Author Topic: How Comodo protect my system against Trojan.Win32 GPCODE ?  (Read 26301 times)

Offline pikusek

  • Comodo Loves me
  • ****
  • Posts: 137
Re: How Comodo protect my system against Trojan.Win32 GPCODE ?
« Reply #15 on: October 21, 2011, 08:40:28 AM »

Quote
The rules of COMODO are not the same as those of other HIPS programs.


I know that. I have removed the "All applications" rule from "Rules Defense +" and added it to "Protected Files and Folders" (it works only there).
« Last Edit: October 21, 2011, 08:51:30 AM by pikusek »

Offline naren

  • Comodo's Hero
  • *****
  • Posts: 4376
Re: How Comodo protect my system against Trojan.Win32 GPCODE ?
« Reply #16 on: October 21, 2011, 09:50:31 AM »
Quote
keep the sandbox level as "partially limited"

Thanks for the info.

Regards
Naren

Offline evil_religion

  • Malware Research Group
  • Comodo's Hero
  • *****
  • Posts: 475
Re: How Comodo protect my system against Trojan.Win32 GPCODE ?
« Reply #17 on: October 21, 2011, 07:49:42 PM »
Quote
Can you give me or us an example (Screenshot)?
Here you go:


I tested the sample with this rule with internet security profile, sandbox on and proactive profile, sandbox off and it was blocked successfully.

Sorry guys, but this issue is highly overrated...

Offline RejZoR

  • Comodo's Hero
  • *****
  • Posts: 1172
Re: How Comodo protect my system against Trojan.Win32 GPCODE ?
« Reply #18 on: October 22, 2011, 01:22:20 AM »
Highly overrated? I wish you good luck when you get hit by such ransomware. There are two things that should never be taken lightly: viruses (actual file infectors) and these ransomware malwares.
I don't care about worms, trojans and other garbage that you can eventually clean off without losing anything. But with file infectors and encryption ransomware, there is always a chance of losing data.
And even though everyone is screaming "make backups", what's the point of having antimalware software in the first place if you defend its flaws by saying "make backups"? Backups should be the very, very last resort. And honestly, how many of you actually make them? I can't back up 2TB of data. Unless you want to pay me for another 2TB drive. The data is not critical, but then again I also don't want to lose it, since it's stuff that spans 13 years of computer usage. Some was lost and scrambled over the years for various reasons, but the majority is still here.

So don't be stupid and don't defend it for things that can easily be improved. Doing that just harms the users in the end, including you. As you know, I'm a big avast! supporter and at first I was doing the same. But not much later I started pointing out problems and criticizing it myself. Because only this way do things actually improve. So do Comodo a favor and don't defend it this way. It's for everyone's good.

Offline hkjoj

  • Comodo's Hero
  • *****
  • Posts: 452
Re: How Comodo protect my system against Trojan.Win32 GPCODE ?
« Reply #19 on: October 22, 2011, 02:51:48 AM »
RejZoR, I agree with all of your points except that I think data is critical.
One can always rebuild a system without a backup by re-installing the system (maybe with a little bit of money), but one can never get back some personal data without a backup (e.g. your travel photos, your work documents, your connection of ...)

Offline Nickoo

  • Comodo Loves me
  • ****
  • Posts: 141
Re: How Comodo protect my system against Trojan.Win32 GPCODE ?
« Reply #20 on: October 22, 2011, 05:08:55 AM »
Can anyone tell me if these rules are OK to be there, please? Or maybe I should change some things?

my CIS setting: Proactive Security
Sandbox: enabled & Untrusted
Defense Plus: Safe Mode
Firewall: Custom Policy
Antivirus: On Access & show me alert

Thanks. :)


Offline Siketa

  • Comodo's Hero
  • *****
  • Posts: 4778
  • ZIG ZAG
Re: How Comodo protect my system against Trojan.Win32 GPCODE ?
« Reply #21 on: October 22, 2011, 06:26:47 AM »
Salmonela is a great teacher... :)

Offline evil_religion

  • Malware Research Group
  • Comodo's Hero
  • *****
  • Posts: 475
Re: How Comodo protect my system against Trojan.Win32 GPCODE ?
« Reply #22 on: October 22, 2011, 07:02:31 AM »
Quote
Highly overrated? I wish you good luck when you get hit by such ransomware.
You do see that I let D+ protect my important files, don't you?

