This sounds interesting; has anyone here tried it? http://www.sydneybackups.com.au/sbguard-anti-ransomware/ Comments would be appreciated!
It seems to be quite good but not stable enough... no options, no settings, just "install, run and forget". Some reviews and info:
https://malwaretips.com/threads/sbguard-anti-ransomware-hardens-windows.62885/
http://betanews.com/2016/08/30/sbguard-anti-ransomware-is-a-one-click-malware-blocker/
http://www.ghacks.net/2016/08/30/sbguard-anti-ransomware-hardens-windows/
No surprise, I'm not feeling these types of policy-based tools. And don't forget that you might have to disable it to install legit apps, so there is no protection during the install.
Version 1.4 beta available for download. If anyone is interested in having a look at and playing with version 1.4 beta, you can download it here: www.sydneybackups.com.au/downloads/sbguard-1-4-beta/SBGuardsetup1_4_beta.exe We have added a bunch of new restrictions and changes to existing ones. Also added some requested features. Feedback and ideas are welcome, and you will be included in the contributors list for them. sbguard@sydneybackups.com.au Cheers
We would like to shed some light on how SBGuard Anti-Ransomware works. There may have been some misunderstanding about how it protects, hence Cruelsister's bad feedback.

Ransomware has 2 stages before it infects and encrypts:

1. Delivery - Ransomware uses social engineering and spear phishing to lure users into clicking on links, mostly through emails (links or attachments) and browsers. These 2 methods are confirmed to be the case 99% of the time.
2. Payload - Once users click on the link, it executes some sort of script. It could be an exe or vbs or js or scr etc. Once it executes (automatically, in the background, you don't see this) it downloads the Ransomware and delivers the payload (infection).

SBGuard protects against that 1st stage. It will restrict hundreds of actions Ransomware performs to try and deliver the payload. For example, it will not allow certain file types to run from certain locations. It will prevent fake file types (for example pdf.exe). It will protect from running macros automatically within documents etc.

So, if you try and test it by running Ransomware from your desktop or USB, it will not protect against it. In real life, if you get to the point that Ransomware files sit freely on your desktop ready to be run, you have bigger problems. Remember, YOU NEED A REPUTABLE ANTIVIRUS RUNNING TOGETHER WITH SBGUARD. Once SBGuard blocks the delivery, that behaviour should be caught by your Antivirus and quarantined.

How do we know Ransomware patterns? We have spent a lot of time on research, testing, reverse engineering etc. We also regularly receive Ransomware technical deep dives from awarded Security vendors.

Example of the above explanation. A user gets a phishing email. They click on the link, which takes them to a web page where JavaScript (for example) deploys an executable onto the user's computer. These executables can be various file types. For example exe, com, cmd, bat, js, jse, scr etc.

These files get deployed on the user's computer and once automatically executed, they will deploy Ransomware. SBGuard injects rules into Windows that prevent the above and similar files from executing and delivering Ransomware. Now, you can't just disable those extensions, you need to target the locations from where these files can execute. For example, most of them like to do it from %TEMP% or %APPDATA%. These are just 2 examples; we have included around 700 possible location and file type combinations. Once the payload is blocked by SBGuard rules, the computer's antivirus should pick up this behavior and quarantine it. The above is protection against delivery; there are other rules included that block creation of certain files completely, disable certain processes used by Ransomware etc. Hope this makes more sense. Any questions, please let us know: sbguard@sydneybackups.com.au
Thanks for clearing things up, it's not my cup of tea, but it does sound like a useful tool. But have you guys tested it against legit tools, will it often block the installation? That's what I'm mostly worried about.
We have been running SBGuard in production for some time now and so far, apart from Teamviewer (some say it works for them), Spotify and some Norton products, we haven't had any other issues. We are working on a whitelist feature though. Until that's completed, we recommend watching the event log if you believe something legit is blocked, then disable protection, run it again, and enable protection. Unfortunately we have to compromise a bit to get the best out of it, but as I have said, we are working on a whitelisting feature. Cheers
We are still working out a good solution to implement whitelisting. The reason why we can't put in a default list of popular programs is because the bad guys can impersonate these to try to trick SBGuard and infect the system. We need to have a smarter solution than that. We are thinking of having popups upon detection and asking the user to block or allow, but then we may put non-computer-savvy, most vulnerable users at a disadvantage by forcing a non-educated choice which, if mistaken, can ruin it all... Suggestions welcome.
Someone in some forum has mentioned a Norton Password Manager or something similar not working with SBGuard enabled. Except for Teamviewer, we haven't had any issues. But even with Teamviewer, we disabled protection, ran Teamviewer again and re-enabled it. Done.
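The two ideas the developer describes, blocking launch-type files from staging folders such as %TEMP% and %APPDATA% and catching fake double extensions like pdf.exe, together with the whitelisting worry that a malicious file could impersonate a trusted program, as an added illustration (this is not SBGuard's code; the rule set, the user "alice" and the sample file bytes are constructed, and the allowlist is keyed by the file's SHA-256 rather than its name so a renamed payload gains nothing):

```python
import hashlib
import ntpath

# Constructed rules in the spirit of the post: launch-type extensions that may
# not run from user-writable staging folders. The product's ~700 real rules are
# not public, so these are assumptions for illustration only.
LAUNCH_EXTS = {".exe", ".com", ".cmd", ".bat", ".js", ".jse", ".scr", ".vbs"}
DOCUMENT_EXTS = {".pdf", ".doc", ".docx", ".xls", ".xlsx", ".jpg", ".txt"}
# Resolved forms of %TEMP% and %APPDATA% for a constructed user "alice".
STAGING_DIRS = [r"C:\Users\alice\AppData\Local\Temp",
                r"C:\Users\alice\AppData\Roaming"]


def has_double_extension(path):
    """True for names like invoice.pdf.exe: a document extension hiding a launch type."""
    base, last = ntpath.splitext(ntpath.basename(path))
    _, inner = ntpath.splitext(base)
    return last.lower() in LAUNCH_EXTS and inner.lower() in DOCUMENT_EXTS


def in_staging_dir(path):
    """Case-insensitive prefix match, so C:\\Users\\Alice\\... still counts."""
    p = ntpath.normpath(path).lower()
    return any(p.startswith(ntpath.normpath(d).lower() + "\\") for d in STAGING_DIRS)


def decide(path, content, allowed_hashes=frozenset()):
    """Return (verdict, reason) for launching the file at `path` with bytes `content`.

    The exception list is keyed by SHA-256 of the file bytes, not the file name,
    so a payload renamed to TeamViewer.exe cannot borrow a trusted program's pass.
    """
    if has_double_extension(path):
        return "BLOCK", "double extension"
    if ntpath.splitext(path)[1].lower() in LAUNCH_EXTS and in_staging_dir(path):
        if hashlib.sha256(content).hexdigest() in allowed_hashes:
            return "ALLOW", "hash allowlisted"
        return "BLOCK", "launch type in staging folder"
    return "ALLOW", "no rule matched"


# Constructed sample: the bytes stand in for a trusted installer's real binary.
TRUSTED = b"constructed trusted installer bytes"
ALLOWED = frozenset({hashlib.sha256(TRUSTED).hexdigest()})

if __name__ == "__main__":
    for p, c in [(r"C:\Users\alice\AppData\Local\Temp\invoice.pdf.exe", b"payload"),
                 (r"C:\Users\alice\AppData\Local\Temp\setup.exe", TRUSTED),
                 (r"C:\Users\alice\AppData\Local\Temp\TeamViewer.exe", b"renamed")]:
        print(p, "->", decide(p, c, ALLOWED))
```

The same staging-folder rule also explains the Process Explorer complaint later in this thread: a 64-bit image extracted into %TEMP% matches it regardless of who wrote the file.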
But if I'm correct, you said that normally speaking it won't interfere with app installs. So why is there then a need to implement a white-list? What exactly needs to be white-listed? I'm a bit confused, sorry about that.
No need to be sorry, it's a valid question. Some people say it blocks certain applications, although we can't confirm that as we haven't had any issues. Before we make a whitelist feature we are trying to get feedback from people about the legit programs SBGuard blocks. So far, we haven't got any specific reports. If anyone has any feedback please send it to us. If you feel something legit is blocked, you can click on the Event Log button that will show you a log list of blocks.
OK I see. I'm sorry I can't help you with this, because I'm not keen on testing new security tools on my main working machine. I've also chosen not to install a virtual machine, but perhaps I can still test it with Sandboxie, I will check it out.
It seems to apply some general block policy for executables in the Temporary folder, because Process Explorer refuses to run with an error:

---------------------------
Process Explorer
---------------------------
Unable to extract 64-bit image.
Run Process Explorer from a writeable directory.
---------------------------
OK
---------------------------

ProcExp64.exe does get extracted but it doesn't get to run. Also, asking for a name and e-mail every time one wants to download is very annoying. I realize you want to have a database of users to send your newsletter to or maybe even sell to spammers, but still...
There is a solution for that. Disable SB, run Process Explorer, go to the temp folder and copy ProcExp64 to the Process Explorer folder. Enable SB.
I have been doing this long before SBGuard, simply because I prefer to launch the 64-bit process directly. However, I still consider this to be unnecessary hassle.
I've tested SBGuard, and most apps will install correctly, but some won't. I couldn't install: Privacy Eraser, Thunderbird and Opera 12.18. That's why I'm not into these types of tools.
Does that mean SBGuard will block most South Korean online games from launching, as they need to be launched from the official website? Or Battlefield 4?
"So, if you try and test it by running Ransomware from your desktop, or USB, it will not protect against it. In real life, if you get to the point that Ransomware files sit freely on your desktop and ready to be run, you have bigger problems. Remember, YOU NEED A REPUTABLE ANTIVIRUS RUNNING TOGETHER WITH SBGUARD. Once SBGuard blocks the delivery, that behaviour should be caught by your Antivirus and quarantined."

If you go to their homepage and watch the video of it working when enabled, they run TeslaCrypt from their desktop.

World’s first most complete, actively updated Ransomware prevention tool that protects your Windows PC against all known Ransomware malware, such as CryptoLocker, CryptoWall, TeslaCrypt, CryptoXXX, CTB-Locker, Zepto and many others.
https://www.sydneybackups.com.au/wp-content/uploads/2016/09/sbguard_1_4_5.jpg

How it works
By enabling protection, SBGuard Anti-Ransomware injects a large number of restriction mechanisms and modifies some core Windows components to prevent malicious behaviours and executions which Ransomware viruses use to infect the system. As new Ransomware viruses are released, the SBGuard team will work hard and fast to protect against any new sneaky techniques these malicious programs use.

SBGuard Anti-Ransomware ENABLED - TeslaCrypt example test
https://www.youtube.com/watch?v=T3-2RZT3F6Y
http://sbguard.net/downloads/ifkd8nqv1vg1ojtrozyt9slt/SBGuardsetup.exe