Secure Folders to protect folders (and use as anti-executable)

Discussion in 'other anti-malware software' started by Windows_Security, Oct 21, 2014.

  1. Mr.X

    Mr.X Registered Member

    Joined:
    Aug 10, 2013
    Posts:
    4,807
    Location:
    .
    You're welcome and thanks for your explanation on how Secure Folders works, yet my other questions aren't answered:

    I locked a whole USB drive with X:\ letter.
    1. I'm wondering if a malware, especially cryptomalware, could be able to change the drive letter to have access to it? In case it has the power/ability to run despite any security measure.
    2. If so, could that malware make use of diskmgmt.msc to attempt to change the letter?
    3. Is it possible for malware to accomplish that by any means other than diskmgmt.msc?
    4. If so, those other means can circumvent Secure Folders protection?
     
  2. Mr.X
  3. Mr.X
    Yes. Anyway I added C:\Windows\System32\diskpart.exe to Vulnerable Processes in ERP. Thanks a lot.

    Any other means to change drive letter? :D
     
  4. Mr.X
    Added to Vulnerable Processes too, thanks a lot.
     
  5. Buddel

    Buddel Registered Member

    Joined:
    Apr 28, 2015
    Posts:
    1,944
    Mister X, you seem to appreciate Secure Folders as much as I do. Thank you very much for your investigative questions, most/all of which have not been answered yet. Maybe some program guy will drop by who continues where the Secure Folders guy stopped a year or so ago.
     
  6. paulderdash

    paulderdash Registered Member

    Joined:
    Dec 27, 2013
    Posts:
    4,644
    Location:
    Under a bushel ...
    Both added. I also use SF whole drive protection on backup drives in the hope this will protect against possible ransomware encryption. Also thanks for the investigative questions @Mister X. And solutions @Dzp5t !
    No source code so he will have to start from the ground up. But Kees's post #226 is enlightening in this regard.
     
  7. @Dzp5t great answers, you need to have UAC on full though (on default UAC allows Windows binaries).

    @Mister X @paulderdash Note that I said seems to work (my guess is based on grey box testing, not on reverse code engineering).

    Telling someone to ease up NVT on Wilders is like "calling names in a church", but setting up NVT so that it auto-allows on Windows & Program Files and auto-allows trusted vendors in user folders will make NVT+SecureFolders a quiet no pop-up solution.
     
  8. When using SecureFolders with another Anti-Executable or Software Restriction Policy
    - run Office apps in a limited user sandbox (no-execution)
    - protect personal folders/data partition (read-only)

    [screenshot: upload_2016-1-30_12-16-50.png]

    Allow Windows Explorer and Office Applications access

    [screenshot: upload_2016-1-30_12-19-44.png]
     
  9. Yes, you are right.
     
  10. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    17,559
    Location:
    The Netherlands
  11. Mr.X
    Thanks! Could someone qualified check it out? Please, @anyone? And open a new thread.
     
  12. hjlbx

    hjlbx Guest

    @Mister X

    Secure Folders is not the same as SubiSoft Secure Folder; you will not want it.
     
  13. Mr.X
    Yes, I was skimming that website and don't like it; it seems to have a lot of features I don't need.
     
  14. itman

    itman Registered Member

    Joined:
    Jun 22, 2010
    Posts:
    8,593
    Location:
    U.S.A.
    If there is a rootkit element to the malware, the answer is yes.

    You can use the old Comodo Leak Test(CLT) to test with. Test no. 4 of the rootkit series of tests is titled "ChangeDrvPath." Almost everyone fails that test.
     
  15. Mr.X
    Thanks for your reply.
    Yes, it failed. But is this test related to my question about malware changing the drive letter (not the driver path)? Look:
     
  16. hjlbx

    hjlbx Guest

    I would think the drive letter is integral to its path within the Windows file system, but, of course, things IT are not always based on common sense... LOL.
     
  17. itman
    To me, the result is one and the same. However, using a rootkit to change the path via a driver is much more effective since the activity would be completely hidden. Also this technique defeats most conventional security products.
     
  18. Mr.X
    So if I have drive X:\ protected by Secure Folders or any other security product, and a very clever cryptomalware detects X:\ as a protected drive, then it could change the letter to any other and encrypt my files. This is absolutely nasty and scary.
     
  19. itman
  20. Mr.X
    Alright, I can see there could be many ways to circumvent the already in-place Windows mechanisms (diskpart and diskmgmt.msc) to change them. But if malware should be able to install its own mechanisms to change drive paths/letters, then I think ERP should be able to stop that.
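
    The following is an added example for this thread, not code from Secure Folders, NVT ERP or any of the posters. It answers the "any other means to change the drive letter?" question at the lowest level: a drive letter is only an object-manager symbolic link to a \Device\HarddiskVolumeN device, and the DefineDosDevice() Win32 API lets any process create a second letter for the same device with no diskpart.exe, diskmgmt.msc or mountvol.exe involved. The script then checks, grey-box style like the posters did, whether a rule configured for X: still holds when the same volume is reached through the new letter. Assumptions (not stated in the thread): X: is the Secure Folders-protected volume, Y: is unused, the session is Windows PowerShell 5.1, and on some systems elevation is needed for a raw-target DOS device.

```powershell
# Added example (not from the thread or from Secure Folders): show that a
# drive letter is an alias for a volume device, alias the protected volume
# under a second letter via DefineDosDevice(), and probe whether the
# protection is bound to the letter or to the volume.
# Assumed defaults: X: = protected volume, Y: = free letter.
param(
    [string]$Protected = 'X',
    [string]$Alias     = 'Y'
)

Add-Type -Namespace Win32 -Name DosDev -MemberDefinition @'
[DllImport("kernel32.dll", CharSet = CharSet.Unicode, SetLastError = true)]
public static extern uint QueryDosDevice(string name, System.Text.StringBuilder target, uint max);

[DllImport("kernel32.dll", CharSet = CharSet.Unicode, SetLastError = true)]
public static extern bool DefineDosDevice(uint flags, string name, string target);
'@
$DDD_RAW_TARGET_PATH       = 0x1
$DDD_REMOVE_DEFINITION     = 0x2
$DDD_EXACT_MATCH_ON_REMOVE = 0x4

function Get-LastWin32Error { [Runtime.InteropServices.Marshal]::GetLastWin32Error() }

# 1. Resolve the letter to the kernel device name that every file open on
#    X:\ is translated to (e.g. \Device\HarddiskVolume4).
$buf = New-Object System.Text.StringBuilder 1024
if ([Win32.DosDev]::QueryDosDevice("${Protected}:", $buf, [uint32]$buf.Capacity) -eq 0) {
    throw "QueryDosDevice failed for ${Protected}: (Win32 error $(Get-LastWin32Error))"
}
$device = $buf.ToString()
Write-Host "${Protected}: -> $device"

# 2. Point a second letter at the same device. This is a plain API call from
#    inside the current process; no Windows utility is launched.
if (-not [Win32.DosDev]::DefineDosDevice($DDD_RAW_TARGET_PATH, "${Alias}:", $device)) {
    throw "DefineDosDevice failed for ${Alias}: (Win32 error $(Get-LastWin32Error))"
}

try {
    # 3. Probe through the alias with Win32 file I/O via .NET, so the
    #    PowerShell provider's cached drive list does not get in the way.
    $probe = "${Alias}:\sf_probe_$([guid]::NewGuid().ToString('N')).txt"
    try {
        [System.IO.File]::WriteAllText($probe, 'probe')
        [System.IO.File]::Delete($probe)
        Write-Warning "write via ${Alias}: succeeded: the rule is bound to the letter, not to $device"
    } catch {
        Write-Host "write via ${Alias}: blocked ($($_.Exception.GetType().Name)): the rule follows the volume"
    }
} finally {
    # 4. Always remove the extra letter again.
    [void][Win32.DosDev]::DefineDosDevice(
        $DDD_RAW_TARGET_PATH -bor $DDD_REMOVE_DEFINITION -bor $DDD_EXACT_MATCH_ON_REMOVE,
        "${Alias}:", $device)
}
```

    Two things to take from the check. First, the alias is created by a function call inside the calling process, so adding diskpart.exe or diskmgmt.msc to a "Vulnerable Processes" list does not cover it; the same goes for the other built-in routes to a new letter, namely mountvol.exe, the Storage module's Set-Partition -NewDriveLetter, and the writable DriveLetter property of the Win32_Volume WMI class. An anti-executable helps here only in the sense the thread already assumes: by keeping the malware from running at all. Second, whether the write through Y: is blocked tells you whether the product keys its rules on the letter string or on the underlying volume; only the latter survives a letter change, which is the property the thread is asking about.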
     
  21. Djigi

    Djigi Registered Member

    Joined:
    Aug 13, 2012
    Posts:
    554
    Location:
    Croatia
    I read all 10 pages about this software.
    I have tested it in Win 7 and Win 10 and it protects very well against ransomware.
    The last test I made was vs Locky and SF did well.
    If you want, I could make a video test about that.
     

    Attached Files: 1.jpg (81.5 KB), 2.png (495.8 KB)
    Last edited: Feb 25, 2016
  22. EASTER

    EASTER Registered Member

    Joined:
    Jul 28, 2007
    Posts:
    11,126
    Location:
    U.S.A. (South)
    I have felt all along that it was plenty good enough for such bad malware but not actually tested it yet to be certain.

    Thanks for sharing your own results but when you say "SF did good" are you confirming it 100% stopped it cold?

    Thanks Again

    Regards, EASTER
     
  23. Djigi
    I'm not sure that I understand what you are saying, sorry?
     
  24. Mr.X
    It would be so nice if you could make it, please.
     
  25. Mr.X
    For the love of God, who is willing to take over this software or create a very close to similar one with the same power and don't abandon it. Sometimes I wish I was a developer, sigh. Not enough grey matter up there ... :D
     