Comodo 5.8 bypassed by trojan GPCODE

[Guest]

[acafacaa]

I made a test today and uploaded to youtube:
http://www.youtube.com/watch?v=fYM8f3HXAXk&feature=channel_video_title
I am a fun of Comodo,but it seems like sandbox and defense + had been bypassed by Trojan.Win32 Gpcode

[RejZoR]

I've experienced the same thing with screen lock ransomwares. Aparently CIS 5.8 is not reliable at all. Something that's not exactly acceptable in security field...

[Siketa]

Egemen, I think you should do something about those two threats...

[a256886572008]

Egemen, I think you should do something about those two threats...

Only the file system virtualization can protect against this malware.

 

[Chiron]

Can you please set up CIS following these rules:
http://www.techsupportalert.com/content/how-install-comodo-firewall.htm
ignoring the antivirus and see if it's protected?

Thanks.

[a256886572008]

Can you please set up CIS following these rules:
http://www.techsupportalert.com/content/how-install-comodo-firewall.htm
ignoring the antivirus and see if it's protected?

Thanks.

CIS auto sandbox can block the malware by adding one rule to the protected files and folders.

?:\*

[morphiusz]

But it will cause many popups.
It's better to add "\Device\KsecDD"
I proposed it to Comodo but they didn't add that

[kail]

.. It's better to add "\Device\KsecDD"
I proposed it to Comodo but they didn't add that

Was any reason given?

edit: Never mind, I found his concern..

It can be used by many legitimate apps frequently i.e. everytime they are executed. I am not sure.,

[ComoJust]

Hi the GPCODE is a known issue.

Here is what egemen said about this a while back.  Unfortunately we will have to wait for v6 for a permanent fix.

Hi Guys,

Let me comment on this one more time. First of all, if configured, CIS can very well protect against this and any other threats proactively.

First lets see what this gpcode does: It gets to the users computer drive by download and searches for the files in users harddisk. It then encrypts all picture and text files i.e. damages some non-OS-essential files.

Is this a threat to the user ? YES!
Is this a real threat to be prevented ? YES!
Does CIS prevent against this now? YES!

Then how does COMODO protect against this BY DEFAULT. By default, antivirus detection is enough to detect gpcode and any of its variants.  Lets not make false comments by saying CIS does not protect its users against gpcode. CIS DOES prevent against the REAL threat wih its antivirus right now.

Now lets talk about preventing this proactively.

Is there a way to configure CIS to prevent this proactively? YES.

Method 1: Add you sensitive files/folders to CIS protected files list and you are done. For example, you can add My Documents, My Pictures folders or *.doc, *.txt, *.jpg etc. to your protected files list and it can be protected.

Method 2: Always run your WEB browsers in COMODO Sandbox by adding them to Sandbox pemanently. And while doing this, make sure File system and registry virtualization are both enabled. If you do this and accidently get gpcode or something like gpcode or actually any virus from WEB, they will be running in a virtual file system and hence they can not acess your files or folders.

You can also directly run GPCODE with right-click menu in CIS sandbpx and you will see it cant do anything.

Ofcourse CIS is capable of preventing it proactively as of now. However, these settings are not configured by default.

So why is COMODO not making an immediate HACK to prevent this proactively. Some other products are preventing it already.

We do not need to make a HACK but offer you a proper solution which is proven to prevent this and any similar threat while not affecting your daily work with your computer.

The proper solution is the active file system virtualization of *SOME* automatically sandboxed applications by default. Yes, we are right now working on this kind of a ideal automatic sandbox which is going to be in CIS 6 and will work similar to method 2.

It is NOT a HACK but a properly engineered solution that *avreage joe* wont have problems when CIS is installed.

It takes 10 minutes to write a HACK which simply checks each applications right to enumerate files and folders and thats it. You are there. And what would be the cost? Joe's photo editor will create a popup asking him if he wants some application to list files. Or Marry, while his new MP3 player builds a playlist, it might conflict.

https://forums.comodo.com/leak-testingattacksvulnerability-research/weakness-of-the-gpcode-t65960.0.html;msg512678#msg512678

[hkjoj]

I think the | sign is needed because "partially limited' sandbox application is allowed to access the protect file without the | sign.

I've added protected folders like "*/documents|", "*/pictures|", etc

[a256886572008]

I think the | sign is needed because "partially limited' sandbox application is allowed to access the protect file without the | sign.

I've added protected folders like "*/documents|", "*/pictures|", etc

If you add the rules, then the sandboxed process can not create files to these folders.

The | sign is not essential.

[morphiusz]

"\Device\KsecDD" cuts access to Microsoft encryption tool. (gpcode cannot encrypt the files)
Also it's responsible for some kernel actions.
Only these 2.

[hkjoj]

If you add the rules, then the sandboxed process can not create files to these folders.

The | sign is not essential.

No. without the | sign, I find sandboxed apps still able to create files in the directories.

[a256886572008]

No. without the | sign, I find sandboxed apps still able to create files in the directories.

But they can not modify or delete files in the directories.

[turnorburn]

What about an application like Buffer Zone, our firewall is compatible the anti-virus I'm not sure of.

turnorburn

[Tags:]