Author Topic: Comodo containment and HIPS against recent ransomware

Offline cruelsister

  • Comodo Loves me
  • ****
  • Posts: 135
Comodo containment and HIPS against recent ransomware
« on: May 11, 2021, 12:01:45 PM »
Just in case anyone was wondering, Comodo Containment deals with the Darkside ransomware strain (the one that is all over the news the past few days) quite nicely. All system changes are prevented.

Offline Eric Cryptid

  • Global Moderator
  • Comodo's Hero
  • *****
  • Posts: 2840
  • Security Saskquatch
Re: Comodo containment and HIPS against recent ransomware
« Reply #1 on: May 11, 2021, 12:04:14 PM »
Just in case anyone was wondering, Comodo Containment deals with the Darkside ransomware strain (the one that is all over the news the past few days) quite nicely. All system changes are prevented.

Nice one, thanks for confirming! :-TU :rocks:

Moderator: Any concerns? PM me and/or review the Forum Policy
System: 64 bit Win 10
Realtime Protection:CIS 12

Offline CISfan

  • Comodo's Hero
  • *****
  • Posts: 1443
Re: Comodo containment and HIPS against recent ransomware
« Reply #2 on: May 11, 2021, 12:07:10 PM »
Just in case anyone was wondering, Comodo Containment deals with the Darkside ransomware strain (the one that is all over the news the past few days) quite nicely. All system changes are prevented.

Thank you. That's very good to know.

Do all default CIS config types protect against it the same way, or only the Proactive one?
Does CIS need some special settings for optimal protection?

Offline Ploget

  • Global Moderator
  • Comodo's Hero
  • *****
  • Posts: 1891
  • 'Your best teacher is your last mistake'
    • Schneier on Security
Re: Comodo containment and HIPS against recent ransomware
« Reply #3 on: May 11, 2021, 12:36:59 PM »
Thanks M . . . nice to know and thanks for the info :-TU
Just in case anyone was wondering, Comodo Containment deals with the Darkside ransomware strain (the one that is all over the news the past few days) quite nicely. All system changes are prevented.
Ploget

All Win 10 x 64 Pro - 21H1 (19043.1288) / CIS 12.2.2.8012
Comodo Forum Policy
“If you think you are too small to make a difference, try sleeping with a mosquito”

Offline cruelsister

  • Comodo Loves me
  • ****
  • Posts: 135
Re: Comodo containment and HIPS against recent ransomware
« Reply #4 on: May 11, 2021, 01:14:06 PM »
The configuration doesn't matter, nor does the actual Containment level (Partially Limited works just fine). Note also that the Firewall at Safe Mode will alert to the ransomware attempting to infect others on the Network.

Also for giggles, in addition to this one from the Darkside Group I also ran a few newer files that are all the rage this month on TOR. They come from what my friends at Mandiant have labeled as the UNC2447 group. Related to Deathransom (HelloKitty), the variants tested were FIVEHANDS and Sombrat. All were contained without any system changes.

Why Industry doesn't use Comodo Endpoint is beyond me...

Offline CommodoUser2019

  • Comodo's Hero
  • *****
  • Posts: 257
Re: Comodo containment and HIPS against recent ransomware
« Reply #5 on: May 12, 2021, 12:04:24 AM »
Why Industry doesn't use Comodo Endpoint is beyond me...
I agree... and why they think having CRITICAL infrastructure connected to the internet is good security is beyond stupid, regardless of their rhetoric.

Offline NDABBRU

  • Comodo's Hero
  • *****
  • Posts: 636
Re: Comodo containment and HIPS against recent ransomware
« Reply #6 on: May 12, 2021, 02:47:03 AM »
The configuration doesn't matter, nor does the actual Containment level (Partially Limited works just fine). Note also that the Firewall at Safe Mode will alert to the ransomware attempting to infect others on the Network.

Also for giggles, in addition to this one from the Darkside Group I also ran a few newer files that are all the rage this month on TOR. They come from what my friends at Mandiant have labeled as the UNC2447 group. Related to Deathransom (HelloKitty), the variants tested were FIVEHANDS and Sombrat. All were contained without any system changes.

Why Industry doesn't use Comodo Endpoint is beyond me...

It's very interesting, and it's nice to know that Comodo's containment (in any configuration) protects us.  :)
Bye!
Nunzio

Offline Citizen K

  • Global Moderator
  • Comodo's Hero
  • *****
  • Posts: 26225
Re: Comodo containment and HIPS against recent ransomware
« Reply #7 on: May 12, 2021, 12:13:23 PM »
The configuration doesn't matter, nor does the actual Containment level (Partially Limited works just fine). Note also that the Firewall at Safe Mode will alert to the ransomware attempting to infect others on the Network.

