So basically, if I understand correctly: SBGuard monitors and blocks the various entrances (attack vectors) taken by the terrorist (malware writer) to put the bomb (ransomware) in the building (OS), then the security guards (AVs) are supposed to find (quarantine) the bomb. But if the bomb is already in the building, SBG is useless.
Am I right?
Sounds like Counter Strike
SBGuard injects a whole load of registry entries into Windows and once SBGuard is closed, Windows does the rest.
These entries consist of execution restriction policies, process modifications and many other changes within the OS backend.
These injections will block Ransomware from delivering the payload.
Example:
Once you click on a malicious link, it will automatically drop a JavaScript (or exe or cmd or wsf or scr or bunch of other extensions) executable into your OS. Once dropped, it will attempt to auto-open itself. This is where SBGuard's rules come into play and block that execution. Once that happens it will create a log entry (ID 866). AVs should monitor this type of behaviour, and once a process attempting to run is blocked, AVs have enough time to detect and remove these attempts. If the AV doesn't do the job, the script will keep attempting to run, but will get blocked by these rules until someone notices it and deletes the file. We recommend looking at the logs or monitoring this ID 866 until we get the notification service operational to give these alerts.
We keep monitoring new variants and how they deploy. Once we have enough information we add more rules.
At the moment, this is how it works, however we are working on some advanced mechanisms that will have SBGuard running as a service.
We recommend using 1.4.0 beta (download from our website), which has some really useful features. For example, it lets you lock Downloads and Documents: if users download an attachment and try to open it, it will be blocked.
Also, disabling WHS (Windows Host Service) prevents malicious Java and VBS scripts from running anywhere in the system.
Macros need to be disabled. Users very often click Enable when asked to do so; this will not give them a choice, it will just disable them.
Another one: we prevent hidden file extensions. Very often "terrorists" hide malware in PDF or image files. Our rules will make the extension visible, so it will clearly show if the file is actually an executable.
There is a lot more in the background, we have over 6000 lines of code in this piece of software and growing.
Hope this was clear.
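As an added example (not SBGuard's own code), here is a small PowerShell check a defender can run on a workstation to pull the ID 866 block events the post says to watch and to verify two of the hardening points it mentions (Windows Script Host disabled, file extensions visible). It assumes the 866 events are written to the Application log under the provider name `Microsoft-Windows-SoftwareRestrictionPolicies` and uses the standard Windows registry locations for the two settings.

```powershell
# Added example, not SBGuard code. Assumes SRP block events (ID 866) are in the
# Application log under the provider named below; adjust if your rules log elsewhere.

function Get-SrpBlockEvents {
    param([int]$Hours = 24)
    $filter = @{
        LogName      = 'Application'
        ProviderName = 'Microsoft-Windows-SoftwareRestrictionPolicies'
        Id           = 866
        StartTime    = (Get-Date).AddHours(-$Hours)
    }
    Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue |
        ForEach-Object {
            [pscustomobject]@{
                Time    = $_.TimeCreated
                # The first line of the message names the blocked file path
                Message = ($_.Message -split "`n")[0]
            }
        }
}

function Test-ScriptHardening {
    # Windows Script Host: Enabled = 0 stops wscript/cscript from running .js/.vbs files
    $wsh = Get-ItemProperty -Path 'HKLM:\SOFTWARE\Microsoft\Windows Script Host\Settings' `
                            -Name Enabled -ErrorAction SilentlyContinue
    # Explorer: HideFileExt = 0 shows extensions, so "invoice.pdf.exe" is visible as an exe
    $ext = Get-ItemProperty -Path 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced' `
                            -Name HideFileExt -ErrorAction SilentlyContinue
    [pscustomobject]@{
        WshDisabled       = [bool]($wsh -and $wsh.Enabled -eq 0)
        ExtensionsVisible = [bool]($ext -and $ext.HideFileExt -eq 0)
    }
}

# Report the hardening state, then any executions blocked in the last 24 hours
Test-ScriptHardening
Get-SrpBlockEvents -Hours 24 | Format-Table -AutoSize
```

Repeated 866 entries for the same path are the "script keeps attempting to run" case the post describes, and are the ones worth investigating and cleaning up first.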