- Jul 21, 2016
Hi, guys. I'd like to share some information that may be useful for some Kaspersky users.
First of all, we should point out how powerful Kaspersky App Control can be if configured correctly. You can prevent undetected ransomware from encrypting your files just by creating the correct rules.
The first two tips focus on people who often change their PCs or frequently format them. The idea is to allow use of the same config file on every PC you use.
*Important Windows folders = library folders (Documents, Pictures, Videos...)
IMPORTANT:
> DO NOT DO STEP 1) IF THE FOLDER YOU WANT TO PROTECT IS NOT IN ITS DEFAULT LOCATION
> DO NOT DO STEP 1) OR 2) IF YOU ARE USING THE BUILT-IN ADMINISTRATOR ACCOUNT OR IF (FOR SOME REASON) YOU HAVE DIRECT ACCESS TO A DIFFERENT USER'S FOLDER. Since Windows Vista, non-built-in Administrator accounts (normal admin accounts) do not have direct access to other users' files by default.
> This worked for me. I've tested with new ransomware samples and it did the job. Please don't blame me if something goes wrong. If you are not sure, DO NOT DO IT.
1) The first tip I found useful is to configure resources (like protected Windows folders) using environment variables instead of a plain folder path. For example:
Instead of adding the folder "C:\Users\Walter White\Documents\*" use "%USERPROFILE%\Documents\*".
This is a good way to protect the currently logged-in user without having to add multiple user folders, and it is useful if you want to reuse your config file on another PC and do not want to configure the resources again.
2) If you keep your important folders in a different location (maybe because you installed Windows on an SSD and moved the important Windows folders somewhere else), you should use registry values.
Open regedit.exe and go to HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders
In the "Name" column, on the right side of the window, find the name of the registry entry that links to the folder you want to protect. The folder path can be found in the "Data" column (also on the right side of the window).
Now, if you want to protect your Documents, Pictures, Videos and Desktop, for example, go to the Kaspersky manage resources window, click Add > File or Folder (yes, folder, not registry) and add the following entries:
%HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders^Personal%\*
%HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders^My Pictures%\*
%HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders^My Video%\*
%HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders^Desktop%\*
This will keep your folders protected even if you change their locations.
3) Create a folder inside your user root folder and fill it with 20+ txt files. This will be your ransomware bait folder. I'll explain why you need it.
Suppose all your important files are kept in the Documents and Pictures folders. Both folders are protected by the Application Control component, that is, restricted applications do not have permission to create, write, or delete inside those two folders.
If ransomware (not detected by Kaspersky) tries to encrypt your files, Application Control will block the action and your files will be safe (it does not matter whether the ransomware is detected or not). This sounds good, right? Yes, and it is, but there is a problem: since the ransomware was not able to encrypt, or even try to encrypt, your files, System Watcher will not flag it as malware. So, although your files and system are safe, you may not know you are dealing with a dangerous file. (I've already sent this information to Kaspersky. Let's see if they do something about it.)
That is why you need a bait folder. If you have a folder with lots of useless files, ransomware will try to encrypt them. System Watcher will now be able to intercept that action and deal with the malware. If System Watcher fails (which is very unlikely, I mean, very!), the only files you would lose would be those useless txt files.
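Before typing the four registry-based rules from step 2, it is worth checking which value names actually exist under "User Shell Folders" on the PC and which folders they resolve to, because a rule whose value name does not exist protects nothing. The script below is an added example (not from the original post or from Kaspersky): it reads the same registry key the post points at, prints the raw REG_EXPAND_SZ data next to the expanded path, tests that the folder exists, and flags whether it still sits under the user profile (the "default location" condition from the IMPORTANT note, approximated as "below %USERPROFILE%"). The list of value names and the output layout are my own choices.

```powershell
# Added example, not part of the original post: resolve the User Shell Folders
# values referenced by the step 2 rules and show what each one protects.

$key = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders'

# Value names used by the post's four rules; extend this list for other folders.
$names = 'Personal', 'My Pictures', 'My Video', 'Desktop'

$regKey = Get-Item -Path $key
try {
    foreach ($name in $names) {
        # Raw REG_EXPAND_SZ data, e.g. %USERPROFILE%\Documents, without expansion
        $raw = $regKey.GetValue($name, $null, 'DoNotExpandEnvironmentNames')
        if ($null -eq $raw) {
            Write-Warning "No value named '$name' under User Shell Folders; a rule using it would protect nothing."
            continue
        }

        # The expanded path is the folder the Kaspersky rule ends up covering
        $expanded = [Environment]::ExpandEnvironmentVariables($raw)

        # Rule text exactly as it is typed into Add > File or Folder
        $rule = "%HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders^$name%\*"

        [pscustomobject]@{
            ValueName         = $name
            RawData           = $raw
            ResolvesTo        = $expanded
            FolderExists      = Test-Path -LiteralPath $expanded -PathType Container
            # Approximation of "default location": still inside the user profile.
            # If this is False, step 1 (%USERPROFILE%\...) would miss the folder.
            IsDefaultLocation = $expanded -like (Join-Path $env:USERPROFILE '*')
            KasperskyRule     = $rule
        }
    }
}
finally {
    $regKey.Close()
}
```

Run it in a normal (non-elevated) PowerShell session as the user whose folders you want to protect, since the key is under HKEY_CURRENT_USER and the resolved paths depend on that user's profile. A folder whose IsDefaultLocation is False is exactly the case where the post says to use the registry-based rule instead of the %USERPROFILE% form.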
That's it.
If you find something wrong, please let me know. I'm just trying to help.
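The bait folder from step 3 only works if ransomware is able to touch it, so it must not be covered by any of the Application Control rules above; it also helps to have a way to notice that something has been changed in it. The script below is an added example (not from the original post or from Kaspersky): in Create mode it makes the folder under the user profile, fills it with plain txt files and stores a SHA-256 baseline of them; in Check mode it compares the folder against that baseline and reports modified, missing or new files. The folder name, file count, file contents and baseline location are my own choices and can be changed through the parameters.

```powershell
# Added example, not part of the original post: create the step 3 bait folder
# and keep a hash baseline so a later run can tell whether anything touched it.
param(
    [ValidateSet('Create', 'Check')]
    [string]$Mode = 'Create',
    [string]$BaitDir = (Join-Path $env:USERPROFILE 'Bait'),   # assumed folder name
    [int]$FileCount = 25,                                      # post says 20+
    [string]$BaselinePath = (Join-Path $env:USERPROFILE 'bait-baseline.json')
)

# Returns a hashtable of file name -> SHA-256 for every file directly in $Dir.
function Get-BaitState([string]$Dir) {
    $state = @{}
    Get-ChildItem -LiteralPath $Dir -File | ForEach-Object {
        $state[$_.Name] = (Get-FileHash -LiteralPath $_.FullName -Algorithm SHA256).Hash
    }
    return $state
}

if ($Mode -eq 'Create') {
    New-Item -ItemType Directory -Path $BaitDir -Force | Out-Null
    for ($i = 1; $i -le $FileCount; $i++) {
        $file = Join-Path $BaitDir ('notes{0:D2}.txt' -f $i)
        # Constructed filler content; it only has to look like a document worth encrypting.
        "Placeholder note $i (constructed bait content, not a real document)." |
            Set-Content -LiteralPath $file -Encoding UTF8
    }
    Get-BaitState $BaitDir | ConvertTo-Json | Set-Content -LiteralPath $BaselinePath
    "Created $FileCount bait files in $BaitDir; baseline written to $BaselinePath"
    "Reminder: do NOT add $BaitDir to the protected resources, or ransomware cannot reach it."
}
else {
    if (-not (Test-Path -LiteralPath $BaselinePath)) {
        throw "No baseline at $BaselinePath; run with -Mode Create first."
    }
    if (-not (Test-Path -LiteralPath $BaitDir -PathType Container)) {
        "Bait folder $BaitDir is gone entirely; treat as a possible ransomware event."
        return
    }

    $expected = Get-Content -LiteralPath $BaselinePath -Raw | ConvertFrom-Json
    $current  = Get-BaitState $BaitDir
    $alerts   = @()

    # Files present at baseline time: missing (deleted/renamed) or modified (re-encrypted in place)
    foreach ($prop in $expected.PSObject.Properties) {
        if (-not $current.ContainsKey($prop.Name)) {
            $alerts += "MISSING  $($prop.Name)"
        }
        elseif ($current[$prop.Name] -ne $prop.Value) {
            $alerts += "MODIFIED $($prop.Name)"
        }
    }
    # Files not in the baseline, e.g. renamed copies or dropped ransom notes
    foreach ($name in $current.Keys) {
        if ($null -eq $expected.PSObject.Properties[$name]) {
            $alerts += "NEW      $name"
        }
    }

    if ($alerts.Count -eq 0) {
        "Bait folder unchanged ($($current.Count) files match the baseline)."
    }
    else {
        "Bait folder was touched; treat as a possible ransomware event and check System Watcher:"
        $alerts
    }
}
```

Save it as, for example, Bait.ps1, run `.\Bait.ps1 -Mode Create` once, and re-run `.\Bait.ps1 -Mode Check` whenever you want to confirm the bait is still intact (a scheduled task works). A run that reports MODIFIED or MISSING entries is the signal that something wrote into the one folder Application Control deliberately leaves open, which is the point at which the post expects System Watcher to have stepped in.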