With the recent havoc caused by the nasty new CryptoLocker malware, a computer technician who runs FoolishIT noticed that antivirus products are simply not doing enough to stop booby-trapped ZIP attachments, and decided to do something about it by creating CryptoPrevent.
While this utility was designed to prevent infection by CryptoLocker, it can also stop the vast majority of malware from infecting a PC, even if the booby-trapped ZIP file has already been extracted. It works by preventing malware from hiding itself in the various hidden directories that a normal non-admin user has write access to, such as the AppData paths and the Recycle Bin.
In its ‘Maximum protection’ mode, it prevents executables (including .SCR, .COM and .PIF extensions) from launching inside a ZIP file, whether attached or downloaded.
As a test, I sent myself two e-mails: one with ‘Autoruns.exe’ inside a ZIP file and the other with a modified ‘Robocopy.exe’ to simulate an infected legitimate application. With the Robocopy executable, I used a binary file editor to change the word ‘Files’ to ‘files’ where I came across some plain text inside. This should trigger any antivirus product that does checksum (e.g. SHA1) tests against a whitelist, like IE10’s SmartScreen technology.
One PC with Windows 7 has Avast Internet Security 2014 and the other PC with Windows 8.1 is running AVG Business Edition 2013. After a minute, I received both e-mails in my Inbox on the two PCs and neither virus checker reported anything unusual.
Before using CryptoPrevent, I tried opening the ZIP file and launching the EXE file inside. On my Windows 7 PC with Avast, I had no problem launching both executable files. On my Windows 8 PC with AVG, the Autoruns file launched (as shown earlier in the first post above), but the modified Robocopy.exe file threw up a Windows 8 SmartScreen warning:
To start with, it looks like Windows 8 already does a pretty good job of blocking dodgy executable files, at least this slightly modified file anyway.
I then gave the free portable version of CryptoPrevent a try with its Maximum setting on both PCs, which is where I tick the following field to block temporarily extracted executable files:
I rebooted both PCs and everything seemed fine, so I then tried opening the two e-mails I sent myself and launching the executable file inside. Not this time:
So far the only problem I have run into is that some self-extracting software will not launch, giving a group policy warning. The following is what happened when I tried running the AVG setup file:
For an advanced user, i.e. one who knows not to open executable files they find in ZIP attachments claiming to be from DHL, Amazon, etc., the “Block temporarily extracted files” setting can remain unchecked, but for novice PC users, especially those who regularly call for help to install new software, updates, etc. anyway, this setting should remain checked.
Should this group policy issue occur with a legitimate installer, it’s just a matter of launching CryptoPrevent and unchecking that setting, then installing the affected software and finally running CryptoPrevent again to re-enable the setting. This takes just a few seconds and is no more hassle than unlocking a boiler room door to let a plumber service it.
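To make the behaviour described above concrete, here is a small model of a deny-by-location executable policy: it blocks launches from the user-writable AppData and Recycle Bin paths, adds the Temp folders where a ZIP’s contents get unpacked when the “Block temporarily extracted files” setting is on, and shows why a self-extracting installer trips it and how a temporary exception lets it through. This is an added example written for this post, not CryptoPrevent’s own rule set or code; the user profile path, the exact glob patterns and the `Rar$*`/`7z*` folder names are assumptions (only the `Temp1_<name>.zip` folder is Explorer’s real naming for files opened from inside a ZIP).

```python
"""Toy model of a deny-by-location executable policy of the kind the post
describes. Illustrative code only; the rule set is an assumption, not
CryptoPrevent's actual configuration."""
import ntpath
import re
from dataclasses import dataclass, field

# Constructed environment for one Windows user profile (assumption).
ENV = {
    "APPDATA": r"C:\Users\alice\AppData\Roaming",
    "LOCALAPPDATA": r"C:\Users\alice\AppData\Local",
    "TEMP": r"C:\Users\alice\AppData\Local\Temp",
}

# Extensions the post says 'Maximum protection' treats as executables.
EXEC_EXTS = (".exe", ".scr", ".com", ".pif")

# User-writable locations from which no executable should launch. A lone '*'
# matches one path component, so these cover the folder and one subfolder;
# deeper trees are deliberately left alone to limit false positives.
BASE_RULES = (
    r"%APPDATA%\*{ext}",
    r"%APPDATA%\*\*{ext}",
    r"%LOCALAPPDATA%\*{ext}",
    r"%LOCALAPPDATA%\*\*{ext}",
    r"C:\$Recycle.Bin\*\*{ext}",
)

# Added by the 'Block temporarily extracted files' setting. Temp1_<name>.zip is
# where Explorer unpacks a file double-clicked inside a ZIP; the other two folder
# names are assumptions standing in for self-extracting archivers.
TEMP_EXTRACT_RULES = (
    r"%TEMP%\Temp1_*.zip\*{ext}",
    r"%TEMP%\Rar$*\*{ext}",
    r"%TEMP%\7z*\*{ext}",
)


def normalize(path):
    """Resolve '.' and '..' and lower-case, since NTFS paths are case-insensitive."""
    return ntpath.normpath(path).lower()


def rule_to_regex(rule):
    """Expand %VAR% placeholders, then turn the path glob into an anchored regex."""
    for var, value in ENV.items():
        rule = rule.replace(f"%{var}%", value)
    parts = re.split(r"(\*)", normalize(rule))
    body = "".join(r"[^\\]*" if p == "*" else re.escape(p) for p in parts)
    return re.compile(f"^{body}$")


@dataclass
class Policy:
    block_temp_extracted: bool = True
    # Paths temporarily allowed, e.g. a legitimate installer (the post's workaround).
    exceptions: set = field(default_factory=set)

    def __post_init__(self):
        templates = BASE_RULES + (TEMP_EXTRACT_RULES if self.block_temp_extracted else ())
        self.rules = [(t.format(ext=e), rule_to_regex(t.format(ext=e)))
                      for t in templates for e in EXEC_EXTS]
        self.exceptions = {normalize(p) for p in self.exceptions}


def decide(policy, path):
    """Return ('allow' | 'deny', reason) for an attempted launch of `path`."""
    target = normalize(path)
    if target in policy.exceptions:
        return "allow", "explicit exception"
    for text, regex in policy.rules:
        if regex.match(target):
            return "deny", text
    return "allow", "no rule matched"


if __name__ == "__main__":
    # Constructed launch attempts mirroring the post: a tool run from inside a ZIP,
    # the same tool saved to Downloads, malware dropped under AppData, and a
    # self-extracting installer unpacking into Temp.
    from_zip = r"C:\Users\alice\AppData\Local\Temp\Temp1_autoruns.zip\Autoruns.exe"
    for label, pol in (("maximum", Policy()), ("temp block off", Policy(block_temp_extracted=False))):
        print(label, decide(pol, from_zip))
    print(decide(Policy(), r"C:\Users\alice\Downloads\Autoruns.exe"))
    print(decide(Policy(), r"C:\Users\alice\AppData\Roaming\Qwe\svchost.exe"))
    print(decide(Policy(), r"C:\Users\alice\AppData\Local\Temp\7zS1234\setup.exe"))
```

The same Autoruns.exe is allowed from Downloads but denied when launched straight out of the ZIP, which matches the post’s before-and-after screenshots; the AppData rules fire whether or not the Temp setting is on, and the installer case shows that the temporary exception is the minimal alternative to switching the whole setting off.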
So far I haven’t actually tried CryptoPrevent against actual malware infections, but you can see a video of it in action against the CryptoLocker virus in this thread.
Ideally, I would still like to see the antivirus product makers implement the missing mail scanner option, i.e. quarantine all archive (ZIP, RAR, etc.) attachments that contain any executable file.
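The quarantine rule asked for above is simple to express: open the attachment, look inside, and hold it if anything executable is in there. The following is an added example of that check, not code from any antivirus product or from CryptoPrevent. It flags the extensions the post names, but also looks at the first bytes of each entry so that a PE file hidden under a harmless extension (like the modified Robocopy.exe renamed to something else) is caught, and it recurses into nested ZIPs with depth and size limits. The sample attachments are constructed in the code and contain only a `MZ` header stub, not real programs.

```python
"""Mail-filter check for archive attachments: flag any ZIP that carries an
executable, including renamed PE files and executables inside nested ZIPs.
Added example with constructed sample data, not code from any antivirus product."""
import io
import os
import zipfile

# Extensions named in the post; a production filter would extend this list.
EXEC_EXTS = {".exe", ".scr", ".com", ".pif"}
ZIP_MAGIC = b"PK\x03\x04"
PE_MAGIC = b"MZ"
MAX_NESTED_BYTES = 20 * 1024 * 1024  # refuse to unpack oversized nested archives
MAX_DEPTH = 3                        # bound recursion through zips-in-zips


def inspect_archive(data, depth=0):
    """Return a list of (entry path, reason) for every suspicious entry.

    An empty list means nothing executable was found. Entries that cannot be
    inspected (encrypted, too large, too deeply nested) are reported too, so the
    caller can choose to quarantine rather than wave them through.
    """
    try:
        zf = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        return [("<archive>", "not a valid ZIP file")]
    findings = []
    with zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            name = info.filename
            ext = os.path.splitext(name)[1].lower()
            if info.flag_bits & 0x1:  # bit 0 = entry is encrypted
                findings.append((name, "encrypted entry, cannot inspect"))
                continue
            with zf.open(info) as fh:
                head = fh.read(4)  # only the magic bytes, never the whole payload
            if ext in EXEC_EXTS:
                findings.append((name, f"executable extension {ext}"))
            elif head.startswith(PE_MAGIC):
                # Windows still runs this once renamed back; extension filters miss it.
                findings.append((name, "PE header under non-executable extension"))
            elif head.startswith(ZIP_MAGIC):
                if depth >= MAX_DEPTH:
                    findings.append((name, "nested archive too deep to inspect"))
                elif info.file_size > MAX_NESTED_BYTES:
                    findings.append((name, "nested archive too large to inspect"))
                else:
                    for inner_name, reason in inspect_archive(zf.read(info), depth + 1):
                        findings.append((f"{name}/{inner_name}", reason))
    return findings


def should_quarantine(data):
    """The rule the post asks for: any archive with an executable inside is held."""
    return bool(inspect_archive(data))


def _make_zip(entries):
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, payload in entries:
            zf.writestr(name, payload)
    return buf.getvalue()


def build_sample_attachment():
    """Constructed phishing-style attachment (not a real sample): fake PE stubs."""
    fake_pe = PE_MAGIC + b"\x90" * 62  # DOS header magic only, no real code
    inner = _make_zip([("Autoruns.scr", fake_pe)])
    return _make_zip([
        ("Invoice_DHL.pdf.exe", fake_pe),
        ("Robocopy.dat", fake_pe),
        ("readme.txt", b"Please see the attached invoice."),
        ("more.zip", inner),
    ])


def build_clean_attachment():
    """Constructed benign attachment for comparison."""
    return _make_zip([("report.pdf", b"%PDF-1.4 constructed placeholder")])


if __name__ == "__main__":
    for path, reason in inspect_archive(build_sample_attachment()):
        print(f"{path}: {reason}")
    print("quarantine:", should_quarantine(build_sample_attachment()))
    print("clean quarantine:", should_quarantine(build_clean_attachment()))
```

Reading only the first four bytes of each entry keeps the check cheap and avoids fully decompressing a hostile archive just to classify it; the encrypted and oversized cases are reported as findings rather than skipped, because an attachment the scanner cannot see into is exactly the kind the post wants held back for a human to look at.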