Secure Folders to protect folders (and use as anti-executable)

Discussion in 'other anti-malware software' started by Windows_Security, Oct 21, 2014.

  1. Buddel

    Buddel Registered Member

    Joined:
    Apr 28, 2015
    Posts:
    1,944
    +1 :thumb:
     
  2. Djigi

    Djigi Registered Member

    Joined:
    Aug 13, 2012
    Posts:
    554
    Location:
    Croatia
    Any request what to test?
    I have so far tested only folders with "Read Only" setting and a little "No Execution"
     
  3. Mr.X

    Mr.X Registered Member

    Joined:
    Aug 10, 2013
    Posts:
    4,807
    Location:
    .
    Nothing special. Just do what you think is more threatening, like Locky and similar cryptomalware.
     
  4. Djigi

    Djigi Registered Member

    Joined:
    Aug 13, 2012
    Posts:
    554
    Location:
    Croatia
    I just tested another one and SF protected the folder (Read Only settings).
     

    Attached Files: sf.png
  5. EASTER

    EASTER Registered Member

    Joined:
    Jul 28, 2007
    Posts:
    11,126
    Location:
    U.S.A. (South)
    Very Nice.

    And thanks. This app seems SOLID as a rock and it's so stupid easy to enter settings and let it protect.
     
  6. Djigi

    Djigi Registered Member

    Joined:
    Aug 13, 2012
    Posts:
    554
    Location:
    Croatia
    Just to mention, this is the Portable version.
    It also protects the entire partition (e.g. D: :thumb: )
     
  7. Djigi

    Djigi Registered Member

    Joined:
    Aug 13, 2012
    Posts:
    554
    Location:
    Croatia
    When a folder is set to "Deny Execution", you can't run any executable in that folder, but you can rename or delete it with no problem.
     


  8. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    17,559
    Location:
    The Netherlands
    This is no surprise to me, because folder protection should be able to block access to private data. For example, SpyShelter also offers this. But it gets tricky when ransomware uses code injection to make trusted apps like explorer.exe perform the encryption. Does Locky use code injection?
     
  9. Djigi

    Djigi Registered Member

    Joined:
    Aug 13, 2012
    Posts:
    554
    Location:
    Croatia
    I didn't set any trusted apps in SF...
     

    Attached Files: 1.png
  10. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    17,559
    Location:
    The Netherlands
    OK I see, perhaps you can perform the test with explorer.exe being trusted. I wouldn't be surprised if SF would fail then. And do you use HIPS? If so, you can check if Locky makes use of code injection.
     
  11. Djigi

    Djigi Registered Member

    Joined:
    Aug 13, 2012
    Posts:
    554
    Location:
    Croatia
    I have one picture from today, when I ran Locky and was checking what was happening on the C: drive with a directory monitor program.
    Maybe it could help...
     


  12. hjlbx

    hjlbx Guest

    I suggest testing against these, if you can locate the sample types:
    • CTB Locker
    • TeslaCrypt
    • Ransom32 (javascript)
    • Locky
     
  13. hjlbx

    hjlbx Guest

    Which file system monitoring software do you use?
     
  14. Djigi

    Djigi Registered Member

    Joined:
    Aug 13, 2012
    Posts:
    554
    Location:
    Croatia
    OK, thanks.
    I did test all except Ransom32.

    2. I use Directory Monitor2
     
  15. hjlbx

    hjlbx Guest

    #2 - from South Africa !

    Now that is really rare !

    $149 US for PRO lifetime license !

    Still, looks interesting...
     
  16. hjlbx

    hjlbx Guest

    I tested SpSFW against CTB Locker. CTB executes Windows Explorer and svchost.exe. Even if you allow CTB file to execute explorer.exe and svchost.exe, the worst that happens is that the ransom screen files are downloaded from the net - and that harmless rubbish is on your system in AppData along with the start-up registry entry to display the ransom message; file encryption of designated protected folders does not occur.

    Same with other ransomware mechanisms.
     
  17. EASTER

    EASTER Registered Member

    Joined:
    Jul 28, 2007
    Posts:
    11,126
    Location:
    U.S.A. (South)
    Not bad.

    I still use an old Windows 98 program named FileChangeAlarm, which basically does exactly the same thing (sound alerts on events, logging, extensions etc. with details instantly the moment they happen) and more, absolutely FREE!

    It goes way back, but it's been a critical, vital file/folder monitoring tool for my malware testing and just general purpose tracking, and it works like a charm on ALL WINDOWS!

    This is a first introduction here on Wilders of it:
    https://www.wilderssecurity.com/threads/file-change-alarm-beta-6.760/
     
    Last edited: Feb 25, 2016
  18. Djigi

    Djigi Registered Member

    Joined:
    Aug 13, 2012
    Posts:
    554
    Location:
    Croatia
    ...I use free? version (portable)...:shifty:
     


  19. paulderdash

    paulderdash Registered Member

    Joined:
    Dec 27, 2013
    Posts:
    4,644
    Location:
    Under a bushel ...
    +1
     
  20. ichito

    ichito Registered Member

    Joined:
    Jan 14, 2011
    Posts:
    1,997
    Location:
    Poland - Cracow
    As I remember, if you run an app that is "new" for protected files/folders, you receive two alerts - first for explorer.exe and second for the specific app... so you can block the suspicious action.
     
  21. itman

    itman Registered Member

    Joined:
    Jun 22, 2010
    Posts:
    8,593
    Location:
    U.S.A.
    Free ver. won't log or identify the source process which is performing the modification: https://directorymonitor.com/compare.html . That's a "show stopper" for me. Also, the software is .Net based.
     
  22. Djigi

    Djigi Registered Member

    Joined:
    Aug 13, 2012
    Posts:
    554
    Location:
    Croatia
    I made a quick video about this program vs some Ransomware.
    Watch it here - CLICK
     
  23. Mr.X

    Mr.X Registered Member

    Joined:
    Aug 10, 2013
    Posts:
    4,807
    Location:
    .
    Thank you, nice video. Btw where did you get those right click options?
    • Scan with VirusTotal
    • Check File Hash
     
  24. Djigi

    Djigi Registered Member

    Joined:
    Aug 13, 2012
    Posts:
    554
    Location:
    Croatia
  25. Mr.X

    Mr.X Registered Member

    Joined:
    Aug 10, 2013
    Posts:
    4,807
    Location:
    .
    Done. It works great! Thank you.
     