There are many ways in which you can customize CryptoDrop to your particular environment and workflow. Open the main CryptoDrop window by double-clicking the tray icon, then click the Options button to open the Options window.
In the Options window, you will see four tabs. Let's talk about each of these in turn.
The General tab gives a list of all directories on your computer that are being protected by CryptoDrop. If you are running the CryptoDrop Fast Recovery version, by default the Documents, Music, Pictures, and Videos directories are protected for all users on the system.
If you would like to add or remove directories from protection, click the + or - buttons, which will bring up a window allowing you to select the folders that you are interested in adding or removing from ransomware protection. When you are finished making your changes, click the Save button to ensure that your choices are stored.
There are a couple of check boxes on this tab that you should leave checked unless you have an uncommon situation. The Enable Self-Protect checkbox ensures that CryptoDrop cannot be deleted by ransomware or any other malicious code. Only if you need to uninstall should you un-check this box. The Alert on bulk file modification checkbox lets CryptoDrop know to alert you if it sees a large number of files being written to or deleted. This is typical of many ransomware behaviors. There might be times when you are performing operations over a large number of files (for example, deleting a directory with a lot of files or rewriting the metadata to a lot of media files) when CryptoDrop, seeing this bulk activity, would be triggered. You can un-check the box if you are planning to do these activities, but make sure to re-check it as soon as you're done to ensure that you are protected.
If you are using the Free version of CryptoDrop, the General tab is greyed out. By default, your Documents folder will be protected by CryptoDrop. To access expanded directory protections, you can upgrade to the Fast Recovery version.
DropSafe(TM) is our innovative solution to ensuring that your files can be recovered, even if they are encrypted by ransomware. DropSafe is only available in the CryptoDrop Fast Recovery version. Recovery is turned on by default in the Fast Recovery version, but you can enable or disable it with the Recovery Enabled checkbox.
The DropSafe Location is pre-defined by the software. This directory is protected and cannot be accessed by any malware, ensuring that any files written to DropSafe will be safe from modification.
The amount of storage assigned to the DropSafe directory is initially 2048 MB. You can change this amount in the Maximum Storage field. If more files are being placed in DropSafe than you have storage allocated for, you will be notified so that you can decide whether to increase the amount of dedicated storage.
The goal of DropSafe is to ensure that files can be recovered for up to 24 hours based on the size of the DropSafe directory. If files are being written into DropSafe that will exceed the size of the storage put aside, the oldest files written to DropSafe will be removed from there first. If a file will be removed that has been in DropSafe for less than 24 hours, you will be notified. If you would prefer to be notified for a shorter or longer window, you can define your own notification period in numbers of hours. Please note that activating DropSafe after a ransomware attack cannot recover lost files. DropSafe must be running before an attack takes place.
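The retention behaviour described above can be modelled to check whether a given Maximum Storage value keeps files for the full notification window. This is an added example, not CryptoDrop code; the function name, the sample write log, and the handling of a file larger than the whole store are assumptions.

```python
from collections import deque

def simulate_dropsafe(writes, max_mb=2048, notify_hours=24):
    """Model oldest-first eviction from a size-capped store.

    writes: (hour_written, name, size_mb) tuples in time order.
    Returns (names still retained, [(name, age_hours)] for every eviction
    that happened before notify_hours and would raise a notification).
    """
    store = deque()   # oldest entry on the left
    used_mb = 0
    early = []
    for hour, name, size_mb in writes:
        if size_mb > max_mb:
            # Not defined on the page; this model refuses to guess.
            raise ValueError(f"{name} is larger than the whole store")
        # Remove the oldest files until the new one fits.
        while used_mb + size_mb > max_mb:
            old_hour, old_name, old_size = store.popleft()
            used_mb -= old_size
            age = hour - old_hour
            if age < notify_hours:
                early.append((old_name, age))
        store.append((hour, name, size_mb))
        used_mb += size_mb
    return [n for _, n, _ in store], early

# Constructed write log: (hour, file name, size in MB).
SAMPLE_WRITES = [
    (0, "a.docx", 900),
    (5, "b.psd", 900),
    (30, "c.mov", 900),
    (31, "d.iso", 900),
    (32, "e.zip", 900),
]

if __name__ == "__main__":
    retained, early = simulate_dropsafe(SAMPLE_WRITES)
    print("retained:", retained)
    print("evicted before the window elapsed:", early)
```

Running it against a realistic day of file changes shows how large Maximum Storage must be before early-eviction notifications stop.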
Rules provide a powerful way for you to ensure that processes you trust are able to access your data without causing ransomware alerts. They are also a way to ensure suspected ransomware is blocked from modifying your data. If you enter Lockdown mode, the process triggering the Lockdown alert is automatically blocked from writes through a rule created by CryptoDrop.
In addition to the system rules provided by CryptoDrop, you have the ability to add your own rules. You can add an unlimited number of rules in the CryptoDrop Fast Recovery version, while with the Free version, you are able to add up to 5 additional rules.
If you would like to add a rule, click the + button in the Rules window. This will create a blank row for you to fill in. The ProcessName field is the name of the process that you would like the action to be performed upon. This should include the full path name. To select all files, type in "*.*".
The ProcessID identifier can be useful if you are sure that your process will always be assigned its own ID (this would be very rare). Note that the value -1 means "all process IDs".
The TargetFile field further narrows process activity events to those relating to the specified file. If all files are supposed to be subject to this rule then please type "*.*" into this field.
Next is the Action field, and this will present you with a drop-down message box asking you how you want to apply the rules that you have generated. You have the following potential actions that are available to you, in order of increasing constraints placed by CryptoDrop:
- DoNothing: The rule is not enforced in any way by CryptoDrop.
- Ask: The user is prompted whether to allow any activity described by the rule to occur.
- Allow: CryptoDrop explicitly allows the action described by the rule to take place.
- ReadOnly: The TargetFile can only be read by the Process described in the rule; CryptoDrop enforces that no writing to the target can occur.
- Block: All activity described by the rule is blocked by CryptoDrop.
The rules are enforced in the order shown above, such that the most constrained rule has the highest priority. For example, if a rule A was written from process Logger.exe to TargetFile * with the action DoNothing, while another rule B was written for process Logger.exe to TargetFile logs.txt with the action ReadOnly, rule B would take priority because ReadOnly is a more constrained rule than DoNothing.
Note that if ransomware is detected on your computer and you enter Lockdown mode, CryptoDrop automatically generates a rule for the process suspected of performing the ransomware operations and adds a Block action for that process.
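The precedence described above can be worked through in code. This is an added example, not CryptoDrop's implementation: the wildcard matching, the file paths, the process ID and the function names are assumptions, and only the action ordering and the meaning of -1 come from the text.

```python
from dataclasses import dataclass
from fnmatch import fnmatchcase

# Actions in the order the page lists them; a later entry is more
# constrained and therefore wins when several rules match.
ACTIONS = ["DoNothing", "Ask", "Allow", "ReadOnly", "Block"]
PRIORITY = {name: rank for rank, name in enumerate(ACTIONS)}

@dataclass(frozen=True)
class Rule:
    process_name: str  # full path of the process, or "*.*"
    process_id: int    # -1 means "all process IDs"
    target_file: str   # file the rule applies to, or "*.*"
    action: str

def _matches(pattern, value):
    # Assumption: "*" and "*.*" match everything; anything else is a
    # case-insensitive glob. The page does not define the matching rules.
    if pattern in ("*", "*.*"):
        return True
    return fnmatchcase(value.lower(), pattern.lower())

def effective_rule(rules, process_name, pid, target_file):
    """Return the matching rule with the most constrained action, or None."""
    hits = [r for r in rules
            if _matches(r.process_name, process_name)
            and r.process_id in (-1, pid)
            and _matches(r.target_file, target_file)]
    return max(hits, key=lambda r: PRIORITY[r.action], default=None)

# Constructed sample rules (paths and PIDs are made up for this example).
LOGGER = r"C:\Tools\Logger.exe"
SUSPECT = r"C:\Users\demo\AppData\Local\Temp\suspect.exe"
RULES = [
    Rule(LOGGER, -1, "*", "DoNothing"),                 # rule A from the text
    Rule(LOGGER, -1, r"C:\Logs\logs.txt", "ReadOnly"),  # rule B from the text
    Rule(SUSPECT, -1, "*.*", "Block"),                  # Lockdown-style rule
    Rule(SUSPECT, -1, "*.*", "Allow"),                  # user rule, outranked
]

if __name__ == "__main__":
    for proc, target in [(LOGGER, r"C:\Logs\logs.txt"),
                         (LOGGER, r"C:\Logs\other.txt"),
                         (SUSPECT, r"C:\Users\demo\Documents\report.docx")]:
        rule = effective_rule(RULES, proc, 4120, target)
        print(proc, "->", target, ":", rule.action)
```

Under the documented ordering, the Allow rule for the suspect process never takes effect while the Block rule exists, which is worth checking for when reviewing a rule list after a Lockdown.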