Author Topic: Petya / Petya-like ransomware run sandboxed... Protected or not?  (Read 2803 times)

Offline cocalaur

  • Comodo's Hero
  • *****
  • Posts: 333
  • Happy COMODO user
Petya / Petya-like ransomware run sandboxed... Protected or not?
« on: February 17, 2017, 05:54:45 PM »
Hi.

I already know that thanks to its autosandbox feature, COMODO can prevent all ransomware encrypting your
files.

I just wanted to know: In case of Petya and other/similar MBR/GPT encryption ransomware, if they are run into sandbox,
will they be able to encrypt the drives?

Thank you
=================================
Son: "Dad, what is malware?"
Dad: "I don't know, son, we use COMODO."
=================================

Offline BlueTesta

  • Star Group
  • Comodo's Hero
  • *****
  • Posts: 482
Re: Petya / Petya-like ransomware run sandboxed... Protected or not?
« Reply #1 on: February 17, 2017, 06:36:19 PM »
Evjls Rain
Comodo Firewall - Proactive Configurations - petya blocked
https://www.youtube.com/watch?v=kRqQFZrnZ3c


Note: Comodo Firewall is more secure with Proactive Configurations then Firewall Configurations
even with the same Sandbox settings

cruelsister1
Comodo Firewall 10 Setup
https://www.youtube.com/watch?v=FoIu3Z2ImO8




Some core settings i have noticed to be different within the Configurations.

Note, even if HIPS is off in the menu, HIPS is still active in the background.

Internet Security Configuration have more rules in the Settings -> HIPS -> Protected Objects -> e.g Com Interfaces compared to what Firewall Configuration have.

Both Proactive Configuration and Internet Security Configuration have Protected Files -> Executables
and Firewall Configuration do not have Executables in Protected Files

Proactive Configuration have more stuff in Settings -> HIPS -> Protected Objects compared to Internet Security Configuration
« Last Edit: February 17, 2017, 08:10:09 PM by BlueTesta »
"Everybody is a genius. But if you judge a fish by its ability to climb a tree, it will live its whole life believing that it is stupid."

Offline Melih

  • CEO - Comodo
  • Administrator
  • Comodo's Hero
  • *****
  • Posts: 14692
    • Video Blog
Re: Petya / Petya-like ransomware run sandboxed... Protected or not?
« Reply #2 on: February 19, 2017, 11:06:45 AM »
Hi.

I already know that thanks to its autosandbox feature, COMODO can prevent all ransomware encrypting your
files.

I just wanted to know: In case of Petya and other/similar MBR/GPT encryption ransomware, if they are run into sandbox,
will they be able to encrypt the drives?

Thank you

No.

Because when running in containment(sandbox) the file running has

Read privilege: so that it can read from the hard drive
but
File Driver, Registry and COM interfaces are all virtualized....

So...it can read....it can encrypt the file in ram....but when it wants to overwrite over the original file on the hard drive, it fails because it is writing it on the virtual drive we give it. We also virtualize the Registry and COM interface.

Offline qmarius

  • Star Group
  • Comodo's Hero
  • *****
  • Posts: 3843
  • making simple things complicated
Re: Petya / Petya-like ransomware run sandboxed... Protected or not?
« Reply #3 on: February 19, 2017, 12:02:46 PM »
[...]
but
File Driver, Registry and COM interfaces are all virtualized....
[...]

or blocked in some cases

Offline Melih

  • CEO - Comodo
  • Administrator
  • Comodo's Hero
  • *****
  • Posts: 14692
    • Video Blog
Re: Petya / Petya-like ransomware run sandboxed... Protected or not?
« Reply #4 on: February 19, 2017, 12:38:47 PM »
or blocked in some cases

in containment mode, they are not blocked. If you choose a more strict policy they can be blocked.

Offline cruelsister

  • Comodo Loves me
  • ****
  • Posts: 143
Re: Petya / Petya-like ransomware run sandboxed... Protected or not?
« Reply #5 on: February 19, 2017, 03:59:42 PM »
Cocalaur- When speaking of the MBR encryptors, note that Petya comes in 3 versions, each distinguished by the color of the ransom screen- Peta 1 (Red), Petya 2 (Green), and Petya 3 (Yellow- aka GoldenEye); also one should add another popular strain, that being Satana which comes in two main variants.

The effects of each vary with the Configuration and Sandbox levels used. In the case of Comodo Firewall (which I use and love), baseline would be to use firewall configuration and the sandbox at Partially Limited; preferable would be Proactive Security configuration and the sandbox at Restricted (or Untrusted).

In no case for any of the malware at any of the various protection levels is either the MBR or files trashed. The worst that will happen is at the baseline level Satana2 will cause a Windows crash with memory dump but on reboot all will be fine. At the settings that I suggest 4 of the five will error out for various reasons, and the original Petya (Red flavor) will run pointlessly in RAM until flushed from the box or after system reboot.

