Is there a good way to make CIS prevent any of those attacks? How does Cryptowall usually intrude into a system? As a file attachment in emails? Or through “drive-by” surfing? And what is the best way to monitor attempts at secret encryption by those ransomware programs? :-[
Activating Proactive configuration will be enough to protect you, if you want added protection you can add C:\Users* and \Device\KsecDD to the protected objects list. If you want alerts for unknown applications then you must disable the auto-sandbox and have HIPS set to at least Safe Mode, otherwise all unknown applications will be sandboxed as fully virtualized and unknown/installers will generate an unlimited access alert.
Use Comodo Ice Dragon browser
Implement NoScript plugin to block JavaScript at all sites
Only permanently allow JavaScripts necessary for top-level domain of web-sites you implicitly trust to function
Unless necessary for functionality / bare minimum convenience, implement selective temporary allow permissions for JavaScripts otherwise
NEVER globally allow 150 JavaScripts from who knows where on 50 different 3rd party servers doing who knows what on ANY web-page
Once you figure out the SPECIFIC JavaScripts necessary for the base functionality of web-sites you trust to work, make them permanent if you go there a lot
Avoid allowing Google, ButtFace, FaceButt JavaScript like the plague, grin to grimace proportions when ANY Google related JavaScript absolutely must be enabled to enable basic functions of ANY website (knowing full well you’re on the NSA’s radar now)
Grimace even louder when you discover several Google JavaScripts are common across web-sites across the interwebs - smile and wave at NSA - and disabling them breaks web-pages
Ensure that Java is updated to latest version
Ensure that MS’ version of Java is obliterated from system
Disable Java in the browser and only enable when absolutely necessary per session (disable when no longer needed at end of session)
Never update ANYTHING from any site other than at vendor
If a site warns you something is out-of-date, investigate the status at the vendor’s site and obtain updates from vendor or other CDN you explicitly trust
Never open eMail from unknown senders
Never open unsolicited attachments
Always inquire of senders you know whether they sent you unsolicited attachment
use browser in either virtual desktop or in the sandbox
have sandbox set to highest restrictions possible for functionality
enable greatest amount of virtualization possible in sandbox / virtual desktop configuration
Use proactive paranoid mode for HIPS D+
Use custom policy for Firewall rules
disable create rules for safe applications
harden your global rules to protect against ICMP, i.e.,
- allow ICMP in from ANY where ICMP is type NET UNREACHABLE
- allow ICMP in from ANY where ICMP is type HOST UNREACHABLE
- allow ICMP in from ANY where ICMP is type PORT UNREACHABLE
- allow ICMP in from ANY where ICMP is type FRAGMENTATION NEEDED
- allow ICMP in from ANY where ICMP is type NET UNREACHABLE
- allow ICMP in from ANY where ICMP is type 3.10
- allow ICMP in from ANY where ICMP is type TIME EXCEEDED
- allow ICMP in from ANY where ICMP is type 11.1
- block and log ICMP in from ANY where ICMP is type ANY
- allow ICMP out from NIC to DNS where ICMP is type PORT UNREACHABLE
- allow ICMP out from NIC to CO.UK(cmdagent TCP/UDP) where ICMP is type PORT UNREACHABLE
- allow ICMP out from NIC to FORTRESSITX(cmdagent TCP/UDP) where ICMP is type PORT UNREACHABLE
- allow ICMP out from NIC to COMODO.COM(cmdagent TCP/UDP) where ICMP is type PORT UNREACHABLE
- block and log ICMP out to ANY where ICMP is type ANY
get rid of your trusted vendor list
implement a backup strategy that implements full, differential or incremental backup types
implement an image backup
verify your backups
perform regular NTBACKUP system-state backups
know where the registry backups are stored that NTBACKUP system state makes
ensure the recovery console is installed
be able to enter recovery console and restore registry backups that NTBACKUP system state makes
cut the interweb cable from your computer with a chainsaw at the central switch
build a 14" thick steel reinforced granite enclosure around your computer enclosed in a Faraday cage made out of titanium meshed kevlar 50’ below ground
and pray for the best
If things come to worst case, have your installation CDs, activation codes for the O/S and all your applications, DRM, etc and format the system and reinstall from scratch
Thanks for your advice! Btw, is there any testing kit for this kind of attacks? One, that tries to infect files in a test folder? I’d like to see what happens in a case of emergency. :embarassed:
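The monitoring the first post asks about, and the "test folder" idea in the follow-up, can be approximated with canary files: decoy documents nobody edits, whose hashes are recorded and re-checked on a schedule. The following is an added example, not code from this thread or from Comodo; the decoy file names, the `.baseline.json` name and the `.locked` suffix used in the self-test are constructed assumptions.

```python
import hashlib
import json
import tempfile
from pathlib import Path

# Added canary-file monitor (not Comodo's code). Decoys sit in a folder nobody
# legitimately edits; a bulk encryptor rewrites or renames them, which a check shows.
BASELINE = ".baseline.json"

def sha256(path: Path) -> str:
    return hashlib.sha256(path.read_bytes()).hexdigest()

def seed_canaries(folder: Path, count: int = 3) -> dict:
    """Create decoy files and record their hashes; returns the baseline map."""
    folder.mkdir(parents=True, exist_ok=True)
    baseline = {}
    for i in range(count):
        p = folder / f"canary_{i:02d}.docx"  # constructed decoy names
        p.write_bytes(f"canary document {i}\n".encode() * 64)
        baseline[p.name] = sha256(p)
    (folder / BASELINE).write_text(json.dumps(baseline))
    return baseline

def check_canaries(folder: Path) -> list:
    """Compare folder with baseline. Returns (kind, name) findings: 'modified'
    (content changed), 'missing' (renamed/deleted), 'unexpected' (new file)."""
    baseline = json.loads((folder / BASELINE).read_text())
    present = {p.name for p in folder.iterdir() if p.name != BASELINE}
    findings = []
    for name, digest in baseline.items():
        if name not in present:
            findings.append(("missing", name))
        elif sha256(folder / name) != digest:
            findings.append(("modified", name))
    findings += [("unexpected", n) for n in sorted(present - baseline.keys())]
    return findings

def run_selftest() -> tuple:
    """Seed canaries in a throwaway directory, disturb two of them the way a
    bulk encryptor would (rewrite one, rename one), return both check results."""
    with tempfile.TemporaryDirectory() as tmp:
        folder = Path(tmp) / "canary"
        seed_canaries(folder, count=3)
        clean = check_canaries(folder)
        (folder / "canary_01.docx").write_bytes(b"\x00garbled\xff")
        (folder / "canary_02.docx").rename(folder / "canary_02.docx.locked")
        return clean, check_canaries(folder)
```

In production the seed step runs once per user profile folder and `check_canaries` runs from a scheduled task; any non-empty finding list is the alert that something is rewriting user data.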