Author Topic: Comodo 5.8 bypassed by trojan GPCODE  (Read 25589 times)
Szadout
Comodo's Hero
Posts: 258
Keeper of the Eternal Sun

Re: Comodo 5.8 bypassed by trojan GPCODE
« Reply #15 on: October 17, 2011, 12:32:43 PM »

Quote
It's better to add "\Device\KsecDD"
I proposed it to Comodo but they didn't add that

Was any reason given?

edit: Never mind, I found his concern.

Quote
It can be used by many legitimate apps frequently, i.e. every time they are executed. I am not sure.

For example, the Windows Socket Interface is also used by many legitimate programs, and yet it is in the protected files, and it does not create problems.
« Last Edit: October 17, 2011, 12:34:59 PM by Szadout »



If you have nothing to hide, you still have something to fear.
morphiusz
Star Group
Comodo's Hero
Posts: 2218
Comodo's trash :)

Re: Comodo 5.8 bypassed by trojan GPCODE
« Reply #16 on: October 17, 2011, 12:34:22 PM »

Quote
For example, the Windows Socket Interface is also used by many legitimate programs, and yet it is in the protected files, and it does not create problems.

+1
It is used by almost all applications which are supposed to connect to the net.
So, there is a little misunderstanding.
loveboy_lion
Comodo's Hero
Posts: 465
COMODO Is Good Hope We Make it The BEST !

Re: Comodo 5.8 bypassed by trojan GPCODE
« Reply #17 on: October 17, 2011, 03:40:41 PM »

I too was bypassed by one malware, and this was on my personal laptop while testing some malware. It infected me so badly that I had to format. I pinged egemen and he asked me for samples, which I submitted to him; now let's see what he does, hope he fixes it.

http://forums.comodo.com/bug-reports-cis/cis-58-bug-that-crashed-cis-and-windows-t77531.0.html

HeffeD
Global Moderator
Comodo's Hero
Posts: 6624

Re: Comodo 5.8 bypassed by trojan GPCODE
« Reply #18 on: October 17, 2011, 04:00:40 PM »

Loveboy_lion,

This thread has nothing to do with your issue. Please stop post poisoning/thread jacking/cross posting, as this behavior is a violation of forum policy.

You really don't need to post links to your threads in every post that seems remotely similar.

Thanks for your understanding.

-HeffeD

AyeAyeCaptain
Usability Study Member
Comodo's Hero
Posts: 619

Re: Comodo 5.8 bypassed by trojan GPCODE
« Reply #19 on: October 17, 2011, 04:34:01 PM »

Quote
Loveboy_lion,

This thread has nothing to do with your issue. Please stop post poisoning/thread jacking/cross posting, as this behavior is a violation of forum policy.

You really don't need to post links to your threads in every post that seems remotely similar.

Thanks for your understanding.

-HeffeD

Agreed, no offense Loveboy, but you've got to just have patience for people to respond to your thread as opposed to posting the link everywhere.

Film Scum Remake
Comodo: Where is your Tool
User: What Tool?
Comodo: This f****** Tool.
Protect Yourself With Comodo...... lol
a256886572008
Star Group
Comodo's Hero
Posts: 823

Re: Comodo 5.8 bypassed by trojan GPCODE
« Reply #20 on: October 17, 2011, 08:40:55 PM »

The "auto sandbox" does not enable "file system virtualization" and "registry virtualization",
but "always sandbox" does.
a256886572008
Star Group
Comodo's Hero
Posts: 823

Re: Comodo 5.8 bypassed by trojan GPCODE
« Reply #21 on: October 17, 2011, 09:00:51 PM »

But it will cause many popups.

Quote
It's better to add "\Device\KsecDD"
I proposed it to Comodo but they didn't add that

CIS can not block the following malware by adding that rule.

.bat script malware
Quote
@echo off

del /s /q d:\*
morphiusz
Star Group
Comodo's Hero
Posts: 2218
Comodo's trash :)

Re: Comodo 5.8 bypassed by trojan GPCODE
« Reply #22 on: October 17, 2011, 11:42:18 PM »

Quote
CIS can not block the following malware by adding that rule.

