Although I feel that testing an initial Beta of a security program may be unfair, I really wanted to check one thing out stat, and that is how CIS6 would deal with a type of malware that it had problems with in the past: ransomware encryptors (aka GpCode).
First off I tried to find a recent sample, to no avail. Fortunately I had a few samples from our Zoo. I picked one and ran it:
1) Being an old sample, as soon as I ran it the AV popped up informing me that the sample was a trojan. Fine. So I then shut off the AV and ran the sample again:
2) On run, the Cloud scanner popped up telling me that the sample was a trojan. So it seems the cloud scan works with or without the actual AV activated. Fine. So I now (with the AV still deactivated) blocked all network activity. I reran the sample:
3) With CIS6 at default settings, files were encrypted. Fail.
4) Running the sample in Virtual Kiosk, files were encrypted. Fail.
Am hoping that the former workaround can be included stock in subsequent betas.
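The test above boils down to one question: did files outside the sandbox change after the sample ran? The following is an added example, not code from the original post or from Comodo, showing a safe way to answer that without running a live encryptor. It plants canary files with known hashes, runs a benign stand-in (XOR plus a ".locked" rename, constrained to a directory it created itself; both the stand-in and the directory prefix are my own construction) and diffs the hashes afterwards. To repeat the Virtual Kiosk or Limited/Partially Limited test, you would plant the canaries on the host, run only `simulate_encryptor` from inside the sandbox, and take the second snapshot from the host; if the report comes back empty the sandbox contained the writes.

```python
import hashlib
import os
import tempfile

# Constructed canary files; fixed content so the baseline hashes are reproducible.
CANARIES = {
    "documents/report.docx": b"quarterly report (canary, constructed content)\n" * 20,
    "pictures/holiday.jpg": bytes(range(256)) * 8,
    "notes.txt": b"remember: test the sandbox before trusting it\n",
}


def sha256_file(path):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def snapshot(root):
    """Map every file under root (relative, '/'-separated) to its SHA-256."""
    seen = {}
    for dirpath, _, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            seen[rel] = sha256_file(full)
    return seen


def plant_canaries(root):
    """Write the canaries under root and return the baseline snapshot."""
    for rel, data in CANARIES.items():
        path = os.path.join(root, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "wb") as f:
            f.write(data)
    return snapshot(root)


def diff_snapshots(before, after):
    return {
        "modified": sorted(p for p in before if p in after and before[p] != after[p]),
        "missing": sorted(p for p in before if p not in after),
        "new": sorted(p for p in after if p not in before),
    }


def simulate_encryptor(root, key=0x5A):
    """Benign stand-in for an encryptor (assumption: XOR + '.locked' rename is
    enough to exercise a file-modification check). It refuses to touch anything
    that is not inside a directory created by this script."""
    if not os.path.basename(root).startswith("canary-"):
        raise ValueError("refusing to run outside a canary directory")
    for dirpath, _, files in os.walk(root):
        for name in files:          # 'files' is a list, so edits in place are safe
            if name.endswith(".locked"):
                continue
            full = os.path.join(dirpath, name)
            with open(full, "rb") as f:
                data = f.read()
            with open(full + ".locked", "wb") as f:
                f.write(bytes(b ^ key for b in data))
            os.remove(full)


def verdict(report):
    """The product under test passed only if no baseline canary was touched."""
    touched = report["modified"] + report["missing"]
    return "FAIL: canaries changed" if touched else "PASS: canaries intact"


def run_demo():
    """Unprotected run: the stand-in reaches the canaries, so this must report FAIL."""
    root = tempfile.mkdtemp(prefix="canary-")
    before = plant_canaries(root)
    simulate_encryptor(root)
    report = diff_snapshots(before, snapshot(root))
    return report, verdict(report)


if __name__ == "__main__":
    rep, v = run_demo()
    print(v)
    for kind in ("modified", "missing", "new"):
        print(f"{kind}: {rep[kind]}")
```

The XOR stand-in is deliberately reversible and only ever touches a directory whose name starts with the constructed prefix "canary-"; the point is to test containment and the diff logic, not to produce anything resembling the real sample.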
To be honest, this is a massive letdown. The only reason why I was trying to use CIS was the ability to generically block these encryptors. Seeing CIS fail when signatures don't catch it doesn't bring all that much confidence.
Btw, have you used Partially Limited or Limited? Some say Limited should block it but I've never had a chance to try…
Not really. Any other security product would do much worse. In the 'real world' you won't disable your AV. And Comodo AV will catch it. Very rare it won't, esp. with max settings in the AV. Well, how about using the 'Blocked' sandbox? The ones who will fail will be the encryptors. You can enable it back to normal in a 'safe zone'.
It’s a shame that you need to add rules in version 6 again to protect against encryptors like in 5.10. But it’s no biggie.
Ok, switching on "Limited" does protect users, but talking about the second test, Cruelsister didn't say if the files encrypted were in the Virtual Kiosk or not. In the first case it is expected; in the second one… it is a big/dangerous bug…