Quote
There are two things that should never be taken lightly: viruses (actual file infectors) and these ransomware malwares.
I don't care about worms, trojans and other garbage that you can eventually clean off without losing anything.
You'd better care about "worms, trojans and other garbage", since they may steal data that can't be replaced either, not even by restoring backups.

Quote
But with file infectors and encryption ransomware, there is always a chance of losing data.
You forget file killers, MBR killers, disk killers and buggy malware that may incidentally kill data.
To the point: when malware hits the system, there's always a risk of data loss.

Quote
And even though everyone is screaming "make backups", what's the point of having antimalware software in the first place if you defend its flaws by saying "make backups"? Backups should be the very, very last resort. And honestly, how many of you actually make them? I can't back up 2TB of data.
I'm sorry for you, I can.

Quote
The data is not critical, but then again I also don't want to lose it, since it's stuff that spans 13 years of computer usage. Some was lost and scrambled over the years for various reasons, but the majority is still here.
Then you'd better buy a second 2TB drive and save it.

Quote
So don't be stupid
You're as pleasant as ever...

Quote
and don't defend it for things that can easily be improved.
Adding "\Device\KsecDD" is just a workaround. It doesn't make your data protected, it just cuts access to some Windows functions. Ever wondered why egemen hasn't added that rule yet? This may be the reason (I bet).
Other malware will still be able to kill your data unless Comodo introduces default virtualization or you manually add your stuff to protected files of D+.

Quote
Doing that just harms the users in the end, including you.
I can't recall when I was hit by malware the last time, must be many many years ago.
Anyway, I have my files protected by D+ via manual rules and there are also Sandboxie and Brain, so your argument isn't true.

Quote
So do Comodo a favor and don't defend it this way. It's for everyone's good.
I just point at the flaws of your argumentation.
« Last Edit: October 22, 2011, 03:15:30 PM by evil_religion »

Offline RejZoR

  • Comodo's Hero
  • *****
  • Posts: 1172
Re: How Comodo protect my system against Trojan.Win32 GPCODE ?
« Reply #23 on: October 23, 2011, 02:46:45 AM »
Whatever. Your answer to my every damn word is just sand in your own and others' eyes. If you never got hit by anything, then why do you even use security software, if you're so confident that you're right about anything and everything?

Offline panic

  • Global Moderator
  • Comodo's Hero
  • *****
  • Posts: 11455
  • Linux is free only if your time is worthless.;-)
Re: How Comodo protect my system against Trojan.Win32 GPCODE ?
« Reply #24 on: October 23, 2011, 03:25:57 AM »
Quote
Highly overrated? I wish you good luck when you get hit by such ransomware.

@evil_religion - IMHO, the loss of user generated data cannot be over-rated. Operating systems, applications and settings can be reinstalled - data that you create cannot be reinstalled and there is no guarantee that you could recreate it exactly. Unless you have backups, of course.

Quote
And even though everyone is screaming make backups, then what's the point of having antimalware software in the first place if you defend its flaws by saying make backups. Backups should be the very very last resort.

Seriously??

In a commercial sense, data can be considered an official record and therefore covered under law as to how long it must be retained. Under certain circumstances, the record must be retained in perpetuity. In this instance, a hard copy would be required to ensure the record could be read in future years, but for records with a "sunset" of 5, 7 or more years, an archival copy must be retained in a readable format.

In a personal sense, safeguarding user generated data can be just as important, whether the data is archived because of legal requirements or because of non-reproducibility.

Just because you choose not to backup your data, doesn't mean everyone should choose likewise.

Cheers,
Ewen :-)
As your mums would say, "If you can't play nice with all the other kiddies, go home".
All users are asked to please read and abide by the  Comodo Forum Policy.
If you can't conform, don't use the forum.

Offline RejZoR

  • Comodo's Hero
  • *****
  • Posts: 1172
Re: How Comodo protect my system against Trojan.Win32 GPCODE ?
« Reply #25 on: October 23, 2011, 04:16:12 AM »
No, what I was and still am saying is that security programs have to take any measures possible to prevent getting infected or losing data because of malware. As we pointed out already, despite all the super duper D+, this thing just walks past it and trashes the entire system. Clearly, this IS a flaw, and a bad one at that.
The first one is why an unknown application is allowed to use a known application to modify user files. It seems to me that something got broken in between. A known app using a known app to modify user files is acceptable. A known app using an unknown app to modify user data is still normal, since the initiator of the whole process is known. However, you can't have an unknown initiator of the process using a known app to modify user data. That simply falls in the exploiting category. Which in this case it is, by all points.

