Comodo CIS potentially vulnerable to ransomware. Need verification, waiting for staff reply

Hi,
On GitHub I found a test that anyone can perform by visiting the relevant GitHub page.
It is really simple: it is just code to copy and paste into Windows PowerShell after creating a folder on the PC and a test .txt file with some text content.

I tested two free antivirus products after installing them and restarting Windows, and they were able to block the encryption.

With Comodo CIS the file was encrypted.

Can I share the link to the GitHub page here, or should I report this discovery somewhere else in private?
Thanks Comodo.

Waiting for a moderator reply.

Malware links should not be posted in public forum.

Can you confirm CIS settings, evidence of user files being encrypted showing the parent directory, etc.?

Given you have to manually copy and paste the code into PowerShell, it's user-inputted and unlikely to be a real-world scenario. It would be interesting to see @cruelsister 's view on the test (easy to find with a web search) as she tests CF/CIS against ransomware regularly with no breaches.

I used CIS default settings.
I am just reporting this to you, but I have uninstalled Comodo.

For me this is evidence of no protection against ransomware. Also, a test (different from this one) I made in the past was passed by other software but not by CIS.

It is sad for me to read as a reply that it is not a real scenario, or maybe it is, because the GitHub page explains well that this is a test of zero-day malware. The other free antivirus I tested also gives protection from this attack, so I will use that product for now.

For me it is: a program can simply run its code in PowerShell, or a PowerShell script can be sent to a PC, which it seems CIS is not blocking.

Anyway this is my feedback.

Also, it seems CIS has many small bugs, like the Secure Shopping setup not working, and other application setups as well. CIS is blocking Windows Sandbox internet access.

I just wanted to leave my feedback here because I'm sad to see CIS made this failure, but I'm not surprised.
CIS works with definitions and with denying unknown programs. This is maybe all the protection.
There is also heuristic protection, disabled by default … but here I don't know how it works.

If I'm not wrong, there is an exe file of this test that can be downloaded, and I did.
If I'm not wrong, also in this case CIS fails the test; the file gets encrypted.

I leave you with this feedback.

[image]
Disable this option, "Do not virtualize access to specific files/folders", rerun the test and boom, no files are encrypted.


The best way to run this test is to download the exe and/or jar file versions as this would be more of a real world test. Doing so once again shows Comodo protects:

With only Containment enabled at default (everything else disabled), running either will not allow any encryption to proceed in whatever folder is chosen (and the browser popup with the Encryption Warning is also contained, btw).

As a check, disabling Containment and then running the test file will demonstrate that encryption will occur.

This test file is really nothing special as it just parallels what a simple certutil -encode command can also accomplish.

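As an added example that is not part of any post in this thread, not the GitHub test's own code and not anything from Comodo: a minimal PowerShell script that does what the OP's description and cruelsister's post both boil down to, namely rewriting a text file in a test folder with encrypted bytes, so you can see whether a security product refuses the write, lets it through, or (with containment) virtualises it. The folder name, file name, sample content and the choice of AES-256-CBC are assumptions; run it only on a throwaway test machine, since it overwrites the file it creates.

```powershell
# Added example, not code from the GitHub test, from any poster, or from Comodo.
# Simulates the behaviour the thread tests: encrypt a text file in a test folder
# and see whether the security product blocks the write or lets it through.
# Assumptions: the folder name, file name and content, and AES-256-CBC as the cipher.
# Run ONLY on a test machine; it overwrites the file it creates.

$TestDir  = Join-Path $env:USERPROFILE 'RansomSimTest'   # assumed test folder
$TestFile = Join-Path $TestDir 'test.txt'                # assumed victim file

# 1. Create the victim file with constructed sample content and record its hash.
New-Item -ItemType Directory -Path $TestDir -Force | Out-Null
Set-Content -Path $TestFile -Value 'This is a plain text test file.' -Encoding UTF8
$hashBefore = (Get-FileHash -Path $TestFile -Algorithm SHA256).Hash

# 2. Random AES-256 key and IV held only in memory, as a real sample would do before
#    exfiltrating the key; nothing in this script can decrypt the file afterwards.
$aes = [System.Security.Cryptography.Aes]::Create()
$aes.KeySize = 256
$aes.Mode    = [System.Security.Cryptography.CipherMode]::CBC
$aes.Padding = [System.Security.Cryptography.PaddingMode]::PKCS7
$aes.GenerateKey()
$aes.GenerateIV()

function Invoke-EncryptInPlace {
    param([string]$Path, [System.Security.Cryptography.Aes]$Cipher)
    $plain     = [System.IO.File]::ReadAllBytes($Path)
    $encryptor = $Cipher.CreateEncryptor()
    try {
        $cipherText = $encryptor.TransformFinalBlock($plain, 0, $plain.Length)
    } finally {
        $encryptor.Dispose()
    }
    # Overwrite the original bytes with IV || ciphertext. This in-place rewrite is the
    # action a behaviour blocker or containment layer is expected to stop or virtualise.
    [System.IO.File]::WriteAllBytes($Path, [byte[]]($Cipher.IV + $cipherText))
}

# 3. Attempt the encryption and record whether the OS or security software refused it.
$blocked = $false
try {
    Invoke-EncryptInPlace -Path $TestFile -Cipher $aes
} catch {
    $blocked = $true
    Write-Host "Write refused: $($_.Exception.Message)"
}

# 4. Compare hashes as seen by THIS process.
$hashAfter = (Get-FileHash -Path $TestFile -Algorithm SHA256).Hash
if ($blocked) {
    Write-Host 'Result: the encryption attempt was blocked.'
} elseif ($hashBefore -ne $hashAfter) {
    Write-Host 'Result: file content changed from the point of view of this process.'
} else {
    Write-Host 'Result: file unchanged.'
}

# 5. The check that actually decides the containment question. If this script ran in a
#    sandbox, its own reads of $TestFile are virtualised too, so step 4 can report
#    "changed" even when the real file is intact. Verify from a fresh, non-contained
#    process (a new Explorer or PowerShell window) that the file still reads as text.
Write-Host "Now open $TestFile from a separate, non-contained window and check whether it is still readable plain text."
```

The point of step 5 is the evidence the moderator asked for above: a "file encrypted" message printed by the test itself proves nothing if the test was running inside containment, because its view of the folder is the virtualised one. Only the real file, inspected from a process that was not contained, shows whether the write reached disk.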

https://youtu.be/OYB-HfXsmAY


The cloud is turned off because it is already recognized in the collective as harmful. I ran as unrecognized, pointed to the specified folder and the result is that it did not encrypt anything.

So the sandbox is airtight.

Interesting, after my topic Comodo now recognizes this test and its attempt to encrypt; before this topic it was not. So it seems something has been changed, maybe to fix just this attack?!

Before the topic the issue was present in the stable and in the beta of Comodo; now it seems I'm unable to reproduce it again because the file gets sandboxed.

https://www.youtube.com/watch?v=OYB-HfXsmAY Comodo Against Ransomware Test File (cruelsister1)
:grinning: :clap: :muscle:
