Ransomware vs CIS = Fail?

A friend who has Comodo Internet Security installed (at my recommendation :embarassed:) on his laptop recently suffered a ransomware attack. He had turned on his laptop computer and attempted to log into his bank website.
A pop-up asking to install Adobe Reader appeared, he declined, then a ransomware message appeared as he was trying to login, instructing him that his system had been encrypted and that he should reboot the computer.

On reboot all documents, all pictures, all music, + all XML, all text and all HTML files had been encrypted. There were more than 1700 copies of the ransomware readme file in png HTML & txt formats written all over the drive. Collectively this was nearly 2 gig in size. The code had accessed all drive partitions and entered directories which I would’ve thought were protected by the Comodo system. E.g. Windows system32 directory.
Looking at last year's Crypto Locker malware discussion on various forums, I can see this latest version has made steps to prevent any kind of recovery. All restore points, shadow copies and temporary backup files written by MS Office applications were also encrypted or deleted.
Auto-sandbox, virus-scope, HIPS, firewall, and anti-virus all showed working and active.

It is possible it was user error but he rarely installs anything & CIS is set to flag any attempted install action etc.

Very disappointing that Comodo was unable to prevent this attack as he lost all his documents and pictures and was forced to restore the machine back to factory default in order to use it.

This raises 2 important questions.
Can CIS stop current ransomware attacks?
Does Comodo intend to implement a system like Crypto Drop?

I could never understand how ransomware manages to bypass Default Deny sandboxing. No one ever explained it either.

You can check this video:

It looks like the bypass is possible if HIPS is OFF, especially if the malware uses a trusted process to make its action.

Then, there are a lot of settings that can affect the issue:

  • Proactive security configuration (HIPS is turned ON by default) is better than Internet security configuration (which is the default configuration when you install CIS)
  • Custom ruleset for the FW is better than safe mode because you can get an alert for outgoing traffic even for trusted apps
  • Viruscope can be set to monitor not only sandboxed files, but every file (this way you get control over trusted apps too)

Interesting vid.

The settings used in the event described above were with HIPS active & custom for the FW. Personally I always use custom settings which gives me more control.
One reason I hated the upgrade to the new GUI is previously I could see/add/tweak everything quickly, now it’s being buried in multiple sub-trees & often semi-automated thus allowing errors. OK the new way seems better for novices but #only# if it works…

I think svchost.exe is one of the major problems I’ve seen historically, as it is often very difficult to see what is being done by which process & why. Given the fact that a network link needs only moments for malware, a user has almost zero chance of figuring it out before it is potentially disastrous.

As to how ransomware is able to act within a supposedly secure system, the only hints I’ve found are in discussion of Crypto Drop. There seems to be a whole lot of nothing available for anyone trying to figure out what's going on. Given the seriousness of the threat I have to wonder why ‘no-one’ is really saying much about it. Plenty of old comments on the early types 2013-15 but nothing much for this year that is actually helpful.

Has anyone reviewed CIS with maximum virtualization active? I assume that would help in resisting this kind of threat, but often it isn’t practical to be entirely virtual.

One of the suggestions to increase security with CIS is to modify the rule for unknown files to run virtually and untrusted.
Unfortunately this is not possible on Windows 10:
https://forums.comodo.com/resolvedoutdated-issues-cis/limited-and-restricted-block-screen-capture-but-untrusted-does-not-m399-t95001.45.html

Personally, I have set the auto-sandbox rule to block unknown apps.
Like that I can right-click on the app and run it in Comodo sandbox.
It seems that manual (on-demand) sandbox is more restrictive than auto-sandbox:

Thanks for that info Jon79.
Typical of W10 to be more interested in data-mining & selling apps than allowing itself to be fully locked down I guess.
I think you should be able to set UAC to off & have CIS take over, providing CIS works. :stuck_out_tongue:

Not really.
In Win10, if you completely disable UAC by registry hack, you won’t even be able to use the start button, because that’s a kind of metro app…

Jon- regarding the AVGuru test:

This was a topic that was discussed a few weeks ago on Wilders and I am surprised that it is showing up here. “EfficacyTest.exe” is a specific AV tester that when run will in turn run malware. If EfficacyTest.exe is allowed to run out of the sandbox ALL future actions will also be unsandboxed, thus the infections that can be seen in that video. In short, the setup for the test was very flawed and thus the results are also without value.

I was sent all of the malware seen in that video (the malware pack was PM’d to me) and the actual results can be seen here:

Not really?
Surely you are showing that it is worse than a simple on/off option & therefore is in fact removing options to allow the monetized app interface to force you into certain modes of behavior at a code level.
That in itself presents a pipeline for hacker activity that will ‘always’ be active.

Even if you simply disable UAC in Settings, Windows 10 will stop running Windows Apps.
You have an issue with this, take it up with Microsoft.

Duuuuuh.

Comodo is trying to produce a product that works effectively in a flawed environment, so stating the obvious really helps.
Much more useful than understanding the problems & discussing them.

Hi cruelsister,
I watched the video, thanks for the link.
I noticed that you set the auto-sandbox on run virtually → restricted and you wrote that you did so because run virtually → untrusted doesn’t work on Windows 10.
The problem is that run virtually → restricted won’t work either, because every app will run as partially limited.
Try to re-make the test with this setting and let’s see what happens.
Thanks

Will it be fixed on CIS 10?
(personally I don’t think so, as this problem is strictly related to WIN 10 UAC…)

Right…I agree…But I’m not sure this issue can be fixed by Comodo…