Batu69 Posted August 30, 2016 Share Posted August 30, 2016 Australian backup vendor Sydneybackups has released SBGuard Anti-Ransomware 1.3.0, claiming it "protects your Windows PC against all known Ransomware malware, such as CryptoLocker, CryptoWall, TeslaCrypt, CryptoXXX, CTB-Locker, Zepto and many others". How does it work? According to the developer, the program "injects a large number of restriction mechanisms and modifies some core Windows components to prevent malicious behaviors and executions". It seems to us that’s a description more designed to impress newbies than provide any useful information, but we decided to take a look anyway. The program is simple and lightweight. There’s no bulky Settings dialog, no resource-heavy background process -- just an "Enable Protection" button to lock down your system, and a "Disable" button to turn the protection off. If you do risk enabling protection, we don’t think the program does any "injecting" or modifies any system files. Instead it seems to change various system permissions and policies, in particular preventing software launching from unexpected places. This isn’t a new idea, and the good news is it will block at least some ransomware, as well as many other threats. The bad news is that it will also conflict with some legitimate software. The developer warns of this, saying: Quote Important: SBGuard Anti-Ransomware could block legitimate programs from installing. It is recommended to disable protection before installing new Windows applications and then re-enabling it back after. Unfortunately, this may not be enough, and the program could still cause other unexpected and hard-to-diagnose issues. For example, on our test PC password manager Norton Identity Safe wouldn’t open when SBGuard’s protection was enabled, complaining of a "network error". Overall SBGuard Anti-Ransomware isn’t for security beginners, but if you’re more experienced, ready to handle any problems and would like to see if it’s doing anything new, the program could be interesting. SBGuard Anti-Ransomware is a free package for Windows Vista and later. Article source Another source: SBGuard Anti-Ransomware hardens Windows Link to comment Share on other sites More sharing options...
Petrovic Posted August 30, 2016 Share Posted August 30, 2016 SBGuard Anti-Ransomware v.1.3.0 Download: Site: https://www.upload.ee Sharecode[?]: /files/6116243/SBGuardsetup.7z.html Link to comment Share on other sites More sharing options...
stylemessiah Posted August 30, 2016 Share Posted August 30, 2016 Who wants to bet its another CryptoPrevent/VoodooShield type pseudo SoftWare Restriction Policy tool...umm yes Like discussed here only days ago.... Why not actually use the proper GPO instead of half assd psuedo GPO stuff, it works, and doesnt cost a cent Windows built in tools, underutilised by people who are too lazy and want to press a single button instead of learning how a PC works.... From their HP: Quote More details about what SBGuard actually does at this stage: It injects around 700 registry entries to force Windows Group Policy to use inbuilt software execution restriction capabilities in certain locations and prevent certain file types from executing. On top of that it will disable Windows Gadgets (known vulnerability) and disallow several other system actions Ransomware will attempt to perform to encrypt your data. We have gathered all possible tricks Ransomware uses to execute it’s payload and we believe our software will prevent execution of most known Ransomware if not all. We are actively monitoring new ways Ransomware enters the system and we will keep adding more exclusions. We do however have a work in progress on some more advanced techniques that will require SBGuard to run as a service. Another feature on it’s way is to provide live notifications when SBGuard blocks any execution, including from legitimate softwares. This will help novice users to diagnose any issues quickly. Let me debunk this for you 700 registry entires....wtf??????????, wait ill ad a few more ?????? To "force" windows GPO to use inbuilt software restriction capabilities...again wtf...this is nonsense...theyre saying basically "their software" has to be used to enforce Software Restriction via GPO...horse shit Software Restriction GPO doesnt need a service to do its job, this program does. any time you add a program to "fix" a windows problem (which doesnt exist in this case), you actually increase the attack vector...simple as that, all someone has to do in this instance is figure out a vulnerability in this and have this program unrestrict windows SR GPO...which has to my knowledge never been exploited...that shit is secure. On top of that Windows Gadgets was disabled by a security advisory and hotfix 2 years ago.... This is nonsense software, only for the terrninally lazy who like clicking buttons... Link to comment Share on other sites More sharing options...
straycat19 Posted August 30, 2016 Share Posted August 30, 2016 5 hours ago, Batu69 said: SBGuard Anti-Ransomware is a free package for Windows Vista and later. Don't walk away from this software, RUN! I have posted many times before how you can stop malware with SRPs in GPO without installing a third party program and have extensively tested this by trying to install malware/ransomware on my system. Not once has one ever installed. As a caveat, I also mention that none of them will install in a VM since they are designed to detect a VM and not install, even going so far as to destroy their original payload, so malware examiners cannot look at what it does. VMs were our best and easiest test platforms for viruses and malware till the coders started detecting them. I use to provide infected VMs to train techs on malware detection and removal but now have to use actual machines and then do a p2v conversion after they are infected. It is more time consuming. I read the original article and the author makes the following comment in closing statements. Quote Also, the devs should consider publishing a list of changes that the program makes as many users and most admins won't install it otherwise. He has hit the nail on the head here since no one should install anything without knowing what changes it is going to make to their system. Link to comment Share on other sites More sharing options...
tiliarou Posted August 30, 2016 Share Posted August 30, 2016 Some legit installers may use local and roaming appdata folders, is your method with windows GPO enabling certain type of legit install ? For example, updating Witcher 3 through gog galaxy will try to unpack a temporary installer in appdata, even though both gog galaxy and witcher 3 are not installed in appdata. I'm guessing the GPO policy will block any exe from installing/copying files in appdata is that right ? Link to comment Share on other sites More sharing options...
stylemessiah Posted August 31, 2016 Share Posted August 31, 2016 13 hours ago, tiliarou said: Some legit installers may use local and roaming appdata folders, is your method with windows GPO enabling certain type of legit install ? For example, updating Witcher 3 through gog galaxy will try to unpack a temporary installer in appdata, even though both gog galaxy and witcher 3 are not installed in appdata. I'm guessing the GPO policy will block any exe from installing/copying files in appdata is that right ? Yes, some programs wiill temporarily use appdata. for things that will do this regularly, like flash etc, you can make exception rules for them. On the occasion you have a one off install you need to do, you can simply add a rule which you later remove, or disable the GPO and do a gpupdate /force at the command prompt, install and then reenable the GPO and do gpupdate /force to update the policy again... Or you can do as suggested at the end of this article...https://blog.windowsnt.lv/2011/06/01/preventing-malware-with-srp-english/ im too used to gpupdate... Link to comment Share on other sites More sharing options...
Recommended Posts
Archived
This topic is now archived and is closed to further replies.