Topic: How Comodo protect my system against Trojan.Win32 GPCODE ?
RejZoR
Comodo's Hero
Posts: 1045


« Reply #75 on: May 10, 2012, 04:13:12 PM »

Ok, how did you make the category for it? I can't seem to find the controls to do that so I could organize them a bit...
Ronny
Product Translator
Global Moderator
Comodo's Hero
Posts: 13195


Volunteer Moderator


« Reply #76 on: May 10, 2012, 04:15:02 PM »

> Ok, how did you make the category for it? I can't seem to find the controls to do that so I could organize them a bit...

If you're in the protected files & folders window you need to press the 'Group' button, Add a new group and add the entry to that group.
Now apply that and once you're out of that window you can add the new group to the protected files & folders policy.

Volunteer Moderator
Any concerns? Please send me a PM or review the Forum Policy -  update Jan 3rd 2013!
RejZoR
« Reply #77 on: August 15, 2012, 02:26:59 AM »

I've featured these tweaks on my blog www.rejzor.tk or directly at: http://my.opera.com/rejzor/blog/2012/08/15/comodo-anti-ransom-protection-settings

If anyone knows who was the original finder of the KsecDD settings, please let me know so I can add credits accordingly...
Ronny
« Reply #78 on: August 15, 2012, 03:42:10 AM »

> I've featured these tweaks on my blog www.rejzor.tk or directly at: http://my.opera.com/rejzor/blog/2012/08/15/comodo-anti-ransom-protection-settings
>
> If anyone knows who was the original finder of the KsecDD settings, please let me know so I can add credits accordingly...

I think it was me, posted here
RejZoR
« Reply #79 on: August 15, 2012, 04:28:01 AM »

Thx, I have changed the credits.
Ronny
« Reply #80 on: August 15, 2012, 10:04:54 AM »

> Thx, I have changed the credits.

Thanks for that!
RejZoR
« Reply #81 on: August 15, 2012, 10:37:15 AM »

Np. Though I've noticed that KsecDD is being triggered for many other things as well. It's no problem to allow that, but still. Any idea how to trim it down and still be GPcode proof?
Ronny
« Reply #82 on: August 15, 2012, 12:02:35 PM »

Unfortunately not, it's the general encryption routine and indeed also used by a lot of 'legit' applications.
RejZoR
« Reply #83 on: August 15, 2012, 02:54:38 PM »

Strangely, Killing Floor game triggers it. Not sure why would a game need KsecDD.

What about adding *.jpg to the protected files and folders? I've tried editing JPG image with whitelisted app and I didn't get any warning. Makes me wonder how would CIS behave if you'd run an unknown app inside sandbox with this rule. In theory you should get warning if any EXE tries to modify JPG directly.

If this would work, it would be no problem to build a list of user file extensions (jpg, doc etc) that would be protected in general.
RejZoR
« Reply #84 on: August 16, 2012, 01:30:11 AM »

Ronny, do you happen to have both samples of these ransomware crypters? I'm thinking of doing some research on Defense+ without using KsecDD in order to protect user data from them.
If you still have them, plz contact me on PM.
Ronny
« Reply #85 on: August 16, 2012, 04:56:45 AM »

> Strangely, Killing Floor game triggers it. Not sure why would a game need KsecDD.
>
> What about adding *.jpg to the protected files and folders? I've tried editing JPG image with whitelisted app and I didn't get any warning. Makes me wonder how would CIS behave if you'd run an unknown app inside sandbox with this rule. In theory you should get warning if any EXE tries to modify JPG directly.
>
> If this would work, it would be no problem to build a list of user file extensions (jpg, doc etc) that would be protected in general.

I have seen other users put * on the protected files list, that runs fine in default install if you sandbox RW then they can't modify any file.
On the other hand all sandboxed executables can't change anything, but if you only run the sandbox to isolate unknown executables that's fine.
a256886572008
Star Group
Comodo's Hero
Posts: 777



« Reply #86 on: August 16, 2012, 05:37:46 AM »

?:\*
Ronny
« Reply #87 on: August 16, 2012, 05:42:22 AM »

Yes that one should protect all drives.
RejZoR
« Reply #88 on: August 16, 2012, 05:47:57 AM »

And spawn even more useless popups than KsecDD?

Wouldn't it be then easier to just add "*.jpg" to the list of protected files and you'd get warning just when unknown app tries to modify JPG images? It doesn't seem to give me any warnings when trying to edit images using whitelisted apps like Paint.NET. Then again due to lack of samples, I couldn't yet test if it does actually trigger this rule when GPCode is executed...
a256886572008
« Reply #89 on: August 16, 2012, 05:54:41 AM »

> And spawn even more useless popups than KsecDD?
>
> Wouldn't it be then easier to just add "*.jpg" to the list of protected files and you'd get warning just when unknown app tries to modify JPG images? It doesn't seem to give me any warnings when trying to edit images using whitelisted apps like Paint.NET. Then again due to lack of samples, I couldn't yet test if it does actually trigger this rule when GPCode is executed...

GPCode can destroy *.doc, *.png, *.xls, ..., etc.