Author Topic: weakness of the gpCode  (Read 77067 times)
harsha_mic
« Reply #75 on: April 27, 2011, 07:36:56 AM »

This is very sad to know. Now we have malware (Stuxnet, gpcode, I don't know how many others there are) that Comodo D+ (the strongest part of Comodo, which is not based on signatures) cannot contain.


W7 64 bit | Comodo Fw v5.8 | Eset NOD32 AV v5 | Hitman (ondemand)
Ronny
« Reply #76 on: April 27, 2011, 07:49:36 AM »

This has been discussed here also:
weakness of the gpCode

I have also proposed a few q&d fixes that advanced users can apply.
This issue should be fixed in a regular update of CIS, if you ask me.
harsha_mic
« Reply #77 on: April 27, 2011, 08:23:38 AM »

Thanks for the link. But what is new in this test is that it actually fails even when the Sandbox is set to Untrusted.

I am surprised that there is not a single peep from the dev team in that long, lengthy thread.
aigle
« Reply #78 on: April 27, 2011, 09:43:13 AM »

Honestly, I have made two threads on Wilders to give a stimulus to the Comodo developers.

The first is about Stuxnet, the second is about gpcode. My main purpose was to draw the attention of the Comodo guys, as I know that if something like this is posted on Wilders, it's shared here and vice versa.

There is still a third thread on the way very soon that will show another Comodo Defence Plus failure. Sadly, the developers are quiet and refuse to fix these, while the OA people did it so smartly and rapidly.

It reminds me of Conficker, which was fixed immediately by OA, but Comodo took many months before they could fix it (Comodo was intercepting it, but the pop-up alert was not as clear as OA's at that time), and that was even after so many forum posts and my PMs to the developers. It was finally OK in v5.

Let's hope for the best.
« Last Edit: April 27, 2011, 03:04:44 PM by aigle »

harsha_mic
« Reply #79 on: April 27, 2011, 10:03:08 AM »

First of all, a sincere thanks for trying to point out the D+ cons and for your effort in letting Comodo know about it.

Probably it's time to look towards OA again. I'm always confused about which product I should use when it comes to Comodo and OA. I really like both products. It was clearer when there was no x64 support from OA. But now... Competition is always good for us (the end consumers).
« Last Edit: April 27, 2011, 01:18:13 PM by harsha_mic »
aigle
« Reply #80 on: April 27, 2011, 03:01:53 PM »

I have made three threads on the Wilders forums showing how Comodo Defence Plus is bypassed by three different malware samples.

The last thread is about the blackday.exe trojan, which can bypass Defence Plus and can make a mess of the system.

Blackday trojan versus HIPS (at Wilders Security Forums)

I wonder when these issues will be fixed. BTW, OnlineArmor stops all of these malware samples dead.

The other two threads at Wilders are here.

Gpcode trojan versus HIPS

Stuxnet (.lnk exploit malware) versus HIPS

Other threads in the Comodo forums are here.

Would Comodo have stopped the Stuxnet worm?

weakness of the gpCode

CFW fails in GPCode ransom test


Edit by EricJH: I edited the bare URLs into URLs with the topic names in them, for clarification and a quick overview.
« Last Edit: April 27, 2011, 07:12:49 PM by EricJH »

morphiusz
« Reply #81 on: April 27, 2011, 03:23:03 PM »

It's so sad that CIS failed those tests so badly.
And the devs don't do anything...
Can we have a response here?

I will bump this topic from time to time.
aigle
« Reply #82 on: April 27, 2011, 05:34:24 PM »

Thanks.

Very nice signature.

BTW, is the Comodo forum dead? I don't see as many responses here as I used to in the past.

If Comodo fans don't get angry, I would like to ask whether CIS is still in active development or is soon going to be dead, just like so many other Comodo products in the past. It's just a sinister feeling that I am getting. Hope it's not the case. Comodo might be in trouble due to recent issues related to stolen certificates.
« Last Edit: April 27, 2011, 05:36:40 PM by aigle »

Peter5
« Reply #83 on: April 27, 2011, 06:27:09 PM »

Great work, aigle. We need more people doing this kind of test.

Can you test the Manual Sandbox (Virtualization) to see if it makes any difference?

Thanks
aigle
« Reply #84 on: April 27, 2011, 06:59:37 PM »

Will try later. I think it will pass.

Peter5
« Reply #85 on: April 27, 2011, 07:10:25 PM »

> Will try later. I think it will pass.

Thanks
HeffeD
« Reply #86 on: April 27, 2011, 07:18:30 PM »

> I will like to ask if CIS is still in active development or is soon going to be dead just like so many other comodo products in the past?

Well, since the mods have the version 5.4 pre-release, I'd say it's still in active development...

EricJH
« Reply #87 on: April 27, 2011, 07:33:27 PM »

> Thanks.
>
> Very nice signature.
>
> BTW, is the Comodo forum dead? I don't see as many responses here as I used to in the past.
>
> If Comodo fans don't get angry, I would like to ask whether CIS is still in active development or is soon going to be dead, just like so many other Comodo products in the past. It's just a sinister feeling that I am getting. Hope it's not the case. Comodo might be in trouble due to recent issues related to stolen certificates.

The mods are testing v5.4 (a bug fix release; nothing spectacular). Version 6 is in the making. Valkyrie has been given to the public for testing, the same for Site Inspector. Then there was Comodo Unite beta released, another update for Programs Manager.... then there is something cooking with Comodo Round the Clock... Melih is very enthusiastic about the possibilities of Valkyrie for the cloud file analysis....

CIS is Comodo's flagship. You seriously think that would become abandonware? I want what you were smoking..... can you hook me up with your man?

I think Comodo is pretty active.

wasgij6
« Reply #88 on: April 27, 2011, 09:29:10 PM »

Well, I really hope they do something about this.

Seeing this kind of quote kind of worries me:

> I was talking with egemen and he said that there is no need to improve D+ against Gpcode.
> So, there is officially malware which can bypass Comodo, and Comodo actually doesn't want to deal with this. Sad.
> What about Melih's statement that they would fix CIS when it had some vulnerabilities?

| Win 7 Ultimate (x32) SP1; Admin | UAC Disabled | CIS 6.1.276867.2813 | CD 26.2 | CID 20.0.1 | VMWare Workstation; XP (x32), 7 (x64) |
egemen
« Reply #89 on: April 27, 2011, 10:27:54 PM »

Hi Guys,

Let me comment on this one more time. First of all, if configured, CIS can very well protect against this and any other threat proactively.

First, let's see what this gpcode does: it gets onto the user's computer by drive-by download and searches for files on the user's hard disk. It then encrypts all picture and text files, i.e. it damages some non-OS-essential files.

Is this a threat to the user? YES!
Is this a real threat to be prevented? YES!
Does CIS prevent this now? YES!

Then how does COMODO protect against this BY DEFAULT? By default, antivirus detection is enough to detect gpcode and any of its variants. Let's not make false comments by saying CIS does not protect its users against gpcode. CIS DOES prevent the REAL threat with its antivirus right now.

Now let's talk about preventing this proactively.

Is there a way to configure CIS to prevent this proactively? YES.

Method 1: Add your sensitive files/folders to the CIS protected files list and you are done. For example, you can add the My Documents and My Pictures folders, or *.doc, *.txt, *.jpg etc., to your protected files list and they will be protected.

Method 2: Always run your WEB browsers in the COMODO Sandbox by adding them to the Sandbox permanently. While doing this, make sure file system and registry virtualization are both enabled. If you do this and accidentally get gpcode, or something like gpcode, or actually any virus from the WEB, it will be running in a virtual file system and hence cannot access your files or folders.

You can also directly run GPCODE from the right-click menu in the CIS sandbox and you will see it can't do anything.

Of course CIS is capable of preventing it proactively as of now. However, these settings are not configured by default.

So why is COMODO not making an immediate HACK to prevent this proactively? Some other products are preventing it already.

We do not need to make a HACK, but to offer you a proper solution which is proven to prevent this and any similar threat while not affecting your daily work with your computer.

The proper solution is active file system virtualization of *SOME* automatically sandboxed applications by default. Yes, we are right now working on this kind of ideal automatic sandbox, which is going to be in CIS 6 and will work similarly to method 2.

It is NOT a HACK but a properly engineered solution, so that the *average Joe* won't have problems when CIS is installed.

It takes 10 minutes to write a HACK which simply checks each application's right to enumerate files and folders, and that's it. You are there. And what would be the cost? Joe's photo editor will create a popup asking him if he wants some application to list files. Or for Mary, while her new MP3 player builds a playlist, it might conflict.

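Added illustration of the trade-off egemen describes, not Comodo's code and not a description of how D+ actually works: a naive check that fires on any folder enumeration flags Joe's photo editor alongside a gpcode-like sample, while a rule keyed on what a process does after enumerating (rewriting many user-data files) separates the two. The event list, process names, extension set and threshold are all constructed assumptions.

```python
# Toy comparison of an enumeration-only "hack" with a behavioural rule.
# Everything below is constructed for illustration; these are not real D+ logs.
from collections import defaultdict
import os

# File types gpcode is described as encrypting (pictures and text/office files).
PROTECTED_EXT = {".jpg", ".png", ".txt", ".doc"}

# Constructed file-activity events: (process, operation, path).
EVENTS = [
    # Joe's photo editor builds thumbnails: lists the folder, reads every
    # picture, and saves only the one he actually edited.
    ("photoed.exe", "ENUM",  r"C:\Users\joe\Pictures"),
    ("photoed.exe", "READ",  r"C:\Users\joe\Pictures\a.jpg"),
    ("photoed.exe", "READ",  r"C:\Users\joe\Pictures\b.jpg"),
    ("photoed.exe", "READ",  r"C:\Users\joe\Pictures\c.jpg"),
    ("photoed.exe", "WRITE", r"C:\Users\joe\Pictures\a.jpg"),
    # A gpcode-like sample: lists the folder, then overwrites and renames
    # every picture and document it finds.
    ("dropper.exe", "ENUM",   r"C:\Users\joe\Pictures"),
    ("dropper.exe", "WRITE",  r"C:\Users\joe\Pictures\a.jpg"),
    ("dropper.exe", "RENAME", r"C:\Users\joe\Pictures\a.jpg"),
    ("dropper.exe", "WRITE",  r"C:\Users\joe\Pictures\b.jpg"),
    ("dropper.exe", "RENAME", r"C:\Users\joe\Pictures\b.jpg"),
    ("dropper.exe", "ENUM",   r"C:\Users\joe\Documents"),
    ("dropper.exe", "WRITE",  r"C:\Users\joe\Documents\notes.txt"),
    ("dropper.exe", "RENAME", r"C:\Users\joe\Documents\notes.txt"),
]


def enumeration_check(events):
    """The '10 minute hack': alert on every process that lists a folder."""
    return {proc for proc, op, _ in events if op == "ENUM"}


def behavioural_check(events, threshold=3):
    """Alert only when a process that has enumerated a folder goes on to
    write or rename at least `threshold` distinct protected-type files."""
    enumerated = set()
    modified = defaultdict(set)
    for proc, op, path in events:
        if op == "ENUM":
            enumerated.add(proc)
        elif op in ("WRITE", "RENAME") and proc in enumerated:
            if os.path.splitext(path)[1].lower() in PROTECTED_EXT:
                modified[proc].add(path.lower())
    return {p for p, files in modified.items() if len(files) >= threshold}


if __name__ == "__main__":
    print("enumeration-only:", sorted(enumeration_check(EVENTS)))  # both
    print("behavioural:     ", sorted(behavioural_check(EVENTS)))  # dropper.exe
```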