Author Topic: weakness of the gpCode  (Read 107145 times)

Offline Citizen K

Re: weakness of the gpCode
« Reply #105 on: April 28, 2011, 12:22:36 PM »
Are you guys considering the possibility to exclude a certain folder from being sandboxed? That would be for the situation where people have a designated download folder; I have one for programs I download from sources I trust.

It is not something that should be enabled by default but could be set.

Offline harsha_mic

Re: weakness of the gpCode
« Reply #106 on: April 28, 2011, 12:31:31 PM »
Yes. Currently this is what happens in v5.3 when browsers are manually added to Comodo's Sandbox.
W7 64 bit | Comodo Fw v5.8 | Eset NOD32 AV v5 | Hitman (ondemand)

Offline wasgij6

Re: CFW fails in GPCode ransom test
« Reply #107 on: April 28, 2011, 12:35:38 PM »
Sure. If whitelisted, there won't be a problem. However, we have all the whitelist + cloud and yet there are popups causing the users to simply shut down or uninstall the protection. In this case, less is more.

A hack is a hack. Not a solution. Putting such a hack into 30 million computers for just a few detectable trojans which are already easily detected is not preferable. Why? Because it will detect more white files than bad files. Guaranteed.

Btw, it is already detected by the cloud based behavior analysis. So for example, if a user does not use an AV and does not use Sandbox, still, cloud based analysis will alert the user about the trojan.

So there are many ways that a default user is being protected now, hence no need for hacks. The problem is protecting the data of the user. And this requires a more sophisticated method of prevention, which is what we are doing now.

The upcoming solution is not specifically designed for this threat, however it prevents much more important data attacks as well as this one.

I thought the only time that cloud based analysis was used is when a file is sandboxed and then it's checked?

Or am I just missing something here?

Offline egemen

Re: weakness of the gpCode
« Reply #108 on: April 28, 2011, 12:37:57 PM »
We are making the necessary changes so that everything will be able to be virtualized by default while the users won't be confused with their downloads and program installations etc.


Are you guys considering the possibility to exclude a certain folder from being sandboxed? That would be for the situation where people have a designated download folder; I have one for programs I download from sources I trust.

It is not something that should be enabled by default but could be set.

Offline morphiusz

Re: weakness of the gpCode
« Reply #109 on: April 28, 2011, 12:54:13 PM »
Egemen, ok, behaviour analysis can catch gpcode.
But you know that the file must first be analyzed on the user's computer - it must be run... (or uploaded to CAMAS by the www interface)
That means that gpcode can do harm on a few PCs before it gets CAMAS results and is detected by the behaviour cloud.

Offline bluevik

Re: weakness of the gpCode
« Reply #110 on: April 28, 2011, 01:19:01 PM »
Sorry, now I don't understand: with the sandbox disabled, does Defense+ in paranoid mode detect and block gpCode or not? Because the first job of a HIPS set to a high level is checking the system and blocking malware... the sandbox is for those who don't want personal control of their system.

Offline Citizen K

Re: weakness of the gpCode
« Reply #111 on: April 28, 2011, 01:24:28 PM »
We are making the necessary changes so that everything will be able to be virtualized by default while the users won't be confused with their downloads and program installations etc.
Cool.:) :-TU
Sorry, now I don't understand: with the sandbox disabled, does Defense+ in paranoid mode detect and block gpCode or not? Because the first job of a HIPS set to a high level is checking the system and blocking malware... the sandbox is for those who don't want personal control of their system.
It does not block it with default settings. However, D+ is capable of catching it. You need to manually add some things. Read Ronny's contribution below.

Easiest way to handle this one is to put *_CRYPT on the blocked files list for D+.
Then this whole encryption trick won't work. This is the first thing I do when I read that some new ransomware is detected: figure out the extension it uses and put that on the blocked files list.



Other thing is you can protect your favorite files by adding them to the protected files and folders list.
e.g.

*.txt|
*.chm|
*.jpg|
*.7z|

Be sure to add the | sign behind it so that sandboxed apps can't modify these extensions.



Those were the extensions that were encrypted on my test VM, but as there are more, this isn't watertight. And it does prevent the malware from modifying your original files, but it doesn't prevent it from writing the encrypted files to disk, so it messes up the system.

Offline kail

Re: weakness of the gpCode
« Reply #112 on: April 28, 2011, 01:50:50 PM »
Re: *_CRYPT

I did note that on the recently supplied Ransom samples that .crypt is appended to the filename, rather than _crypt. So, I would suggest considering *.*crypt in this case.
My System Details: W10Px64 with CIS 10 Beta, Firefox & Becky!
Forum Policy.
____
The problem is not the problems, the problem is people's attitude towards those problems.
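An added example, not code from this thread or from Comodo: it compares the two Defense+ blocked-file patterns discussed above, Ronny's *_CRYPT and kail's *.*crypt, against constructed filenames in both naming styles, and walks a directory tree to flag files that match, as a defender checking a machine after a ransomware report would. The sample names and the directory-walk helper are assumptions for illustration.

```python
# Added example (not from the thread or from Comodo): checks which
# filenames the two glob patterns quoted above would catch, and walks a
# directory tree flagging files that match.
import fnmatch
import os

# Patterns quoted from the thread.
PATTERN_RONNY = "*_CRYPT"   # the _CRYPT suffix Ronny saw on his test VM
PATTERN_KAIL = "*.*crypt"   # kail's broader form, since samples used .crypt

# Constructed sample filenames: the first two follow the _CRYPT form,
# the next two the .crypt form; the remaining three are clean files.
SAMPLE_NAMES = [
    "report.doc_CRYPT",
    "holiday.jpg_crypt",
    "archive.7z.crypt",
    "notes.txt.CRYPT",
    "report.doc",
    "crypt_notes.txt",   # 'crypt' at the start, not an appended marker
    "encrypted.txt",     # contains 'crypt' but no trailing marker
]

def name_matches(name: str, pattern: str) -> bool:
    """Case-insensitive glob match (Windows filenames are case-insensitive)."""
    return fnmatch.fnmatchcase(name.lower(), pattern.lower())

def unmatched(pattern: str, names):
    """Return the filenames in `names` that `pattern` would NOT catch."""
    return [n for n in names if not name_matches(n, pattern)]

def flag_encrypted(root: str, patterns=(PATTERN_KAIL,)):
    """Walk `root` and return sorted paths whose filename matches any pattern.

    A missing or empty directory yields an empty list.
    """
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        for f in files:
            if any(name_matches(f, p) for p in patterns):
                hits.append(os.path.join(dirpath, f))
    return sorted(hits)

if __name__ == "__main__":
    encrypted = SAMPLE_NAMES[:4]
    print("*_CRYPT misses:", unmatched(PATTERN_RONNY, encrypted))
    print("*.*crypt misses:", unmatched(PATTERN_KAIL, encrypted))
```

Running it shows that *_CRYPT misses the two .crypt-style names while *.*crypt catches all four and still leaves the clean files alone.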

Offline aigle

Re: CFW fails in GPCode ransom test
« Reply #113 on: April 28, 2011, 06:17:42 PM »
Sure. If whitelisted, there won't be a problem. However, we have all the whitelist + cloud and yet there are popups causing the users to simply shut down or uninstall the protection. In this case, less is more.

A hack is a hack. Not a solution. Putting such a hack into 30 million computers for just a few detectable trojans which are already easily detected is not preferable. Why? Because it will detect more white files than bad files. Guaranteed.

Btw, it is already detected by the cloud based behavior analysis. So for example, if a user does not use an AV and does not use Sandbox, still, cloud based analysis will alert the user about the trojan.

So there are many ways that a default user is being protected now, hence no need for hacks. The problem is protecting the data of the user. And this requires a more sophisticated method of prevention, which is what we are doing now.

The upcoming solution is not specifically designed for this threat, however it prevents much more important data attacks as well as this one.

Thanks for the reply. I don't insist that Comodo people use the same technique/hack used by OnlineArmor. I will be happy with any solution provided it works. I will repeat it again.

Still there is one thing missing. What about users who are not using the sandbox and are using just the proactive HIPS feature of Defence Plus? It is not very practical to add all your sensitive files to one folder and then protect this folder. One might have many .doc, .txt and image files scattered here and there on the hard disk. Besides, what will you do about the blackday trojan that is targeting so many types of files?

I think they will need the HACK or some other smart idea as they are not using the sandbox anyway. Hope I made my point clear.

Thanks for all your kind input and replies.

Offline aigle

Re: weakness of the gpCode
« Reply #114 on: April 28, 2011, 06:21:42 PM »
Re: *_CRYPT

I did note that on the recently supplied Ransom samples that .crypt is appended to the filename, rather than _crypt. So, I would suggest considering *.*crypt in this case.
Hi, don't think that I am rude, please. IMHO this solution is totally useless and unnecessary. The problem here is not gpcode. The problem is the way gpcode ruins your data. We need a way to protect our data with Defence Plus. This rule will work only for gpcode, but it will fail against similar malware which works slightly differently from gpcode while encrypting the data.

If only gpcode is the problem, then as egemen said, even the cloud based detection might be enough for any user.

Offline kail

Re: weakness of the gpCode
« Reply #115 on: April 28, 2011, 06:40:56 PM »
Hi, don't think that I am rude, please. IMHO this solution is ..
Thanks for clarifying your opinion on this issue. I hadn't picked up on that previously.  :D ;)
My System Details: W10Px64 with CIS 10 Beta, Firefox & Becky!
Forum Policy.
____
The problem is not the problems, the problem is people's attitude towards those problems.

Offline Peter5

Re: weakness of the gpCode
« Reply #116 on: April 28, 2011, 09:00:11 PM »
We are making the necessary changes so that everything will be able to be virtualized by default while the users won't be confused with their downloads and program installations etc.

Now that the AS will have virtualization, will you still be offering the MS and the anti-executable (AS: "Blocked") in V.6?
Because the strongest protection against loggers (key-loggers, screen-loggers, etc.) is an anti-executable (no need for other applications like key scramblers).

For example, with Sandboxie you have start/run access restrictions.

I do not know if an answer is possible, but I really would appreciate one, as an anti-executable + virtualization are imperative to my security setup.

Offline Citizen K

Re: weakness of the gpCode
« Reply #117 on: April 28, 2011, 09:10:09 PM »
Forgive me my ignorance, but why would one need a sandbox (with or without virtualisation) with an anti-executable? The anti-executable would be there to prevent unauthorised programs from running, whereas the sandbox would run unknown/unauthorised programs. ???

Offline Peter5

Re: weakness of the gpCode
« Reply #118 on: April 28, 2011, 09:58:44 PM »
Forgive me my ignorance, but why would one need a sandbox (with or without virtualisation) with an anti-executable? The anti-executable would be there to prevent unauthorised programs from running, whereas the sandbox would run unknown/unauthorised programs. ???

Hi EricJH

I am just an average user. But my idea would be that if the malware were able to start, it would still be contained in the sandbox.

Maybe it is a wrong approach, but if the anti-executable is for example AppLocker and the virtualization is from Comodo, they work differently I assume, and if the malware is able to bypass AppLocker it still would be in the sandbox.

Do you agree, or do you think it is still a wrong approach?



Offline Citizen K

Re: weakness of the gpCode
« Reply #119 on: April 29, 2011, 07:56:36 AM »
There is nothing wrong with that; it's actually a very good and sane idea: you are making a layered security defense. :-TU
