Protection against ransomware.

Picandalo · November 4, 2020, 2:53pm

Hi,

Does CIS have protection against ransomware? … if so, how to configure it?

Thank’s

My CIS
CIS v.12.0.0.6818
Database version: 32957

safemode · November 4, 2020, 11:08pm

Yes, CIS protects against Ransomware, and any other kind of Malware, through Auto-Containment & HIPS modules.

Melih post:6:

That’s when we figured what the Malware needs to cause damage in the main was

1-Write privilege to hard disk
2-write privilege to the Registry
3-write privilege to the COM interface

Write privilege means: the right/ability to write to hard disk…why would you want a brand new untrusted app to start writing to your hard disk??? It could simply overwrite your own good files…yep…Ransomware…
So when a new executable file comes in if its never seen before by Comodo…we say “hey kiddo…here is a really good plastic knife”
Lets say a Ransomware makes it to your computer because the user clicks anything shiny on the web…
this ransomware is now running in RAM…and says…I want to “READ” hard disk…
Comodo says:…hmm…“READ” privilege…its ok…go ahead and read it…
then
Ransomware says:…I want to “encrypt” this file that I just read…
Comodo says: hmm…just messing around inside RAM…no damage done…go ahead…
Ransomware says: Now I have an encrypted file…I want to delete your original file and overwrite it with just encrypted…
Comodo says:…say what?? you want to have a “WRITE PRIVILEGE” to hard disk…Don’t think so…here is a “Virtual Write Privilige to a Fake Hard disk” …
Ransomware says: oh thank you, let me write there…
All the while Ransomware is writing to a “fake hard disk” where user’s original files are untouched and safe on the hard disk.

You can change CIS to ‘Proactive Security’ mode, this will enhance overall protection of all CIS components. You can also check and use the Cruelsister settings for Comodo Firewall (also valid for CIS) which will further enhance the level of protection provided.

Picandalo · November 5, 2020, 8:17am

Hi safamode,
so I am worried because a ransomware encrypted an excel file on my machine and I would like to know if Comodo has a module that decrypts this file ?!

The ransomware created a .mars file in place of my excel file.
Need help!

Ploget · November 5, 2020, 9:44am

No it doesn’t, but try the advice and tools on these sites:

safemode · November 5, 2020, 6:27pm

Picandalo, just out of curiosity, this Excel file that was encrypted by the Mars Ransomware was located in which Folder? I am asking because the ‘Downloads’ folder is set by default as an exception to Auto-Containment’s Virtualization by Comodo, so any Ransomware could encrypt files located in this mentioned folder.

EDIT: Did this Ransomware compromised your machine with CIS installed or you installed CIS after the infection?

Looks like another case of the Default Settings in CIS being weak - Installing it without properly configuring it is the same as not installing it at all.