In short, Comodo will protect you from these in all cases.

Hope that helped,

M


Offline cocalaur

  • Comodo's Hero
  • *****
  • Posts: 333
  • Happy COMODO user
Re: Petya / Petya-like ransomware run sandboxed... Protected or not?
« Reply #6 on: February 20, 2017, 03:25:15 PM »
Thank you all for your feedback :)

I run the auto-sandbox in fully virtualized mode.

However, my primary hard drive is not MBR, it's GPT, the rest are MBR.
I have heard that in case of GPT, petya-like ransomware would render the system unbootable at all,
so it's good to hear that I am protected against ransomware :) .

So far COMODO has not let me down.

The only loophole I can find related to the sandbox would be if an unknown spyware is run sandboxed.
I don't know if it could still gather data from my computer and upload it to a server, since there is no option that
can disallow network access for sandboxed apps - or set it in prompt mode in the firewall.

=================================
Son: "Dad, what is malware?"
Dad: "I don't know, son, we use COMODO."
=================================

Offline Melih

  • CEO - Comodo
  • Administrator
  • Comodo's Hero
  • *****
  • Posts: 14692
    • Video Blog
Re: Petya / Petya-like ransomware run sandboxed... Protected or not?
« Reply #7 on: February 20, 2017, 04:50:13 PM »
Thank you all for your feedback :)

I run the auto-sandbox in fully virtualized mode.

However, my primary hard drive is not MBR, it's GPT, the rest are MBR.
I have heard that in case of GPT, petya-like ransomware would render the system unbootable at all,
so it's good to hear that I am protected against ransomware :) .

So far COMODO has not let me down.

The only loophole I can find related to the sandbox would be if an unknown spyware is run sandboxed.
I don't know if it could still gather data from my computer and upload it to a server, since there is no option that
can disallow network access for sandboxed apps - or set it in prompt mode in the firewall.

Yes, you can stop unknown apps running in containment (sandbox) from making connection to internet....

Offline cruelsister

  • Comodo Loves me
  • ****
  • Posts: 143
Re: Petya / Petya-like ransomware run sandboxed... Protected or not?
« Reply #8 on: February 20, 2017, 10:24:25 PM »
Coca- There is indeed a Firewall setting to do just what you want it to do. Please look at this video: https://www.youtube.com/watch?v=FoIu3Z2ImO8

specifically at the 7:53 mark. Enabling this setting will prevent a sandboxed item from network access.

Offline Jon79

  • Comodo's Hero
  • *****
  • Posts: 1123
Re: Petya / Petya-like ransomware run sandboxed... Protected or not?
« Reply #9 on: February 21, 2017, 02:07:28 AM »
As cruelsister pointed out, you can do what you asked for by enabling the option "Do NOT show popup alerts" and choosing "block requests".
Just to give you the full picture, if the option "Do NOT show popup alerts" is disable, you will get a pop-up as soon as an unknown app tries to connect the web.

The problem is, at the default "Internet security" configuration, that option is enable, but so that the FW will allow every outgoing connection instead of blocking it...  :-\ see attachment from the online help.
Actually, I don't understand why a default-deny security product comes with a default-allow setting... people here said it's like this because of usability, especially for novice users, but I still can't understand the point... with that setting Comodo FW (I'm talking about the FW portion only) does nothing more than what Windows FW does... it blocks incoming connections, but allows outgoing requests :o

EDIT
Everything written above applies to the FW in "safe mode", where any trusted app can connect to the internet, while any unknown app will either generate a popup (if "Do NOT show popup alerts" is disable) or be silently blocked/allowed (depending on the setting, if "Do NOT show popup alerts" is enable).
If you switch to "custom ruleset" and "Do NOT show popup alerts" is disable, you'll get a FW popup for any app (no matter if trusted or not) trying to connect out.
So, in this case, if you enable "Do NOT show popup alerts" --> "block requests", every app will be prevented from connecting the web, even the trusted ones.
« Last Edit: February 21, 2017, 02:44:35 AM by Jon79 »

Offline BlueTesta

  • Star Group
  • Comodo's Hero
  • *****
  • Posts: 482
"Everybody is a genius. But if you judge a fish by its ability to climb a tree, it will live its whole life believing that it is stupid."

Offline cocalaur

  • Comodo's Hero
  • *****
  • Posts: 333
  • Happy COMODO user
Re: Petya / Petya-like ransomware run sandboxed... Protected or not?
« Reply #11 on: February 23, 2017, 05:12:17 PM »
Melih and cruelsister

Thank you for your feedback :) I will check
=================================
Son: "Dad, what is malware?"
Dad: "I don't know, son, we use COMODO."
=================================

 

Free Endpoint Protection
Seo4Smf 2.0 © SmfMod.Com Smf Destek