Also for giggles, in addition to this one from the Darkside Group I also ran a few newer files that are all the rage this month on TOR. They come from what my friends at Mandiant have labeled as the UNC2447 group. Related to Deathransom (HelloKitty), the variants tested were FIVEHANDS and Sombrat. All were contained without any system changes.

Why Industry doesn't use Comodo Endpoint is beyond me...
Thank you and good to hear from you again. :)

Offline cruelsister

  • Comodo Loves me
  • ****
  • Posts: 135
Re: Comodo containment and HIPS against recent ransomware
« Reply #8 on: May 12, 2021, 02:28:21 PM »
Thanks Eric! And if you would allow a follow-up: the FIVEHANDS ransomware I mentioned above is making the news today, example here:

https://www.zdnet.com/article/new-ransomware-cisa-warns-over-fivehands-file-encrypting-malware-variant/

One interesting thing about it is that although it is totally blocked by Comodo Containment, the encryption process would be allowed to proceed if ONLY the HIPS is enabled at Safe Mode (even if the user selects Block at every prompt).

I bring this up only for those that would prefer HIPS (any HIPS from anybody, actually) over Containment.

Offline Citizen K

  • Global Moderator
  • Comodo's Hero
  • *****
  • Posts: 26225
Re: Comodo containment and HIPS against recent ransomware
« Reply #9 on: May 12, 2021, 02:57:06 PM »
How does FIVEHANDS get around a HIPS? Is it a fileless malware that calls legit script engines? Is it living off the land?

Offline futuretech

  • Global Moderator
  • Comodo's Hero
  • *****
  • Posts: 5227
Re: Comodo containment and HIPS against recent ransomware
« Reply #10 on: May 12, 2021, 02:58:04 PM »
Thanks Eric! And if you would allow a follow-up: the FIVEHANDS ransomware I mentioned above is making the news today, example here:

https://www.zdnet.com/article/new-ransomware-cisa-warns-over-fivehands-file-encrypting-malware-variant/

One interesting thing about it is that although it is totally blocked by Comodo Containment, the encryption process would be allowed to proceed if ONLY the HIPS is enabled at Safe Mode (even if the user selects Block at every prompt).

I bring this up only for those that would prefer HIPS (any HIPS from anybody, actually) over Containment.
I find that very hard to believe unless you expect HIPS to protect files that are not listed under protected files. If you add ?:\* to protected files then all drivers will be protected from unwanted modification.

Offline CISfan

  • Comodo's Hero
  • *****
  • Posts: 1443
Re: Comodo containment and HIPS against recent ransomware
« Reply #11 on: May 12, 2021, 03:00:14 PM »
I'm wondering (in case one is not using Containment), how does the ransomware encryption process still pass through HIPS Safe Mode when the user blocks every HIPS alert?
Can this be prevented in some way?
It would be nice to have two protection layers, one by Containment and one by HIPS (safe mode).

Offline Nautilus

  • Newbie
  • *
  • Posts: 16
Re: Comodo containment and HIPS against recent ransomware
« Reply #12 on: May 12, 2021, 03:58:34 PM »
@cruelsister, hi Meghan. I am still rocking your config with Containment and all the other settings you recommended, and it still runs smooth and light, without the hassle of all those popups / warning messages! Hope you are doing fine in NYC! :)
win10 pro x64 2H1 190.43.1202
Comodo Internet Security 12.2.2.8012

Offline Citizen K

  • Global Moderator
  • Comodo's Hero
  • *****
  • Posts: 26225
Re: Comodo containment and HIPS against recent ransomware
« Reply #13 on: May 12, 2021, 04:28:20 PM »
I find that very hard to believe unless you expect HIPS to protect files that are not listed under protected files.
Cruelsister states CIS HIPS gets bypassed when running it in Safe Mode.
Quote
If you add ?:\* to protected files then all drivers will be protected from unwanted modification.
Drivers, .sys files, are protected executables.

Looking forward to hearing more in-depth comments from cruelsister. :)

Offline -MOKSHA-

  • Comodo Family Member
  • ***
  • Posts: 68
  • Windows is like burgers and fries, without burgers
Re: Comodo containment and HIPS against recent ransomware
« Reply #14 on: May 12, 2021, 06:35:22 PM »
Cruelsister states CIS HIPS gets bypassed when running it in Safe Mode.
So does this mean using HIPS with the defaults (recommended by Comodo itself) is unsafe?
COMODO Internet Security 12.2.2.8012
Windows 10 Pro x64 21H1 | DE

Innumerable the words spoken not / Even as silent truths unwritten
Forgotten shades of dreams past / Known by but a withered tree
