Protecting Users' Documents, Videos, Pictures, etc. folders [M1548] [M1732]

A. THE BUG/ISSUE (Varies from issue to issue)
Can you reproduce the problem & if so how reliably?:
Yes, very reliably.
If you can, exact steps to reproduce. If not, exactly what you did & what happened:
1: Running Comodo on Proactive profile, HIPS enabled, Containment disabled.
2: Install Ransim Ransomware simulator.
3: Run the test.

One or two sentences explaining what actually happened:
Comodo HIPS mode (HIPS enabled - Safe Mode, Containment disabled) fails against Ransim unless the rule C:\Users* is added to Protected Files at Protected Objects settings.

Additionally, the Run Restricted containment rule (WITHOUT VIRTUALIZATION), either set to Restricted or Untrusted, will fail all tests unless adding C:\Users* and also \Device\KsecDD to Protected Objects - Protected Files.

I also tested Comodo on Proactive profile using Cruelsister’s configuration (RUN VIRTUALLY WITH RESTRICTED LEVEL) and Anti-executable/DefaultDeny configuration (BLOCK UNKNOWNS) and Comodo passes on all Ransomware simulation tests if using said configurations.

One or two sentences explaining what you expected to happen:
I expected HIPS mode and Pure Restrictions settings to pass all of Ransim's tests.
If a software compatibility problem have you tried the advice to make programs work with CIS?:
No and not necessary.
Any software except CIS/OS involved? If so - name, & exact version:

Ransim Ransomware Simulator v1.1.0.7 - Download Link

v1.1.0.7 contains 10 tests in which the reported problem is happening.

Also Ransim Ransomware Simulator v1.1.0.76 - Download Link

v1.1.0.76 contains 15 tests in which the same reported problem is happening.

Any other information, eg your guess at the cause, how you tried to fix it etc:
Adding C:\Users* and also \Device\KsecDD to Protected Objects - Protected Files solved the problem.

B. YOUR SETUP
Exact CIS version & configuration:
CIS V12.0.0.6882 - Proactive Security
Modules enabled & level. D+/HIPS, Autosandbox/BBlocker, Firewall, & AV:
HIPS enabled - Safe Mode, Containment disabled, VirusScope disabled, everything else enabled.

OR

Containment enabled and set to RUN RESTRICTED - Restricted or Untrusted, VirusScope disabled, everything else enabled.

Have you made any other changes to the default config? (egs here.):
Disabled VirusScope.
Have you updated (without uninstall) from CIS 5, 6 or 7?:
No.
if so, have you tried a clean reinstall - if not please do?:
This is a clean install.
Have you imported a config from a previous version of CIS:
No.
if so, have you tried a standard config - if not please do:
Not necessary - see above.
OS version, SP, 32/64 bit, UAC setting, account type, V.Machine used:
Windows 7 Pro SP1 Fully Updated, 64 Bit, UAC Disabled, Administrator Account, Real System.
Other security/s’box software a) currently installed b) installed since OS, including initial trial security software included with system:
a=None. b=None.

Set the installer or executable file as untrusted so you will see the effects. Currently, the simulator installer is marked as trusted, which is why you see this effect.

UAC is interfering with the containment restriction level, which means Partially Limited will be the restriction level that contained applications run at, regardless of the level you set in the auto-containment rule. Otherwise you need to add the pipe symbol "|" at the end of the protected file/folder path to prevent Partially Limited applications from modifying/writing to that protected file/folder path. Because of this limitation, adding \Device\KsecDD to protected files is not necessary.

As for C:\Users* needed to be added to the protected files, it is more of a wish than a bug and such wish enhancement is already logged into the issue tracker. Whether or not they add it is up to them if they see the value in doing so.

I've also tried changing the three main executables of Ransim (Ransim.exe, DataCollector.exe and Launcher.exe) to Unknown, and the tests can't be properly executed.

But Futuretech is right, I forgot about UAC interfering with Restriction level, will test again with UAC completely turned off and report back.

As for HIPS results, I remember testing back with older versions of CIS and HIPS caught the Ransomware simulations without needing to add any rule. Maybe something changed at HIPS Protected Objects in CIS V12?

EDIT: I just tried now with UAC disabled and Pure Restrictions - Untrusted config fail against all tests (10/10 Vulnerable). The .txr files are indeed running as Untrusted level and not as Partially Limited.

Maybe I need to disable UAC through Group Policy Editor or something like that to get a correct result?

I’d also like to point out that this CIS installation is working properly as I’ve tested multiple configurations with Comodo Leak Test (340/340 score with HIPS and Pure Restrictions), Spyshelter Antitest.exe, CheckPoint CheckMe Endpoint Test, and of course Ransim tests were blocked with CruelComodo or Anti-exe Comodo configs. Got a clear score against them all.

Yes it will fail without having the necessary files/folders added to the protected files section. As long as you have C:\Users* added or even better ?:* HIPS will monitor and protect every file and run restricted containment setting will also protect against modification.

Problem is I remember testing back with CIS V10, CIS V11 and HIPS always blocked all of Ransim tests without needing to add any rule. That's why I thought this is maybe a Bug or something changed in the Protected Files of HIPS in CIS V12?

No, the default protected files have been the same since at least v8. What has changed is the Ransim tool version, which is now v1.1 but was probably an older version which operated differently when you tested before.

Indeed, I will see if I can grab some older version of Ransim and test again. Thanks for your input and sorry for taking your time.

You still have a valid wish with adding additional folders to protected files, like %USERPROFILE%\Documents*, %USERPROFILE%\Pictures*, %USERPROFILE%\Videos*, etc. Or the entire %USERPROFILE% directory, I’ll change topic title with bug tracker number and reference this topic with the wish that is logged in the tracker.

Okay so I’ve got an older version of Ransim which contains 15 tests, version v1.1.0.76 and I get the exact same result from testing CIS V12 with v1.1.0.7.

I remember when I tested CIS V10 and V11 with Ransim, I downloaded from the website Baboo.com.br which was serving version v1.1.0.7 at the time.

Use browser search feature to search for “Ransim”. You will notice the version being served there back in 2017 was v1.1.0.7 which is the same from MajorGeeks download link.

Also, in this topic at Malwaretips, there is a user mentioning Comodo V10 HIPS blocked all of Ransim tests. I presume this user has not added any rule to HIPS Protected Objects.

So unless we can test this with CIS V10 or CIS V11 we can’t be sure if this is a Bug or not.
Also other Operating System besides Windows 7 x64 might not be affected.

At the moment I lack the time or resources to dig deeper into this. So I will leave this to anyone interested in investigating this possible Bug.

EDIT: I am trying to attach both versions of Ransim as a .zip file to the first post but it's taking a while because of my internet connection. I have them both saved on a USB stick just in case.

Also I would like to add that while testing CIS V12 with Ransim v1.1.0.76 I was bombarded with HIPS alerts and even though answering them with Block > Block Only I got a score of 2/15 so HIPS failed most of the 15 tests.

When I tested CIS V12 with Ransim V1.1.0.7 I didn't receive many HIPS alerts at all.

Adding C:\Users* to Protected Files made HIPS get a perfect score in both cases.

EDIT: I would like to stress that Cruelsister Config and Anti-executable/DefaultDeny Comodo did get a perfect score against Ransim v1.1.0.76 as well, without needing to add any rule. Just so less informed users won’t think they are vulnerable to Ransim, when in reality they are not.

Test here 100%
Can you test the setting with HIPS active and disabled?

You are testing using Run Virtually for Unknowns rule and like I said, there is no problem when using this rule, as in Cruelsister configuration which uses “Run Virtually” for all Unknowns, Comodo achieves a perfect score against all versions of Ransim.

Problem lies with HIPS enabled > Containment Disabled or Run Restricted for Unknowns Containment rule > Untrusted Level.

The possible Bug is affecting the HIPS and Restrictions (without virtualization) only. Not 100% sure if Bug or not.

And yes, with the User/Usuário custom File Group you created, which protects multiple folders under the Users folder, HIPS will block all of Ransim's tests.

To Futuretech and Comodo staff,

I really don’t want to waste your time nor the Comodo developers time and there is a very low possibility that my memory is playing a trick on me in this case. But this small possibility still exists since I am currently having my mind focused on personal problems. If you want to submit this as a Wish instead, you have my support since I don’t see this as a serious problem to begin with, even if Bug or not.

Hello mmalheiros,

Thank you for your effort. We will discuss with our PM and notify you.

Kind Regards,
PD

You do know that if you are on Windows this is already possible to do, yes, without having them add something that the Windows OS can already do. The Windows feature is called Controlled Folder Access; you can look up this security setting by using Windows search or by using the Windows Security dashboard and finding where the Controlled Folder Access setting is, then all you have to do is add the folders and/or files you want to protect.
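An added example of the Controlled Folder Access setup the post above refers to, as a practitioner would script it rather than click through the Windows Security dashboard. This is not code from the thread, from Comodo or from Microsoft; it uses the Microsoft Defender cmdlets (Set-MpPreference, Add-MpPreference, Get-MpPreference) and assumes an elevated PowerShell on Windows 10 version 1709 or later with Microsoft Defender Antivirus as the active real-time engine (Controlled Folder Access does not exist on the Windows 7 system in the original report). The folder list mirrors the thread's wish (Documents, Pictures, Videos) and the allowed-application path is a hypothetical placeholder.

```powershell
# Added example, not part of the original thread. Enables Controlled Folder Access (CFA)
# in audit mode first, protects the user data folders discussed above, then switches to
# enforcement and verifies the result from the Defender preference object and event log.
# Assumptions: elevated session, Windows 10 1709+ with Microsoft Defender AV active.

#Requires -RunAsAdministrator

# Folders to protect. [Environment]::GetFolderPath resolves the real per-user locations,
# including redirected profiles, instead of hard-coding C:\Users\<name>\...
$folders = @(
    [Environment]::GetFolderPath('MyDocuments'),
    [Environment]::GetFolderPath('MyPictures'),
    [Environment]::GetFolderPath('MyVideos')
)

# Start in audit mode: writes by untrusted apps are logged (Event ID 1124) but not blocked,
# so legitimate tools that touch these folders can be identified before enforcement.
Set-MpPreference -EnableControlledFolderAccess AuditMode

foreach ($f in $folders) {
    Add-MpPreference -ControlledFolderAccessProtectedFolders $f
}

# Optional: allow a specific program that legitimately writes into protected folders.
# The path below is a hypothetical placeholder, not a real product.
# Add-MpPreference -ControlledFolderAccessAllowedApplications 'C:\Program Files\Example\backup.exe'

# After the audit period shows no false positives, enforce blocking.
Set-MpPreference -EnableControlledFolderAccess Enabled

# Verify the effective configuration. Note that the folder list shows only folders added
# here; the built-in defaults (Documents, Pictures, Videos, Music, Desktop, Favorites)
# are protected but not listed in this property.
$pref = Get-MpPreference
"Controlled Folder Access mode: $($pref.EnableControlledFolderAccess) (0=Disabled, 1=Enabled, 2=AuditMode)"
"Custom protected folders:"
$pref.ControlledFolderAccessProtectedFolders

# Recent CFA decisions: 1123 = write blocked, 1124 = audited (would have been blocked).
Get-WinEvent -FilterHashtable @{
        LogName = 'Microsoft-Windows-Windows Defender/Operational'
        Id      = 1123, 1124
    } -MaxEvents 20 -ErrorAction SilentlyContinue |
    Select-Object TimeCreated, Id, Message
```

Run the script once with the enforcement line commented out, let the system operate for a few days, and review the 1124 audit events before enabling blocking; that is the step that avoids breaking backup agents, sync clients and office software that write to these folders. Event ID 1123 after enforcement is the equivalent of the HIPS "Block" outcome discussed earlier in this thread, and a ransomware simulator run against a CFA-protected folder should produce one such event per blocked write.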