Secure Folders to protect folders (and use as anti-executable)

Discussion in 'other anti-malware software' started by Windows_Security, Oct 21, 2014.

  1. Buddel

    Buddel Registered Member

    Joined:
    Apr 28, 2015
    Posts:
    1,633
    +1:thumb:
     
  2. Djigi

    Djigi Registered Member

    Joined:
    Aug 13, 2012
    Posts:
    554
    Location:
    Croatia
    Any request what to test?
    I have so far tested only folders with "Read Only" setting and a little "No Execution"
     
  3. Mr.X

    Mr.X Registered Member

    Joined:
    Aug 10, 2013
    Posts:
    4,092
    Location:
    Mexico
    Nothing special. Just do what you think more threatening like Locky and similar cryptomalware.
     
  4. Djigi

    Djigi Registered Member

    Joined:
    Aug 13, 2012
    Posts:
    554
    Location:
    Croatia
    I just test another one and SF protect folder (Read Only settings).
     

    Attached Files:

    • sf.png
      sf.png
      File size:
      226.2 KB
      Views:
      57
  5. EASTER

    EASTER Registered Member

    Joined:
    Jul 28, 2007
    Posts:
    9,870
    Location:
    U.S.A. (South)
    Very Nice.

    And thanks. This app seems SOLID as a rock and it's so stupid easy to enter settings and let it protect.
     
  6. Djigi

    Djigi Registered Member

    Joined:
    Aug 13, 2012
    Posts:
    554
    Location:
    Croatia
    Just to mention this is Portable version.
    It also protects the entire partition (eg. D: :thumb: )
     
  7. Djigi

    Djigi Registered Member

    Joined:
    Aug 13, 2012
    Posts:
    554
    Location:
    Croatia
    When set folder to "Deny Execution" You can't run any executable in that folder but you can renamed or deleted with no problem.
     

    Attached Files:

  8. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    15,193
    Location:
    The Netherlands
    This is no surprise to me, because folder protection should be able to block access to private date. For example, SpyShelter also offers this. But it get's tricky when ransomware uses code injection to make trusted apps like explorer.exe perform the encryption. Does Locky use code injection?
     
  9. Djigi

    Djigi Registered Member

    Joined:
    Aug 13, 2012
    Posts:
    554
    Location:
    Croatia
    I didn't set any trusted apps in SF...
     

    Attached Files:

    • 1.png
      1.png
      File size:
      9.6 KB
      Views:
      28
  10. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    15,193
    Location:
    The Netherlands
    OK I see, perhaps you can perform the test with explorer.exe being trusted. I wouldn't be surprised if SF would fail then. And do you use HIPS? If so, you can check if Locky makes use of code injection.
     
  11. Djigi

    Djigi Registered Member

    Joined:
    Aug 13, 2012
    Posts:
    554
    Location:
    Croatia
    I have one picture from today when I run Locky and checking what is happening on C: drive with monitor directory program.
    Maybe it could help...
     

    Attached Files:

  12. hjlbx

    hjlbx Guest

    I suggest test against - if you can locate the sample types:
    • CTB Locker
    • TeslaCrypt
    • Ransom32 (javascript)
    • Locky
     
  13. hjlbx

    hjlbx Guest

    Which file system monitoring soft you use ?
     
  14. Djigi

    Djigi Registered Member

    Joined:
    Aug 13, 2012
    Posts:
    554
    Location:
    Croatia
    OK, tnx
    I did test all accept Ransom32.

    2. I use Directory Monitor2
     
  15. hjlbx

    hjlbx Guest

    #2 - from South Africa !

    Now that is really rare !

    $149 US for PRO lifetime license !

    Still, looks interesting...
     
  16. hjlbx

    hjlbx Guest

    I tested SpSFW against CTB Locker. CTB executes Windows Explorer and svchost.exe. Even if you allow CTB file to execute explorer.exe and svchost.exe, the worst that happens is that the ransom screen files are downloaded from the net - and that harmless rubbish is on your system in AppData along with the start-up registry entry to display the ransom message; file encryption of designated protected folders does not occur.

    Same with other ransomware mechanisms.
     
  17. EASTER

    EASTER Registered Member

    Joined:
    Jul 28, 2007
    Posts:
    9,870
    Location:
    U.S.A. (South)
    Not bad.

    I still use an old Windows 98 named FileChangeAlarm which basically does exactly the same thing (sound alerts on events, logging, extensions etc. with details instantly the moment they happen) and more absolutely FREE!

    It goes way back but it's been a critical vital files/folder monitoring tool for my malware testings and just general purpose tracking which works like a charm on ALL WINDOWS!

    This is a first introduction here on Wilders of it:
    https://www.wilderssecurity.com/threads/file-change-alarm-beta-6.760/
     
    Last edited: Feb 25, 2016
  18. Djigi

    Djigi Registered Member

    Joined:
    Aug 13, 2012
    Posts:
    554
    Location:
    Croatia
    ...I use free? version (portable)...:shifty:
     

    Attached Files:

  19. paulderdash

    paulderdash Registered Member

    Joined:
    Dec 27, 2013
    Posts:
    4,462
    Location:
    Under a bushel ...
    +1
     
  20. ichito

    ichito Registered Member

    Joined:
    Jan 14, 2011
    Posts:
    1,981
    Location:
    Poland - Cracow
    As I remember if you run app that is "new" for protected file/folders you received two alerts - first for explorer.exe and second for specific app...so you can block suspicious action.
     
  21. itman

    itman Registered Member

    Joined:
    Jun 22, 2010
    Posts:
    8,430
    Location:
    U.S.A.
    Free ver. won't log or identify the source process which is performing the modification: https://directorymonitor.com/compare.html . That's a "show stopper" for me. Also, the software is .Net based.
     
  22. Djigi

    Djigi Registered Member

    Joined:
    Aug 13, 2012
    Posts:
    554
    Location:
    Croatia
    I made a quick video about this program vs some Ransomware.
    Watch it here - CLICK
     
  23. Mr.X

    Mr.X Registered Member

    Joined:
    Aug 10, 2013
    Posts:
    4,092
    Location:
    Mexico
    Thank you, nice video. Btw where did you get those right click options?
    • Scan with VirusTotal
    • Check File Hash
     
  24. Djigi

    Djigi Registered Member

    Joined:
    Aug 13, 2012
    Posts:
    554
    Location:
    Croatia
  25. Mr.X

    Mr.X Registered Member

    Joined:
    Aug 10, 2013
    Posts:
    4,092
    Location:
    Mexico
    Done. It works great! Thank you.
     
  1. This site uses cookies to help personalise content, tailor your experience and to keep you logged in if you register.
    By continuing to use this site, you are consenting to our use of cookies.