I'm using CIS with the auto sandbox set to Fully Virtualized. I'm also using OneDrive for my online backup, which syncs across multiple computers of mine. If I were (if) to get hit with that CryptoLocker virus and it was virtualized by Comodo, would my OneDrive files get encrypted? OneDrive also stores them on the HD when syncing across computers. Just wanting to see if Fully Virtualized is good for this, or another setting like Untrusted or Block?
Depending on the time I switch between these modes.
I think untrusted or blocked increases the level of security.
I also use HitmanPro.Alert with CryptoGuard; it works great.
http://www.surfright.nl/en/cryptoguard
Some information and discussions about ransomware:
https://forums.comodo.com/leak-testingattacksvulnerability-research/about-a-ransomware-t96429.0.html
Another interesting reading:
Cyber-Hygiene Best Practices to Stay Protected from Ransomware
Thanks for the links, I think I'll set the auto sandbox to Block.
I haven't tested it, but while it probably would encrypt the files in the OneDrive directory (hang on, let me finish), the original files would be left alone and no encrypted files would be synced.
My reasoning for the above: when you run a program in the FV sandbox it is not allowed to make changes to the real system (unless certain files/folders are set in exclusions). So let's say you have a ransomware that encrypts all files. When it tries to encrypt C:\Example\Example.pdf, the actual file would be left alone and the encrypted file would be stored in C:\VTRoot\HarddiskVolume?\Example\Example.pdf (? is a number, but I don't know what number means what; 3 may mean C). However, FV sandboxed programs think that the latter file is located in the first location, while it really isn't. So to summarize: the actual files in the OneDrive folder will be left alone and no encrypted files would be synced to the cloud, the exception being if the OneDrive executable was run in the FV sandbox, since it would then believe that the encrypted files are in the OneDrive directory and hence would upload them.
Hope that helps, or at least makes sense.
Thanks Sanya IV Litvyak, that's what I wanted to find out: whether the encrypted files would be synced online to the OneDrive account and all my other computers. I feel better hearing that and running Fully Virtualized.
When you say running the OneDrive executable in the FV sandbox, do you mean the OneDrive install file?
I don't know how you have it installed. I have Windows 8.1 Update 1, and hence it is installed by default with the OS. The way OneDrive works (regarding syncing) is that it has a process running in the background that checks the status of the OneDrive folder, and if a change is detected then it syncs it (I think, not entirely sure; the point is that there is a process that does the work). In Windows 8.1 Update 1 that process is called SkyDrive.exe (since OneDrive was previously called SkyDrive), and for me it is located in C:\Windows\System32\skydrive.exe.
However, if you are running an earlier version of Windows then you might have installed OneDrive from Microsoft; in that case I'm not sure what the executable is called or where it is located. I honestly don't know if they have any such installer, but since you reference an install file I would assume they do. No, I am not talking about the install file, but rather the executable that it installs.
Regarding running OneDrive in the FV sandbox: you will most likely NEVER manually run it in the FV sandbox. My point is that if for some reason a Fully Virtualized program tried to launch the OneDrive executable, then it would also sync the encrypted files, if that makes sense?
Let me explain with a time line:
First, a scenario where the encrypted files won't be synced:
1. You accidentally download and run a malware.
2. The malware is unrecognized and hence auto-sandboxed by CIS as Fully Virtualized (as that is what you have it set to).
3. The malware turns out to be a ransomware which encrypts your files.
4. The malware tries to encrypt C:\Users\Sanya\OneDrive\* (using my own folder as an example).
   However, since the malware is run FV sandboxed, the actual files in C:\Users\Sanya\OneDrive are left intact and the encrypted files are located in C:\VTRoot\HarddiskVolume3\Users\Sanya\OneDrive.
5. OneDrive is run outside of the FV sandbox and sees the normal files in C:\Users\Sanya\OneDrive instead of the encrypted files.
Now, a scenario where the encrypted files MIGHT be synced:
1. You accidentally download and run a malware.
2. The malware is unrecognized and hence auto-sandboxed by CIS as Fully Virtualized (as that is what you have it set to).
3. The malware turns out to be a ransomware which encrypts your files.
4. The malware tries to encrypt C:\Users\Sanya\OneDrive\* (using my own folder as an example).
   However, since the malware is run FV sandboxed, the actual files in C:\Users\Sanya\OneDrive are left intact and the encrypted files are located in C:\VTRoot\HarddiskVolume3\Users\Sanya\OneDrive.
5. For some inexplicable reason the malware tries to launch C:\Windows\System32\SkyDrive.exe, and since the malware is in the FV sandbox, the new SkyDrive.exe process will also be started as Fully Virtualized.
6. OneDrive is now run inside the FV sandbox and sees the encrypted files in C:\Users\Sanya\OneDrive instead of the normal files!
   When the FV sandboxed OneDrive process checks for the files in C:\Users\Sanya\OneDrive, it will actually see the files in C:\VTRoot\HarddiskVolume3\Users\Sanya\OneDrive (assuming there are files in the VTRoot folder); however, it will think that the files are actually in C:\Users\Sanya\OneDrive (this is the CIS FV sandbox fooling it).
I hope that makes sense.
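The two timelines above, as an added toy model (not Comodo's or Microsoft's code): an in-memory disk where a sandboxed process's writes are diverted to a copy under C:\VTRoot\HarddiskVolume3\ and its reads are served from that copy, while non-sandboxed processes see the real file. The "ransomware" is a constructed stand-in that only wraps file contents in a marker, and the sync client is a constructed function that reads whatever it is shown in the OneDrive folder.

```python
"""Toy model of Fully Virtualized (FV) sandbox path redirection (constructed)."""
VTROOT = "C:\\VTRoot\\HarddiskVolume3\\"   # shadow root assumed for drive C:


class ToyVirtualizedDisk:
    def __init__(self, files):
        self.files = dict(files)          # path -> contents of the "real" disk

    @staticmethod
    def _shadow(path):
        # C:\Users\... -> C:\VTRoot\HarddiskVolume3\Users\...
        return VTROOT + path[len("C:\\"):]

    def read(self, path, sandboxed):
        # A sandboxed process is fooled: if a shadow copy exists, it sees that
        # instead of the real file, although it believes it read `path`.
        if sandboxed and self._shadow(path) in self.files:
            return self.files[self._shadow(path)]
        return self.files[path]

    def write(self, path, data, sandboxed):
        # Sandboxed writes never touch the real file; they land under VTRoot.
        target = self._shadow(path) if sandboxed else path
        self.files[target] = data


def simulate_file_encryptor(disk, folder, sandboxed):
    """Constructed stand-in for ransomware: rewrites every file in `folder`."""
    for path in [p for p in disk.files if p.startswith(folder)]:
        disk.write(path, "ENCRYPTED(" + disk.read(path, sandboxed) + ")", sandboxed)


def sync_client_upload(disk, folder, sandboxed):
    """Constructed model of SkyDrive.exe: returns what it would upload."""
    return {p: disk.read(p, sandboxed) for p in disk.files if p.startswith(folder)}


def run_scenario(sync_inside_sandbox):
    """Returns (what the sync client uploads, the real on-disk contents)."""
    folder = "C:\\Users\\Sanya\\OneDrive\\"
    disk = ToyVirtualizedDisk({folder + "notes.txt": "hello",
                               folder + "tax.pdf": "pdf-bytes"})
    # The unrecognized program is auto-sandboxed as FV in both timelines.
    simulate_file_encryptor(disk, folder, sandboxed=True)
    uploaded = sync_client_upload(disk, folder, sandboxed=sync_inside_sandbox)
    real = {p: c for p, c in disk.files.items() if not p.startswith(VTROOT)}
    return uploaded, real
```

With the sync client outside the sandbox (the first timeline) it uploads the untouched originals; launched inside the sandbox (the second timeline) it uploads the shadow copies, even though the real files on disk are intact in both cases.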
It makes sense. I'm running Windows 8.1, all up to date on all my machines, so I should be fine. Thanks again.