Comodo FW 10 VS Wannacry.....

Many countries in the world have been attacked by this malware in the last 24 hours… much damage.
Could they avoid it?
The answer is: Yes, they could.

I was curious: is the firewall able to clean and recover files from an infected machine?

Some suites provide free tools, but they do not work most of the time (trojancrypt)

It prevents the encryption, much better than repairs :wink:

I know Comodo FW can prevent the encryption with the auto-containment function.
However, I’m curious if encryption of files in “protected data folders” can be prevented with HIPS enabled alone?

Protected data folders are only for contained applications to prevent read access to what is set in protected data folders.

I read the guide and found that “Protected Files” may be the right place, as it mentions that
"If a file is ‘Protected’ it can still be accessed and read by users, but not altered. "
So I tried to add a folder under the list, but I can still modify a text file in the folder. Am I misunderstanding the guide about “protected files”?

Protected data files only protect your data from unknown files, that is, any app running in the sandbox or unknown to CIS. It does not protect your data from the user.

That’s what I understood initially, but the guide mentions that
"If you add a file to ‘Protected Files’, but want to allow a trusted application to access it, then you can create an exception. Refer to the section Exceptions for more details about how to allow access to files placed in Protected Files. "
It looks like it is also protected against known (trusted) apps. I think the guide is misleading, and that made me wonder whether the guide for “Protected data folders” is correct or not, as I believed initially that files under the “Protected data folders” list should also be protected against unknown apps without auto-containment.

I am using the Protected Data Folders to make sure malware cannot have read access to my document folders and browser data, to mitigate the risk of malware stealing my data. Based on my testing I have confirmed that Protected Data Folders also applies to contained applications which are trusted, as Firefox does not work properly in containment with browser cache/cookies/profiles in the protected folders category. These appear to work even though technically I have disabled HIPS. HIPS still works in the background when disabled.

On the other hand, the Protected Files category prevents the files/folders which are defined in the ruleset from being modified or deleted. I personally would like these two features to be merged into one, in which the user can decide what to block without having to navigate between Protected Data Folders for read access and Protected Files for modification and write access, allowing the user to block both or allow access for a specific app in a convenient manner if desired.

So using either protected files or data folders should be able to stop ransomware activity. Protected data folders might still allow the ransomware to create its help files within the folders, but it won’t be able to read any of the files in the folder and therefore not be able to modify them, in theory at least. It is important to note that some ransomware also encrypts other files and executables, so I would advise that you only use these features to supplement the containment technology of Comodo and not rely on the HIPS. Even if you block, terminate, and reverse for HIPS, it does not reverse deleted or modified files to their original state at this time.

IMO, the Protected Data Folders is best used for protecting sensitive data which may be stolen by malware. The Protected Files is mainly used to protect critical system resources and is best left alone, since containment discards any file system changes anyway, at least with containment enabled.

EDIT: I’m not sure if unknown applications running outside containment are subject to HIPS rulesets when HIPS is disabled, as HIPS still functions in the background when disabled, although I’m assuming that if HIPS is enabled, it would be like the old versions of Comodo before they had sandbox, where a HIPS popup will occur when an unknown application is trying to modify a protected file.

Just done some tests.
I can confirm that an unknown application can modify a protected file in the “Protected Data Folder” list with HIPS enabled but auto-containment disabled. Hence files in “Protected Data Folder” are unprotected with auto-containment disabled. So the guide for “Protected Data Folder” is fine. However, it is strange that “Protected Data Folder” is grouped as a sub-setting in the HIPS settings though it is not protected by HIPS. I think it is better to 1. alert on modification of files in the “Protected Data Folder” list with HIPS enabled but auto-containment disabled, or 2. move the “Protected Data Folder” sub-setting to the Containment settings. Of course, I would prefer 1 more than 2.

And I also think someone should amend the guide for “Protected Files” to avoid confusion.
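A repeatable version of the manual test described in the post above, added here as an example (it is not Comodo's code nor any poster's). Run it as an application CIS has not classified as trusted, pointing it at a folder you have listed under Protected Data Folders or Protected Files, once with auto-containment enabled and once with only HIPS enabled, and compare the two reports. "denied" means the operation raised PermissionError; "missing" means the file or folder could not be found, which is what you would expect inside the container's virtual file system. The file names and sample content are constructed for this example.

```python
"""Probe read / modify / create / delete access to files in a folder.

Added example, not Comodo's or any poster's code. It makes the manual
Protected Data Folders / Protected Files test from the thread repeatable so
the HIPS-only and auto-containment runs can be compared side by side.
"""
import os
import shutil
import sys
import tempfile
from pathlib import Path

SAMPLE_NAME = "cis_probe_sample.txt"    # constructed name of the file we read/modify
CREATED_NAME = "cis_probe_created.txt"  # constructed name of the file we try to create


def _attempt(operation):
    """Run one file operation and classify the outcome as a short status string."""
    try:
        operation()
        return "ok"
    except PermissionError:
        return "denied"      # access blocked (e.g. by a HIPS / Protected Files rule)
    except FileNotFoundError:
        return "missing"     # file or folder not visible to this process
    except OSError as exc:
        return f"error:{exc.errno}"


def prepare_sample(folder):
    """Write the constructed sample file into `folder` (do this as a trusted app)."""
    sample = Path(folder) / SAMPLE_NAME
    sample.write_text("sample document content\n")
    return sample


def probe_folder(folder):
    """Return {'read', 'modify', 'create', 'delete'} -> status for `folder`."""
    folder = Path(folder)
    sample = folder / SAMPLE_NAME
    created = folder / CREATED_NAME

    def modify():
        # Append in place: the access the guide says Protected Files blocks.
        with open(sample, "ab") as fh:
            fh.write(b"# appended by probe\n")

    # Dict literal values are evaluated in order, so create runs before delete.
    return {
        # Read of an existing file: the access the guide says Protected Data Folders blocks.
        "read": _attempt(sample.read_bytes),
        "modify": _attempt(modify),
        # A new file next to the data, like the "help files" ransomware drops.
        "create": _attempt(lambda: created.write_text("created by probe\n")),
        "delete": _attempt(created.unlink),
    }


def demo_in_temp_folder():
    """Self-test on an unprotected temp folder plus a folder that does not exist."""
    root = tempfile.mkdtemp(prefix="cis_probe_")
    try:
        prepare_sample(root)
        unprotected = probe_folder(root)
        absent = probe_folder(os.path.join(root, "no_such_folder"))
    finally:
        shutil.rmtree(root, ignore_errors=True)
    return unprotected, absent


if __name__ == "__main__":
    if len(sys.argv) < 2:
        print(f"usage: {sys.argv[0]} <folder>   (folder must already contain {SAMPLE_NAME})")
        print("self-test on an unprotected temp folder:", demo_in_temp_folder())
    else:
        for action, status in probe_folder(sys.argv[1]).items():
            print(f"{action:7s} {status}")
```

Run `prepare_sample` from a trusted shell first so the sample file exists, then launch the probe as the untrusted application. On a folder that is not protected every row reads `ok`; a Protected Files rule should turn `modify` (and usually `delete`) into `denied`, while inside the container the whole folder should report `missing`.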

Ah, so blocking read access does not protect files from being modified at all, but only in the case where an unknown application is not running in the container (see this: Protected Data Files And Folders, Virus Protection Programs, Comodo Internet Security). The guide states that Protected Data Folders are invisible to contained apps and therefore also blocks modification (for both unknown and trusted in container), so theoretically ransomware shouldn’t even be able to modify the files provided in the virtual file system. But if an application is running outside the container, the guide says that it allows write access by “other known/trusted programs.” If you want to totally conceal a data file from all the contained programs but allow read/write access by other known/trusted programs, then add it to ‘Protected Data Folders’. This should imply that unknowns outside the container still should not be able to read/modify, so I think that the guide should be edited or Comodo should make this apply to unknowns outside the container as well.

Since Protected Data Folder is only for blocking read access and not modification, I don’t think it makes sense that HIPS should alert for modification of files within that folder, it would only make sense for HIPS to alert for the read access to that folder. The Protected Files feature is the one that should be alerting to file modification, as it blocks write access according to Comodo Help Guide: Protected Files, PC Files, Folders Protection From Malicious Software | COMODO

I think both Yousername (right?) and I would prefer files in “Protected Data Folders” be protected from unknowns outside the container with HIPS enabled. I agree that Yousername’s suggestion for blocking read access looks more natural, and I hope this capability can be added in future CIS development.

FW (Firewalls) do not “prevent encryption or auto-containment function,” the essential and core function of a Firewall is to prevent an(y) application from communicating with outbound systems.

HIPS (Host-based Intrusion Prevention System) prevents applications, essentially malware and viruses, from digging deep into a system and securing its function to wreak havoc. So in your words “prevents encryption and auto-containment function,” this is the essential role of both HIPS and AV products. HIPS is what will prevent, in this case, the WannaCrypt exploit from executing the modified header containing the Ransomware code and its essential functions.

WannaCrypt is not Ransomware. Hackers/scriptkiddies inject a header into the old WannaCrypt exploit with code to encrypt your data in exchange for decrypting it for payment… which is aka Ransomware/Fraud/PrisonForLife code, which ought to be, if these dumb kids are caught, publicly executed… just dumb stupid kids.

I’ll repeat. Firewalls have absolutely nothing to do with viruses’ or malware’s ability to process its core functions on a system. The only caveat is unless those malware functions include a requirement to communicate with an outside system to download a header to secure a system. Still, a Firewall does not prevent malware from executing its functions.

Again, a Firewall’s main function is to prevent applications from communicating between systems. Absolutely nothing to do with HIPS or the complete protection from malicious tools, especially when some users have no idea about an application’s specific roles or how to operate them.

He meant that the entire Comodo Firewall application as a whole can prevent encryption, which in addition to a firewall of course also includes hardware-assisted virtualization of non-whitelisted files and HIPS.