Please take special note of a major change introduced in CryptoPrevent version 6:
◦ New real-time ‘Filter Module’ that can filter certain executables against hash-based definitions, can also filter based on other criteria using a more complex rule set, and allows the user the option to run the file anyway. Enabled for CPL, SCR, and PIF files by default – advanced options allow enabling it for EXE/COM files also (experimental!)
"if you have the Filter Module enabled in v6 and above, your anti-malware software may report several false positives related to CryptoPrevent’s [restriction of policy] settings."
Specifically, these registry keys may be detected as ‘modified’ or ‘hijacked’, and the value data will point to the CryptoPreventFilterMod.exe file in your installation directory.
If using the experimental EXE/COM filter, you can also expect to see these keys:
Any key above may also have “runas” where “open” is, and affected values may include “(Default)” and “IsolatedCommand”.
If these fit the category of your anti-malware detection, then they are definitely CryptoPrevent’s settings, and it is safe to tell your anti-malware software to ignore them and/or whitelist them.
Indeed, MBAM scans are coming up with [at least] the following two registry entries:
Broken.OpenCommand, HKCR\piffile\shell\open\command, "C:\Program Files\Foolish IT\CryptoPrevent\CryptoPreventFilterMod.exe" *"Good: ("Bad: ("C:\Program Files\Foolish IT\CryptoPrevent\CryptoPreventFilterMod.exe" *"%1" %*),,[ffffffffffffffffffffffffffffffff]" %*)" %*, %4, %5
Broken.OpenCommand, HKCR\scrfile\shell\open\command, "C:\Program Files\Foolish IT\CryptoPrevent\CryptoPreventFilterMod.exe" "Good: ("Bad: ("C:\Program Files\Foolish IT\CryptoPrevent\CryptoPreventFilterMod.exe" "%1" %*),,[ffffffffffffffffffffffffffffffff]" /S)" %*, %4, %5
which must then be added to MBAM's Exclusions list.
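Before adding such detections to an exclusion list, it is worth confirming that every flagged command key really points at CryptoPreventFilterMod.exe in the install directory, as the text above describes. The script below is an added example, not code from the original post or from CryptoPrevent: it assumes the install path shown in the MBAM lines, and the cplfile, exefile and comfile ProgIDs are assumed from the file types the changelog names (only piffile and scrfile appear on the page).

```powershell
# Added example (not part of the original post): audit the shell\open and shell\runas
# command keys that the CryptoPrevent Filter Module rewrites, and report whether each
# one invokes CryptoPreventFilterMod.exe from the expected install directory.
# Install path taken from the MBAM log lines above; adjust it if yours differs.
$ExpectedExe = 'C:\Program Files\Foolish IT\CryptoPrevent\CryptoPreventFilterMod.exe'

# piffile/scrfile are on the page; cplfile, exefile and comfile are assumed from the
# file types the changelog says the module covers (CPL/SCR/PIF, EXE/COM experimental).
$ProgIds = 'piffile', 'scrfile', 'cplfile', 'exefile', 'comfile'
$Verbs   = 'open', 'runas'
$Values  = '(Default)', 'IsolatedCommand'

function Test-FilterModCommand {
    param([string]$CommandData, [string]$ExpectedPath)
    # A command line that starts by invoking the module from its install directory is the
    # documented CryptoPrevent setting; the module name at any other path deserves a look.
    $quoted = '"' + $ExpectedPath + '"'
    if ($CommandData -like "$quoted*")                     { return 'CryptoPrevent setting' }
    if ($CommandData -like '*CryptoPreventFilterMod.exe*') { return 'REVIEW: unexpected path' }
    return 'not CryptoPrevent'
}

$report = foreach ($progId in $ProgIds) {
    foreach ($verb in $Verbs) {
        $keyPath = "Registry::HKEY_CLASSES_ROOT\$progId\shell\$verb\command"
        if (-not (Test-Path -LiteralPath $keyPath)) { continue }
        $key = Get-Item -LiteralPath $keyPath
        foreach ($valueName in $Values) {
            # The (Default) value is read with an empty name; IsolatedCommand by its name.
            $name = if ($valueName -eq '(Default)') { '' } else { $valueName }
            if ($name -ne '' -and $key.GetValueNames() -notcontains $name) { continue }
            $data = $key.GetValue($name)
            if ([string]::IsNullOrEmpty($data)) { continue }
            [pscustomobject]@{
                Key     = "HKCR\$progId\shell\$verb\command"
                Value   = $valueName
                Data    = $data
                Verdict = Test-FilterModCommand -CommandData $data -ExpectedPath $ExpectedExe
            }
        }
    }
}
$report | Format-Table -AutoSize -Wrap
```

Rows marked 'CryptoPrevent setting' match the description in the post and can be excluded; a 'REVIEW' row means the module name appears with a path other than the install directory and should be examined before whitelisting.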