SBGuard

Discussion in 'other anti-malware software' started by LM1, Aug 31, 2016.

  1. LM1

    LM1 Registered Member

    Joined:
    Nov 7, 2004
    Posts:
    40
  2. ichito

    ichito Registered Member

    Joined:
    Jan 14, 2011
    Posts:
    1,997
    Location:
    Poland - Cracow
  3. Overkill

    Overkill Registered Member

    Joined:
    Mar 16, 2012
    Posts:
    2,343
    Location:
    USA
    Read here... Cruelsister knows what she's talking about, she is very experienced in malware testing
     
  4. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    17,546
    Location:
    The Netherlands
    No surprise, I'm not feeling these types of policy-based tools. And don't forget that you might have to disable it to install legit apps, so there is no protection during install.
     
  5. SBGuard

    SBGuard Registered Member

    Joined:
    Sep 4, 2016
    Posts:
    6
    Location:
    Sydney
    Version 1.4 beta available for download.
    If anyone is interested to have a look at and play with version 1.4 beta you can download it here:


    www.sydneybackups.com.au/downloads/sbguard-1-4-beta/SBGuardsetup1_4_beta.exe


    We have added a bunch of new restrictions and changes to existing ones. Also added some requested features.


    Feedback and ideas are welcome, for which you will be included in the contributors list.
    sbguard@sydneybackups.com.au

    Cheers
     
    Last edited by a moderator: Sep 4, 2016
  6. SBGuard

    SBGuard Registered Member

    Joined:
    Sep 4, 2016
    Posts:
    6
    Location:
    Sydney
    We would like to shed some light on how SBGuard Anti-Ransomware works. There may have been some misunderstanding about how it protects, hence Cruelsister's bad feedback.
    Ransomware has 2 stages before it infects and encrypts:
    1. Delivery - Ransomware uses social engineering and spear phishing to lure users to click on links, mostly through emails (links or attachments) and browsers. These 2 methods are confirmed to be the case 99% of the time.
    2. Payload - Once users click on the link, it executes some sort of script. It could be an exe or vbs or js or scr etc. Once it executes (automatically in the background, you don't see this) it downloads Ransomware and delivers the payload (infection).

    SBGuard protects that 1st stage. It will restrict hundreds of actions Ransomware performs to try and deliver the payload.
    For example it will not allow certain file types to run from certain locations. It will prevent fake file types (for example pdf.exe). It will protect from running macros automatically within documents etc.

    So, if you try and test it by running Ransomware from your desktop, or usb, it will not protect it. In real life, if you get to the point that Ransomware files sit freely on your desktop and ready to be run, you have bigger problems. Remember, YOU NEED A REPUTABLE ANTIVIRUS RUNNING TOGETHER WITH SBGUARD.
    Once SBGuard blocks the delivery, that behaviour should be caught by your Antivirus and quarantined.

    How do we know Ransomware patterns? We have spent a lot of time on research, testing, reverse engineering etc. We also regularly receive Ransomware technical deep dives from awarded Security vendors.

    Example of the above explanation.
    User gets a phishing email. Clicks on the link which takes them to a web page where javascript (for example) deploys an executable onto the user's computer.
    These executables can be various file types. For example exe, com, cmd, bat, js, jse, scr etc. These files get deployed on the user's computer and once automatically executed, they will deploy Ransomware.
    SBGuard injects rules into Windows that prevent the above and similar files from executing and delivering Ransomware. Now, you can't just disable those extensions, you need to target locations from where these files can execute. For example, most of them like to do it from %TEMP% or %APPDATA%. These are just 2 examples, we have included around 700 possible location and file type combinations. Once the payload is blocked by SBGuard rules, the computer's antivirus should pick up this behavior and quarantine it.
    The above is protection against delivery, there are other rules included that block creation of certain files completely, disabling certain processes used by Ransomware etc.
    Hope this makes more sense.

    Any questions please let us know:
    sbguard@sydneybackups.com.au
     
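    The location-plus-file-type rules described above, as an added illustration written for this thread (not SBGuard's code, whose ~700 rules are not public): a small Python policy evaluator with a constructed rule table covering two restricted locations, a set of script/binary extensions, the "fake document type" case (pdf.exe), and an event log of what was blocked, so the reader can see why an executable launched from %TEMP% is refused while the same file under Program Files runs. The user profile path and the extension lists are assumptions.

```python
import ntpath
from dataclasses import dataclass

# Constructed rule table modelled on the location/file-type combinations the post
# describes. SBGuard's real ~700 rules are not public; these values are assumptions.
RESTRICTED_LOCATIONS = {
    "TEMP": r"C:\Users\alice\AppData\Local\Temp",
    "APPDATA": r"C:\Users\alice\AppData\Roaming",
}
SCRIPT_AND_BINARY_EXTS = {".exe", ".com", ".cmd", ".bat", ".js", ".jse", ".scr", ".vbs"}
DOCUMENT_EXTS = {".pdf", ".doc", ".docx", ".xls", ".xlsx", ".txt", ".jpg"}
EVENT_LOG: list = []  # what a user would review to find a legitimate program that was blocked


@dataclass
class Verdict:
    allowed: bool
    reason: str


def normalise(path: str) -> str:
    """Expand the constructed %VAR% placeholders and canonicalise as a Windows path."""
    for name, value in RESTRICTED_LOCATIONS.items():
        path = path.replace(f"%{name}%", value)
    return ntpath.normpath(path).lower()


def evaluate(path: str) -> Verdict:
    """Decide whether launching `path` would be permitted under the constructed rules."""
    full = normalise(path)
    name = ntpath.basename(full)
    parts = name.split(".")
    ext = "." + parts[-1] if len(parts) > 1 else ""
    verdict = Verdict(True, "no matching restriction")
    # Rule 1: a document extension hiding a script/binary extension (invoice.pdf.exe)
    if len(parts) > 2 and "." + parts[-2] in DOCUMENT_EXTS and ext in SCRIPT_AND_BINARY_EXTS:
        verdict = Verdict(False, f"fake document type: {name}")
    # Rule 2: script/binary type launched from a restricted location or any subfolder of it
    elif ext in SCRIPT_AND_BINARY_EXTS:
        for label, location in RESTRICTED_LOCATIONS.items():
            if full.startswith(ntpath.normpath(location).lower() + "\\"):
                verdict = Verdict(False, f"{ext} launched from %{label}%")
                break
    if not verdict.allowed:
        EVENT_LOG.append((path, verdict.reason))
    return verdict


if __name__ == "__main__":
    for p in [r"%TEMP%\ProcExp64.exe", r"C:\Program Files\Mozilla Firefox\firefox.exe",
              r"%APPDATA%\invoice.pdf.exe", r"%TEMP%\report.pdf"]:
        v = evaluate(p)
        print(f"{'ALLOW' if v.allowed else 'BLOCK':5} {p}  ({v.reason})")
```

    The same evaluation explains the trade-off discussed later in the thread: any legitimate installer or tool that self-extracts into %TEMP% hits Rule 2, which is exactly what the event log is there to reveal.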
  7. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    17,546
    Location:
    The Netherlands
    Thanks for clearing things up, it's not my cup of tea, but it does sound like a useful tool. But have you guys tested it against legit tools, will it often block the installation? That's what I'm mostly worried about.
     
  8. SBGuard

    SBGuard Registered Member

    Joined:
    Sep 4, 2016
    Posts:
    6
    Location:
    Sydney
    We have been running SBGuard in production for some time now and so far apart from Teamviewer (some say it works for them), Spotify and some Norton products, we haven't had any other issues. We are working on a whitelist feature though. Until that's completed, we recommend watching the event log if you believe something legit is blocked, then disable protection, run it again, and enable protection. Unfortunately we have to compromise a bit to get the best out of it, but as I have said, we are working on a whitelisting feature. Cheers
     
  9. bjm_

    bjm_ Registered Member

    Joined:
    May 22, 2009
    Posts:
    4,453
    Location:
    .
    Which Norton products...and what issues with Norton...?
     
    Last edited: Sep 5, 2016
  10. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    17,546
    Location:
    The Netherlands
    But what will this look like? Will you make a whitelist of popular apps or something?
     
  11. SBGuard

    SBGuard Registered Member

    Joined:
    Sep 4, 2016
    Posts:
    6
    Location:
    Sydney
    We are still working out a good solution to implement whitelisting. The reason why we can't put a default list of popular programs is because the bad guys can impersonate these to try to trick SBGuard and infect the system. We need to have a smarter solution than that.
    We are thinking of having popups upon detection and asking a user to block or allow, but then we may disadvantage non-computer-savvy, most vulnerable users, to make a non-educated choice which if mistaken can ruin it all... Suggestions welcome.
     
  12. SBGuard

    SBGuard Registered Member

    Joined:
    Sep 4, 2016
    Posts:
    6
    Location:
    Sydney
    Someone in some forum has mentioned a Norton Password Manager or something similar not working with SBGuard enabled.
    Except for Teamviewer, we haven't had any issues. But even with Teamviewer, we disabled protection, ran Teamviewer again and re-enabled it back. Done.
     
  13. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    17,546
    Location:
    The Netherlands
    But if I'm correct, you said that normally speaking it won't interfere with app installs. So why is there then a need to implement a white-list? What exactly needs to be white-listed? I'm a bit confused, sorry about that.
     
  14. SBGuard

    SBGuard Registered Member

    Joined:
    Sep 4, 2016
    Posts:
    6
    Location:
    Sydney
    No need to be sorry, it's a valid question. Some people say it blocks certain applications, although we can't confirm that as we haven't had any issues.
    Before we make a whitelist feature we are trying to get feedback from people about the legit programs SBGuard blocks. So far, we haven't got any specific reports. If anyone has any feedback please send it to us. If you feel something legit is blocked, you can click on the Event Log button that will show you a log list of blocks.
     
  15. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    17,546
    Location:
    The Netherlands
    OK I see. I'm sorry I can't help you with this, because I'm not keen on testing new security tools on my main working machine. I've also chosen not to install a virtual machine, but perhaps I can still test it with Sandboxie, I will check it out.
     
  16. Night_Raven

    Night_Raven Registered Member

    Joined:
    Apr 2, 2006
    Posts:
    388
    It seems to apply some general block policy for executables in the Temporary folder, because Process Explorer refuses to run with an error:

    ---------------------------
    Process Explorer
    ---------------------------
    Unable to extract 64-bit image. Run Process Explorer from a writeable directory.
    ---------------------------
    OK
    ---------------------------

    ProcExp64.exe does get extracted but it doesn't get to run.

    Also, asking for a name and e-mail every time one wants to download is very annoying. I realize you want to have a database of users to send your newsletter to or maybe even sell to spammers but still...
     
  17. Djigi

    Djigi Registered Member

    Joined:
    Aug 13, 2012
    Posts:
    554
    Location:
    Croatia
    There is a solution for that.
    Disable SB, run Proc. Explorer, go to the temp folder and copy ProcExp64 to the Proc Explorer folder.
    Enable SB ;).
     
  18. Night_Raven

    Night_Raven Registered Member

    Joined:
    Apr 2, 2006
    Posts:
    388
    I have been doing this long before SBGuard, simply because I prefer to launch the x64-bit process directly. However, I still consider this to be unnecessary hassle.
     
  19. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    17,546
    Location:
    The Netherlands
    I've tested SBGuard, and most apps will install correctly, but some won't. I couldn't install: Privacy Eraser, Thunderbird and Opera 12.18. That's why I'm not into these types of tools.
     
  20. paulderdash

    paulderdash Registered Member

    Joined:
    Dec 27, 2013
    Posts:
    4,639
    Location:
    Under a bushel ...
    Is this product still being developed? Wondering how it now compares to CryptoPrevent v8.
     
  21. coolcfan

    coolcfan Registered Member

    Joined:
    Nov 1, 2008
    Posts:
    130
    Does that mean SBGuard will block most South Korean online games from launching, as they need to be launched from the official website?

    Or Battlefield 4?
     
  22. boredog

    boredog Registered Member

    Joined:
    Feb 1, 2015
    Posts:
    2,499
    "So, if you try and test it by running Ransomware from your desktop, or usb, it will not protect it. In real life, if you get to the point that Ransomware files sit freely on your desktop and ready to be run, you have bigger problems. Remember, YOU NEED A REPUTABLE ANTIVIRUS RUNNING TOGETHER WITH SBGUARD.
    Once SBGuard blocks the delivery, that behaviour should be caught by your Antivirus and quarantined."

    If you go to their homepage and watch the video of it working when enabled, they run TeslaCrypt from their desktop. :eek:
     
  23. liba

    liba Registered Member

    Joined:
    Jan 21, 2016
    Posts:
    344
    World’s first most complete, actively updated Ransomware prevention tool that protects your Windows PC against all known Ransomware malware, such as CryptoLocker, CryptoWall, TeslaCrypt, CryptoXXX, CTB-Locker, Zepto and many others.

    https://www.sydneybackups.com.au/wp-content/uploads/2016/09/sbguard_1_4_5.jpg

    How it works
    By enabling protection, SBGuard Anti-Ransomware injects a large number of restriction mechanisms and modifies some core Windows components to prevent malicious behaviours and executions which Ransomware viruses use to infect the system. As new Ransomware viruses are released, SBGuard team will work hard and fast to protect against any new sneaky techniques these malicious programs use.

    SBGuard Anti-Ransomware ENABLED - TeslaCrypt example test

    https://www.youtube.com/watch?v=T3-2RZT3F6Y

    http://sbguard.net/downloads/ifkd8nqv1vg1ojtrozyt9slt/SBGuardsetup.exe
     
  24. Peter2150

    Peter2150 Global Moderator

    Joined:
    Sep 20, 2003
    Posts:
    20,590
    I've read the vendors explanations about how it should be tested. It will never go near my systems.
     
  25. clubhouse1

    clubhouse1 Registered Member

    Joined:
    Sep 26, 2013
    Posts:
    1,124
    Location:
    UK
    Hasn't been updated since August last year, shame it looked to have potential.
     