Is CIS Set to Limited Vulnerable To Certain Types Of Ransomware

Okay, I want to make a separate topic just for this question. The question is that if the only change you make to CIS is to change the level of the behavioral analyzer to Limited are there any types of ransomware which can bypass it?

I am aware that partially limited already blocks most, but I also know that some are able to bypass it. At the moment I’m not entirely sure whether limited is able to block all that are known, or whether other changes need to be made.

By the way, I am aware that adding the rule “?:*” will protect against all types of ransomware, but I am trying to avoid using that rule. Thus, I would like to know whether anyone has found any ransomware which is able to encrypt files if run under limited.

If limited is vulnerable, then what is the lowest setting the behavioral blocker can be set to in order to fully protect the computer?



The question is, does ?:* even do anything if HIPS isn’t checked in the settings…

I’m not sure. Good question.

Can someone check this in addition to seeing how it does against ransomware at different settings?

I would think so, since HIPS rules are still used even if HIPS is disabled.

If BB is set to Limited, it will block ransomware from accessing the files. No special configuration change is needed.

What is the downside to this? I assume if there wasn't any, Limited would be the default. Thanks.

The downside is it can cause some unknown programs to malfunction. Like CIS 4.x.


Please see this video… Congratulations to Comodo Team (:CLP)
This sample could bypass the CIS5 auto Sandbox on Untrusted. But it cannot bypass the CIS6 BB on Limited.
My settings for this test:
Configuration: Proactive
AV: Disabled
HIPS: SafeMode
BB: Limited
And no special configuration

Download video

Thanks egemen. Excellent work :-TU

Yes, and Partially Limited is very good for the majority of users in terms of both protection and usability.

As for the few problems with Partially Limited, like some ransomware bypassing it, the upcoming malware reversal technology in the subsequent version 6 will fill the gap, or will be a great addition to Partially Limited.

Yes, virus reversal will be great, and don't forget about the local BB. I think it will be more like Mamutu; hopefully it's as strong or stronger.

What about setting the "Untrusted" level in BB? The same result as in 5.10 or not? ???

No, you shouldn’t need to add any extra rules to protect against ransomware. Just changing it to limited is probably enough.

I know about 'Limited', thanks. But I only use 'Untrusted'. In version 5.10, 'Untrusted' fails to protect you without adding any rules ("Could bypass the CIS 5 Auto-Sandbox on Untrusted. But it cannot bypass the CIS 6 BB on Limited."). I wondered if in version 6 it might be different somehow. I only want to know about the 'Untrusted' level in BB version 6. So I take it that without any rules it fails as well, unless you change it to 'Limited'.

Yes, Untrusted will also protect without modifications. Limited and other lower restriction levels will protect.

I see. Thank you. Limited and other "lower" (you mean: higher?) restriction levels will protect.

He meant Limited, Restricted and Untrusted :wink:

Yes just checking. I only like to be 100% sure ;D :-TU

One more question. How come the 'Untrusted' level without rules fails to protect you in version 5.10, but in version 6 the 'Untrusted' level does protect you? What's so different?

They have reworked what was the auto-sandbox in V5 into the behavioral blocker in V6. They are very similar, but some of the protection settings have been tweaked (among other changes). Therefore, V6 should be able to protect much better against keyloggers and ransomware, which was somewhat of a weak point with V5.

Thus, with V6 you do not need to raise the restriction level as high as you did in V5 in order to achieve the same amount of security. (Admitting of course that V6 does protect against ransomware without the need to create complicated rules, which was required in V5.)