Comodo containment and HIPS against recent ransomware

[futuretech]

Cruelsister states CIS HIPS gets bypassed when running it in Safe Mode.Drivers, .sys files, are protected executables.

Looking forward to hear more in depth comments from cruelsister. 

HIPS mode won't matter if the files that are being encrypted are not listed under protected files, which for ransomware will target non-executable files such as documents, videos, pictures, and music files. I ran a sample with HIPS only, and no files were encrypted because I have ?:\* added to protected files along with additional items under protected COM interfaces.

When using HIPS instead of auto-containment to protect the system it is important to add and customize protected files, registry keys, and/or COM interfaces.

[CISfan]

HIPS mode won't matter if the files that are being encrypted are not listed under protected files, which for ransomware will target non-executable files such as documents, videos, pictures, and music files. I ran a sample with HIPS only, and no files were encrypted because I have ?:\* added to protected files along with additional items under protected COM interfaces.

When using HIPS instead of auto-containment to protect the system it is important to add and customize protected files, registry keys, and/or COM interfaces.

Please elaborate on what settings we have to add or customize to get the best ransomware HIPS protection.

[Citizen K]

HIPS mode won't matter if the files that are being encrypted are not listed under protected files, which for ransomware will target non-executable files such as documents, videos, pictures, and music files. I ran a sample with HIPS only, and no files were encrypted because I have ?:\* added to protected files along with additional items under protected COM interfaces.

When using HIPS instead of auto-containment to protect the system it is important to add and customize protected files, registry keys, and/or COM interfaces.

Thanks. I was reading back your previous post and I think I responded to a typo? When you wrote drivers did you mean drives?

Do you mean you add ?:\* to Protected Files and not to Protected Data?

What registry keys and COM interface do you add to a HIPS only set up?

[CommodoUser2019]

Yes, would like to see more about how to make HIPS harder.

EDIT: ...maybe in a new separate thread.

[NDABBRU]

With the standard proactive configuration but without activating HIPS, but only by activating containment and all that the proactive configuration requires, can I feel comfortable?
By activating HIPS I am afraid of making wrong choices and I do not know if it is better to activate the "block all" or "allow all" choices

[futuretech]

Thanks. I was reading back your previous post and I think I responded to a typo? When you wrote drivers did you mean drives?

Do you mean you add ?:\* to Protected Files and not to Protected Data?

What registry keys and COM interface do you add to a HIPS only set up?

Yeah I meant drives my mistake, I was wondering why you were mentioning drivers lol. And yes under protected files adding ?:\* will cause HIPS to protect all files on all volumes and drives. For protected registry keys while not necessary, unless you want greater coverage, you can add *\Software\* and *\System\*. Under protected COM interfaces, adding *\RPC Control\ntsvcs monitors access to the service control manager, LocalSecurityAuthority.* allows you to control process token privileges, and {*} and *.* will cover many COM interfaces by CLSID and ProgID.

Yes, would like to see more about how to make HIPS harder.

EDIT: ...maybe in a new separate thread.

With that I have split the posts from the release topic to make this separate topic.

[cruelsister]

If I can elaborate for a bit:

1). Comodo Containment is superb. Set it up in a cruel fashion and have no malware worries. This can be done in about 30 seconds and one will be covered. On the other hand, relying on HIPS alone and reacting to specific malware strains is complicated and time consuming and may not be adequate for malware that work in ways that the user may be unaware of.
2). HIPS- malware act in various ways, as do ransomware. Accessing windows API's or valid windows files in mischievous ways (LoLBin) often will be ignored by the HIPS routine. It is also important to note that at a HIPS popup you will be presented with 3 choices: Allow, Block, and Block and Terminate. if Block and Terminate is chosen all will be well. However for some malware Allow and Block are essentially equivalent in stopping (or more properly, not stopping) some malware.

A case in point (and the easiest to test) can be seen with Xdata ransomware (MD5: a0a7022caa8bd8761d6722fe3172c0af which can be found at the usual sources like AnyRun). Only a single warning popup will be seen even paranoid mode and choosing either Allow or Block will result in the encryption process to proceed (actually the initial alert will be for the Photo directory).

The point here is that if you like popups and are confident that you understand them all, fine. But Never Ever (never, ever) disable Containment, and be prepared to ALWAYS choose "Block and terminate" if relying on HIPS alone.

[Citizen K]

Yeah I meant drives my mistake, I was wondering why you were mentioning drivers lol. And yes under protected files adding ?:\* will cause HIPS to protect all files on all volumes and drives. For protected registry keys while not necessary, unless you want greater coverage, you can add *\Software\* and *\System\*. Under protected COM interfaces, adding *\RPC Control\ntsvcs monitors access to the service control manager, LocalSecurityAuthority.* allows you to control process token privileges, and {*} and *.* will cover many COM interfaces by CLSID and ProgID.

