Author Topic: Protection against ransomware.

Offline Picandalo

  • Comodo Family Member
  • ***
  • Posts: 53
Protection against ransomware.
« on: November 04, 2020, 09:53:06 AM »
Hi,

Does CIS have protection against ransomware? ... if so, how to configure it?

Thanks

My CIS
CIS v.12.0.0.6818
Database version: 32957


Offline safemode

  • Comodo's Hero
  • *****
  • Posts: 202
Re: Protection against ransomware.
« Reply #1 on: November 04, 2020, 06:08:28 PM »
Yes, CIS protects against Ransomware, and any other kind of Malware, through Auto-Containment & HIPS modules.

That's when we figured out what the Malware mainly needs in order to cause damage:

1-Write privilege to hard disk
2-write privilege to the Registry
3-write privilege to the COM interface

Write privilege means: the right/ability to write to hard disk...why would you want a brand new untrusted app to start writing to your hard disk??? It could simply overwrite your own good files.....yep...Ransomware....
So when a new executable file comes in, if it's never been seen before by Comodo...we say "hey kiddo...here is a really good plastic knife" ;)
Let's say a Ransomware makes it to your computer because the user clicks anything shiny on the web...
this ransomware is now running in RAM....and says....I want to "READ" hard disk....
Comodo says:...hmm.."READ" privilege..its ok...go ahead and read it....
then
Ransomware says:...I want to "encrypt" this file that I just read...
Comodo says: hmm....just messing around inside RAM...no damage done...go ahead....
Ransomware says: Now I have an encrypted file...I want to delete your original file and overwrite it with just encrypted....
Comodo says:...say what?? you want to have a "WRITE PRIVILEGE" to hard disk...Don't think so....here is a "Virtual Write Privilege to a Fake Hard disk" .....
Ransomware says: oh thank you, let me write there....
All the while Ransomware is writing to a "fake hard disk" where user's original files are untouched and safe on the hard disk.

You can change CIS to 'Proactive Security' mode, this will enhance overall protection of all CIS components. You can also check and use the Cruelsister settings for Comodo Firewall (also valid for CIS) which will further enhance the level of protection provided.

Offline Picandalo

  • Comodo Family Member
  • ***
  • Posts: 53
Re: Protection against ransomware.
« Reply #2 on: November 05, 2020, 03:17:16 AM »
Yes, CIS protects against Ransomware, and any other kind of Malware, through Auto-Containment & HIPS modules.

Hi safemode,
so I am worried because a ransomware encrypted an excel file on my machine and I would like to know if Comodo has a module that decrypts this file ?!

The ransomware created a .mars file in place of my excel file.
Need help!

Offline Ploget

  • Global Moderator
  • Comodo's Hero
  • *****
  • Posts: 1866
  • 'Your best teacher is your last mistake'
    • Schneier on Security
Re: Protection against ransomware.
« Reply #3 on: November 05, 2020, 04:44:29 AM »
No it doesn't, but try the advice and tools on these sites:

https://www.bugsfighter.com/remove-mars-ransomware-and-decrypt-mars-files/

https://www.pcrisk.com/removal-guides/19266-mars-ransomware
Hi safemode,
so I am worried because a ransomware encrypted an excel file on my machine and I would like to know if Comodo has a module that decrypts this file ?!

The ransomware created a .mars file in place of my excel file.
Ploget

All Win 10 x 64 Pro - 21H1 (19043.1110) / CIS 12.2.2.8012
Comodo Forum Policy
“If you think you are too small to make a difference, try sleeping with a mosquito”

Offline safemode

  • Comodo's Hero
  • *****
  • Posts: 202
Re: Protection against ransomware.
« Reply #4 on: November 05, 2020, 01:27:00 PM »
Picandalo, just out of curiosity, this Excel file that was encrypted by the Mars Ransomware was located in which Folder? I am asking because the 'Downloads' folder is set by default as an exception to Auto-Containment's Virtualization by Comodo, so any Ransomware could encrypt files located in this mentioned folder.

EDIT: Did this Ransomware compromise your machine with CIS installed, or did you install CIS after the infection?

Looks like another case of the Default Settings in CIS being weak - Installing it without properly configuring it is the same as not installing it at all.
« Last Edit: November 05, 2020, 01:34:02 PM by safemode »
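The two mechanisms safemode describes in this thread, a contained process whose reads fall through to the real disk while its writes and deletes are redirected to a "fake hard disk" (Reply #1), and a folder such as 'Downloads' that is excluded from that virtualization so writes there hit the real files (Reply #4), can be modelled in a few lines. The following is an added toy model written for this thread, not Comodo's code or an account of how CIS is implemented internally; the class names, the shadow-directory layout, the tombstone marker and the sample file names are all constructed for the illustration, and the "transform" step is a byte-flip placeholder standing in for whatever the untrusted program does with the data in RAM.

```python
"""Toy model of write virtualization with a per-folder exclusion.
Constructed for illustration; not the real CIS Auto-Containment code."""
import os
import shutil
import tempfile

TOMBSTONE = ".deleted"  # marker file: "deleted inside the container"


class ContainedFS:
    """Reads fall through to the real tree; writes/deletes go to a shadow
    tree, except for paths under an excluded top-level folder."""

    def __init__(self, real_root, shadow_root, exclusions=()):
        self.real_root = real_root
        self.shadow_root = shadow_root
        self.exclusions = tuple(exclusions)  # e.g. ("Downloads",) as in Reply #4
        os.makedirs(shadow_root, exist_ok=True)

    def _excluded(self, name):
        return name.split("/", 1)[0] in self.exclusions

    def _real(self, name):
        return os.path.join(self.real_root, *name.split("/"))

    def _shadow(self, name):
        return os.path.join(self.shadow_root, *name.split("/"))

    def read(self, name):
        """READ is allowed: serve the shadow copy if one exists, else the real file."""
        if not self._excluded(name):
            shadow = self._shadow(name)
            if os.path.exists(shadow + TOMBSTONE):
                raise FileNotFoundError(name)
            if os.path.exists(shadow):
                with open(shadow, "rb") as fh:
                    return fh.read()
        with open(self._real(name), "rb") as fh:
            return fh.read()

    def write(self, name, data):
        """WRITE lands in the shadow tree unless the folder is excluded."""
        target = self._real(name) if self._excluded(name) else self._shadow(name)
        os.makedirs(os.path.dirname(target), exist_ok=True)
        if os.path.exists(target + TOMBSTONE):
            os.remove(target + TOMBSTONE)
        with open(target, "wb") as fh:
            fh.write(data)

    def delete(self, name):
        """DELETE only leaves a tombstone in the shadow tree unless excluded."""
        if self._excluded(name):
            os.remove(self._real(name))
            return
        shadow = self._shadow(name)
        os.makedirs(os.path.dirname(shadow), exist_ok=True)
        if os.path.exists(shadow):
            os.remove(shadow)
        open(shadow + TOMBSTONE, "wb").close()


def untrusted_process(fs, names):
    """The sequence from Reply #1: read, transform in memory, delete the
    original, write the transformed copy under a new name. The transform
    is a byte-flip placeholder, not cryptography of any kind."""
    for name in names:
        data = fs.read(name)
        transformed = bytes(b ^ 0xFF for b in data)
        fs.delete(name)
        fs.write(name + ".locked", transformed)


def simulate(exclusions=("Downloads",)):
    """Run the untrusted process inside the container and report what is
    left on the REAL disk: original bytes, or None if the file is gone."""
    real = tempfile.mkdtemp(prefix="real_")
    shadow = tempfile.mkdtemp(prefix="shadow_")
    originals = {  # constructed sample files
        "Documents/report.xlsx": b"quarterly numbers",
        "Downloads/invoice.xlsx": b"invoice total",
    }
    for name, content in originals.items():
        path = os.path.join(real, *name.split("/"))
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "wb") as fh:
            fh.write(content)

    untrusted_process(ContainedFS(real, shadow, exclusions), list(originals))

    survivors = {}
    for name in originals:
        for candidate in (name, name + ".locked"):
            path = os.path.join(real, *candidate.split("/"))
            if os.path.exists(path):
                with open(path, "rb") as fh:
                    survivors[candidate] = fh.read()
            else:
                survivors[candidate] = None
    shutil.rmtree(real)
    shutil.rmtree(shadow)
    return survivors


if __name__ == "__main__":
    for path, content in simulate().items():
        print(f"{path}: {content!r}")
```

With the default exclusion the file under Documents/ survives on the real disk (the delete and the .locked write went to the shadow tree), while the file under Downloads/ is gone and replaced by a .locked copy, which is exactly the situation safemode asks Picandalo about. Calling `simulate(exclusions=())` shows that with no excluded folder both originals survive.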
