SBGuard Anti-Ransomware hardens Windows

Status
Not open for further replies.

XhenEd

Level 28
Verified
Honorary Member
Top Poster
Content Creator
Well-known
Mar 1, 2014
1,708
If the test was performed by simply running a Ransomware executable from a USB drive or somewhere else on the computer, of course it will not block it. SBGuard does not work that way. It blocks the execution and payload delivery via internet or email. 99% of Ransomware is delivered this way and SBGuard will block any attempt to execute it.
Just making sure we are on the same page on the expectations.

Please let us know as we are very curious about this.

Thanks
This method reminds me of Avast's current Cybercapture. :)

If that is the case, then SBGuard only looks into browsers and email clients, and not as a system-wide watch. Am I correct?
 

SBGuard

From SBGuard
Verified
Aug 31, 2016
29
Sorry XhenEd, I may not have explained it right. Let's start from the beginning.
Example.
User gets a phishing email. Clicks on the link, which takes them to a web page where JavaScript (for example) deploys an executable onto the user's computer.
These executables can be various file types. For example exe, com, cmd, bat, js, jse, scr etc. These files get deployed on the user's computer and once automatically executed, they will deploy Ransomware.
SBGuard injects rules into Windows that prevent the above and similar files from executing and delivering Ransomware. Now, you can't just disable those extensions, you need to target the locations from where these files can execute. For example, most of them like to do it from %TEMP% or %APPDATA%. These are just 2 examples; we have included around 700 possible location and file type combinations. Once the payload is blocked by SBGuard rules, the computer's antivirus should pick up this behavior and quarantine it.
The above is protection against delivery; there are other rules included that block creation of certain files completely, disable certain processes used by Ransomware, etc.
Hope this makes more sense :)
 


SBGuard

From SBGuard
Verified
Aug 31, 2016
29
Another useful feature is that it won't allow fake extensions anywhere on the system.
If a user was to get a PDF file that is actually an executable, it won't open. File types like jpg.exe or doc.exe etc., which are very often used by Ransomware, are also blocked. There are thousands of lines of code that block every possible scenario.
 
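Added example (PowerShell), not SBGuard's own code or rule set. The two SBGuard posts above describe rules "injected into Windows" that stop exe/js/scr-type files from running out of %TEMP% and %APPDATA%, and that refuse "fake extension" names such as doc.exe. One registry-only mechanism in Windows that produces exactly that effect is Software Restriction Policy (SRP) path rules under HKLM\SOFTWARE\Policies\Microsoft\Windows\Safer; whether SBGuard uses SRP is not stated in the thread, so that is an assumption here, as are the (short, illustrative) location and extension lists and the `sbg-example:` tag used to find our own rules again. It also shows how to carve out an allow rule for a tool that legitimately runs from TEMP.

```powershell
#Requires -RunAsAdministrator
# Added example, not SBGuard's code. Reproduces the effect described in the thread
# (block executable file types where droppers put them, plus "fake extension" names)
# with registry keys only, through the SRP store Windows reads from
# HKLM\SOFTWARE\Policies\Microsoft\Windows\Safer. Lists below are illustrative,
# not SBGuard's ~700-entry rule set (assumption).

$Safer        = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers'
$Disallowed   = 0          # SRP security level "Disallowed"
$Unrestricted = 0x40000    # SRP security level "Unrestricted" (262144)
$Tag          = 'sbg-example:'   # Description prefix so our rules can be removed again

# Drop locations named in the thread. SRP expands %VAR% per user when it evaluates a
# rule; the "\*" variants cover one level of sub-folders (archive tools extract there).
$Locations  = '%TEMP%', '%TEMP%\*', '%APPDATA%', '%APPDATA%\*', '%LOCALAPPDATA%', '%LOCALAPPDATA%\*'
$Extensions = 'exe','com','cmd','bat','js','jse','scr','pif','vbs','vbe','wsf','hta'

# "Fake extension" names (document/image name carrying an executable type), anywhere.
$DoubleExt  = 'pdf','doc','docx','xls','xlsx','jpg','png','txt' | ForEach-Object { "*.$_.exe" }

# SRP applies path rules only to types listed in ExecutableTypes, so script types must
# be added or *.js etc. never match. First list = the default set Windows uses.
$DefaultExecutableTypes = 'ADE','ADP','BAS','BAT','CHM','CMD','COM','CPL','CRT','EXE','HLP','HTA',
    'INF','INS','ISP','LNK','MDB','MDE','MSC','MSI','MSP','MST','OCX','PCD','PIF','REG','SCR','SHS',
    'URL','VB','WSC'
$ExtraExecutableTypes = 'JS','JSE','VBS','VBE','WSF','WSH','PS1'

function New-SaferPathRule {
    param([Parameter(Mandatory)][string]$Path, [int]$Level, [string]$Description)
    # Each rule is a GUID-named subkey under <level>\Paths; ItemData holds the pattern.
    $key = Join-Path $Safer "$Level\Paths\{$([guid]::NewGuid())}"
    New-Item -Path $key -Force | Out-Null
    New-ItemProperty -Path $key -Name ItemData     -PropertyType ExpandString -Value $Path        | Out-Null
    New-ItemProperty -Path $key -Name SaferFlags   -PropertyType DWord        -Value 0            | Out-Null
    New-ItemProperty -Path $key -Name Description  -PropertyType String       -Value $Description | Out-Null
    New-ItemProperty -Path $key -Name LastModified -PropertyType QWord -Value ([DateTime]::UtcNow.ToFileTimeUtc()) | Out-Null
    $key
}

function Install-DropperBlockRules {
    # $AllowPaths: exact paths allowed to run from an otherwise blocked location (the
    # "my tool runs from TEMP" case). SRP honours the most specific matching rule, so an
    # Unrestricted rule for '%TEMP%\MyTool\update.exe' wins over '%TEMP%\*\*.exe'.
    param([string[]]$AllowPaths = @())
    if (-not (Test-Path $Safer)) { New-Item -Path $Safer -Force | Out-Null }
    Set-ItemProperty -Path $Safer -Name DefaultLevel       -Type DWord -Value $Unrestricted  # deny only what rules name
    Set-ItemProperty -Path $Safer -Name TransparentEnabled -Type DWord -Value 1              # 1 = enforce, DLLs excluded
    Set-ItemProperty -Path $Safer -Name PolicyScope        -Type DWord -Value 0              # 0 = administrators too
    $current = (Get-ItemProperty -Path $Safer -Name ExecutableTypes -ErrorAction SilentlyContinue).ExecutableTypes
    if (-not $current) { $current = $DefaultExecutableTypes }
    $merged  = @($current + $ExtraExecutableTypes | ForEach-Object { $_.ToUpperInvariant() } | Sort-Object -Unique)
    Set-ItemProperty -Path $Safer -Name ExecutableTypes -Type MultiString -Value $merged

    $deny = @(foreach ($loc in $Locations) { foreach ($ext in $Extensions) { "$loc\*.$ext" } }) + $DoubleExt
    foreach ($p in $deny)       { New-SaferPathRule -Path $p -Level $Disallowed   -Description "$Tag deny $p"  | Out-Null }
    foreach ($p in $AllowPaths) { New-SaferPathRule -Path $p -Level $Unrestricted -Description "$Tag allow $p" | Out-Null }
    "Installed $($deny.Count) deny and $($AllowPaths.Count) allow rules; log off and on before testing."
}

function Remove-DropperBlockRules {
    # Deletes only the GUID keys carrying our Description tag; any other SRP rules stay.
    foreach ($level in $Disallowed, $Unrestricted) {
        $paths = Join-Path $Safer "$level\Paths"
        if (-not (Test-Path $paths)) { continue }
        Get-ChildItem -Path $paths | Where-Object {
            (Get-ItemProperty -Path $_.PSPath -Name Description -ErrorAction SilentlyContinue).Description -like "$Tag*"
        } | Remove-Item -Recurse -Force
    }
}

# Usage:
#   Install-DropperBlockRules -AllowPaths '%TEMP%\MyTool\update.exe'
#   Copy-Item C:\Windows\System32\notepad.exe $env:TEMP\t.exe; & $env:TEMP\t.exe   # expect the SRP block
#   Remove-DropperBlockRules
```

Two checks a practitioner will want. First, the positive test: after logging off and on, copying a benign EXE such as notepad.exe into %TEMP% and launching it should fail with "This program is blocked by group policy", and a .js dropped there should be refused by wscript the same way; if the EXE still runs, ExecutableTypes or TransparentEnabled is wrong. Second, the limits: SRP path rules are checked by the process creator in user mode (CreateProcess, ShellExecute, Windows Script Host), not by a kernel boundary, so they do nothing for a payload that is already running, for DLLs while TransparentEnabled is 1, or for anything started from a location no rule covers, which is why the USB-stick test mentioned earlier in the thread is expected to pass straight through.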

SBGuard

From SBGuard
Verified
Aug 31, 2016
29
We don't deny that Ransomware will change, but for as long as the delivery is done the same way, SBGuard will block it. And at the moment, Ransomware's power lies in its sophisticated delivery. We were a part of CLOUDSEC 2016 yesterday, which confirms everything we have said here. 99% of Ransomware delivery is via email. There is nothing new about it.

I'll stop spamming now :) any questions please let us know.
 

shmu26

Level 85
Verified
Honorary Member
Top Poster
Content Creator
Well-known
Jul 3, 2015
8,153
I really like the sound of it.
I am looking forward to a version that allows you to monitor and unblock unwanted actions, because I have certain software that likes to execute from TEMP, and this looks mighty suspicious to many security solutions.
 

Av Gurus

Level 29
Thread author
Verified
Honorary Member
Top Poster
Malware Hunter
Well-known
Sep 22, 2014
1,767
Here are just some pictures of a couple of reg changes (not all):

(12 screenshots attached: Clipboard01.jpg to Clipboard12.jpg)
 

SBGuard

From SBGuard
Verified
Aug 31, 2016
29
Zepto likes to use WSF extensions for example, which we have included as well. There are a lot more reg addons in different locations that do different things with system processes.
 

SBGuard

From SBGuard
Verified
Aug 31, 2016
29
Version 1.4 beta available for download.
If anyone is interested to have a look at and play with version 1.4 beta you can download it here:
www.sydneybackups.com.au/downloads/sbguard-1-4-beta/SBGuardsetup1_4_beta.exe

We have added a bunch of new restrictions and changes to existing ones. Also added some requested features.
The application is still not operating as a service; that is coming in the next version, 1.5

(screenshot: sbguard_1_4_beta.jpg)


Feedback and ideas are welcome, for which you will be included in the contributors list.
sbguard@sydneybackups.com.au

Cheers
 

Av Gurus

Level 29
Thread author
Verified
Honorary Member
Top Poster
Malware Hunter
Well-known
Sep 22, 2014
1,767
Good news.
Why do you want to have services?
Isn't this only Reg tweak?
I like it without any new services in the background.
 

SBGuard

From SBGuard
Verified
Aug 31, 2016
29
At the moment it is only based on reg tweaks, however we are working on some new techniques that will require a service.
It will be optional though, nothing will install automatically.
One of the features we are working on is to create a layer between Windows and potential Ransomware behaviour, to trick it into thinking the computer location and language are Russian. A large number of Ransomware families leave the computer alone if they detect Russian language, pretty funny but true. For this type of algorithm and behaviour detection we need to run as a service.
Another feature coming is Panic mode. It's a watchdog type feature that monitors for large quantities of file type changes (encryption) and once it detects them, it will isolate the computer from the network. It needs a service for that too.
There are other features we are working on, but will reveal some when ready.

Anyhow, it will all be optional.
We are also thinking of making this a community project, to heavily involve people to do research, testing, coding etc., and we would make a contributors list in the application.

:)
 
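Added example (PowerShell), not SBGuard's Panic mode, which the post above describes as a planned feature. It shows the watchdog idea in the simplest form that can be run and tested: poll the watched folders, score each sweep for the encrypt-and-rename pattern (originals vanish while new files with never-seen extensions appear), and cut the network when a sweep crosses a threshold. The folder list, interval, threshold and the `-Isolate` switch are this example's own assumptions; `Disable-NetAdapter` is the stock cmdlet on Windows 8 / Server 2012 and later and needs an elevated session.

```powershell
# Added example, not SBGuard's Panic mode. Polling watchdog for the
# encrypt-and-rename pattern; isolates the host when one sweep scores above the
# threshold. Folder list, interval and threshold are illustrative (assumption).

function Get-FileTypeSnapshot {
    param([string[]]$Paths)
    # Map full path -> lower-case extension for every file under the watched roots.
    $map = @{}
    Get-ChildItem -Path $Paths -Recurse -File -ErrorAction SilentlyContinue |
        ForEach-Object { $map[$_.FullName] = $_.Extension.ToLowerInvariant() }
    $map
}

function Measure-TypeChange {
    param([hashtable]$Before, [hashtable]$After)
    # Extensions seen in the previous sweep are "known". Score = min(removed originals,
    # new files of unknown type): saving new .docx files raises neither, a cleanup
    # raises only Removed, mass rename-and-encrypt raises both at once.
    $known      = [System.Collections.Generic.HashSet[string]]::new([string[]]@($Before.Values))
    $removed    = @($Before.Keys | Where-Object { -not $After.ContainsKey($_) }).Count
    $newUnknown = @($After.Keys  | Where-Object { -not $Before.ContainsKey($_) -and -not $known.Contains($After[$_]) }).Count
    [pscustomobject]@{ Removed = $removed; NewUnknownType = $newUnknown; Score = [Math]::Min($removed, $newUnknown) }
}

function Invoke-NetworkIsolation {
    param([switch]$Really)
    if ($Really) {
        Get-NetAdapter | Where-Object Status -eq 'Up' | Disable-NetAdapter -Confirm:$false
        Write-Warning "PANIC: network adapters disabled at $(Get-Date -Format o)"
    } else {
        Write-Warning "PANIC: would disable network adapters (run with -Isolate to do it)"
    }
}

function Start-PanicWatch {
    param(
        [string[]]$Paths = @("$env:USERPROFILE\Documents", "$env:USERPROFILE\Desktop"),
        [int]$IntervalSeconds = 5,
        [int]$Threshold = 25,      # renamed files per sweep that count as mass encryption
        [switch]$Isolate
    )
    $before = Get-FileTypeSnapshot -Paths $Paths
    while ($true) {
        Start-Sleep -Seconds $IntervalSeconds
        $after = Get-FileTypeSnapshot -Paths $Paths
        $m = Measure-TypeChange -Before $before -After $after
        if ($m.Score -ge $Threshold) {
            Write-Warning "Sweep: $($m.Removed) originals gone, $($m.NewUnknownType) new files of unknown type"
            Invoke-NetworkIsolation -Really:$Isolate
            return $m
        }
        $before = $after
    }
}

# Dry run against a scratch folder (constructed test data, not real documents):
#   $t = "$env:TEMP\panictest"; New-Item -ItemType Directory $t -Force | Out-Null
#   1..30 | ForEach-Object { Set-Content "$t\doc$_.docx" 'x' }
#   Start-Job { param($p) Start-Sleep 7; Get-ChildItem $p | Rename-Item -NewName { $_.Name + '.zepto' } } -ArgumentList $t | Out-Null
#   Start-PanicWatch -Paths $t -IntervalSeconds 5 -Threshold 25    # prints the PANIC warning, no adapters touched
```

The dry run renames 30 files seven seconds in, so the second sweep sees 30 removed and 30 new `.zepto` files and trips the threshold without `-Isolate` doing anything destructive. The design limits are the ones the post hints at by wanting a service: a five-second poll lets a fast encryptor get through a lot of files before the first scoring sweep, the script dies with the interactive session, and families that encrypt in place without changing the file name produce no extension change at all and need an entropy or canary-file check instead.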

jamescv7

Level 85
Verified
Honorary Member
Mar 15, 2011
13,070
Well, programs like these may hold up pretty well against the tricky behavior of ransomware, but one should not put all the blame on developers.

Ransomware has by now changed a lot of its behavior, and it can use tricks to bypass security programs by imitating a legitimate process.

So it is no surprise if SBGuard may be able to detect some ransomware threats but not the majority, since the techniques are difficult to obtain.
 

_CyberGhosT_

Level 53
Verified
Honorary Member
Top Poster
Content Creator
Well-known
Aug 2, 2015
4,286
@SBGuard
Please keep the update notices coming to this thread whether they are Beta or not, as I
like to keep mine updated as soon as humanly possible.
I have cloned HDs so running betas is not a risk that worries me. Thanks SBGuard.
Nice changes in 1.4.0, very nice.
PS: yep that's your logo in my Sig :p
(SBG Sig Bar courtesy of Huracan)
 

SBGuard

From SBGuard
Verified
Aug 31, 2016
29
No worries, will keep you guys updated here, but it would be good to subscribe on our website as we will be sending official changelogs, update info, works in progress etc. (no spam though, we hate spam).
Sorry mate, I can't see your Sig anywhere? Where do I click? Cheers
 