Comodo 5.8 bypassed by trojan GPCODE

I made a test today and uploaded to youtube:

I am a fan of Comodo, but it seems like sandbox and Defense+ had been bypassed by Trojan.Win32 Gpcode.

I’ve experienced the same thing with screen lock ransomware. Apparently CIS 5.8 is not reliable at all. Something that’s not exactly acceptable in the security field…

Egemen, I think you should do something about those two threats…

Only the file system virtualization can protect against this malware.

;D

Can you please set up CIS following these rules:
http://www.techsupportalert.com/content/how-install-comodo-firewall.htm
ignoring the antivirus and see if it’s protected?

Thanks.

CIS auto sandbox can block the malware by adding one rule to the protected files and folders.

?:*

But it will cause many popups.
It’s better to add “\Device\KsecDD”
I proposed it to Comodo but they didn’t add that :frowning:

Was any reason given?

edit: Never mind, I found his concern…

Hi, the GPCODE is a known issue.

Here is what egemen said about this a while back. Unfortunately we will have to wait for v6 for a permanent fix.

Hi Guys,

Let me comment on this one more time. First of all, if configured, CIS can very well protect against this and any other threats proactively.

First let's see what this gpcode does: it gets to the user's computer by drive-by download and searches for the files on the user's hard disk. It then encrypts all picture and text files, i.e. damages some non-OS-essential files.

Is this a threat to the user? YES!
Is this a real threat to be prevented? YES!
Does CIS prevent against this now? YES!

Then how does COMODO protect against this BY DEFAULT? By default, antivirus detection is enough to detect gpcode and any of its variants. Let's not make false comments by saying CIS does not protect its users against gpcode. CIS DOES prevent against the REAL threat with its antivirus right now.

Now let's talk about preventing this proactively.

Is there a way to configure CIS to prevent this proactively? YES.

Method 1: Add your sensitive files/folders to the CIS protected files list and you are done. For example, you can add the My Documents and My Pictures folders, or *.doc, *.txt, *.jpg etc., to your protected files list and they will be protected.

Method 2: Always run your WEB browsers in the COMODO Sandbox by adding them to the Sandbox permanently. And while doing this, make sure file system and registry virtualization are both enabled. If you do this and accidentally get gpcode, or something like gpcode, or actually any virus from the WEB, they will be running in a virtual file system and hence they cannot access your files or folders.

You can also directly run GPCODE with the right-click menu in the CIS sandbox and you will see it can't do anything.

Of course CIS is capable of preventing it proactively as of now. However, these settings are not configured by default.

So why is COMODO not making an immediate HACK to prevent this proactively? Some other products are preventing it already.

We do not need to make a HACK but offer you a proper solution which is proven to prevent this and any similar threat while not affecting your daily work with your computer.

The proper solution is the active file system virtualization of SOME automatically sandboxed applications by default. Yes, we are right now working on this kind of an ideal automatic sandbox which is going to be in CIS 6 and will work similar to method 2.

It is NOT a HACK but a properly engineered solution so that the average Joe won't have problems when CIS is installed.

It takes 10 minutes to write a HACK which simply checks each application's right to enumerate files and folders and that's it. You are there. And what would be the cost? Joe’s photo editor will create a popup asking him if he wants some application to list files. Or Mary, while her new MP3 player builds a playlist, it might conflict.


https://forums.comodo.com/leak-testingattacksvulnerability-research/weakness-of-the-gpcode-t65960.0.html;msg512678#msg512678
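To make the trade-off in egemen's post concrete, here is an added toy model (not Comodo's code; the rule semantics, sample disk and the "ENCRYPTED" marker are my own simplifications) of Method 1 (Protected Files wildcard rules such as `*.jpg` or the `?:*` rule mentioned earlier) and Method 2 (copy-on-write file system virtualization for a sandboxed process). It runs the thread's scenario, an untrusted process overwriting every picture and text file, and then a trusted editor saving a picture, to show that broad rules stop the damage but also alert on the legitimate write, while virtualization stops it without any alert.

```python
from fnmatch import fnmatchcase

class ProtectedFiles:
    """Model of Method 1: Protected Files rules such as '*.jpg' or '?:*'
    ('?' = one character, '*' = any run), matched case-insensitively."""
    def __init__(self, rules):
        self.rules = [r.lower() for r in rules]

    def matches(self, path):
        return any(fnmatchcase(path.lower(), r) for r in self.rules)

class VirtualFS:
    """Model of Method 2: copy-on-write overlay. Reads fall through to the
    real disk; every write from the sandboxed process lands in the overlay."""
    def __init__(self, real_disk):
        self.real, self.overlay = real_disk, {}

    def read(self, path):
        return self.overlay.get(path, self.real.get(path))

    def write(self, path, data):
        self.overlay[path] = data

def attempt_write(real_disk, protected, path, data, vfs=None):
    """One write. Returns 'virtualized' (sandboxed, file system virtualization on),
    'blocked' (matched a Protected Files rule: a Defense+ alert) or 'written'."""
    if vfs is not None:
        vfs.write(path, data)
        return "virtualized"
    if protected.matches(path):
        return "blocked"
    real_disk[path] = data
    return "written"

def run_scenario(rules, sandbox_untrusted):
    """Constructed sample disk. An untrusted process overwrites every picture and
    text file (the gpcode behaviour the thread describes); then a trusted,
    non-sandboxed editor saves a picture, showing the alert cost of broad rules.
    Returns (damaged_real_files, untrusted_outcomes, editor_outcome)."""
    real_disk = {r"C:\Users\Joe\Pictures\a.jpg": b"img",
                 r"C:\Users\Joe\Documents\notes.txt": b"text",
                 r"C:\Program Files\Editor\editor.exe": b"exe"}
    protected = ProtectedFiles(rules)
    vfs = VirtualFS(real_disk) if sandbox_untrusted else None
    outcomes = {p: attempt_write(real_disk, protected, p, b"ENCRYPTED", vfs)
                for p in list(real_disk) if p.lower().endswith((".jpg", ".txt"))}
    editor = attempt_write(real_disk, protected, r"C:\Users\Joe\Pictures\edit.jpg", b"img2")
    damaged = sorted(p for p, d in real_disk.items() if d == b"ENCRYPTED")
    return damaged, outcomes, editor
```

`run_scenario(["?:*"], False)` reproduces the "many popups" remark: nothing is damaged, but the editor's ordinary save is blocked too, whereas `run_scenario([], True)` leaves the real disk intact with no alert at all.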

I think the | sign is needed because a “partially limited” sandboxed application is allowed to access the protected file without the | sign.

I’ve added protected folders like “/documents|”, “/pictures|”, etc.

If you add the rules, then the sandboxed process cannot create files in these folders.

The | sign is not essential.

“\Device\KsecDD” cuts access to Microsoft encryption tool. (gpcode cannot encrypt the files)
Also it’s responsible for some kernel actions.
Only these 2.

No. Without the | sign, I find sandboxed apps are still able to create files in the directories.

But they cannot modify or delete files in the directories.

What about an application like Buffer Zone? Our firewall is compatible; the anti-virus I’m not sure of.

turnorburn

For example, the Windows Socket Interface is also used by many legitimate programs, and yet it is in the protected files, and it does not create problems.

+1
It is used by almost all applications which are supposed to connect to the net…
So, there is a little misunderstanding.

I too was bypassed by one malware, and this was on my personal laptop while testing some malware. It infected me so badly that I had to format. I pinged egemen and he asked me for samples; I submitted them to him. Now let's see what he does. Hope he fixes it.

https://forums.comodo.com/bug-reports-cis/cis-58-bug-that-crashed-cis-and-windows-t77531.0.html

Loveboy_lion,

This thread has nothing to do with your issue. Please stop post poisoning/thread jacking/cross posting, as this behavior is a violation of forum policy.

You really don’t need to post links to your threads in every post that seems remotely similar.

Thanks for your understanding.

-HeffeD

Agreed, no offense Loveboy, but you’ve got to just have patience for people to respond to your thread as opposed to posting the link everywhere. ;D