Discussion in 'other anti-malware software' started by Windows_Security, Apr 5, 2015.
Go to www.securefoldersfree.com. Some URL filters warn, but VT upload says it is clean.
Secure Folders allows you to protect folders. When you set a folder as read only, ransomware can't encrypt the files.
Idea is to trust a few programs which write to your data partition. Separating your documents from system folders by creating an extra data partition is good practice. When you don't know how to create a data partition, then this program is no good for you, because the configuration only works correctly when you have separate partitions.
See picture on how to add trusted programs. I don't have my Mediaplayer and PDF reader added to these programs, because these programs only read the files, so they don't need to have write/delete access. Besides my office programs, I have allowed Windows Explorer (is my file manager) and syncback free (is my backup program).
Next protect your data partitions. I have set a read only to my D and M partition (D=documents, M=media files). Now ransomware can't encrypt these data partitions anymore. As an extra I have also set a deny execution to the Users folders (no-execution, see first line in picture).
By allowing write access to Appdata (located in C:\Users), you only have to allow a few programs write access to your data partitions. By setting a deny execute on (all) User folders, all places normally accessible by internet facing programs are protected by a deny execute, so they don't need to be in the trusted list.
Mail programs write their content to a directory somewhere in your C:\Users\[your name]\Appdata. Browsers do the same and they drop stuff in your downloads folder, normally located in C:\Users\[your name]\Downloads.
This is a nice catch 20-20 situation, internet facing programs can't do any harm:
a) They can't execute in C:\users (user folders) (anti-drive by execution)
b) They can't write to your data partitions (anti-drive by and anti-ransomware)
Wait Kees, you have created a hole in your no-execution defense, Windows Explorer is able to start programs. Correct, see picture, I have moved Wordpad to temp folder and it is allowed to start by a trusted program as Windows Explorer.
But here is the trick, I assume Secure Folders sets ACLs; these are set on user. In the advanced settings there is an option to enable Secure Folders in safe mode (NEVER DO THIS). So I wondered whether an elevated user was also allowed to execute, so I tried RUN AS ADMIN and setting a RUN AS ADMIN in the compatibility options (see picture 1 and 2).
And voila, Secure Folders did not allow it to run. This implies that the trusted programs are only able to run as medium level programs. UAC protects Windows folder and Program Files folder. So again a catch 20-20. Secure Folders does not allow a program to run elevated and UAC does not allow an unelevated program to touch Windows and Program Files.
Right click run as admin
Compatibility mode run as admin
Next password protect Secure Folders.
PLEASE: DON'T FORGET TO DISABLE PROTECTION BEFORE UPDATING WINDOWS/PROGRAMS
Now we want to harden the trusted programs, so first step is to add anti-exploit protection. Anti-exploit protection (by blocking loading of scripting DLLs) hardens trusted programs.
Download EMET 5.2, disable Certificate trust pinning and remove your browsers from the Apps list (use MBAE free for that). Next use the ASR option of EMET to block loading scripting DLLs.
Anti-exploit protection step 2: move problematic scripting DLLs from ASR to EAF+ in EMET to harden the trusted programs.
Some programs will give you trouble, because they need that DLL, solution remove the DLL displayed in EMET pop-up (including wildcard *) and ADD these DLLs to EAF+ protection: typical candidates are Media-Players and Mail-Readers. See picture where I have removed MSHTML.DLL and JSCRIPT*.DLL at ASR and added it at EAF+.
Complete anti-exploit protection (step 3): Download MBAE free and disable command: see http://www.sevenforums.com/tutorials/87750-run-command-enable-disable.html
Because MBAE free protects your browsers in an intelligent way, you have the benefits of the smart protection in your browsers with full functionality, while using EMET's ASR (attack surface reduction) for dumb blocking of scripting DLLs in your trusted programs. Downside is that you can't run scripts in office documents, but that is the price you pay for free (buy MBAE Premium when you need scripts to run).
Use a browser with a (free built-in) sandbox, like Chrome and you are good to go.
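As an added example (not from the post, and not Secure Folders' own mechanism, which the post only assumes is ACL-based): the deny-execute half of this setup expressed with plain NTFS ACLs via icacls, followed by the same kind of "can it start a program from Downloads?" check reported later in the thread. The per-program trusted list has no ACL equivalent, since NTFS ACEs bind to principals, not processes; the folder path is a placeholder default.

```powershell
# Added example: deny execution of files under a user folder with an NTFS deny ACE.
# Assumption: run as the user who owns the folder; $Folder is a placeholder default.
param(
    [string]$Folder = (Join-Path $env:USERPROFILE 'Downloads')
)

# Built-in Users group (well-known SID S-1-5-32-545). The deny ACE binds to the
# principal, so it also applies to an elevated token, which still contains this group.
$Users = '*S-1-5-32-545'

# (OI)(IO) = inherit to files only, not the folder itself, so directory traversal is
# unaffected; (X) = execute/traverse right. Deny ACEs are evaluated before allow ACEs.
icacls $Folder /deny "${Users}:(OI)(IO)(X)" | Out-Null

# Show the resulting ACL so the new deny entry can be reviewed.
icacls $Folder

# Verify: copy a harmless built-in binary into the folder and try to start it.
# Writing the file still works (write is not denied); only starting it should fail.
$probe = Join-Path $Folder 'probe-whoami.exe'
Copy-Item "$env:SystemRoot\System32\whoami.exe" $probe -Force
try {
    Start-Process -FilePath $probe -Wait -NoNewWindow
    Write-Output 'Execution allowed: deny ACE not effective'
} catch {
    # Expected: "Access is denied" (Explorer reports "Windows cannot access the specified device...")
    Write-Output "Execution blocked: $($_.Exception.Message)"
}
Remove-Item $probe -Force

# Undo before updating software, as the post advises for Secure Folders:
# icacls $Folder /remove:d $Users
```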
Nice tutorial, Kees. Thnx
Good clear step by step info.
I wonder has there been any testing of this set-up, not that it needs it, more just to see in action ?
Testing such a scenario would require quite some 'custom' code and time. And I don't think that any researcher would spend time testing a set-up which does not yield a profit in any way.
Bingo, you nailed it.
That is part of the beauty, use OS-mechanisms to add extra protection without adding much code, this reduces the chance that an intrusion is successful, simply because the effort to evade this non-standard setup does not yield a profit (target group too small with too much hassle).
So an attacker would have to pass targeted application, like Chrome or Winword (1) & MBAE or EMET (2) & SecureFolders using ACL (3):
a) drive/by & social engineering = download + obfuscated user triggered execution of malware (MBAE + no execution)
b) ransomware = obfuscated user triggered execution of malware (no execution) and encryption of user folders (read only)
c) exploits = execute script (EMET-ASR) + exploit bug (MBAE/EMET) + access to shell (7 forum regtweak) + drop payload (MBAE+read only) + execute payload (MBAE + no-execute)
Maybe someone with win 8.1 could test
- set smartscreen to admin approval
- check whether securefolders would block UAC prompt of smart screen when running a program downloaded from the internet
(this would turn it into an even more secure default deny on Win 8/8.1)
I've tested it on Windows 8.1 in VM. If I set my download folder to no-execute, execution is blocked before I get any message from UAC.
Thanks for testing, so on Win 8/8.1 this setup is even stronger than on Win7, great, so
On win7 = anti-exploit, anti-ransomware and anti-elevate (user space)
On win8 = anti-exploit, anti-ransomware and anti-execute (internet zone)
I tested the same configuration on Windows 7 and got same results as on Windows 8.1: "Windows cannot access the specified device..."
Maybe I didn't understand what you wanted us to test?
Did you add windows explorer as trusted?
I'm a bit skeptical about using "file and folder" protection tools as anti-ransomware tools. If malware injects code into trusted processes it's game over.
No, that was a problem. After adding Explorer.exe to list of trusted Apps I get UAC request on both systems. After elevating, Secure Folders blocks execution on both systems also.
AFAIK at the moment most ransomware launches its own processes and doesn't try to inject its code into other processes. Some new variants do use file infection technique to spread themselves but that's the most I have read about it.
That's a very good point. I like your explanation on the difference. I have always disabled UAC in the past because I used Online Armor, and it protects the system space, and program files folders. Now that i'm no longer using Online Armor anymore I think I should enable UAC again.
No doubt it works, but it's the easy part I wonder about. Using Appguard's privacy protection does this and seems to be much easier to me. Thoughts?
Well easy in terms that in six steps, you get exploit/ransomware/execution protection for free, so when you have AppGuard + HMPA providing similar protection (I do believe you have SBIE as well), then this freebie setup is completely redundant for you.
@Rasheed187 is right, CTB-Locker and CryptoWall 3 are by far the most prevalent crypto-ransomware threats at the moment, and they both inject themselves into legitimate processes - meaning the encryption is actually performed by trusted processes. A limited overview:
CTB-Locker performs encryption from C:\Windows\Explorer.exe
CryptoWall 3 performs encryption from C:\Windows\System32\svchost.exe
VaultCrypt performs encryption from C:\Windows\System32\cmd.exe
TeslaCrypt performs encryption from its own process
CryptoFortress performs encryption from its own process