Author Topic: comodo against ChineseRarypt

Offline radek178

  • Comodo's Hero
  • *****
  • Posts: 246
comodo against ChineseRarypt
« on: August 08, 2019, 03:10:42 AM »
Hi,

I would like to ask you. I found this test on YT https://www.youtube.com/watch?v=hF2TeN5Ha6A and CIS virtualized the suspicious file, but the files were encrypted. How?

Thank you for the explanation. Sorry for my English.

Offline NDABBRU

  • Comodo's Hero
  • *****
  • Posts: 296
Re: comodo against ChineseRarypt
« Reply #1 on: August 08, 2019, 03:13:11 AM »
What do you think of this test?
In addition to CIS, no other antivirus has passed it.

https://www.youtube.com/watch?v=hF2TeN5Ha6A&t=9s

Offline Eric Cryptid

  • Global Moderator
  • Comodo's Hero
  • *****
  • Posts: 2604
  • Security Saskquatch
Re: comodo against ChineseRarypt
« Reply #2 on: August 08, 2019, 06:57:26 AM »
I think it's inconclusive as they didn't Reset Container or restart afterwards.

I really wish user folder was included in default protected folders in CIS. I have to add my documents etc manually.

I expect it would have been blocked earlier with Proactive or Cruelsister settings but a reset of container should undo any changes made by the contained malware.

Eric

Moderator: Any concerns? PM me and/or review the Forum Policy
System: 64 bit Win 10
Realtime Protection:CIS 12

Offline futuretech

  • Global Moderator
  • Comodo's Hero
  • *****
  • Posts: 4360
Re: comodo against ChineseRarypt
« Reply #3 on: August 08, 2019, 09:27:08 AM »
The video description says the test was done using the latest CIS version of 12.0.0.6882, but in the video you can see the VirusScope recognizer is 12.0.0.6780, so it is kinda misleading. I have the sample used and I tested against 12.0.0.6882, and I didn't see any files get deleted like in the video, and the "how to decrypt your files" txt document was not saved to the real desktop. So maybe the issue did affect 6870 but is now fixed in 6882, which might mean the sample used the vulnerabilities that were disclosed that affected 6870 to bypass the sandbox.

Offline EricJH

  • Global Moderator
  • Comodo's Hero
  • *****
  • Posts: 25576
Re: comodo against ChineseRarypt
« Reply #4 on: August 08, 2019, 10:27:30 AM »
I ran the comment from the channel owner through an online translator:
Quote
ChineseRarypt does not encrypt the files as the typical ransomware does, instead, it places them in password-protected files, which users cannot access unless they pay the ransom fee demanded by the attackers, (the test was performed with the default setting of Comodo), I really thought that the Comodo sandbox would protect the files, I'm not sure what could have happened, maybe it could be due to a defect in the Comodo sandbox, one thing I could see was that only the files on the desktop were affected, (the same location where the ransomware was run), other locations such as the images / videos / documents folder, were not affected by the ransomware.
Only the files on the desktop were affected.

I have several folders, amongst which the desktop, added to Protected Data Folders. That should have stopped the ransomware from deleting files on the desktop. It is unfortunate that Comodo does not add the default data folders of Windows to the Protected Data Folders by default.

Offline kyl

  • Comodo Loves me
  • ****
  • Posts: 131
Re: comodo against ChineseRarypt
« Reply #5 on: August 08, 2019, 10:33:58 AM »
default settings are useless

Offline tachion

  • Star Group
  • Comodo Member
  • *****
  • Posts: 36
    • Safegroup
Re: comodo against ChineseRarypt
« Reply #6 on: August 08, 2019, 01:03:52 PM »
They have been removed from the downloads location, because it is the default location added in the program.


Offline Nilhar

  • Comodo Family Member
  • ***
  • Posts: 50
Re: comodo against ChineseRarypt
« Reply #7 on: August 08, 2019, 01:05:29 PM »
Quote
I ran the comment from the channel owner through an online translator: Only the files on the desktop were affected.

I have several folders, amongst which the desktop, added to Protected Data Folders. That should have stopped the ransomware from deleting files on the desktop. It is unfortunate that Comodo does not add the default data folders of Windows to the Protected Data Folders by default.
I watched the video and thought it was fake, but no, now I can see that it is a bad CIS configuration... but then, [at]EricJH, your explanation brings me several doubts and questions:

1º You said that only the desktop folder is not protected by default against a sandboxed malware unless you add the desktop to Protected Data Folders (HIPS component). Then, by default, are the standard Windows folders like Documents, Music, Pictures, etc. protected against a sandboxed malware, or do you need to add them to the Protected Data Folders?

2º Are any other files/folders in other paths (same/other hard disk, USB memory, network path) protected by default or not (I thought so)?

3º Does the custom protection for the Protected Data Folders only work when the HIPS component is enabled, or not?


Sorry if this isn't the place for help questions, but your answer brought me many doubts...

Offline R2C2

  • Comodo Family Member
  • ***
  • Posts: 59
Re: comodo against ChineseRarypt
« Reply #8 on: August 08, 2019, 01:40:50 PM »
This is why you use cruelsister settings.

Offline EricJH

  • Global Moderator
  • Comodo's Hero
  • *****
  • Posts: 25576
Re: comodo against ChineseRarypt
« Reply #9 on: August 08, 2019, 06:37:09 PM »
Quote
I watched the video and thought it was fake, but no, now I can see that it is a bad CIS configuration... but then, [at]EricJH, your explanation brings me several doubts and questions:

1º You said that only the desktop folder is not protected by default against a sandboxed malware unless you add the desktop to Protected Data Folders (HIPS component). Then, by default, are the standard Windows folders like Documents, Music, Pictures, etc. protected against a sandboxed malware, or do you need to add them to the Protected Data Folders?
I am using Proactive Security so I have HIPS enabled, and I was arguing that my setup would have stopped this breach. For reasons of usability and ease of use I am strongly in favor of adding the standard Windows data folders to Protected Data by default, or making a group that can be easily deployed.

Quote
2º Are any other files/folders in other paths (same/other hard disk, USB memory, network path) protected by default or not (I thought so)?
I will come to the analysis of this bypass further down. Sandboxed executables will only have access to the Shared Space and Downloads folders, as tachion is pointing out.

Quote
3º Does the custom protection for the Protected Data Folders only work when the HIPS component is enabled, or not?
That's what I assume but can't find it confirmed in the Help file.

Quote
Sorry if this isn't the place for help questions, but your answer brought me many doubts...
To go further with the analysis of this bypass: Futuretech points out he is using 6870 and he cannot reproduce the findings of Juan Diaz. I have attached an image with the recognizers of 6882 to show that they differ. It indicates Juan Diaz was testing with 6870.

Futuretech could not reproduce the bypass and unless somebody shows otherwise this bypass does not affect 6882.

Offline Nilhar

  • Comodo Family Member
  • ***
  • Posts: 50
Re: comodo against ChineseRarypt
« Reply #10 on: August 09, 2019, 04:27:22 AM »
So what do you think of this test?

I can't find previous comments ... have they been deleted or moved?

Can protection against ransomware be achieved only by activating HIPS?
My post has been deleted too, but I hope that was an accident...  :)
It is not clear what happened in this video, but one thing is true: it is a bad video because we cannot see what happens when the sandbox is restored.
Anyway, it raised some doubts for me about the way the sandbox works, so I am going to create my own fake ransomware and test it with all CIS protection enabled to see what happens to my files...

Offline B-boy/StyLe/

  • Comodo Member
  • **
  • Posts: 44
Re: comodo against ChineseRarypt
« Reply #11 on: August 09, 2019, 07:50:42 AM »
This is what he said (using the translator):

Quote
Yes, I tried to reset the sandbox but the files were not recovered, I also changed the configuration proactively and only got a notification from the HIPS module, maybe making other changes in the configuration could have protected the files, I don't know, I also believe the sandbox has some defect, I did a test with Sandboxie with this ransomware and it was able to protect all the files.

Offline futuretech

  • Global Moderator
  • Comodo's Hero
  • *****
  • Posts: 4360
Re: comodo against ChineseRarypt
« Reply #12 on: August 09, 2019, 09:48:41 AM »
I have merged and removed duplicate posts from the CIS Certifications, Test Results & Reviews topic that discusses the video of CIS and the ChineseRarypt into this topic.

Whatever version of CIS was used, it is clear it was not using default settings. I also tried with 6780 and I still didn't see files on the desktop get deleted, nor did I see the dropped text file get added either. So I have come to the conclusion that default settings were not used; in particular, the 'Do not virtualize access to the specified files/folders' setting was modified to include the Desktop folder. So regardless of the CIS version used, CIS will protect against this even under default settings.

I found it strange that only files located on the desktop were being modified and the ransom note was successfully being saved to the desktop, but all other files were protected. So it is either an intentional change to the do not virtualize containment setting, or an incompatibility with another security software that was installed alongside CIS during the test.

To answer the question of using protected data folders, HIPS does not need to be enabled for protected data folders to work. Also resetting the sandbox wouldn't do anything to bring back files that were modified or deleted that were being excluded from virtualization.
« Last Edit: August 09, 2019, 10:03:24 AM by futuretech »
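The behaviour futuretech describes above (writes from a contained process are redirected into a virtual store, except for paths listed under "Do not virtualize access to the specified files/folders", and a container reset only discards the virtual store) can be modelled in a few lines. This is an added toy model, not Comodo's code; the Desktop/Documents paths, file names and the `ToyContainer` class are constructed for the illustration.

```python
# Added example, not Comodo's code: a toy copy-on-write containment layer with
# an exclusion list standing in for the "Do not virtualize" setting. It shows
# why an excluded Desktop lets a contained process change real files that a
# later "Reset Container" cannot bring back. All paths are constructed.
from pathlib import PureWindowsPath

DESKTOP = r"C:\Users\alice\Desktop"
DOCS = r"C:\Users\alice\Documents"

def sample_disk():
    """Constructed starting state of the real disk: path -> content."""
    return {
        DESKTOP + r"\report.docx": "quarterly report",
        DESKTOP + r"\photo.jpg": "jpeg bytes",
        DOCS + r"\notes.txt": "meeting notes",
    }

class ToyContainer:
    """Unexcluded writes land in a virtual store; excluded ones hit the real disk."""
    def __init__(self, real_disk, excluded=()):
        self.real = real_disk
        self.virtual = {}                       # path -> content, None = deleted
        self.excluded = [PureWindowsPath(p) for p in excluded]

    def _excluded(self, path):
        p = PureWindowsPath(path)               # case-insensitive on Windows paths
        return any(p == e or e in p.parents for e in self.excluded)

    def write(self, path, content):
        target = self.real if self._excluded(path) else self.virtual
        target[path] = content

    def delete(self, path):
        if self._excluded(path):
            self.real.pop(path, None)           # the real file is really gone
        else:
            self.virtual[path] = None           # tombstone only; real file untouched

    def reset(self):
        """'Reset Container': throws away the virtual store and nothing else."""
        self.virtual.clear()

def contained_tampering(box):
    """Model of the contained process: delete every data file, drop a note."""
    for path in list(box.real):
        box.delete(path)
    box.write(DESKTOP + r"\HOW_TO_DECRYPT.txt", "ransom note")

def real_disk_after_reset(excluded=()):
    """Run the tampering inside the container, reset it, return the real disk."""
    disk = sample_disk()
    box = ToyContainer(disk, excluded)
    contained_tampering(box)
    box.reset()
    return dict(disk)
```

With no exclusions the real disk is identical to the starting state after the reset; with the Desktop excluded, the Desktop files are gone and the dropped note survives, exactly the outcome seen in the video.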

Offline EricJH

  • Global Moderator
  • Comodo's Hero
  • *****
  • Posts: 25576
Re: comodo against ChineseRarypt
« Reply #13 on: August 09, 2019, 10:06:32 AM »
Quote
My post has been deleted too, but I hope that was an accident...  :)
Futuretech has split posts from the CIS Certifications, Test Results & Reviews topic and merged them here. He also deleted double posts. Maybe double posts did get deleted.

Posts about the same YouTube video of CIS against ChineseRarypt have been merged with the existing topic; please stop cross posting and instead continue with the existing topic. Duplicate posts have also been removed.

https://forums.comodo.com/news-announcements-feedback-cis/comodo-against-chineserarypt-t124728.0.html

Offline NDABBRU

  • Comodo's Hero
  • *****
  • Posts: 296
Re: comodo against ChineseRarypt
« Reply #14 on: August 09, 2019, 11:16:14 AM »
Thanks for the analysis of this test in the video of Juan Diaz.
Obviously assuming that this is a true ransomware... so in conclusion, even without enabling HIPS protection and with CIS or CAV default settings, can you be calm?
« Last Edit: August 09, 2019, 11:18:43 AM by NDABBRU »