.bat script malware

I can confirm it is blocked.
Szadout can confirm as well, we have tested that a couple of times.
a256886572008
Star Group
Comodo's Hero
Posts: 823

Re: Comodo 5.8 bypassed by trojan GPCODE
« Reply #23 on: October 18, 2011, 12:10:11 AM »

Quote
I can confirm it is blocked.
Szadout can confirm as well, we have tested that a couple of times.

1. I added the rule to the protected files and folders.

2. I double clicked on the .bat file.

3. I viewed the Defense+ events.
vix123
Comodo Loves me
Posts: 110
I don't use an antivirus that doesn't pass VB100

Re: Comodo 5.8 bypassed by trojan GPCODE
« Reply #24 on: October 18, 2011, 12:48:21 AM »

Any malware that immediately harms the host has zero chance of surviving. Document encrypting malware is a nuisance (even a terrible one) to those who don't back up, but the chance of getting it is far less than the chance of a serious hard disk head crash, which would be the same.

Comodo is right about letting programs modify your documents.

If Comodo warns you any time you'll be changing your documents, say hello to users who will be disabling Defense+ after the first 5 minutes of nuisance. False positives are already an issue with Comodo.

If Comodo sandboxes your documents, they'll be having serious complaints from users who uninstall it and then discover that their documents were not updated in their original locations and they have to be looking in virtual directories for the proper copies. Woe to those who had formatted their system drive in the meantime, losing the updated copies of their documents.

Of course Comodo is giving you all the tools to prevent unauthorized programs from modifying your documents, but don't be confusing the job of scheduled backups with that of security software.

evil_religion
Malware Research Group
Comodo's Hero
Posts: 476

Re: Comodo 5.8 bypassed by trojan GPCODE
« Reply #25 on: October 18, 2011, 12:50:54 AM »

"\Device\KsecDD" cuts access to the Microsoft encryption tool (gpcode cannot encrypt the files).
What about the HIPS at the proactive profile, sandbox turned off and manually adding files to "My protected files"?
What alerts are shown when the malware wants to access the Microsoft encryption tool? Process start?
So, with this config the malware is also blocked without adding "\Device\KsecDD"?
hkjoj
Comodo's Hero
Posts: 439

Re: Comodo 5.8 bypassed by trojan GPCODE
« Reply #26 on: October 18, 2011, 04:47:13 AM »

Quote
Any malware that immediately harms the host has zero chance of surviving. Document encrypting malware is a nuisance (even a terrible one) to those who don't back up, but the chance of getting it is far less than the chance of a serious hard disk head crash, which would be the same.

Comodo is right about letting programs modify your documents.

Ways to rescue the system cannot be excuses for weakness of security programs.

Comodo is right about letting programs modify your documents only when it is safe to do so. Comodo should warn the user if malware modifies your documents.

If Comodo always allows any program to modify files in your system, what's the point of installing CIS?
RejZoR
Comodo's Hero
Posts: 1050

Re: Comodo 5.8 bypassed by trojan GPCODE
« Reply #27 on: October 18, 2011, 06:02:40 AM »

I've changed the virtualization method in VMware Player from "Automatic" to "Binary translation" and disabled acceleration. It was slow, but then it was working. Now I've switched back and it's still working. However, there is still one sample named 7000.exe that doesn't raise any warnings from Comodo. Hm...

EDIT:
WTF, CIS just decided on its own to add all the malware samples to trusted files. Just like that. Are they mad at Comodo!?
« Last Edit: October 18, 2011, 06:07:26 AM by RejZoR »
Siketa
Comodo's Hero
Posts: 3291
ZIG ZAG

Re: Comodo 5.8 bypassed by trojan GPCODE
« Reply #28 on: October 18, 2011, 06:14:31 AM »

Quote
WTF, CIS just decided on its own to add all the malware samples to trusted files. Just like that. Are they mad at Comodo!?

Everything is fine here..... plus when I change the untrusted folder's location, all files in it remain untrusted....
No auto switching to Trusted.... has to be your system....
7000.exe is detected by the AV component...
« Last Edit: October 18, 2011, 06:23:22 AM by siketa »
AyeAyeCaptain
Usability Study Member
Comodo's Hero
Posts: 619

Re: Comodo 5.8 bypassed by trojan GPCODE
« Reply #29 on: October 18, 2011, 06:32:46 AM »

But this was not tested with AV + Cloud; on another forum I am sure it got picked up when both of these were switched on?

Anyone confirm?
