weakness of the gpCode

[Guest]

[Melih]

This is an attack on data, rather than the system.

of course its still not desirable.

I will discuss it with the guys to see what their plan is

Melih

[wasgij6]

Hi Guys,

Let me comment on this one more time. First of all, if configured, CIS can very well protect against this and any other threats proactively.

First lets see what this gpcode does: It gets to the users computer drive by download and searches for the files in users harddisk. It then encrypts all picture and text files i.e. damages some non-OS-essential files.

Is this a threat to the user ? YES!
Is this a real threat to be prevented ? YES!
Does CIS prevent against this now? YES!

Then how does COMODO protect against this BY DEFAULT. By default, antivirus detection is enough to detect gpcode and any of its variants.  Lets not make false comments by saying CIS does not protect its users against gpcode. CIS DOES prevent against the REAL threat wih its antivirus right now.

Now lets talk about preventing this proactively.

Is there a way to configure CIS to prevent this proactively? YES.

Method 1: Add you sensitive files/folders to CIS protected files list and you are done. For example, you can add My Documents, My Pictures folders or *.doc, *.txt, *.jpg etc. to your protected files list and it can be protected.

Method 2: Always run your WEB browsers in COMODO Sandbox by adding them to Sandbox pemanently. And while doing this, make sure File system and registry virtualization are both enabled. If you do this and accidently get gpcode or something like gpcode or actually any virus from WEB, they will be running in a virtual file system and hence they can not acess your files or folders.

You can also directly run GPCODE with right-click menu in CIS sandbpx and you will see it cant do anything.

Ofcourse CIS is capable of preventing it proactively as of now. However, these settings are not configured by default.

So why is COMODO not making an immediate HACK to prevent this proactively. Some other products are preventing it already.

We do not need to make a HACK but offer you a proper solution which is proven to prevent this and any similar threat while not affecting your daily work with your computer.

The proper solution is the active file system virtualization of *SOME* automatically sandboxed applications by default. Yes, we are right now working on this kind of a ideal automatic sandbox which is going to be in CIS 6 and will work similar to method 2.

It is NOT a HACK but a properly engineered solution that *avreage joe* wont have problems when CIS is installed.

It takes 10 minutes to write a HACK which simply checks each applications right to enumerate files and folders and thats it. You are there. And what would be the cost? Joe's photo editor will create a popup asking him if he wants some application to list files. Or Marry, while his new MP3 player builds a playlist, it might conflict.

well this is good to hear that the autosandbox is going to be virtualized eventually. its just a threat now becuz most people are running in default settings and if there happens to be a new variant that cis doesnt detect then the user is going to get infected.

[harsha_mic]

thanks for your reply and suggestions egemen. very much appreciated for prompt response.
sadly, i'm using OA premium now. but, hope to come back to Comodo Firewall soon.

[harsha_mic]

i have a question reg method 2 approach with browsers -

suppose, a malware bypasses AV detection and is executed to creates the files on virtual file system (as the browser is run in the manual sandbox). Would the files created by the malware be removed after system restart automatically?

[egemen]

i have a question reg method 2 approach with browsers -

suppose, a malware bypasses AV detection and is executed to creates the files on virtual file system (as the browser is run in the manual sandbox). Would the files created by the malware be removed after system restart automatically?

The files it creates will be in your virtual folder. they wont be cleaned automatically but they are inactive so you can delete them manually. Consider them as some TEMPORARY files.

[wasgij6]

what happened to the other 2 topics you moved here?

[harsha_mic]

The files it creates will be in your virtual folder. they wont be cleaned automatically but they are inactive so you can delete them manually. Consider them as some TEMPORARY files.

Thanks egemen

[morphiusz]

It is NOT a HACK but a properly engineered solution that *avreage joe* wont have problems when CIS is installed.

It takes 10 minutes to write a HACK which simply checks each applications right to enumerate files and folders and thats it. You are there. And what would be the cost? Joe's photo editor will create a popup asking him if he wants some application to list files. Or Marry, while his new MP3 player builds a playlist, it might conflict.

Egemen,
i don't see ANY single problem there.
When application is whitelisted user don't get any popups.
Prompts abour direct disk acces, hook setting also can be very problematic for avreage joe but they are exist. Other firewalls (like OA) have it, and i don;t see anyone who complain about this alert...
The same will be with getting the list of the files. Another method to protect the user's files - TO PROTECT the user finally.

You mentioned about AV, as we  (you especially) know AV is very unreliable .
Some day it may not detect new variant of Gpcode etc. (this is why you create a deafult deny system - Melih was talking about this in his video).

So, i don't see any reason to not to do this D+'s funcionality. It will be a prompt as any other (will not be appear with whitelisted apps, etc. - just like others prompts now!).
Here are the good sites:

-it'll prevent the GpCode (user won't lose all his/her pics, docs, movies),
-it'll prevent blackday virus (vulnerabilites mentoined by aigle in this topic)
-and any other unknown Threats...which want to do bad thing with you files

bad sites?
-alert as any other... (actually bad site? good site!)


none which i can see.


Thanks!


mod edit: 15pt changed to 12pt for readability. kail

[kail]

what happened to the other 2 topics you moved here?

They are all here, please check the Subject of the posts. See this topic for more details.

[mkowalski8]

I don't understand one thing. Comodo owns a cloud, so when someone is attacked by new malware/virus/etc the unknown file should be sent to Comodo servers and analyzed by experts. After that, it is marked as dangerous and every user, who uses cloud is protected. Does it really work, because I see that there are trouble with new malware, but it should be blocked by cloud even if automated software doesn't recognize it (I think, that there are people at Comodo, not only computers).

