A friend who has Comodo Internet Security installed (at my recommendation :embarassed:) on his laptop recently suffered a ransomware attack. He had turned on his laptop computer and attempted to log into his bank website.
A pop-up asking to install Adobe Reader appeared, he declined, then a ransomware message appeared as he was trying to login, instructing him that his system had been encrypted and that he should reboot the computer.
On reboot all documents, all pictures, all music, + all XML, all text and all HTML files had been encrypted. There were more than 1700 copies of the ransomware readme file in png HTML & txt formats written all over the drive. Collectively this was nearly 2 gig in size. The code had accessed all drive partitions and entered directories which I would’ve thought were protected by the Comodo system. E.g. Windows system32 directory.
Looking at last year's Crypto Locker malware discussion on various forums, I can see this latest version has made steps to prevent any kind of recovery. All restore points, shadow copies and temporary backup files written by MS Office applications were also encrypted or deleted.
Auto-sandbox, virus-scope, HIPS, firewall, and anti-virus all showed working and active.
It is possible it was user error but he rarely installs anything & CIS is set to flag any attempted install action etc.
Very disappointing that Comodo was unable to prevent this attack as he lost all his documents and pictures and was forced to restore the machine back to factory default in order to use it.
This raises 2 important questions.
Can CIS stop current ransomware attacks?
Does Comodo intend to implement a system like Crypto Drop?
The settings used in the event described above were with HIPS active & custom for the FW. Personally I always use custom settings which gives me more control.
One reason I hated the upgrade to the new GUI is previously I could see/add/tweak everything quickly, now it’s being buried in multiple sub-trees & often semi-automated thus allowing errors. OK the new way seems better for novices but #only# if it works…
I think svchost.exe is one of the major problems I’ve seen historically, as it is often very difficult to see what is being done by which process & why. Given the fact that a network link needs only moments for malware, a user has almost zero chance of figuring it out before it is potentially disastrous.
As to how ransomware is able to act within a supposedly secure system, the only hints I’ve found are in discussion of Crypto Drop. There seems to be a whole lot of nothing available for anyone trying to figure out what's going on. Given the seriousness of the threat I have to wonder why ‘no-one’ is really saying much about it. Plenty of old comments on the early types 2013-15 but nothing much for this year that is actually helpful.
Has anyone reviewed CIS with maximum virtualization active? I assume that would help in resisting this kind of threat, but often it isn’t practical to be entirely virtual.
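An added scan (editor's example, not code from anyone in this thread or from Comodo) for the two traces the first post describes: the same ransom-note file dropped into many directories, and user files whose contents have turned into high-entropy ciphertext. The note file names, thresholds and sample tree are assumptions built for the demo, not known indicators of this ransomware.

```python
"""Defender-side check for ransomware traces: repeated note files and
high-entropy (encrypted) user files. Note names/thresholds are assumed."""
import math
import os
import tempfile
from collections import Counter
from pathlib import Path

NOTE_STEMS = {"readme", "how_to_decrypt"}   # assumed ransom-note base names
NOTE_EXTS = {".txt", ".html", ".png"}       # the formats named in the post


def shannon_entropy(data: bytes) -> float:
    """Bits per byte of the sample; random or encrypted data approaches 8.0."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def scan_tree(root, note_threshold=10, entropy_threshold=7.5, sample=4096):
    """Return ({note_name: directory_count}, [paths of high-entropy files]).
    Compressed media (jpg, zip, docx) also score high, so treat hits as leads."""
    note_dirs = Counter()
    high_entropy = []
    for path in Path(root).rglob("*"):
        if not path.is_file():
            continue
        if path.stem.lower() in NOTE_STEMS and path.suffix.lower() in NOTE_EXTS:
            note_dirs[path.name.lower()] += 1
            continue
        with path.open("rb") as fh:
            head = fh.read(sample)
        if len(head) >= 256 and shannon_entropy(head) > entropy_threshold:
            high_entropy.append(str(path))
    notes = {n: c for n, c in note_dirs.items() if c >= note_threshold}
    return notes, sorted(high_entropy)


def build_demo_tree(base: str, dirs: int = 12) -> str:
    """Constructed sample tree imitating the post-attack state (not real data)."""
    for i in range(dirs):
        d = Path(base) / f"folder{i}"
        d.mkdir(parents=True, exist_ok=True)
        (d / "README.txt").write_text("your files are encrypted (constructed sample)")
        (d / "notes.txt").write_text("plain meeting notes\n" * 40)  # untouched text
        (d / f"report{i}.docx").write_bytes(os.urandom(4096))        # "encrypted" file
    return base


def demo():
    """Build the constructed tree in a temp dir, scan it, return the findings."""
    with tempfile.TemporaryDirectory() as tmp:
        build_demo_tree(tmp)
        return scan_tree(tmp)
```

Run `demo()` to see the note file reported in 12 directories and the 12 random-content files flagged, while the plain text files pass.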
Personally, I have set the auto-sandbox rule to block unknown apps.
Like that I can right-click on the app and run it in Comodo sandbox.
It seems that manual (on-demand) sandbox is more restrictive than auto-sandbox:
Thanks for that info Jon79.
Typical of W10 to be more interested in data-mining & selling apps than allowing itself to be fully locked down I guess.
I think you should be able to set UAC to off & have CIS take over, providing CIS works.
This was a topic that was discussed a few weeks ago on Wilders and I am surprised that it is showing up here. “EfficacyTest.exe” is a specific AV tester that when run will in turn run malware. If EfficacyTest.exe is allowed to run out of the sandbox ALL future actions will also be unsandboxed, thus the infections that can be seen in that video. In short, the setup for the test was very flawed and thus the results are also without value.
I was sent all of the malware seen in that video (the malware pack was PM’d to me) and the actual results can be seen here:
Surely you are showing that it is worse than a simple on/off option & therefore is in fact removing options to allow the monetized app interface to force you into certain modes of behavior at a code level.
That in itself presents a pipeline for hacker activity that will ‘always’ be active.
I watched the video, thanks for the link.
I noticed that you set the auto-sandbox on run virtually → restricted and you wrote that you did so because run virtually → untrusted doesn’t work on Windows 10.
The problem is that run virtually → restricted won’t work either because every app will run as partially limited…
Try to re-make the test with this setting and let’s see what happens.