Secure Folders to protect folders (and use as anti-executable)

Discussion in 'other anti-malware software' started by Windows_Security, Oct 21, 2014.

  1. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    17,559
    Location:
    The Netherlands
    No, the folder should be locked instead of read only.
     
  2. Djigi

    Djigi Registered Member

    Joined:
    Aug 13, 2012
    Posts:
    554
    Location:
    Croatia
    I just tested in VirtualBox, Win 7_x64.
    Explorer.exe added to trusted apps, folder set to Lock.
    Files are protected. :thumb:
     


  3. majoMo

    majoMo Registered Member

    Joined:
    Aug 31, 2007
    Posts:
    994
    Thanks Djigi for your tests and useful info.

    :thumb:
     
  4. Djigi

    Djigi Registered Member

    Joined:
    Aug 13, 2012
    Posts:
    554
    Location:
    Croatia
    No problem ;).

    @Rasheed187
    Hope that the was good.
     
  5. CHEFKOCH

    CHEFKOCH Registered Member

    Joined:
    Aug 29, 2014
    Posts:
    395
    Location:
    Swiss
    In the meantime I tested
    * Secure Folder
    * Folder Lock

    Both suffer from a WinPE bypass. Can someone, maybe Djigi, test and report back? Because if that also works, then this means the software is useless and only VeraCrypt or encryption in general seems effective.
     


  6. Djigi

    Djigi Registered Member

    Joined:
    Aug 13, 2012
    Posts:
    554
    Location:
    Croatia
    Why don't you make a test?
    If it is a problem I may try, just tell me what to do and how.
     
  7. @CHEFKOCH. When software uses Windows security mechanisms, how can it protect when you bypass the Windows Preinstalled Environment?

    Reminds me of that Swiss farmer who I met some time ago. He told me he used special anti-elephant seed to protect the Swiss cows and enlarge the holes in the Swiss cheese. I said to him, but there are no elephants over here. He said: "exactly, great stuff, ay".
     
    Last edited by a moderator: Mar 5, 2016
  8. CHEFKOCH

    CHEFKOCH Registered Member

    Joined:
    Aug 29, 2014
    Posts:
    395
    Location:
    Swiss
    I don't have any dl link and the page seems to be offline once and for all, so I can't test.
    Well, I agree with the statement that if it uses a Windows mechanism it can possibly be bypassed with external stuff, but then they should clearly mention it on their homepages and not fool/betray people who paid for it.

    Btw, not all of Windows' own mechanisms are bypassable, especially not with WinPE.
     
  9. Got confused about your remark about paying for it (since Secure Folders is free). I now see you tested Secure Folder without the S (I thought you were complaining about SecureFolderS). So my response was inappropriate, sorry.
     
  10. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    17,559
    Location:
    The Netherlands
    Very weird, so my theory was wrong. Can you still access folders and modify files when explorer.exe is trusted while in lock mode? Because like I said, SF is not designed to block code injection, so you would think it would fail.
     
  11. Djigi

    Djigi Registered Member

    Joined:
    Aug 13, 2012
    Posts:
    554
    Location:
    Croatia
    I can modify/delete/rename files when the settings are like this.
     


  12. Djigi

    Djigi Registered Member

    Joined:
    Aug 13, 2012
    Posts:
    554
    Location:
    Croatia
    UPDATE:
    I have now run a new CTB-Locker with the settings above and it encrypted all files o_O
     


  13. Djigi

    Djigi Registered Member

    Joined:
    Aug 13, 2012
    Posts:
    554
    Location:
    Croatia
    UPDATE 2:
    The machine above was already infected, so I returned the snapshot to a clean state and ran the test again.
    Now it is protected...funny...I have to test a little more.
    It would be nice if someone else did a similar test.
     


  14. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    17,559
    Location:
    The Netherlands
    If explorer.exe can modify files, then ransomware can also do this, so this is no surprise. Perhaps you didn't test it correctly the first time. In other words, only the "read only" option would protect your files. But this would be inconvenient for me.

    End conclusion: It's better to use dedicated anti-ransom software combined with folder protection. Protection against the "hollow process" code injection method also helps. HMPA offers this, while SpyShelter does not.
     
  15. Djigi

    Djigi Registered Member

    Joined:
    Aug 13, 2012
    Posts:
    554
    Location:
    Croatia
  16. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    17,559
    Location:
    The Netherlands
    I'm not sure what to think. It's best to use a clean VM and run all of your samples again. If ransomware is not using explorer.exe to do the encrypting, then SF should pass the test. But if not, it should fail.
     
  17. Mr.X

    Mr.X Registered Member

    Joined:
    Aug 10, 2013
    Posts:
    4,814
    Location:
    .
    I agree with you, fully.

    For that reason I don't allow or trust any program and locked a whole USB drive which I don't want to be plugging in and out, so I think it would be safe (not really tested).
    And for this latter reason there's a need for more SecureFolders development to have more granular control for trusted programs, files, folders and drives.
     
  18. Djigi

    Djigi Registered Member

    Joined:
    Aug 13, 2012
    Posts:
    554
    Location:
    Croatia
    I said that the snapshot was returned to a clean state and that SF did protect the files.
    I'm testing it right now and SF is protecting files.
     
  19. Mr.X

    Mr.X Registered Member

    Joined:
    Aug 10, 2013
    Posts:
    4,814
    Location:
    .
    Well, SecureFolders is protecting because explorer.exe hasn't been exploited...
     
  20. Djigi

    Djigi Registered Member

    Joined:
    Aug 13, 2012
    Posts:
    554
    Location:
    Croatia
    Now for sure, I can certainly confirm that SF is not protecting Locked files if Explorer.exe is placed under Trusted apps.
     


  21. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    17,559
    Location:
    The Netherlands
    This is what I expected.
     
  22. Djigi

    Djigi Registered Member

    Joined:
    Aug 13, 2012
    Posts:
    554
    Location:
    Croatia
    Also, if the folder is set to Read-Only it can be encrypted by CTB-Locker.
     


  23. Mr.X

    Mr.X Registered Member

    Joined:
    Aug 10, 2013
    Posts:
    4,814
    Location:
    .
    How about in Lock mode with no Trusted Applications?
     
  24. Djigi

    Djigi Registered Member

    Joined:
    Aug 13, 2012
    Posts:
    554
    Location:
    Croatia
    Protected :thumb:
     


  25. Mr.X

    Mr.X Registered Member

    Joined:
    Aug 10, 2013
    Posts:
    4,814
    Location:
    .
    Same as I suspected, thanks a lot.
     