Comodo containment and HIPS against recent ransomware

Yeah I meant drives my mistake, I was wondering why you were mentioning drivers lol. And yes under protected files adding ?:* will cause HIPS to protect all files on all volumes and drives. For protected registry keys while not necessary, unless you want greater coverage, you can add *\Software* and \System*. Under protected COM interfaces, adding \RPC Control\ntsvcs monitors access to the service control manager, LocalSecurityAuthority. allows you to control process token privileges, and {} and . will cover many COM interfaces by CLSID and ProgID.

With that I have split the posts from the release topic to make this separate topic.

If I can elaborate for a bit:

1). Comodo Containment is superb. Set it up in a cruel fashion and have no malware worries. This can be done in about 30 seconds and one will be covered. On the other hand, relying on HIPS alone and reacting to specific malware strains is complicated and time consuming and may not be adequate for malware that works in ways the user may be unaware of.
2). HIPS: malware acts in various ways, as does ransomware. Accessing Windows APIs or valid Windows files in mischievous ways (LoLBin) often will be ignored by the HIPS routine. It is also important to note that at a HIPS popup you will be presented with 3 choices: Allow, Block, and Block and Terminate. If Block and Terminate is chosen all will be well. However, for some malware Allow and Block are essentially equivalent in stopping (or more properly, not stopping) some malware.

A case in point (and the easiest to test) can be seen with Xdata ransomware (MD5: a0a7022caa8bd8761d6722fe3172c0af, which can be found at the usual sources like AnyRun). Only a single warning popup will be seen, even in Paranoid mode, and choosing either Allow or Block will result in the encryption process proceeding (actually the initial alert will be for the Photo directory).

The point here is that if you like popups and are confident that you understand them all, fine. But Never Ever (never, ever) disable Containment, and be prepared to ALWAYS choose "Block and Terminate" if relying on HIPS alone.


Thank you.

[quote="CommodoUser2019 post:19, topic:320338"] EDIT: ...maybe in a new separate thread. [/quote] !ot! I was thinking of doing the same thing when I would get back online.

That's great, thanks for the info! Did you notice any performance impact adding the drives to protected?

I tend to use the HIPS default as Safe Mode with CIS with Proactive config and Containment set as (Restricted) as per @cruelsister's original firewall config, but maybe it's worth including the drives with HIPS.

Sorry but you are mistaken, it is not possible for this ransomware or any other malware that modifies the file system, to bypass the HIPS as long as the files that are being modified are added to the protected files. I ran that particular sample and was alerted to attempts to modify many files, which I was able to simply block using the treat as option and selecting the contained application ruleset.

I haven't noticed any performance issue and it really shouldn't; also, if you don't run many non-trusted applications, you won't be bothered with alerts unless you are in the habit of running unknown applications.

Nice one thanks!

Had to add C:/ as a Folder initially under Protected Files and then changed that to ?:* as in the attached. Is that right? Just double checking.

Thanks for the help.

Cruelsister states CIS gets bypassed when only using HIPS in Safe mode:

It goes without saying that by making modifications from stock settings a HIPS can be made stronger, but that's beside the point.

@cruelsister: did you also disable script analysis when you did the HIPS-only analysis?

Great information, thank you.

Just to be sure…
Does HIPS mode matter when applying futuretech's HIPS settings to make it stronger?
I mean, do those HIPS settings work for all HIPS modes in the same way?

I am assuming CS was referring to a system with stock unmodified HIPS settings? Versus your mods. So we want to make sure we are comparing apples to apples. I have containment on but am interested in these HIPS adjustments as an accompaniment to everything else CIS or CFW offers, not as a replacement.

I'm missing something here. I go into Settings > HIPS > Protected Objects > Protected Files and when I try to add a file, it prompts me to select an actual file on the system. How do you add ?:* under protected files?

HIPS can protect you by protecting the system but in a different way than auto-containment. CruelSister mentioned about the HIPS for those who prefer HIPS over Containment as indicated in her post.

But FutureTech has a point. HIPS can protect the system as well as Containment if you add in the extra rules to protect the whole drive. You'll also get a notification if a trusted application goes rogue or interacts with an untrusted/unrecognized file. (e.g. if a trusted game launcher tried to communicate with an untrusted game main .exe file, you get a pop-up to warn you and the option to block that activity)

I think that made sense. Anyway, I like a combination of the two as HIPS adds a layer of protection.

I needed to just select one of the drives and then modify the rule by changing the drive letter to a ? after the rule has been created. As I mentioned in my other post earlier. This is also to protect drives you add to the system.

Anyway, I got to be up in a couple hours…

I see:
file groups
folders
files
running processes
No way to add a whole drive I can see.
EDIT: OK apparently by adding a folder I was able to just select the C drive and hit OK. It saved it; then as you said substitute out the drive letter with a ? via edit.

Ok so by adding ?:* to HIPS protected files, we are able to block this ransomware by responding to the HIPS alert with either BLOCK or BLOCK AND TERMINATE? Whereas before only BLOCK AND TERMINATE would stop it?

I hope cruelsister stops by and answers this question.

HIPS itself includes a number of important objects and folders to protect by default. Adding in FutureTech's rules just ensures the whole drive, extra registry components and additional COM interfaces are protected by the HIPS mechanism.

Containment works separately. It's apples and oranges I guess, but auto-containment is the easiest to use and mine's always set to "Restricted" for any unknowns, but you can just set it to Block things as shown in CS's videos :slight_smile:

I don't know whether the paid version still has that $500 guarantee, but it used to be you had to do a full scan and activate HIPS in Safe Mode for the guarantee to work.

Anyway, loving that CruelSister is back and glad Comodo protects us so well :smiley:

Script Analysis has no effect either way on the mechanism of action of this ransomware.

Also, to clarify what happens if you choose to add things to the Protected objects list in HIPS settings, one can certainly protect the entire drive as noted above, or one can just protect individual folders. For instance, just protecting the Pictures folder and running the ransomware file that I discussed above will result in a (red) HIPS popup that states a file is attempting to Modify a protected File or Folder; you will get this popup for EVERY file that is in that directory, and choosing just Block will not allow the ransomware to make any changes to these files.

On the other hand, protecting the Photos directory but NOT the Documents folder and hitting Block at all the HIPS prompts will result (as before) in all the Photos being unchanged but ALL the Documents will be encrypted.

Hope this helps,

m

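The coverage point made in the post above (protect only the Pictures folder and Documents is still encrypted; protect `?:*` and every file on every drive is covered) comes down to which paths the Protected Files patterns actually match. The following is an added example, not code from the original thread or from Comodo: a small matcher for the wildcard patterns the thread uses, run over constructed sample paths, so the gap between a folder-only rule and the `?:*` rule is visible before a sample is ever run. It assumes (this is an assumption, not documented Comodo behaviour) that `*` matches any run of characters including backslashes, `?` matches exactly one character, and matching is case-insensitive. The `SAMPLE_PATHS`, `PICTURES_ONLY`, `ALL_DRIVES` and `REGISTRY_PATTERNS` names are constructed for the demonstration.

```python
import re
from typing import Dict, List

# --- constructed sample data (not from the original thread) ---
SAMPLE_PATHS = [
    r"C:\Users\alice\Pictures\holiday.jpg",
    r"C:\Users\alice\Documents\taxes.docx",
    r"D:\Backup\archive.zip",
    r"C:\Windows\System32\drivers\etc\hosts",
    r"\\fileserver\share\report.xlsx",      # UNC path, has no drive letter
]

# A folder-only rule, as in "just protecting the Pictures folder".
PICTURES_ONLY = [r"C:\Users\alice\Pictures\*"]
# The whole-drive rule discussed in the thread.
ALL_DRIVES = [r"?:*"]
# The registry pattern mentioned in the thread.
REGISTRY_PATTERNS = [r"*\Software*"]


def pattern_to_regex(pattern: str) -> "re.Pattern[str]":
    """Translate a HIPS-style protected-object pattern into an anchored regex.

    Assumed wildcard semantics (not taken from Comodo documentation):
    '*' matches any run of characters, including path separators;
    '?' matches exactly one character; comparison is case-insensitive.
    """
    parts: List[str] = []
    for ch in pattern:
        if ch == "*":
            parts.append(".*")
        elif ch == "?":
            parts.append(".")
        else:
            parts.append(re.escape(ch))
    return re.compile("^" + "".join(parts) + "$", re.IGNORECASE)


def is_protected(path: str, patterns: List[str]) -> bool:
    """True if any pattern in the list covers the given path."""
    return any(pattern_to_regex(p).match(path) for p in patterns)


def coverage_report(patterns: List[str], paths: List[str]) -> Dict[str, bool]:
    """Map each path to whether the rule set would protect it."""
    return {path: is_protected(path, patterns) for path in paths}


def uncovered(patterns: List[str], paths: List[str]) -> List[str]:
    """Paths a ransomware sample could still modify under this rule set."""
    return [p for p, ok in coverage_report(patterns, paths).items() if not ok]


if __name__ == "__main__":
    for label, rules in (("Pictures only", PICTURES_ONLY), ("?:* (all drives)", ALL_DRIVES)):
        print(f"{label}: uncovered -> {uncovered(rules, SAMPLE_PATHS)}")
    run_key = r"HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run"
    print("Run key covered by *\\Software*:", is_protected(run_key, REGISTRY_PATTERNS))
```

Two things the report makes concrete under these assumed semantics: the folder-only rule leaves Documents and the second drive untouched, which is exactly the "Photos unchanged, Documents encrypted" outcome described above, and `?:*` covers every drive letter but not a UNC path, because the second character of `\\fileserver\...` is not a colon. Mapped network shares that are reached by UNC name rather than a drive letter would need their own entry.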

We told you that Comodo can be fully bypassed with both sandbox and HIPS!
And nobody bothered to contact us… except a 3-letter agency who now has our code ($)!

one small example of attack is done via chromium engine based browser, and nope cis canā€™t do anything about it !
dope cis can be stripped down of hips and sandbox
hehe even stop all services we can uninstall it and turn a plane around in your system(s)!

the secret is the access memory !

please erase my account here… this company and its product is going to be bombarded!
bye

Can it??? ???
I have missed that part, could you please forward more info about this?

Nothing like a troll to brighten up a Friday evening @ro.edi LOL.

Anyway, added FutureTech's tweaks to HIPS and no performance impact :wink:

Thanks for clarification @Cruelsister :smiley:

Has drunk too much coffee I guess…