Author Topic: Comodo containment and HIPS against recent ransomware  (Read 8854 times)

Offline Citizen K

  • Global Moderator
  • Comodo's Hero
  • *****
  • Posts: 26225
Re: Comodo containment and HIPS against recent ransomware
« Reply #60 on: July 05, 2021, 02:22:52 PM »
You have to use Proactive Security and make sure you have "Perform script analysis" enabled and set the protection level of run virtualized to Limited or Restricted.

Offline CISfan

  • Comodo's Hero
  • *****
  • Posts: 1510
Re: Comodo containment and HIPS against recent ransomware
« Reply #61 on: July 05, 2021, 02:32:06 PM »
I would like to know too if CIS is able to detect malware entering a computer via trusted remote control software like Kaseya, and if CIS is still able to block it or to run it in containment.
If the Kaseya software itself is rated trusted, what will be the rating of the malware then?

Offline NDABBRU

  • Comodo's Hero
  • *****
  • Posts: 639
Re: Comodo containment and HIPS against recent ransomware
« Reply #62 on: July 05, 2021, 02:37:06 PM »
You have to use Proactive Security and make sure you have "Perform script analysis" enabled and set the protection level of run virtualized to Limited or Restricted.

In the settings I had already chosen the proactive one (I just disabled HIPS for fear of making mistakes when pop-ups of choice appear), and in the containment settings I did as you said.
Here are the settings (the language is Italian  ;D ...)

Thanks! :D :-TU
Bye!
Nunzio

Offline kyl

  • Comodo's Hero
  • *****
  • Posts: 267
Re: Comodo containment and HIPS against recent ransomware
« Reply #63 on: July 06, 2021, 10:52:32 AM »
I would like to know too if CIS is able to detect malware entering a computer via trusted remote control software like Kaseya, and if CIS is still able to block it or to run it in containment.
If the Kaseya software itself is rated trusted, what will be the rating of the malware then?

If it enters a computer via Windows itself, CFW would block it.
I'm experiencing too many BSoDs with CFW already, so it's like it's blocking even system files too, but my settings are not default (CS's).


Offline Eric Cryptid

  • Global Moderator
  • Comodo's Hero
  • *****
  • Posts: 2840
  • Security Saskquatch
Re: Comodo containment and HIPS against recent ransomware
« Reply #64 on: July 06, 2021, 02:03:24 PM »
If it enters a computer via Windows itself, CFW would block it.
I'm experiencing too many BSoDs with CFW already, so it's like it's blocking even system files too, but my settings are not default (CS's).


I wonder if the FW block will happen with Alert Incoming (Proactive Config default FW Config) as well as with Block Incoming (CF/IS default). I suppose you'd still get an alert giving you the option to block it.

Moderator: Any concerns? PM me and/or review the Forum Policy
System: 64 bit Win 10
Realtime Protection: CIS 12

Offline CISfan

  • Comodo's Hero
  • *****
  • Posts: 1510
Re: Comodo containment and HIPS against recent ransomware
« Reply #65 on: July 06, 2021, 04:12:30 PM »
Head scratching . . .
Will there be a FW Alert when the Kaseya software initiates the connection and malware piggybacks on that connection?

Offline kyl

  • Comodo's Hero
  • *****
  • Posts: 267
Re: Comodo containment and HIPS against recent ransomware
« Reply #66 on: July 06, 2021, 09:40:03 PM »
Head scratching . . .
Will there be a FW Alert when the Kaseya software initiates the connection and malware piggybacks on that connection?

I bet it will be blocked without an alert when CFW is properly set up.



Offline CISfan

  • Comodo's Hero
  • *****
  • Posts: 1510
Re: Comodo containment and HIPS against recent ransomware
« Reply #67 on: July 07, 2021, 07:35:47 AM »
I bet it will be blocked without an alert when CFW is properly set up.


Not very convincing, I still have my doubts...

Offline Citizen K

  • Global Moderator
  • Comodo's Hero
  • *****
  • Posts: 26225
Re: Comodo containment and HIPS against recent ransomware
« Reply #68 on: July 07, 2021, 10:32:04 AM »
Head scratching . . .
Will there be a FW Alert when the Kaseya software initiates the connection and malware piggybacks on that connection?
With HIPS and script analysis enabled, CIS should block unknown programs from piggybacking on executables.

Offline cruelsister

  • Comodo Loves me
  • ****
  • Posts: 137
Re: Comodo containment and HIPS against recent ransomware
« Reply #69 on: July 07, 2021, 04:13:56 PM »
Regarding the Kaseya attack, Comodo does quite well against it. As the initial ransomware is digitally signed (PB03 TRANSPORT LTD), it was passed by some anti-malware applications prior to the revocation of the certificate.

The fact that the malware was signed presents no issue to Comodo. Utilizing CF (even without the AV and HIPS functionality), containment at the lowest level will stop the malware. Specifically note that the ransomware has two modes: the first is a PowerShell script that seeks to disable Windows Defender and modifies the Windows firewall with the "netsh advfirewall firewall set rule group" routine. Along with certutil, these are recognized and blocked from action. A batch script will run the ransomware itself.

The main ransomware routine is rather pretty, as it will drop a legitimate version of Windows Defender (specifically MsMpEng.exe) as well as the payload in the form of a malicious mpsvc.dll, which will then be loaded by Windows Defender in a side-loading attack. These are also contained, with the only evidence of ransom activity being encrypted files within Containment, all of which can be flushed without any system changes (also, no outbound network requests exist with the malware).

These are really the essentials of this malware attack and could have resulted in fewer victims if Comodo was employed.
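The chain cruelsister describes (netsh changing a firewall rule group, certutil, a PowerShell script turning off Defender, and a legitimate MsMpEng.exe dropped next to a malicious mpsvc.dll so that it side-loads) is also a useful detection exercise for anyone relying on endpoint telemetry rather than containment. The script below is an added example written for this thread; it is not Comodo's code and not the post author's. It replays constructed Sysmon-style process-creation and image-load records (the field names, the sample paths under C:\Users\Public, and the Set-MpPreference heuristic for Defender tampering are assumptions, not details from the thread) and reports which behaviours fire.

```python
"""Detection heuristics for the behaviours named in the post above.

Added example, not Comodo's or the post author's code. Field names follow the
Sysmon convention (Image, CommandLine, ParentImage, ImageLoaded) as an
assumption; the sample records below are constructed, not captured.
"""
import json
import ntpath

# Directories where MsMpEng.exe legitimately lives (assumption; tune per estate).
DEFENDER_DIRS = (
    r"c:\program files\windows defender",
    r"c:\programdata\microsoft\windows defender\platform",
)


def _in_defender_dir(path: str) -> bool:
    p = path.lower()
    return any(p.startswith(d) for d in DEFENDER_DIRS)


def check_process(ev: dict) -> list:
    """Return the rule names triggered by one process-creation record."""
    image = ntpath.basename(ev.get("Image", "")).lower()
    cmd = ev.get("CommandLine", "").lower()
    hits = []
    # netsh advfirewall ... set rule group ... : firewall rule group change (named in the post)
    if image == "netsh.exe" and "advfirewall" in cmd and "set rule group" in cmd:
        hits.append("netsh_firewall_rule_group_change")
    # certutil is named in the post as part of the first stage
    if image == "certutil.exe":
        hits.append("certutil_execution")
    # Defender tampering from PowerShell; the cmdlet heuristic is an assumption
    if image == "powershell.exe" and "set-mppreference" in cmd and "-disable" in cmd:
        hits.append("powershell_defender_tamper")
    # A real MsMpEng.exe started from outside its install directory is the
    # precondition for the mpsvc.dll side-load described in the post
    if image == "msmpeng.exe" and not _in_defender_dir(ev.get("Image", "")):
        hits.append("msmpeng_outside_defender_dir")
    return hits


def check_image_load(ev: dict) -> list:
    """Flag MsMpEng.exe loading an mpsvc.dll that is not in a Defender directory."""
    image = ntpath.basename(ev.get("Image", "")).lower()
    loaded = ev.get("ImageLoaded", "")
    if (image == "msmpeng.exe"
            and ntpath.basename(loaded).lower() == "mpsvc.dll"
            and not _in_defender_dir(loaded)):
        return ["mpsvc_dll_sideload"]
    return []


def scan(lines) -> list:
    """Parse JSON-lines telemetry and return (rule, image) tuples for every hit."""
    alerts = []
    for line in lines:
        ev = json.loads(line)
        if ev.get("EventType") == "ProcessCreate":
            rules = check_process(ev)
        elif ev.get("EventType") == "ImageLoad":
            rules = check_image_load(ev)
        else:
            rules = []
        alerts.extend((r, ev.get("Image")) for r in rules)
    return alerts


# Constructed sample telemetry: five malicious-looking records and two benign ones.
SAMPLE_EVENTS = [
    {"EventType": "ProcessCreate", "Image": r"C:\Windows\System32\netsh.exe",
     "ParentImage": r"C:\Windows\System32\cmd.exe",
     "CommandLine": 'netsh advfirewall firewall set rule group="Network Discovery" new enable=Yes'},
    {"EventType": "ProcessCreate", "Image": r"C:\Windows\System32\certutil.exe",
     "ParentImage": r"C:\Windows\System32\cmd.exe", "CommandLine": "certutil <constructed args>"},
    {"EventType": "ProcessCreate", "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "ParentImage": r"C:\Windows\System32\cmd.exe",
     "CommandLine": "powershell -c Set-MpPreference -DisableRealtimeMonitoring $true"},
    {"EventType": "ProcessCreate", "Image": r"C:\Users\Public\MsMpEng.exe",
     "ParentImage": r"C:\Windows\System32\cmd.exe", "CommandLine": r"C:\Users\Public\MsMpEng.exe"},
    {"EventType": "ImageLoad", "Image": r"C:\Users\Public\MsMpEng.exe",
     "ImageLoaded": r"C:\Users\Public\mpsvc.dll"},
    # Benign: Defender running from its real directory, loading its own mpsvc.dll
    {"EventType": "ProcessCreate", "Image": r"C:\Program Files\Windows Defender\MsMpEng.exe",
     "ParentImage": r"C:\Windows\System32\services.exe", "CommandLine": '"C:\\Program Files\\Windows Defender\\MsMpEng.exe"'},
    {"EventType": "ImageLoad", "Image": r"C:\Program Files\Windows Defender\MsMpEng.exe",
     "ImageLoaded": r"C:\Program Files\Windows Defender\mpsvc.dll"},
    # Benign: an unrelated netsh invocation
    {"EventType": "ProcessCreate", "Image": r"C:\Windows\System32\netsh.exe",
     "ParentImage": r"C:\Windows\System32\cmd.exe", "CommandLine": "netsh interface show interface"},
]
SAMPLE_LOG = [json.dumps(e) for e in SAMPLE_EVENTS]

if __name__ == "__main__":
    for rule, image in scan(SAMPLE_LOG):
        print(f"{rule:32s} {image}")
```

The path-based MsMpEng.exe rule is the one worth keeping: the binary is genuinely Microsoft-signed, so a signature check alone says nothing, and the only cheap tell is that a Defender engine is running from, and loading its service DLL from, a directory Defender never installs to.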

Offline Ploget

  • Global Moderator
  • Comodo's Hero
  • *****
  • Posts: 1914
  • 'Your best teacher is your last mistake'
    • Schneier on Security
Re: Comodo containment and HIPS against recent ransomware
« Reply #70 on: July 08, 2021, 03:06:42 AM »
Many thanks for the info M  :)
Regarding the Kaseya attack, Comodo does quite well against it. As the initial ransomware is digitally signed (PB03 TRANSPORT LTD), it was passed by some anti-malware applications prior to the revocation of the certificate.

The fact that the malware was signed presents no issue to Comodo. Utilizing CF (even without the AV and HIPS functionality), containment at the lowest level will stop the malware. Specifically note that the ransomware has two modes: the first is a PowerShell script that seeks to disable Windows Defender and modifies the Windows firewall with the "netsh advfirewall firewall set rule group" routine. Along with certutil, these are recognized and blocked from action. A batch script will run the ransomware itself.

The main ransomware routine is rather pretty, as it will drop a legitimate version of Windows Defender (specifically MsMpEng.exe) as well as the payload in the form of a malicious mpsvc.dll, which will then be loaded by Windows Defender in a side-loading attack. These are also contained, with the only evidence of ransom activity being encrypted files within Containment, all of which can be flushed without any system changes (also, no outbound network requests exist with the malware).

These are really the essentials of this malware attack and could have resulted in fewer victims if Comodo was employed.
Ploget

All Win 10 x 64 Pro - 21H1 (19043.1348) / CFW 12.2.2.8012 / WiseVector StopX
Comodo Forum Policy
“If you think you are too small to make a difference, try sleeping with a mosquito”

Offline NDABBRU

  • Comodo's Hero
  • *****
  • Posts: 639
Bye!
Nunzio

Offline cruelsister

  • Comodo Loves me
  • ****
  • Posts: 137
Re: Comodo containment and HIPS against recent ransomware
« Reply #72 on: July 08, 2021, 08:46:30 AM »
I am really impressed that Comodo has come out with such a well done and easily understandable article. The only addition that one could make is that the malware also contained the "netsh advfirewall firewall set rule group="Network Discovery" new enable=Yes" batch command (easily missed) which is also contained by Comodo.

Offline victorlopes

  • Comodo Family Member
  • ***
  • Posts: 64
Re: Comodo containment and HIPS against recent ransomware
« Reply #73 on: July 08, 2021, 04:16:26 PM »
cruelsister, can you please post your CIS configuration (updated with anything you think is important) in text, not video? Just so I can check it out, try it again, translate it and make it easier for people in Brazil to understand. Maybe, if possible, can we have a script or regedit that will do your configuration without the user opening the CIS config window?

Imagine that: a user installs CIS, runs a reg file (or cmd) and it's all set!!! Nothing more to worry about... that would be magic!!! :P

Offline prodex

  • Comodo's Hero
  • *****
  • Posts: 582
Re: Comodo containment and HIPS against recent ransomware
« Reply #74 on: July 11, 2021, 02:55:29 AM »
I think this is not necessary. That would be a lot of work. You can stop the video and follow each step or two without having to read.