Thank you.

With that I have split the posts from the release topic to make this separate topic.

EDIT: ...maybe in a new separate thread.

I was thinking of doing the same thing when I would get back online.

[Eric Cryptid]

Yeah I meant drives my mistake, I was wondering why you were mentioning drivers lol. And yes under protected files adding ?:\* will cause HIPS to protect all files on all volumes and drives. For protected registry keys while not necessary, unless you want greater coverage, you can add *\Software\* and *\System\*. Under protected COM interfaces, adding *\RPC Control\ntsvcs monitors access to the service control manager, LocalSecurityAuthority.* allows you to control process token privileges, and {*} and *.* will cover many COM interfaces by CLSID and ProgID.
With that I have split the posts from the release topic to make this separate topic.

That's great, thanks for the info! Did you notice any performance impact adding the drives to protected?

I tend to use the HIPS default as safemode with CIS with Proactive config and Containment set as (Restricted) as per [at]cruelsister 's original firewall config. but maybe it's worth including the drives with hips.

[futuretech]

If I can elaborate for a bit:


2). HIPS- malware act in various ways, as do ransomware. Accessing windows API's or valid windows files in mischievous ways (LoLBin) often will be ignored by the HIPS routine. It is also important to note that at a HIPS popup you will be presented with 3 choices: Allow, Block, and Block and Terminate. if Block and Terminate is chosen all will be well. However for some malware Allow and Block are essentially equivalent in stopping (or more properly, not stopping) some malware.

A case in point (and the easiest to test) can be seen with Xdata ransomware (MD5: a0a7022caa8bd8761d6722fe3172c0af which can be found at the usual sources like AnyRun). Only a single warning popup will be seen even paranoid mode and choosing either Allow or Block will result in the encryption process to proceed (actually the initial alert will be for the Photo directory).

The point here is that if you like popups and are confident that you understand them all, fine. But Never Ever (never, ever) disable Containment, and be prepared to ALWAYS choose "Block and terminate" if relying on HIPS alone.

Sorry but you are mistaken, it is not possible for this ransomware or any other malware that modifies the file system, to bypass the HIPS as long as the files that are being modified are added to the protected files. I ran that particular sample and was alerted to attempts to modify many files, which I was able to simply block using the treat as option and selecting the contained application ruleset.

That's great, thanks for the info! Did you notice any performance impact adding the drives to protected?

I tend to use the HIPS default as safemode with CIS with Proactive config and Containment set as (Restricted) as per [at]cruelsister 's original firewall config. but maybe it's worth including the drives with hips.

I haven't notice any performance issue and it really shouldn't, also if you don't run many non-trusted applications, you won't be bothered with alerts unless you are in the habit of running unknown applications.

[Eric Cryptid]

I haven't notice any performance issue and it really shouldn't, also if you don't run many non-trusted applications, you won't be bothered with alerts unless you are in the habit of running unknown applications.

Nice one thanks!

Had to add C:/ as a Folder initially under Protected Files and then changed that to ?:\* as in the attached. Is that right? Just double checking.

Thanks for the help.

[Citizen K]

Sorry but you are mistaken, it is not possible for this ransomware or any other malware that modifies the file system, to bypass the HIPS as long as the files that are being modified are added to the protected files. I ran that particular sample and was alerted to attempts to modify many files, which I was able to simply block using the treat as option and selecting the contained application ruleset.

Cruelsister states CIS gets bypassed when only using HIPS in Safe mode:

One interesting thing about it is that although it is totally blocked by Comodo Containment, the encryption process would be allowed to proceed if ONLY the HIPS is enabled at Safe Mode (even if the user selects Block at every prompt).

I bring this up only for those that would prefer HIPS (any HIPS from anybody, actually) over Containment.

It goes without saying that making modifications from stock settings a HIPS can be made stronger but that's beside the point.

At cruelsister. Did you also disable script analysis when you did the HIPS only analysis?

[CISfan]

Great information, thank you.

Just to be sure...
Does HIPS mode matter when applying futuretech's HIPS settings to make it stronger?
I mean, do those HIPS settings work for all HIPS modes in the same way?

[CommodoUser2019]

...it is not possible for this ransomware or any other malware that modifies the file system, to bypass the HIPS as long as the files that are being modified are added to the protected files...

I am assuming CS was referring to a system with stock unmodified HIPS settings? Versus your mods.  So we want to make sure we are comparing apple to apples. I have containment on but am interested in these HIPS adjustments as an accompaniment to everything else CIS or CFW offers, not as a replacement.

[CommodoUser2019]

I'm missing something here. I go into settings>HIPS>protected object>protected files and when I try to add a file, it prompts me to select an actual file on the system. How do you add ?:\* under protected files?