So instead of defending it with some lame excuses, demand an explanation from the staff and a possible official solution to the problem. Which we still haven't got. Instead, some nice lads have found a workaround that actually works. I don't care if it's home cooked, I've seen it work and that's all I need to know. Even if it's still not 100%, being 75% is better than 0%...

Offline panic

  • Global Moderator
  • Comodo's Hero
  • *****
  • Posts: 11455
  • Linux is free only if your time is worthless.;-)
Re: How Comodo protect my system against Trojan.Win32 GPCODE ?
« Reply #26 on: October 23, 2011, 04:38:26 AM »
Don't get me wrong Rejzor, I agree with you 100% re. an unknown object being allowed to run a known object. It should be fixed - categorically.

In saying that, I still believe that backup are important. The degree of importance is largely determined by the nature of the data and the nature of the data owner.

Quote
So instead of defending it with some lame excuses ....

I don't believe that I offered any kind of excuse re. GPCode. I was only commenting on your position on the relevance/importance of backups. Not everyone has your perspective on the importance of data retention, that's all. You're prepared to lose data, other may not be. No one position is canonical.

Cheers,
Ewen :-)
As your mums would say, "If you can't play nice with all the other kiddies, go home".
All users are asked to please read and abide by the  Comodo Forum Policy.
If you can't conform, don't use the forum.

Offline Lurchi

  • Newbie
  • *
  • Posts: 15
Re: How Comodo protect my system against Trojan.Win32 GPCODE ?
« Reply #27 on: October 23, 2011, 07:24:17 AM »
Quote
No, what I was and still am saying is that security programs have to take any measures possible to prevent getting infected or losing data because of malware. As we pointed out already, despite all the super duper D+, this thing just walks past it and trashes the entire system. Clearly, this IS a flaw, and a bad one at that.
The first one is why an unknown application is allowed to use a known application to modify user files. It seems to me that something got broken in between. A known app using a known app to modify user files is acceptable. A known app using an unknown app to modify user data is still normal, since the initiator of the whole process is known. However, you can't have an unknown initiator of the process using a known app to modify user data. That simply falls in the exploiting category. Which in this case it is, by all points.

So instead of defending it with some lame excuses, demand an explanation from the staff and a possible official solution to the problem. Which we still haven't got. Instead, some nice lads have found a workaround that actually works. I don't care if it's home cooked, I've seen it work and that's all I need to know. Even if it's still not 100%, being 75% is better than 0%...
:-TU :-TU :-TU
Do not trust the government

Offline lordraiden

  • Computer Security Testing Group
  • Comodo's Hero
  • *****
  • Posts: 880
Re: How Comodo protect my system against Trojan.Win32 GPCODE ?
« Reply #28 on: October 23, 2011, 07:29:19 AM »
I wonder why there are no devs in any vulnerability thread trying to solve the problem.

Offline evil_religion

  • Malware Research Group
  • Comodo's Hero
  • *****
  • Posts: 475
Re: How Comodo protect my system against Trojan.Win32 GPCODE ?
« Reply #29 on: October 23, 2011, 08:03:04 AM »
Quote
If you never got hit by anything, then why do you even use security software, if you're so confident that you're right about anything and everything?
I'm still a human though, and I like pop-ups.  ;D

Quote
@evil_religion - IMHO, the loss of user generated data cannot be over-rated. Operating systems, applications and settings can be reinstalled - data that you create cannot be reinstalled and there is no guarantee that you could recreate it exactly. Unless you have backups, of course.
I didn't say data loss would be overrated: I mean you can easily protect your data with D+. Every HIPS user should consider this method.
Apart from this, the only real solution without crippling sandboxed processes to a maximum or using the random "\Device\KsecDD" workaround is auto-virtualization. Until we have that, I don't think multiple threads about the same threat are necessary.
The issue is known for a long time now...

Quote
Don't get me wrong Rejzor, I agree with you 100% re. an unknown object being allowed to run a known object. It should be fixed - categorically.
I slightly disagree with you. The problem doesn't seem to be that the malware is able to encrypt something with the use of a Windows function. The "process start" in this case can't be used to get full control over a trusted process; at least that hasn't happened yet and most likely won't.
The problem is that the malware can write to the user's data - all the dangerous actions are performed by the malware process, not by a hijacked Windows process.
So, how to stop that? Adding "\Device\KsecDD" won't prevent malware from accessing your stuff. If ransomware did the encryption with process-internal features, having "\Device\KsecDD" protected wouldn't help a bit, since the malware wouldn't need to access it.