[kail]

Hi mkowalski8

You are correct. However, I believe the guys above are specifically talking about Defense+ only (ie. CIS without the AV component).

[aigle]

Hi Guys,

Let me comment on this one more time. First of all, if configured, CIS can very well protect against this and any other threats proactively.

First lets see what this gpcode does: It gets to the users computer drive by download and searches for the files in users harddisk. It then encrypts all picture and text files i.e. damages some non-OS-essential files.

Is this a threat to the user ? YES!
Is this a real threat to be prevented ? YES!
Does CIS prevent against this now? YES!

Then how does COMODO protect against this BY DEFAULT. By default, antivirus detection is enough to detect gpcode and any of its variants.  Lets not make false comments by saying CIS does not protect its users against gpcode. CIS DOES prevent against the REAL threat wih its antivirus right now.

Now lets talk about preventing this proactively.

Is there a way to configure CIS to prevent this proactively? YES.

Method 1: Add you sensitive files/folders to CIS protected files list and you are done. For example, you can add My Documents, My Pictures folders or *.doc, *.txt, *.jpg etc. to your protected files list and it can be protected.

Method 2: Always run your WEB browsers in COMODO Sandbox by adding them to Sandbox pemanently. And while doing this, make sure File system and registry virtualization are both enabled. If you do this and accidently get gpcode or something like gpcode or actually any virus from WEB, they will be running in a virtual file system and hence they can not acess your files or folders.

You can also directly run GPCODE with right-click menu in CIS sandbpx and you will see it cant do anything.

Ofcourse CIS is capable of preventing it proactively as of now. However, these settings are not configured by default.

So why is COMODO not making an immediate HACK to prevent this proactively. Some other products are preventing it already.

We do not need to make a HACK but offer you a proper solution which is proven to prevent this and any similar threat while not affecting your daily work with your computer.

The proper solution is the active file system virtualization of *SOME* automatically sandboxed applications by default. Yes, we are right now working on this kind of a ideal automatic sandbox which is going to be in CIS 6 and will work similar to method 2.

It is NOT a HACK but a properly engineered solution that *avreage joe* wont have problems when CIS is installed.

It takes 10 minutes to write a HACK which simply checks each applications right to enumerate files and folders and thats it. You are there. And what would be the cost? Joe's photo editor will create a popup asking him if he wants some application to list files. Or Marry, while his new MP3 player builds a playlist, it might conflict.

Hi egemen! Thanks for your response.

1- I think if you use the HACK, user will not get many pop ups due to the white list. Right? I fail to understand why there will be pop ups about the photo editor of MP3 player when they will be in the white list( in all probability).

2- The method you are going to use in future( method 2) has one flaw. It will be good for the users who are using default config of Defence Plus as malware will run virtualized and can,t touch the actual system or data files. Bt what about uesrs who are not using sandbox and are using just proactive HIPS feature of Defence Plus. It is not very much practical to add all your sensitive files in one folder and then protect this folder. One might have many .doc, .txt and image files scattered here n there on hard disk. Besides what you will do about blackday trojan that is targeting so many types of files.


To be honest I don,t see any good reason for not adding the HACK to protect against such malware. Gpcode n blackday trojan are just an example, one might face a very similar trojan but more clever, more destructive and more nasty.

[egemen]

Hi egemen! Thanks for your response.

1- I think if you use the HACK, user will not get many pop ups due to the white list. Right? I fail to understand why there will be pop ups about the photo editor of MP3 player when they will be in the white list( in all probability).

Sure. If whitelisted, there wont be a problem. Howevver we have all the whitelist + cloud and yet there are popups causing the users simply shutdown or uinstall the protection. In this case, less is more.

2- The method you are going to use in future( method 2) has one flaw. It will be good for the users who are using default config of Defence Plus as malware will run virtualized and can,t touch the actual system or data files. Bt what about uesrs who are not using sandbox and are using just proactive HIPS feature of Defence Plus. It is not very much practical to add all your sensitive files in one folder and then protect this folder. One might have many .doc, .txt and image files scattered here n there on hard disk. Besides what you will do about blackday trojan that is targeting so many types of files.


To be honest I don,t see any good reason for not adding the HACK to protect against such malware. Gpcode n blackday trojan are just an example, one might face a very similar trojan but more clever, more destructive and more nasty.

Hack is a hack. Not a solution. Putting such a hack into 30 million computers for just a few detectable trojans which are already easily detected already is not preferable. Why? Because it will detect more white files then bad files. Guaranteed.

Btw, it is already detected by the cloud based behavior analysis. So for example, if a user does not use an AV and does not use Sandbox, still, cloud based analysis will alert the user about the trojan.

So there are many ways that a default user is being protcted now hence no need for hacks. The problem is protecting the data of the user. And this requires a more sophisticated method of prevention which is what we are doing now.

The upcoming solution is not specificaly designed for this threat however it prevents much more important data attacks as well as this one.

[loverboy]

Sorry for the stupid question, but if I run Internet Explorer in the sandbox what will happen if I save a file on the Desktop?
Will it go there or will it go somewhere in a "virtual" folder? 

[egemen]

Sorry for the stupid question, but if I run Internet Explorer in the sandbox what will happen if I save a file on the Desktop?
Will it go there or will it go somewhere in a "virtual" folder? 

Sure. It will go to the virtual folder the original desktop will remain clean.

[Tags:]