weakness of the gpCode

[Citizen K]

Are you guys considering the possibility to exclude a certain folder from being sandboxed? That would be for the situation where people have a designated download folder; I have one for programs I download from sources I trust.

It is not something that should be enabled by default but could be set.

[harsha_mic]

Yes. Currently this is what happens in v5.3 when browsers manually added to Comodo's Sandbox.

[wasgij6]

Sure. If whitelisted, there wont be a problem. Howevver we have all the whitelist + cloud and yet there are popups causing the users simply shutdown or uinstall the protection. In this case, less is more.

Hack is a hack. Not a solution. Putting such a hack into 30 million computers for just a few detectable trojans which are already easily detected already is not preferable. Why? Because it will detect more white files then bad files. Guaranteed.

Btw, it is already detected by the cloud based behavior analysis. So for example, if a user does not use an AV and does not use Sandbox, still, cloud based analysis will alert the user about the trojan.

So there are many ways that a default user is being protcted now hence no need for hacks. The problem is protecting the data of the user. And this requires a more sophisticated method of prevention which is what we are doing now.

The upcoming solution is not specificaly designed for this threat however it prevents much more important data attacks as well as this one.

i thought the only time that cloud based analysis was used is when a file is sandboxed and then its checked ?

or am i just missing something here

[egemen]

We are making the necessary changes so that everything will be able to be virtualized by default while the users wont be confused with their downloads and program installations etc.

Are you guys considering the possibility to exclude a certain folder from being sandboxed? That would be for the situation where people have a designated download folder; I have one for programs I download from sources I trust.

It is not something that should be enabled by default but could be set.

[morphiusz]

Egemen, ok bahaviour analysis can catch gpcode.
But you know that first file must be analyzed on the user's computer - must be runned...(or uploaded to camas by www interface)
That means that gpcode can does a harm on few pc before it gets camas results and will be detected by beahiour cloud.

[bluevik]

Sorry, Now I don't understand: with the sandbox disabled, Defense+ in paranoid mode detects and blocks  gpCode or not ? because the first work of an HIPS highly setted is checking the system and blocking malware....sandbox is for who doesn't want a personal control of his system. 

[Citizen K]

We are making the necessary changes so that everything will be able to be virtualized by default while the users wont be confused with their downloads and program installations etc.

Cool.

Sorry, Now I don't understand: with the sandbox disabled, Defense+ in paranoid mode detects and blocks  gpCode or not ? because the first work of an HIPS highly setted is checking the system and blocking malware....sandbox is for who doesn't want a personal control of his system. 

It does not block it with default settings. However D+ is capable of catching it. You need to manually add some things. Read Ronny's contribution under this.

Easiest way to handle this one is to put *_CRYPT on the blocked files list for D+
Then this whole encryption trick won't work. This is the first thing I do when I read some new ransomware is detected figure out the extension it uses and put that on the blocked files list.



Other thing is you can protect your favorite files by adding them to the protected files and folders list.
e.g.

*.txt|
*.chm|
*.jpg|
*.7z|

Be sure to add the | sign behind it so that sandboxed apps can't modify these extensions.



Those where the extensions that where encrypted on my test VM, but as there are more this isn't watertight. And it does prevent the malware from modifying your original files but doesn't prevent it from writing the encrypted files to disk to it messes up the system.

[kail]

Re: *_CRYPT

I did note that on the recently supplied Ransom samples that .crypt is appended to the filename, rather than _crypt. So, I would suggest considering *.*crypt in this case.

[aigle]

Sure. If whitelisted, there wont be a problem. Howevver we have all the whitelist + cloud and yet there are popups causing the users simply shutdown or uinstall the protection. In this case, less is more.

Hack is a hack. Not a solution. Putting such a hack into 30 million computers for just a few detectable trojans which are already easily detected already is not preferable. Why? Because it will detect more white files then bad files. Guaranteed.

Btw, it is already detected by the cloud based behavior analysis. So for example, if a user does not use an AV and does not use Sandbox, still, cloud based analysis will alert the user about the trojan.

So there are many ways that a default user is being protcted now hence no need for hacks. The problem is protecting the data of the user. And this requires a more sophisticated method of prevention which is what we are doing now.

The upcoming solution is not specificaly designed for this threat however it prevents much more important data attacks as well as this one.

Thanks for the reply. I don,t insist that Comodo people use same technique/ hack used by OnlineArmor. I will be happy with any solution provided it work. I will reaped it again.

Still there is one thing missing. What about uesrs who are not using sandbox and are using just proactive HIPS feature of Defence Plus. It is not very much practical to add all your sensitive files in one folder and then protect this folder. One might have many .doc, .txt and image files scattered here n there on hard disk. Besides what you will do about blackday trojan that is targeting so many types of files.

I think they will need the HACK or some other smart idea as they are not using sandbox anyway. Hope I made my point clear.

Thanks for all your kind input and replies.

[aigle]

Re: *_CRYPT

I did note that on the recently supplied Ransom samples that .crypt is appended to the filename, rather than _crypt. So, I would suggest considering *.*crypt in this case.

Hi, don,t think that I am rude pls. IMHO this solution is totally useless and un-necessary. Problem here is not gpcode. Problem is the way gpcode ruins your data. We need a way to protect our data by Defence Plus. This rule will work only for gpcode but it will fail against a similar malware who work slightly different than gpcode while encrypting the data.

If only the gpcode is the problem, then as egemen said even the cloud based detection might be enough for any user.

[kail]

Hi, don,t think that I am rude pls. IMHO this solution is ..

Thanks for clarifying your opinion on this issue. I hadn't picked up on that previously. 

[Peter5]

We are making the necessary changes so that everything will be able to be virtualized by default while the users wont be confused with their downloads and program installations etc.

Now that the AS will have virtualizattion will you still be offering the MS and the anti-executable (AS: "Blocked"), in V.6?
Because the strongest protection against loggers (key-loggers, screen-loggers, etc) is an anti-executable (no need for others applications like key scramblers).

For example with Sandboxie you have start/run access restrictions.

I do not know if it is possible an answer, but i really would appreciate one, as an anti-executable + Virtualizattion are imperative to my security setup.

[Citizen K]

Forgive me my ignorance but why would one need a sandbox (with or without virutalisiation) with an anti executable? The anti executable would be there to prevent unauthorised programs from running where the sandbox would run unknown.unauthorised programs.

[Peter5]

Forgive me my ignorance but why would one need a sandbox (with or without virutalisiation) with an anti executable? The anti executable would be there to prevent unauthorised programs from running where the sandbox would run unknown.unauthorised programs.

Hi EricJH


I am just an average user. But my idea would be that if the malware would be able to start, it would still be contained in the sandbox.

Maybe it is a wrong approach, but if the anti-executable is for example applocker and the virtualizattion from comodo, they work differently i assume and if the malware is able to bypass applocker  it  still would be in the sandbox.

Do you agree or do you think it is still a wrong approach?

[Citizen K]

There is nothing wrong with that; it's actually a very good and sane idea: you are making a layered security defense.