Topic: Comodo containment and HIPS against recent ransomware

Eric Cryptid (Global Moderator, Comodo's Hero, Posts: 2840, Security Saskquatch)
Re: Comodo containment and HIPS against recent ransomware
« Reply #30 on: May 14, 2021, 01:00:26 AM »
I am assuming CS was referring to a system with stock unmodified HIPS settings? Versus your mods. So we want to make sure we are comparing apples to apples. I have containment on but am interested in these HIPS adjustments as an accompaniment to everything else CIS or CFW offers, not as a replacement.

HIPS can protect you by protecting the system, but in a different way than auto-containment. CruelSister mentioned the HIPS for those who prefer HIPS over Containment, as indicated in her post.

One interesting thing about it is that although it is totally blocked by Comodo Containment, the encryption process would be allowed to proceed if ONLY the HIPS is enabled at Safe Mode (even if the user selects Block at every prompt).

I bring this up only for those that would prefer HIPS (any HIPS from anybody, actually) over Containment.

But FutureTech has a point. HIPS can protect the system as well as Containment if you add in the extra rules to protect the whole drive. You'll also get a notification if a trusted application goes rogue or interacts with an untrusted/unrecognized file. (e.g. if a trusted game launcher tried to communicate with an untrusted game main .exe file, you get a pop-up to warn you and the option to block that activity)

I think that made sense. Anyway, I like a combination of the two as HIPS adds a layer of protection.

> I'm missing something here. I go into settings>HIPS>protected object>protected files and when I try to add a file, it prompts me to select an actual file on the system. How do you add ?:\* under protected files?


I needed to just select one of the drives and then modify the rule by changing the drive letter to a ? after the rule has been created. As I mentioned in my other post earlier.  This is also to protect drives you add to the system.

Anyway, I've got to be up in a couple of hours...

Moderator: Any concerns? PM me and/or review the Forum Policy
System: 64 bit Win 10
Realtime Protection:CIS 12

CommodoUser2019 (Comodo's Hero, Posts: 257)
Re: Comodo containment and HIPS against recent ransomware
« Reply #31 on: May 14, 2021, 01:49:37 AM »
> I needed to just select one of the drives and then modify the rule by changing the drive letter to a ? after the rule has been created. As I mentioned in my other post earlier. This is also to protect drives you add to the system.
I see:
file groups
folders
files
running processes
No way to add a whole drive I can see.
EDIT: OK, apparently by adding a folder I was able to just select the C drive and hit OK. It saved it; then, as you said, substitute out the drive letter with a ? via edit.
« Last Edit: May 14, 2021, 02:07:19 AM by CommodoUser2019 »

CommodoUser2019 (Comodo's Hero, Posts: 257)
Re: Comodo containment and HIPS against recent ransomware
« Reply #32 on: May 14, 2021, 02:14:43 AM »
Ok so by adding ?:\* to HIPS protected files, we are able to block this ransomware by responding to the HIPS alert with either BLOCK or BLOCK AND TERMINATE? Whereas before only BLOCK AND TERMINATE would stop it?

Citizen K (Global Moderator, Comodo's Hero, Posts: 26225)
Re: Comodo containment and HIPS against recent ransomware
« Reply #33 on: May 14, 2021, 09:52:37 AM »
> @cruelsister Did you also disable script analysis when you did the HIPS-only analysis?
I hope cruelsister stops by and answers this question.

Eric Cryptid (Global Moderator, Comodo's Hero, Posts: 2840, Security Saskquatch)
Re: Comodo containment and HIPS against recent ransomware
« Reply #34 on: May 14, 2021, 10:02:22 AM »
> Ok so by adding ?:\* to HIPS protected files, we are able to block this ransomware by responding to the HIPS alert with either BLOCK or BLOCK AND TERMINATE? Whereas before only BLOCK AND TERMINATE would stop it?

HIPS itself includes a number of important objects and folders to protect by default. Adding in FutureTech's rules just ensures the whole drive, extra registry components and additional COM interfaces are protected by the HIPS mechanism.

Containment works separately. It's apples and oranges I guess but auto-containment is the easiest to use and mine's always set to "Restricted" for any unknowns but you can just set it to Block things as shown in CS's videos :)

I don't know whether the paid version still has that $500 guarantee but it used to be you had to do a full scan and activate HIPS in Safe mode for the guarantee to work.

Anyway, loving that CruelSister is back and glad Comodo protects us so well :D


cruelsister (Comodo Loves me, Posts: 135)
Re: Comodo containment and HIPS against recent ransomware
« Reply #35 on: May 14, 2021, 11:40:40 AM »
Script Analysis has no effect either way on the mechanism of action of this ransomware.

Also, to clarify what happens if you choose to add things to the Protected objects list in HIPS settings, one can certainly protect the entire drive as noted above, or one can just protect individual folders. For instance, just protecting the Pictures folder and running the ransomware file that I discussed above will result in a (red) HIPS popup that states a file is attempting to Modify a protected File or Folder; you will get this popup for EVERY file that is in that directory, and choosing just Block will not allow the ransomware to make any changes to these files.

On the other hand, protecting the Photos directory but NOT the Documents folder and hitting Block at all the HIPS prompts will result (as before) in all the Photos being unchanged but ALL the Documents being encrypted.

Hope this helps,

m

ro.edi (Comodo Family Member, Posts: 76, ROFuSiON)
Re: Comodo containment and HIPS against recent ransomware
« Reply #36 on: May 14, 2021, 12:27:49 PM »
We told you that Comodo can be fully bypassed with both sandbox and HIPS!
And nobody bothered to contact us... except a 3 letter agency who now has our code ($)!

One small example of an attack is done via a Chromium engine based browser, and nope, CIS can't do anything about it!
Dope CIS can be stripped down of HIPS and sandbox.
Hehe, even stop all services; we can uninstall it and turn a plane around in your system(s)!

The secret is the access memory!

Please erase my account here... this company and its product is going to be bombarded!
Bye

CISfan (Comodo's Hero, Posts: 1443)
Re: Comodo containment and HIPS against recent ransomware
« Reply #37 on: May 14, 2021, 12:58:19 PM »
> We told you that comodo can be fully bypass with both sandbox and hips!
> ...

Can it???
I have missed that part, could you please forward more info about this?

Eric Cryptid (Global Moderator, Comodo's Hero, Posts: 2840, Security Saskquatch)
Re: Comodo containment and HIPS against recent ransomware
« Reply #38 on: May 14, 2021, 01:34:46 PM »
Nothing like a troll to brighten up a Friday evening @ro.edi LOL.

Anyway, added FutureTech's tweaks to HIPS and no performance impact ;)

Thanks for the clarification @Cruelsister :D


CISfan (Comodo's Hero, Posts: 1443)
Re: Comodo containment and HIPS against recent ransomware
« Reply #39 on: May 14, 2021, 01:54:51 PM »
Has drunk too much coffee I guess...

tachion (Star Group, Comodo Family Member, Posts: 56, Safegroup)
Re: Comodo containment and HIPS against recent ransomware
« Reply #40 on: May 14, 2021, 03:53:09 PM »
Hi

Standard sandbox settings with the (do not virtualize access to specific files and folders) option unchecked will protect against this threat.

Adding the system partition C:\* to protected files will also protect all data on that partition with the option in hips (only lock).

CISfan (Comodo's Hero, Posts: 1443)
Re: Comodo containment and HIPS against recent ransomware
« Reply #41 on: May 14, 2021, 05:41:30 PM »
I remember that I had the entries listed below in a File Group called "Anti-Ransom" which was added to HIPS "Protected Files and Folders" when I was using CIS V5.12.

\Global??\FltMgrMsg
\Device\KsecDD
?:\*


Are the first two entries of use for CIS V12 too?

CommodoUser2019 (Comodo's Hero, Posts: 257)
Re: Comodo containment and HIPS against recent ransomware
« Reply #42 on: May 14, 2021, 06:51:44 PM »
> Nothing like a troll...
Are we sure that's all? It seems he had some interesting posts and I'm wondering if it's wise to just dismiss it all. Unfortunately, I am just an intermediate user (less than intermediate in the Comodo ecosystem) and do not feel qualified to make an assessment. But I'd like to know if low people in high places have cracked the Comodo conundrum. The ostrich act is not a good idea IMO.

CISfan (Comodo's Hero, Posts: 1443)
Re: Comodo containment and HIPS against recent ransomware
« Reply #43 on: May 14, 2021, 07:08:15 PM »
> ... But I'd like to know if low people in high places have cracked the Comodo conundrum. ...

I would like to know too. That's why I asked him to provide more information about his bypass statement. His statement is completely worthless without evidence.

CISfan (Comodo's Hero, Posts: 1443)
Re: Comodo containment and HIPS against recent ransomware
« Reply #44 on: May 15, 2021, 05:53:07 PM »
I also had the entry below added to HIPS "Blocked Files" in CIS V5.12 to protect against certain ransomware.

*.locked

Not sure if this setting is still applicable with all new ransomware types these days...

Maybe someone can comment on this setting or shed a light on it?
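An added example, not code from this thread or from Comodo, that models the HIPS "Protected Files" entries discussed above (the ?:\* drive rule and cruelsister's Pictures-protected/Documents-unprotected test). It assumes ? matches any single character, * matches any run of characters including backslashes, matching is case-insensitive, and a folder entry is stored as <folder>\*; none of that is documented Comodo behaviour, just the reading the posts rely on.

```python
import re
from typing import Iterable, List, Tuple

# Added example for this thread, not Comodo's own code. It models the HIPS
# "Protected Files" entries discussed above under assumed semantics: '?' is
# any single character (so '?:\*' covers every drive letter, including drives
# added later), '*' is any run of characters including backslashes, matching
# is case-insensitive as on Windows, and a folder entry is stored as
# '<folder>\*'. These are assumptions, not documented Comodo behaviour.


def pattern_to_regex(pattern: str) -> "re.Pattern[str]":
    """Translate one HIPS-style pattern into an anchored, case-insensitive regex."""
    parts = []
    for ch in pattern:
        if ch == "*":
            parts.append(".*")
        elif ch == "?":
            parts.append(".")
        else:
            parts.append(re.escape(ch))
    return re.compile("^" + "".join(parts) + "$", re.IGNORECASE)


def is_protected(path: str, protected: Iterable[str]) -> bool:
    """True if some Protected Files entry covers the path, i.e. HIPS would prompt."""
    return any(pattern_to_regex(p).match(path) for p in protected)


def replay_block_at_every_prompt(
    files: List[str], protected: List[str]
) -> Tuple[List[str], List[str]]:
    """Replay cruelsister's test: a file under a protected entry raises a prompt and
    answering Block leaves it unchanged; a file no entry covers is encrypted silently.
    Returns (survived, encrypted)."""
    survived = [f for f in files if is_protected(f, protected)]
    encrypted = [f for f in files if not is_protected(f, protected)]
    return survived, encrypted


if __name__ == "__main__":
    # Constructed sample of files the ransomware would try to modify.
    files = [
        r"C:\Users\me\Pictures\holiday.jpg",
        r"C:\Users\me\Documents\taxes.docx",
        r"E:\backup\archive.zip",  # drive attached after the rule was created
    ]
    print(replay_block_at_every_prompt(files, [r"C:\Users\me\Pictures\*"]))
    print(replay_block_at_every_prompt(files, [r"?:\*"]))
```

Under these assumed semantics a UNC path such as \\server\share\file.txt is not matched by ?:\*, so a network share would need its own entry.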
