SBGuard

Discussion in 'other anti-malware software' started by LM1, Aug 31, 2016.

  1. LM1

    LM1 Registered Member

    Joined:
    Nov 7, 2004
    Posts:
    34
  2. ichito

    ichito Registered Member

    Joined:
    Jan 14, 2011
    Posts:
    1,485
    Location:
    Poland - Cracow
  3. Overkill

    Overkill Registered Member

    Joined:
    Mar 16, 2012
    Posts:
    2,134
    Location:
    USA
    Read here... Cruelsister knows what she's talking about, she is very experienced in malware testing
     
  4. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    8,038
    Location:
    The Netherlands
    No surprise, I'm not feeling these types of policy-based tools. And don't forget that you might have to disable it to install legit apps, so there is no protection during the install.
     
  5. SBGuard

    SBGuard Registered Member

    Joined:
    Sep 4, 2016
    Posts:
    6
    Location:
    Sydney
    Version 1.4 beta available for download.
    If anyone is interested in having a look at and playing with version 1.4 beta, you can download it here:

    www.sydneybackups.com.au/downloads/sbguard-1-4-beta/SBGuardsetup1_4_beta.exe

    We have added a bunch of new restrictions and changes to existing ones. We have also added some requested features.

    Feedback and ideas are welcome, and contributors will be included in the contributors list.
    sbguard@sydneybackups.com.au

    Cheers
     
    Last edited by a moderator: Sep 4, 2016
  6. SBGuard

    SBGuard Registered Member

    Joined:
    Sep 4, 2016
    Posts:
    6
    Location:
    Sydney
    We would like to shed some light on how SBGuard Anti-Ransomware works. There may have been some misunderstanding about how it protects, hence Cruelsister's bad feedback.
    Ransomware has 2 stages before it infects and encrypts:
    1. Delivery - Ransomware uses social engineering and spear phishing to lure users into clicking on links, mostly through emails (links or attachments) and browsers. These 2 methods are confirmed to be the case 99% of the time.
    2. Payload - Once users click on the link, it executes some sort of script. It could be an exe or vbs or js or scr, etc. Once it executes (automatically in the background; you don't see this), it downloads the Ransomware and delivers the payload (infection).

    SBGuard protects that 1st stage. It will restrict hundreds of actions Ransomware performs to try and deliver the payload.
    For example, it will not allow certain file types to run from certain locations. It will prevent fake file types (for example pdf.exe). It will protect from running macros automatically within documents, etc.

    So, if you try and test it by running Ransomware from your desktop or USB, it will not protect it. In real life, if you get to the point that Ransomware files sit freely on your desktop, ready to be run, you have bigger problems. Remember, YOU NEED A REPUTABLE ANTIVIRUS RUNNING TOGETHER WITH SBGUARD.
    Once SBGuard blocks the delivery, that behaviour should be caught by your Antivirus and quarantined.

    How do we know Ransomware patterns? We have spent a lot of time on research, testing, reverse engineering, etc. We also regularly receive Ransomware technical deep dives from award-winning Security vendors.

    Example of the above explanation.
    User gets a phishing email. Clicks on the link, which takes them to a web page where javascript (for example) deploys an executable onto the user's computer.
    These executables can be various file types. For example exe, com, cmd, bat, js, jse, scr, etc. These files get deployed on the user's computer and, once automatically executed, they will deploy Ransomware.
    SBGuard injects rules into Windows that prevent the above and similar files from executing and delivering Ransomware. Now, you can't just disable those extensions; you need to target the locations from where these files can execute. For example, most of them like to do it from %TEMP% or %APPDATA%. These are just 2 examples; we have included around 700 possible location and file type combinations. Once the payload is blocked by SBGuard rules, the computer's antivirus should pick up this behavior and quarantine it.
    The above is protection against delivery; there are other rules included that block creation of certain files completely, disabling certain processes used by Ransomware, etc.
    Hope this makes more sense.

    Any questions, please let us know:
    sbguard@sydneybackups.com.au
     
  7. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    8,038
    Location:
    The Netherlands
    Thanks for clearing things up. It's not my cup of tea, but it does sound like a useful tool. But have you guys tested it against legit tools? Will it often block the installation? That's what I'm mostly worried about.
     
  8. SBGuard

    SBGuard Registered Member

    Joined:
    Sep 4, 2016
    Posts:
    6
    Location:
    Sydney
    We have been running SBGuard in production for some time now and so far, apart from Teamviewer (some say it works for them), Spotify and some Norton products, we haven't had any other issues. We are working on a whitelist feature though. Until that's completed, we recommend watching the event log if you believe something legit is blocked, then disabling protection, running it again and re-enabling protection. Unfortunately we have to compromise a bit to get the best out of it, but as I have said, we are working on a whitelisting feature. Cheers
     
  9. bjm_

    bjm_ Registered Member

    Joined:
    May 22, 2009
    Posts:
    2,283
    Which Norton products...and what issues with Norton...?
     
    Last edited: Sep 5, 2016
  10. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    8,038
    Location:
    The Netherlands
    But how will this look like? Will you make a whitelist of popular apps or something?
     
  11. SBGuard

    SBGuard Registered Member

    Joined:
    Sep 4, 2016
    Posts:
    6
    Location:
    Sydney
    We are still working out a good solution to implement whitelisting. The reason why we can't put in a default list of popular programs is that the bad guys can impersonate these to try to trick SBGuard and infect the system. We need a smarter solution than that.
    We are thinking of having popups upon detection, asking the user to block or allow, but then we may disadvantage non-computer-savvy, most vulnerable users by asking them to make an uneducated choice which, if mistaken, can ruin it all... Suggestions welcome.
     
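The "file type X may not run from location Y" rules the developer describes in post 6, together with the impersonation problem raised against a name-based whitelist in post 11, can be modelled in a few dozen lines. The following is an added Python example written for this page; it is not SBGuard's code and says nothing about how SBGuard actually stores or applies its rules. The rule table, the extension sets, the sample paths and the stand-in file bodies are all constructed for illustration, and the allow list keyed on a SHA-256 digest is one possible design, not the product's.

```python
"""Model of 'file type X may not run from location Y' execution rules plus a
hash-keyed allow list.  Added example, not SBGuard's code; every rule, path
and file body below is constructed for illustration."""
from __future__ import annotations

import hashlib
import re
from dataclasses import dataclass

# Script/executable types named in the thread as delivery vehicles (assumed set).
BLOCKED_EXTS = {".exe", ".com", ".cmd", ".bat", ".js", ".jse", ".scr", ".vbs", ".wsf", ".ps1"}

# Drop locations from which those types may not run.  '*' stands for exactly one
# path component (any user name).  Assumed list, ordered most-specific first so
# the reported reason names the narrowest rule; the post says the real product
# holds around 700 location/type combinations.
RESTRICTED_DIRS = [
    r"C:\Users\*\AppData\Local\Temp",
    r"C:\Users\*\AppData\Local",
    r"C:\Users\*\AppData\Roaming",
    r"C:\Users\*\Downloads",
    r"C:\Windows\Temp",
]

# Document/image types that a double extension such as invoice.pdf.exe imitates.
DOC_EXTS = {".pdf", ".doc", ".docx", ".xls", ".xlsx", ".txt", ".jpg", ".png"}


@dataclass(frozen=True)
class Verdict:
    allowed: bool
    reason: str


def _dir_regex(pattern: str) -> re.Pattern:
    # Escape every literal character; '*' becomes 'one component, no backslash'.
    body = "".join(r"[^\\]+" if ch == "*" else re.escape(ch) for ch in pattern.lower())
    return re.compile("^" + body + r"\\")  # trailing '\' so Temp2 does not match Temp


def split_exts(filename: str) -> list[str]:
    """'invoice.pdf.exe' -> ['.pdf', '.exe']; a name without a dot -> []."""
    parts = filename.lower().split(".")
    return ["." + p for p in parts[1:]]


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def evaluate(path: str, content: bytes | None = None,
             allowed_hashes: frozenset[str] = frozenset()) -> Verdict:
    """Decide whether the file at `path` (with body `content`) may execute."""
    norm = path.replace("/", "\\").lower()
    name = norm.rsplit("\\", 1)[-1]
    exts = split_exts(name)
    last = exts[-1] if exts else ""
    if last not in BLOCKED_EXTS:
        return Verdict(True, "not an executable or script type")
    # Allow list keyed on content hash, not file name: a payload renamed to
    # teamviewer.exe has a different digest and does not inherit the exemption.
    if content is not None and sha256_hex(content) in allowed_hashes:
        return Verdict(True, "sha256 on allow list")
    if len(exts) >= 2 and exts[-2] in DOC_EXTS:
        return Verdict(False, f"fake file type {exts[-2]}{last}")
    for pattern in RESTRICTED_DIRS:
        if _dir_regex(pattern).match(norm):
            return Verdict(False, f"{last} may not run from {pattern}")
    return Verdict(True, "no rule matched")


# Constructed stand-in for a legitimate tool that lives in a restricted folder.
SAMPLE_TOOL = b"MZ\x90\x00 constructed stand-in for a known-good binary"
ALLOWED = frozenset({sha256_hex(SAMPLE_TOOL)})


def demo() -> dict[str, Verdict]:
    cases = {
        # procexp.exe extracts its 64-bit image into %TEMP% and launches it from there
        r"C:\Users\alice\AppData\Local\Temp\procexp64.exe": None,
        r"C:\Users\alice\Downloads\invoice.pdf.exe": None,
        r"C:\Users\alice\AppData\Roaming\report.docx": None,
        r"C:\Users\alice\Desktop\ransom.exe": None,  # Desktop is not a restricted location
        r"C:\Users\alice\AppData\Local\Temp\tool.exe": SAMPLE_TOOL,
        r"C:\Users\bob\AppData\Local\Temp\tool.exe": b"same file name, different bytes",
    }
    return {p: evaluate(p, body, ALLOWED) for p, body in cases.items()}


if __name__ == "__main__":
    for path, v in demo().items():
        print(("ALLOW" if v.allowed else "BLOCK").ljust(6), path, "-", v.reason)
```

The cases in `demo()` reproduce the trade-off the thread circles around: a sample run straight from the Desktop passes, which is why the developer says a desktop test proves nothing, while Process Explorer extracting its 64-bit image into %TEMP% (the complaint raised later in the thread) is stopped by the same rule that stops a dropper. Keying the allow list on the digest rather than the file name is what lets a known-good binary run from a restricted folder without letting a renamed payload borrow its name.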
  12. SBGuard

    SBGuard Registered Member

    Joined:
    Sep 4, 2016
    Posts:
    6
    Location:
    Sydney
    Someone in some forum has mentioned a Norton Password Manager or something similar not working with SBGuard enabled.
    Except for Teamviewer, we haven't had any issues. But even with Teamviewer, we disabled protection, ran Teamviewer again and re-enabled it. Done.
     
  13. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    8,038
    Location:
    The Netherlands
    But if I'm correct, you said that normally speaking it won't interfere with app installs. So why is there then a need to implement a white-list? What exactly needs to be white-listed? I'm a bit confused, sorry about that.
     
  14. SBGuard

    SBGuard Registered Member

    Joined:
    Sep 4, 2016
    Posts:
    6
    Location:
    Sydney
    No need to be sorry, it's a valid question. Some people say it blocks certain applications, although we can't confirm that as we haven't had any issues.
    Before we make a whitelist feature we are trying to get feedback from people about the legit programs SBGuard blocks. So far, we haven't got any specific reports. If anyone has any feedback please send it to us. If you feel something legit is blocked, you can click on the Event Log button that will show you a log list of blocks.
     
  15. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    8,038
    Location:
    The Netherlands
    OK I see. I'm sorry I can't help you with this, because I'm not keen on testing new security tools on my main working machine. I've also chosen not to install a virtual machine, but perhaps I can still test it with Sandboxie, I will check it out.
     
  16. Night_Raven

    Night_Raven Registered Member

    Joined:
    Apr 2, 2006
    Posts:
    388
    It seems to apply some general block policy for executables in the Temporary folder, because Process Explorer refuses to run with an error:

    ---------------------------
    Process Explorer
    ---------------------------
    Unable to extract 64-bit image. Run Process Explorer from a writeable directory.
    ---------------------------
    OK
    ---------------------------

    ProcExp64.exe does get extracted but it doesn't get to run.

    Also, asking for a name and e-mail every time one wants to download is very annoying. I realize you want to have a database of users to send your newsletter to, or maybe even sell to spammers, but still...
     
  17. Djigi

    Djigi Registered Member

    Joined:
    Aug 13, 2012
    Posts:
    392
    Location:
    Croatia
    There is a solution for that.
    Disable SB, run Process Explorer, go to the temp folder and copy ProcExp64 to the Process Explorer folder.
    Enable SB ;).
     
  18. Night_Raven

    Night_Raven Registered Member

    Joined:
    Apr 2, 2006
    Posts:
    388
    I have been doing this long before SBGuard, simply because I prefer to launch the 64-bit process directly. However, I still consider this to be unnecessary hassle.
     
  19. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    8,038
    Location:
    The Netherlands
    I've tested SBGuard, and most apps will install correctly, but some won't. I couldn't install Privacy Eraser, Thunderbird or Opera 12.18. That's why I'm not into these types of tools.