For the first time since I acquired CIS last spring, I suffered an attack this morning: a “perfect storm” of an email I’d been waiting for, and no coffee yet (!), and an email stating “your electronic transfer failed”. I was fooled and clicked the link.
Comodo D+ appeared to sandbox and isolate 3 executables and a bat file, all of which I could see in the logs were attempting to modify other programs running on the PC, and to modify the Registry key that would enable them to start on boot. When I located these files and tried to delete them, Windows wouldn’t let me, nor would Security allow me to change Permissions to take ownership of the files and delete them. I eventually found the files in CIS’ Computer Security Policy, and here I was able to Delete them.
Was the reason I could not delete them using Explorer simply that CIS was in control of them?
Another question: I searched on “files modified after today”, looking for anything that might have changed since the attack started. Among these was C:\Boot\BCD. Is there a danger that the boot manager was corrupted? Should I try to recover this file from backup? It is locked such that I can’t look at the BCD.LOG file. Or should I consider that, since CIS clearly sandboxed these files from the beginning and I can’t find anything in the logs suggesting the BCD was attacked, I’m OK in this regard?
TIA for any help here!
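The triage described in the post (files modified since the attack, the autostart Registry keys the sandboxed files were trying to write, and the state of the boot store) can be gathered in one pass from an elevated PowerShell prompt. The script below is an added example and is not code from the original post or from Comodo; it assumes the attack started at 09:00 today (the `$since` value is a placeholder to adjust) and that it is run as Administrator so that `bcdedit` and hidden system directories are readable.

```powershell
# Added triage script, not from the original post. Assumes an elevated prompt.
# Assumption: the attack started at 09:00 today; set this to the time the link was clicked.
$since = (Get-Date).Date.AddHours(9)

# 1. Every file written since the attack started, hidden and system files included (-Force).
#    Errors from directories the account cannot read are suppressed rather than aborting the scan.
$changed = Get-ChildItem -Path 'C:\' -Recurse -File -Force -ErrorAction SilentlyContinue |
    Where-Object { $_.LastWriteTime -ge $since } |
    Sort-Object LastWriteTime

# SHA-256 each changed file so it can be compared with a known-good copy or looked up by hash.
# Files that are locked by the OS (C:\Boot\BCD is one) report the error instead of a hash.
$report = foreach ($f in $changed) {
    $hash = try   { (Get-FileHash -Path $f.FullName -Algorithm SHA256 -ErrorAction Stop).Hash }
            catch { "LOCKED: $($_.Exception.Message)" }
    [pscustomobject]@{ Time = $f.LastWriteTime; Path = $f.FullName; SHA256 = $hash }
}
$report | Format-Table -AutoSize
$report | Export-Csv -Path "$env:USERPROFILE\Desktop\changed-files.csv" -NoTypeInformation

# 2. The per-machine and per-user Run/RunOnce keys, which are the usual targets when a
#    dropper wants to start on boot. Any value pointing into %TEMP% or the user profile
#    deserves a second look.
$runKeys = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
           'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce',
           'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
           'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce'
foreach ($k in $runKeys) {
    if (Test-Path $k) {
        Write-Host "== $k =="
        Get-ItemProperty -Path $k | Select-Object -Property * -ExcludeProperty PS* | Format-List
    }
}

# 3. Dump the boot configuration store rather than trying to open the locked BCD file.
#    Compare this with a dump taken from a known-good machine of the same Windows version:
#    extra boot entries, a changed 'device'/'osdevice', or an OS loader 'path' other than
#    \Windows\system32\winload.exe are the things worth investigating.
bcdedit /enum all
```

Run it once and keep the CSV and the `bcdedit` output with the CIS logs; a second run after the cleanup gives a before/after comparison without having to re-check the locked boot store by hand.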