Malware Encryptors Redux

Although I feel that testing an initial Beta of a security program may be unfair, I really wanted to check one thing out stat, and that is how CIS6 would deal with a type of malware that it had problems with in the past: ransomware encryptors (aka GpCode).

First off I tried to find a recent sample, to no avail. Fortunately I had a few samples from our Zoo. I picked one and ran it:

1). Being an old sample, as soon as I ran the sample the AV popped up informing me that the sample was a trojan. Fine. So I then shut off the AV and ran the sample again:

2). On run, the Cloud scanner popped up telling me that the sample was a trojan. So it seems the cloud scan works with or without the actual AV activated. Fine. So I now (with the AV still deactivated) blocked all network activity. I reran the sample:

3). With CIS6 at default settings, files were encrypted. Fail.

4). Running the sample in Virtual Kiosk, files were encrypted. Fail.

Am hoping that the former workaround can be included stock in subsequent betas.

How can VK be failure?
It is fully virtualized and after restart everything is deleted.

1. You can add this line to the protected files.

2. Or you can switch the restriction level to “fully virtualized”.

Again, was hoping that in following Betas the workaround will be added by default.

How exactly can I add ‘?:*’? I’ve created the ‘All Files’ group, but when I add that line (Add->Browse Files), I get a message: “The file name is not valid.”

To be honest, this is a massive letdown. The only reason why I was trying to use CIS was the ability to generically block these encryptors. Seeing CIS fail when signatures don’t catch it doesn’t bring all that much confidence.

Btw, have you used Partially Limited or Limited? Some say Limited should block it but I’ve never had a chance to try…

You can pick any file first.

Then you can rename the rule by double clicking on it.

Limited should work.

I got a FBI ransomware sample to test out later.

Good man! :wink: Thank you! :-TU

But what I’m thinking is, when we upgrade to another version of the Beta, we will have to add the setting again.

I’m not 100% sure if I’m right; that is why I threw that question out there.

There is a difference between “should” and “does”. Have you tried it? In CIS5, only special rules worked, increasing the level didn’t. Except the last one which blocks execution entirely…


In my understanding it’s only partially limited that is vulnerable. Thus, there is no need to add complicated rules like “?:*”. Just switch it to limited and get on with your day.

Also, if something is virtualized it will be able to do a lot of bad things to other things in the sandbox, but not to files on the real computer. That is intended behavior.

1. I tested the a.bat:

@echo off
del d:\a.txt

2. The logs are attached.

3. The restriction level, limited, can block this.

4. In V5, it cannot block it.

5. Is there any improvement for blocking the “direct disk access”?

[attachment deleted by admin]
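As an added illustration of the methodology behind the tests in this thread (the encryptor run in the first post and the a.bat deletion test above), here is a small canary-file harness. It is not code from the thread or from Comodo: it plants known files, records their SHA-256 hashes, runs some action, and then reports which files on the real disk went missing or were modified, which is the question "did the sandbox level actually contain it?" boils down to. The two actions it runs are constructed stand-ins (one touches nothing, one deletes and overwrites a canary) so it runs offline with no sample involved; `?:*`-style rules and restriction levels are assumed to be applied outside this script.

```python
import hashlib
import tempfile
from pathlib import Path
from typing import Callable, Dict, List

# Constructed content for the canary files; any fixed bytes work.
CANARY_CONTENT = b"canary document - constructed test content\n"
CANARY_NAMES = ("a.txt", "report.docx", "photo.jpg")


def sha256_of(path: Path) -> str:
    """Return the hex SHA-256 of a file's bytes."""
    return hashlib.sha256(path.read_bytes()).hexdigest()


def plant_canaries(root: Path, names=CANARY_NAMES) -> Dict[str, str]:
    """Write known files under root and return {name: sha256} as the baseline."""
    root.mkdir(parents=True, exist_ok=True)
    baseline = {}
    for name in names:
        p = root / name
        p.write_bytes(CANARY_CONTENT + name.encode())
        baseline[name] = sha256_of(p)
    return baseline


def check_canaries(root: Path, baseline: Dict[str, str]) -> Dict[str, object]:
    """Compare the current on-disk state against the baseline.

    Returns lists of missing, modified and intact canaries plus a single
    'contained' verdict: True only if every canary survived unchanged.
    """
    missing: List[str] = []
    modified: List[str] = []
    intact: List[str] = []
    for name, expected in baseline.items():
        p = root / name
        if not p.exists():
            missing.append(name)          # deleted, as in the a.bat test
        elif sha256_of(p) != expected:
            modified.append(name)         # rewritten, as an encryptor would
        else:
            intact.append(name)
    return {
        "missing": missing,
        "modified": modified,
        "intact": intact,
        "contained": not missing and not modified,
    }


def run_containment_check(root: Path, action: Callable[[Path], None]) -> Dict[str, object]:
    """Plant canaries, run the action against the real directory, then verify."""
    baseline = plant_canaries(root)
    action(root)
    return check_canaries(root, baseline)


# Constructed stand-ins for the two outcomes discussed in the thread.
def simulated_contained(root: Path) -> None:
    """A sandboxed action whose writes never reach the real directory."""
    return None


def simulated_escape(root: Path) -> None:
    """An action that reaches real files: deletes one, overwrites another."""
    (root / "a.txt").unlink()
    (root / "report.docx").write_bytes(b"overwritten - constructed stand-in")


def demo() -> Dict[str, Dict[str, object]]:
    """Run both stand-ins in a fresh temp directory and return both reports."""
    base = Path(tempfile.mkdtemp(prefix="canary_"))
    return {
        "contained": run_containment_check(base / "contained", simulated_contained),
        "escaped": run_containment_check(base / "escaped", simulated_escape),
    }


if __name__ == "__main__":
    for label, report in demo().items():
        print(label, report)
```

To reuse this against a real test, point `run_containment_check` at a directory on the real disk, replace the action with whatever launches the sample under the restriction level being evaluated, and read the `contained` verdict afterwards; canaries that only vanish inside Virtual Kiosk and reappear on the real disk after a restart would count as intact, which matches the intended behaviour described above.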

I tested it on gpcode.

Not really. Any other security product would do much worse. In a ‘real world’ you won’t disable your AV. And Comodo AV will catch it. Very rare it won’t esp with max settings in the AV. Well how about using ‘blocked’ sandbox? The ones who will fail will be the encryptors. You can enable it back to normal in a ‘safe zone’.

It’s a shame that you need to add rules in version 6 again to protect against encryptors like in 5.10. But it’s no biggie.

But you don’t need to.

Just change the level to limited.

Well you can’t always rely on signatures, and the main point of the sandbox is to isolate malware, but it fails to do so with the most pesky class of encryptors.

Ok, switching on “limited” does protect users, but talking about the second test Cruelsister didn’t say if the files encrypted were in Virtual Kiosk or not. In the first case it is expected; in the second one it is a big/dangerous bug…

If as Chiron says it is blocked on the “Limited” setting, then there’s an argument for the default setting to be higher, especially if it doesn’t cause widespread issues running safe applications.