe] – whitelist a specific file in the Start menu > Startup folder
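Before relying on a blanket /whitelist, it is worth seeing exactly which executables it would trust. The following PowerShell script is an added example (not part of CryptoPrevent or any Foolish IT tooling); it enumerates the same set the switch covers according to the description above (every .exe directly in %appdata% and %localappdata% and in their first-level subdirectories), reports the Authenticode signer and SHA-256 of each, and prints the equivalent /w= entry so you can whitelist only the files you recognise. The function name and output field names are this example's own choices.

```powershell
# Added example: preview what CryptoPrevent's /whitelist switch would trust.
# Not part of CryptoPrevent; the function and field names are assumptions of this example.
function Get-CryptoPreventWhitelistCandidates {
    foreach ($root in @($env:APPDATA, $env:LOCALAPPDATA)) {
        # The root folder itself plus its first-level subdirectories, matching the
        # scope the /whitelist switch is documented to cover.
        $dirs = @(Get-Item -Path $root) +
                @(Get-ChildItem -Path $root -Directory -ErrorAction SilentlyContinue)
        foreach ($dir in $dirs) {
            Get-ChildItem -Path $dir.FullName -Filter '*.exe' -File -ErrorAction SilentlyContinue |
                ForEach-Object {
                    $sig = Get-AuthenticodeSignature -FilePath $_.FullName
                    [pscustomobject]@{
                        Path      = $_.FullName
                        # Relative form the /w= switch takes (at most one subdirectory deep);
                        # the same entry covers both the %appdata% and %localappdata% copy.
                        WSwitch   = '/w=' + $_.FullName.Substring($root.Length + 1)
                        Signer    = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '(unsigned)' }
                        SigStatus = $sig.Status
                        Sha256    = (Get-FileHash -Path $_.FullName -Algorithm SHA256).Hash
                    }
                }
        }
    }
}

# Review everything the blanket switch would whitelist:
Get-CryptoPreventWhitelistCandidates |
    Sort-Object Path |
    Format-Table Path, Signer, SigStatus, Sha256 -AutoSize

# Build explicit /w= entries for validly signed files only, to use instead of /whitelist:
$explicit = Get-CryptoPreventWhitelistCandidates |
    Where-Object { $_.SigStatus -eq 'Valid' } |
    Select-Object -ExpandProperty WSwitch -Unique
Write-Host ('CryptoPrevent.exe /apply /appdata /appdatadeep /silent ' + ($explicit -join ' '))
```

Unsigned or HashMismatch entries deserve a manual look (hash lookup against your own inventory) before they are whitelisted; anything you cannot account for is better left blocked than whitelisted by default.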
Premium version switches:
- /b=[custom block policy rule] – (Premium version only, see this thread for syntax and examples.)
- /a=[custom allow policy rule] – (Premium version only, full path/filename required, no wildcards!!)
These parameters may be used in almost any logical combination, e.g.
- CryptoPrevent.exe /whitelist /reboot
- CryptoPrevent.exe /undoall /silent
- CryptoPrevent.exe /apply /appdata /appdatadeep /silent /whitelist /w=FooBar.exe /w=FooBar2.exe
Apply default protections and whitelist existing items, no reboot:
- CryptoPrevent.exe /apply /appdata /appdatadeep /appdatalocal /programdata /userprofile /startup /bin /syskey /cipher /vssadmin /fakeexts /whitelist
IMPORTANT NOTE: If you are pushing out CryptoPrevent.exe through Labtech’s RMM tool, the /whitelist parameter may not work as intended. You must use the ‘Process Execute as Admin’ or ‘Shell as Admin’ option to deploy properly. Deployment under the local system account via Kaseya is confirmed to work properly. I do not have any feedback on other RMM deployment tools or methods.
The portable download also includes a console application that tests whether protection is in place. It is designed to be scripted and is well suited to RMM software (with the caveat in the note below). When the protection test succeeds, it prints “Prevention Successfully Applied!” to the console and exits with errorlevel 0. If unsuccessful, it exits with errorlevel 1 and prints “Prevention Not Applied or Unsuccessful!”
NOTE: This test will always report unsuccessful when run from the local system account, which many RMM tools use by default. It must be run from a standard user or admin account to test properly, because the local system account is NOT restricted by the policies CryptoPrevent sets. Labtech users may still see inaccurate output from this app.
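The scripted deployment the switches and test app are meant for, written out as an added PowerShell example (not part of CryptoPrevent or Foolish IT's own tooling). It applies the default protection set from the example above straight from a share, verifies with the bundled test app, and only then reboots. Assumptions not taken from this page: the share path in $CryptoPrevent is made up; the test app's file name is not given here, so it is passed in as $TestExe; CryptoPrevent.exe's own exit code is not documented, so only the test app's 0/1 result is treated as authoritative. The script refuses to run as LocalSystem, since the test app cannot see the policies from that account, and it prefers explicit /w= entries over a blanket /whitelist (available via -WhitelistAll if you have reviewed the folders).

```powershell
# Added deployment/verification example; not part of CryptoPrevent or Foolish IT's tooling.
# Assumptions: $CryptoPrevent is an invented share path; $TestExe is the protection-test
# console app from the portable download (file name not given on this page, so pass it in);
# CryptoPrevent.exe's exit code is undocumented here and is reported for information only.
param(
    [string]$CryptoPrevent = '\\fileserver\tools\CryptoPrevent\CryptoPrevent.exe',  # assumed path
    [Parameter(Mandatory = $true)][string]$TestExe,  # bundled test console app (name assumed unknown)
    [string[]]$Whitelist = @(),   # extra /w= entries, e.g. 'Foo\Bar.exe' (at most one subdirectory deep)
    [switch]$WhitelistAll,        # pass /whitelist: trusts every EXE already present, review first
    [switch]$Reboot               # reboot only after the verification passes
)

$identity  = [System.Security.Principal.WindowsIdentity]::GetCurrent()
$principal = New-Object System.Security.Principal.WindowsPrincipal($identity)

# LocalSystem is not restricted by the policies, so the test app always reports failure
# from SYSTEM (see the note above). Refuse rather than produce a false negative.
if ($identity.IsSystem) {
    Write-Warning 'Run from a standard or admin user session, not LocalSystem: the test cannot see the policies from SYSTEM.'
    exit 2
}
# Writing machine policies needs an elevated session.
if (-not $principal.IsInRole([System.Security.Principal.WindowsBuiltInRole]::Administrator)) {
    Write-Warning 'Applying policies requires an elevated (administrator) session.'
    exit 2
}

# Default protection set, as in the "Apply default protections" command line above.
$protections = @('/appdata', '/appdatadeep', '/appdatalocal', '/programdata', '/userprofile',
                 '/startup', '/bin', '/syskey', '/cipher', '/vssadmin', '/fakeexts')

$cpArgs = @('/apply') + $protections + @('/silent')
foreach ($w in $Whitelist) { $cpArgs += "/w=$w" }
if ($WhitelistAll) { $cpArgs += '/whitelist' }
# /reboot is deliberately not passed: verify first, then reboot below.

Write-Host "Applying: $CryptoPrevent $($cpArgs -join ' ')"
$apply = Start-Process -FilePath $CryptoPrevent -ArgumentList $cpArgs -Wait -PassThru -NoNewWindow
Write-Host "CryptoPrevent.exe exited with code $($apply.ExitCode) (undocumented; informational only)"

# Verify with the bundled test app: 0 = applied, 1 = not applied (as documented above).
$test = Start-Process -FilePath $TestExe -Wait -PassThru -NoNewWindow
switch ($test.ExitCode) {
    0       { Write-Host 'Verification passed: Prevention Successfully Applied!' }
    1       { Write-Warning 'Verification failed: Prevention Not Applied or Unsuccessful!'; exit 1 }
    default { Write-Warning "Unexpected exit code $($test.ExitCode) from the test app"; exit 1 }
}

if ($Reboot) {
    Write-Host 'Verification passed; rebooting to complete deployment.'
    Restart-Computer -Force
}
exit 0
```

Run it from an RMM action that executes as an administrator user rather than as the agent's SYSTEM account, for example: `powershell.exe -ExecutionPolicy Bypass -File Deploy-CryptoPrevent.ps1 -TestExe '\\fileserver\tools\CryptoPrevent\<test app>.exe' -Whitelist 'Foo\Bar.exe' -Reboot`. The script's own exit code (0 ok, 1 verification failed, 2 wrong account context) is what the RMM job should key on.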
NOTE: The portable edition does NOT include the Filter Module introduced in v6; you must get the standard (installer) version to use that.