Petya / Petya-like ransomware run sandboxed... Protected or not?


I already know that thanks to its autosandbox feature, COMODO can prevent all ransomware encrypting your

I just wanted to know: In case of Petya and other/similar MBR/GPT encryption ransomware, if they are run into sandbox,
will they be able to encrypt the drives?

Thank you

Evjls Rain
Comodo Firewall - Proactive Configurations - petya blocked

Note: Comodo Firewall is more secure with Proactive Configurations then Firewall Configurations
even with the same Sandbox settings

Comodo Firewall 10 Setup

Some core settings i have noticed to be different within the Configurations.

Note, even if HIPS is off in the menu, HIPS is still active in the background.

Internet Security Configuration have more rules in the Settings → HIPS → Protected Objects → e.g Com Interfaces compared to what Firewall Configuration have.

Both Proactive Configuration and Internet Security Configuration have Protected Files → Executables
and Firewall Configuration do not have Executables in Protected Files

Proactive Configuration have more stuff in Settings → HIPS → Protected Objects compared to Internet Security Configuration


Because when running in containment(sandbox) the file running has

Read privilege: so that it can read from the hard drive
File Driver, Registry and COM interfaces are all virtualized…

So…it can read…it can encrypt the file in ram…but when it wants to overwrite over the original file on the hard drive, it fails because it is writing it on the virtual drive we give it. We also virtualize the Registry and COM interface.

or blocked in some cases

in containment mode, they are not blocked. If you choose a more strict policy they can be blocked.

Cocalaur- When speaking of the MBR encryptors, note that Petya comes in 3 versions, each distinguished by the color of the ransom screen- Peta 1 (Red), Petya 2 (Green), and Petya 3 (Yellow- aka GoldenEye); also one should add another popular strain, that being Satana which comes in two main variants.

The effects of each vary with the Configuration and Sandbox levels used. In the case of Comodo Firewall (which I use and love), baseline would be to use firewall configuration and the sandbox at Partially Limited; preferable would be Proactive Security configuration and the sandbox at Restricted (or Untrusted).

In no case for any of the malware at any of the various protection levels is either the MBR or files trashed. The worst that will happen is at the baseline level Satana2 will cause a Windows crash with memory dump but on reboot all will be fine. At the settings that I suggest 4 of the five will error out for various reasons, and the original Petya (Red flavor) will run pointlessly in RAM until flushed from the box or after system reboot.

In short, Comodo will protect you from these in all cases.

Hope that helped,


Thank you all for your feedback :slight_smile:

I run the auto-sandbox in fully virtualized mode.

However, my primary hard drive is not MBR, it’s GPT, the rest are MBR.
I have heard that in case of GPT, petya-like ransomware would render the system unbootable at all,
so it’s good to hear that I am protected against ransomware :slight_smile: .

So far COMODO has not let me down.

The only loophole I can find related to the sandbox would be if an unknown spyware is run sandboxed.
I don’t know if it could still gather data from my computer and upload it to a server, since there is no option that
can disallow network access for sandboxed apps - or set it in prompt mode in the firewall.

Yes, you can stop unknown apps running in containment (sandbox) from making connection to internet…

Coca- There is indeed a Firewall setting to do just what you want it to do. Please look at this video: Comodo Firewall 10 Setup - YouTube

specifically at the 7:53 mark. Enabling this setting will prevent a sandboxed item from network access.

As cruelsister pointed out, you can do what you asked for by enabling the option “Do NOT show popup alerts” and choosing “block requests”.
Just to give you the full picture, if the option “Do NOT show popup alerts” is disable, you will get a pop-up as soon as an unknown app tries to connect the web.

The problem is, at the default “Internet security” configuration, that option is enable, but so that the FW will allow every outgoing connection instead of blocking it… :-\ see attachment from the online help.
Actually, I don’t understand why a default-deny security product comes with a default-allow setting… people here said it’s like this because of usability, especially for novice users, but I still can’t understand the point… with that setting Comodo FW (I’m talking about the FW portion only) does nothing more than what Windows FW does… it blocks incoming connections, but allows outgoing requests :o

Everything written above applies to the FW in “safe mode”, where any trusted app can connect to the internet, while any unknown app will either generate a popup (if “Do NOT show popup alerts” is disable) or be silently blocked/allowed (depending on the setting, if “Do NOT show popup alerts” is enable).
If you switch to “custom ruleset” and “Do NOT show popup alerts” is disable, you’ll get a FW popup for any app (no matter if trusted or not) trying to connect out.
So, in this case, if you enable “Do NOT show popup alerts” → “block requests”, every app will be prevented from connecting the web, even the trusted ones.

I made this wish some time ago, that i think you might like (scroll down for pic)

Melih and cruelsister

Thank you for your feedback :slight_smile: I will check