Secure Folders to protect folders (and use as anti-executable)

Discussion in 'other anti-malware software' started by Windows_Security, Oct 21, 2014.

  1. Djigi

    Djigi Registered Member

    Joined:
    Aug 13, 2012
    Posts:
    554
    Location:
    Croatia
    No problem...and thank you for your signature where I saw this great program ;)
     
  2. Djigi

    Djigi Registered Member

    Joined:
    Aug 13, 2012
    Posts:
    554
    Location:
    Croatia
  3. Djigi

    Djigi Registered Member

    Joined:
    Aug 13, 2012
    Posts:
    554
    Location:
    Croatia
    Here is one similar program like this, it's made be the same guys who did Shadow Defender:
    Easy File Locker
     

    Attached Files:

  4. Overkill

    Overkill Registered Member

    Joined:
    Mar 16, 2012
    Posts:
    2,343
    Location:
    USA
    Have you tried this? how do you like it?
     
  5. Mr.X

    Mr.X Registered Member

    Joined:
    Aug 10, 2013
    Posts:
    4,796
    Location:
    .
    Nice finding thanks! :thumb:

    Although this is a showstopper for me, from FAQs:
    I use SecureFolders precisely to lock a whole drive. Namely a USB drive. Imagine if I had 50 folders in the root of it...
     
  6. paulderdash

    paulderdash Registered Member

    Joined:
    Dec 27, 2013
    Posts:
    4,639
    Location:
    Under a bushel ...
    Similarly, I need to lock my USB drive.
    Also the ability to set trusted applications ... this doesn't appear to have that feature.
    Secure Folders implementation of this needed improvement e.g. trusted application per folder, but alas that will never happen now.
     
  7. Djigi

    Djigi Registered Member

    Joined:
    Aug 13, 2012
    Posts:
    554
    Location:
    Croatia
  8. Overkill

    Overkill Registered Member

    Joined:
    Mar 16, 2012
    Posts:
    2,343
    Location:
    USA
    I just tested it and it seems to do what it says it does very well.
     
  9. Mr.X

    Mr.X Registered Member

    Joined:
    Aug 10, 2013
    Posts:
    4,796
    Location:
    .
  10. Djigi

    Djigi Registered Member

    Joined:
    Aug 13, 2012
    Posts:
    554
    Location:
    Croatia
    I analyzed that IP - CLICK
    It try to connect because cheeking Update.
     

    Attached Files:

  11. Mr.X

    Mr.X Registered Member

    Joined:
    Aug 10, 2013
    Posts:
    4,796
    Location:
    .
    Ah yes I do remember now. I unchecked that "Update" case and SF stopped calling to updates server.
     
  12. Djigi

    Djigi Registered Member

    Joined:
    Aug 13, 2012
    Posts:
    554
    Location:
    Croatia

    Attached Files:

    Last edited: Feb 27, 2016
  13. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    17,546
    Location:
    The Netherlands
    This sounds a bit weird, so basically you're saying that the ransomware could encrypt files except for the protected data? So you didn't get to see any alert about code injection into explorer.exe and svchost.exe? The weird part is that if explorer and svchost.exe were modified (process hollowing) then in theory SS should have failed to protect private data, because encrypton was done by a trusted process. If I don't trust explorer.exe then I can't even access protected data myself.
     
  14. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    17,546
    Location:
    The Netherlands
    Nice video, but what happens if you trust explorer.exe? A question to the people that use SF: Is it necessary to make explorer.exe a trusted process in order to get access to protected folders?

    Deepviz looks interesting. When I look at the behaviors that were monitored, I noticed that SF injects code. So does SF load a DLL file into running processes?
     
  15. hjlbx

    hjlbx Guest

    On 64 bit system SpS cannot alert to code injection: Action Types 29 & 36.

    In response to what you said here - I retested using different samples.

    It is weird result.

    It depends upon sample.

    The one sample there was no encryption.

    Other samples there is encryption - because of explorer.exe and svchost.exe (process hollowing) have SpSFW file modification allow rules.

    And I did verify that all samples were, indeed, ransomware; for whatever reason(s) that one sample doesn't encrypt protected folders.

    @Online_Sword had best suggestion when launching files ("from User Space") that are unknown - don't allow them to execute system files - like explorer.exe or svchost.exe.

    Against ransomware, I think that is best one can do with SpSFW.

    Anyhow, in its current version, SpSFW implementation of protected folders is problematic because of "trusted" processes with generic allow rules for file\folder access\modification.

    For protection against ransomware, Secure Folders is better solution - as long as you don't designate Trusted Application.
     
  16. Djigi

    Djigi Registered Member

    Joined:
    Aug 13, 2012
    Posts:
    554
    Location:
    Croatia
    I made a test with extension protection and Explorer added to Trust.
    I run Locky, it drop some files but nothing got encrypted.
     

    Attached Files:

  17. Mr.X

    Mr.X Registered Member

    Joined:
    Aug 10, 2013
    Posts:
    4,796
    Location:
    .
    Thanks a lot for these useful tests! :thumb:
     
  18. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    17,546
    Location:
    The Netherlands
    Are you serious about Action Types 29 & 36? So it can't protect against all types of code injection? And yes, I already expected that SS doesn't protect against process hollowing. This is something that the developers should fix, because it allow to bypass data protection. A dedicated anti-ransomware feature like in HMPA would also be nice.

    Very weird, I really wonder how SF manages to do this.
     
  19. hjlbx

    hjlbx Guest

    On 64 bit system, no detection by SpS of Action Types 29 & 36.

    @Online_Sword tested - and his tests appear to confirm.

    You can verify specific details regarding these Action Types with support.

    I have no further technical infos - and curious about all of this as well.
     
  20. Online_Sword

    Online_Sword Registered Member

    Joined:
    Aug 21, 2015
    Posts:
    146
    This statement is not precise enough.:D More precisely, what I found was that, on 64-bit systems, when a parent process takes Action 29 & 36 to its child process, then this operation would not be alerted.

    That is why I think we need to prevent unknown processes in user space from launching vulnerable system processes, such as svchost.exe and explorer.exe. In such case, we can prevent the system process from becoming the child process :)
     
  21. hjlbx

    hjlbx Guest

    Parent process A => executes => Child process B; no detection Action Types 29 & 36

    Process A => modifying process memory (29) or injecting dll (36) => Process B; detection Action Types 29 & 36 - correct @Online_Sword o_O
     
  22. EASTER

    EASTER Registered Member

    Joined:
    Jul 28, 2007
    Posts:
    11,126
    Location:
    U.S.A. (South)
    Good Stuff to know. Quite useful.

    Beautiful YT Vid too. Great overview in action!

    All this is encouraged another look for me even deeper into SF and not just reply for it On Demand as been the case.
     
  23. Djigi

    Djigi Registered Member

    Joined:
    Aug 13, 2012
    Posts:
    554
    Location:
    Croatia
    I'm not sure if you mean on .exe file or others?
    On Win 10_x64 I could run .exe if that folder is Read Only.
     

    Attached Files:

  24. soccerfan

    soccerfan Registered Member

    Joined:
    Oct 15, 2007
    Posts:
    560
  25. Peter2150

    Peter2150 Global Moderator

    Joined:
    Sep 20, 2003
    Posts:
    20,590
    Yep, I noticed that also.
     
  1. This site uses cookies to help personalise content, tailor your experience and to keep you logged in if you register.
    By continuing to use this site, you are consenting to our use of cookies.