Solved Malwarebytes Premium issues

[urbanspaceman1]

So, I have to confess to remaining a tad concerned regarding my protection against these CryptoLock style attacks as they sailed past everyones' security systems and were only repulsed by the likes of Foolish IT's CryptoPrevent. There will certainly be another round of fresh attacks and I don't hear any of the security companies shouting about their upgraded defence against them. Just paranoia or what?

 

[ThrashZone]

I'd say you got the last part right "Just paranoia"

Surfing habits are important too,
Knowing which browser add-ons are running all of the time and which ones you actually need help prevent unnecessary risks,
http://www.dedoimedo.com/computers/flash-player-settings.html
And probsbly the biggest security threat that might be installed on your machine,
http://securitygarden.blogspot.com/2013/01/java-zero-day-again-time-to.html
http://blogs.technet.com/b/mmpc/archive/2013/04/16/how-to-protect-your-computer-against-dangerous-java-applets.aspx

 

[urbanspaceman1]

I visited those three sites - thank-you. The Flash site link is inactive and the online settings manager doesn't appear to be current now but I found a settings facility available on my PC. I'm sure I set up high security on that panel some time ago but I'll bet Adobe resets every time they upgrade so I need to remember to check that in future; thank-you for that vital advice. Then I uninstalled Java as it appears that domestic users do not need it any more; if I suddenly discover I need it I will address that issue as and when. Again, much obliged. With regard to browser add-ons, other than Microsoft and Shockwave there is nothing enabled; do I need Shockwave enabled?

 

[ThrashZone]

Hi,
Here's the other link about Shockwave Flash Object which is flash player,
How to configure your Flash Player settings for maximum privacy and security
ie10-11 are more than capable of playing Youtube videos without shockwave flash object enabled,
Most other website will require it to be enabled though,
But it's easy enough to enable and refresh the page so it loads the content you want to watch,
And I believe that's the main security point,
Leaving either disabled until you know you need them and disable when your done and don't want any unknown stuff loading,
Cheers.

 

[DavidE]

@Layback Bear
Nice find on the link about MBAM and CryptoLocker!
Can't rep you right now

@urbanspaceman1
Kudos to you for having Cryptoprevent listed in your SF System Specs. +1
Seems like that info is what got to a solution - MBAM + CP don't play together well.

This is an interesting thread to me.
I'm not a security expert, but here's my thoughts / findings ...

Regarding "Self protection is only an issue if your attempting to remove/ uninstall mbam"

I've used MBAM 2 since the "pre-Beta" release.
With my first MBAM 2 install/test I couldn't even move the MBAM desktop ICON.
I learned it was because "Self Protection" was enabled.
I don't use "Self Protection", I like to be able to change things ...
If you use "Self Protection" and make changes that don't work or stick, turn it off, make changes, reboot, see if they stick, and turn it back on.
If I get attacked that bad, I'll restore an offline system image and data to be sure and get rid of malware.
​

Regarding "I would recommend checking in Setting/Advance settings that Auto quarantine is unchecked"

For me this is difficult to know what is right.
I was hit by the "MBAM FP definition update" a couple of years ago.
The main HTPC was on, running, and all of a sudden it crashed.
It turned out it was a new (bad) MBAM DB file that loaded and crashed the system because of Auto quarantine and the false-positives.

But if I turn off Auto quarantine and CryptoLocker somehow "hits" the PC, won't that allow CL to do the damage ???

So, to me it's a catch-22, crap-shoot.
Auto quarantine may brick the system because of a bad MBAM DB Update.
But without Auto quarantine, might CryptoLocker (or any malware) cause damage before "it's too late" ???
​

I still believe an important "Defense/Recovery" approach is to have offline backups.
Preferably the OS and Data separately.
I keep monthly backup images for the (OS) drive, and [D] (data) drive as needed ... That allows restoring either the OS or Data independently, if and when needed. Some people depend on Windows System Restore. System Restore points are saved in the [C] drive, and, for whatever reason may disappear or not recover when needed. Also, malware can infect restore points ... or anything online ... I wouldn't trust Restore Points. Again, I'm no security expert (or any expert) but I am security conscious and looking for things I can recommend to people I help ... I look for the "Best Bang for the Buck". Most people I help are Senior Citizens, limited income, but they have children/grandchildren that may use the PC and do who knows what. From what little I know a "Layered Approach" is best. Given that, here is what I am using for a "Best Bang for the Buck Layered approach"[INDENT] Real-Time security: ONE free ANTI-VIRUS program - Panda, MSE, or Avast Malwarebytes (paid) - AntiMalware (the new annual Ver 2 license cost may change that ...) EMET - Anti Exploit - free from MS WinPatrol - System changes monitor - free or lifetime license [/INDENT]@urbanspaceman1 There is a CryptoPrevent Portable version. I don't know how it compares to using the installed version ... Anyway, I was curious so I ran the Portable version and it didn't cause me any issues. I played with this using: Win 7 32 Bit, MBAM Premium, Panda free, EMET, WinPatrol (free) Sorry for the long-winded reply :geek:

 

[urbanspaceman1]

@Thrash Zone: the link to the article on Flash settings manager works but the link in there to the Adobe site is dead because I think the online system is no longer active; the more I try to remember the more I recall that it was the system I used a good long while ago but since then it's been in the download. As I mentioned earlier: it appears to default with every upgrade so beware folks, check your settings afterwards.I'll leave Shockwave enabled and take a risk.
@DavidW7ncus: your long-winded reply is actually comprehensive, no apologies necessary; I noticed you closely monitoring this thread and I was hoping you'd have some input. I'll disable Self-Protection; as you say, anything hitting that hard needs major surgery.
Auto-quarantine is certainly a difficult one now I have two POV, both equally valid; I think I'm going to leave it on.
The business of disabling my gadgets is what has turned me off CP.If there's something in its settings panel that might get around this issue then I am not capable of finding it. Does anyone have any experience of this latest version of CP?It may be that putting the updated version back in after MBAM Premium is activated will not cause any conflicts and I may live without my gadgets long enough to try it out.If I do I will report back.
Incidentally, I had not listed it - but I will now: I am using MBAM anti-exploit and have been for some months now: it hasn't caused any problems anywhere to my knowledge.

 

[DavidE]

For MBAM I set the real-time Auto Quarantine on.
For Scheduled scans I turned Auto Quarantine off.
I figure if it got past my real-time protection, BAD, BAD, BAD

I don't use Gadgets, so can't help there.

I compared Malwarebytes Anti-Exploit to MS EMET.
MBAE (free) didn't offer me much protection, so I chose EMET.
It is more complicated, but no problems so far ...

Depending when you downloaded CP, maybe a newer version ...
7.1 was released

Current Version: 7.1 released Aug 23rd 2014

Source: https://www.foolishit.com/vb6-projects/cryptoprevent/

 

[urbanspaceman1]

Hi David. That's what I had set on MBAM scheduled scans for exactly the same reason.
I will have a look at MS EMET: I know nothing about it; but then I know precious little about the MB version too also.
I upgraded CP to the 7.1 version last week;,that was what disabled my gadgets; prior to that ,I had the first release installed and to be honest, I didn't consider that there was anything more to do with it. I got the impression it was like MB Anti-exploit: install it, activate it and forget it. If it hadn't been flagged a potential source of conflict (thank-you Bear) I would have gone on ignoring it. I think I will try re-installing the early version of CP (now MBAM Prem' is installed, rather than the other way round) and see what happens. It's kept me safe so far and left my gadgets alone; watch this space.

 

[urbanspaceman1]

OK, I installed the early version of CP now that MBAM Premium is in and active, and as well as leaving my gadgets alone, it seems to be behaving very well. I added it to MBAM Exclusions just to be on the safe side, but even before that it was OK. It appears that adding the premium upgrade to MBAM with the old CP running was creating the problem. I'll give a day or so and while I'm waiting, find out how I can update it and retain my gadgets. I'm also considering adding CryptoGuard, which supposedly runs alongside CP and adds an additional layer of defence; considering it anyway. Just to indicate what a belt and braces individual I am, I frequently back everything up to my hot-swappable HDD that lives in the drawer when not in use. At worst I might lose a couple of weeks worth of data depending on my schedule.

 

[urbanspaceman1]

I contacted Foolish IT and asked if it was possible to prevent their latest (7.1) version from removing my gadgets, that was on Monday and I haven't had a response. Maybe they'll move a little faster if you are giving them money - which I'm not, of course.
Otherwise: the early incarnation of CryptoPrevent is co-existing happily with MBAM Premium.
I haven't explored Crypto Guard yet.

 

[Callender]

Cryptolocker

I contacted Foolish IT and asked if it was possible to prevent their latest (7.1) version from removing my gadgets, that was on Monday and I haven't had a response. Maybe they'll move a little faster if you are giving them money - which I'm not, of course.
Otherwise: the early incarnation of CryptoPrevent is co-existing happily with MBAM Premium.
I haven't explored Crypto Guard yet.

Cryptolocker: I tried a few solutions including Cryptoguard but in the end settled for Bitdefender's Anti-Crypto portable and still have it. I don't use it though.

I use a couple of other methods.

Detect any executable (any extension) without a valid signature that's not in the trusted certificate list and prompt for action if it attempts to run:



I can't actually recommend this software without testing the new version. I'm sticking with the old version for now.

Warning if any executable (any extension) is created or modified with the option to quarantine:



I'm the sort of person who likes pop-ups! I like to know what's going on.

Also I use EMET. I've noticed that a beta version of flash player has been released - that usually means that there will be a new patched version released within a few days.

There's a flash exploit currently doing the rounds. See:

https://blog.malwarebytes.org/explo...rceforge-redirects-to-flash-pack-exploit-kit/

 

[urbanspaceman1]

@Callender
I thank you for your input but I'm afraid I don't understand it.
I may have given the impression I was more accomplished than is actually true; it happens a lot I'm afraid.

 

[Callender]

Hitman Pro Alert

@Callender
I thank you for your input but I'm afraid I don't understand it.
I may have given the impression I was more accomplished than is actually true; it happens a lot I'm afraid.

No problem! I've just remembered another solution that I use. HitmanPro.Alert has built in CryptoLocker prevention. All you need to do is configure the settings screen.

Download: HitmanPro.Alert 2 - SurfRight

To adjust settings when HitmanPro.Alert is up and running just click the following:

C:\Program Files (x86)\HitmanPro.Alert\hmpalert.exe

 

[urbanspaceman1]

Hi Callender. Thank-you for your perseverance, it is much appreciated. I've downloaded HMPalert2 because, apart from all else, I didn't receive a reply from Foolish IT: am I out of line for being rather peeved that they just ignored a request for info via their internal communications portal?
Anyway, I just wondered if I should remove CryptoPrevent? I read that CryptoGuard works in a totally different fashion and can happily co-exist with CP. HMPalert2 looks like some good protection; I am much obliged.

 

[Callender]

CryptoPrevent

CryptoPrevent creates software restriction policies that prevent executables from running from certain locations like those listed on page 2 here:

Cryptolocker: How to avoid getting infected and what to do if you are | Computerworld

The problem is that sometimes a safe application will need to execute from one of those locations but will be blocked from doing so by CryptoPrevent.

Both work in different ways so in theory it should be possible to run both.

 

[urbanspaceman1]

I've uninstalled CP for the moment and installed HMPalert2. After reading the article you linked (thank-you) I am still uncertain if I need both or that HMPalert2 will cover all bases; as I said, fundamentally, I am something of a novice , I just prefer to seek out the experts for advice and follow it regardless of incomprehension. Again, your indulgence of my vagueness is much appreciated.

 

[Callender]

CryptoPrevent

I just downloaded CryptoPrevent and see that if you're having problems it's possible to add blocked executables to a whitelist.



There's also an option elsewhere to allow gadgets. Personally I've disabled gadgets after reading some time ago that there could be a security issue.

Tip: Reset gadgets to default if you ever need to:

http://www.sevenforums.com/tutorials/10215-gadgets-restore-default-gadgets.html

 

[urbanspaceman1]

Sorry, you've lost me again: 'add blocked executables to a whitelist' is a language I don't speak. Also 'reset gadgets to default' is lost on me too.

 

[urbanspaceman1]

OK, sorry, I clicked on the restore gadgets link and discovered it was a tutorial; thank-you that bit is now clear.

 

[urbanspaceman1]

Is the 'add blocked executables to a whitelist' the same as an exclusion list?