Ransomware

With regards to the nasty 'Ransomware': why does one need to add \Device\KsecDD? Is an Internet Security Suite supposed to protect against such Trojans and viruses etc.? I have changed from Kaspersky 2013, and the protective element(s) was contained within the software itself; no changes had to be made by the user…

Adding “\Device\KsecDD” restricts the Windows encryption tool which some ransomware uses to encrypt your PC. It won’t protect you against all. You might as well add the whole C drive into DEF+.

How do I add the entire C: drive into Defense+?

In order to be fully protected from all forms of ransomware please follow the advice I give in How to Install Comodo Firewall. It will explain how to do this.

That’s excellent, thanks… :slight_smile:

Setting the sandbox to block should block em :slight_smile:

That should do really. :slight_smile:

Download and watch this video guide http://dl.dropbox.com/u/71508137/COMODO%20Firewall/Protect%20files%20from%20Ransomware.7z

Or watch this video guide Protect files from Ransomware - Vbox7

And more video tutorials for Comodo http://lashev.com/?p=110

  1. Where is this \Device\IKsecDD supposed to get added?

  2. The suggestion to create the protected file group ?/* is just plain >:-D

Due to the number of popups, the system essentially becomes unusable. A far more practical solution is to protect against drive-by downloads by blocking all executable and archive files into the %sysdrive%:\Documents and Settings\*\Local Settings\Temporary Internet Files\Content.IE5\*\ folders.

Why is there a need for disinfection if the infection vector fails?

You might not be able to stop the poke, but CIS will hinder the injection of the poison.

Set the disinfection translation level to: untrusted.

If CIS sees a weird process, that process gets run in the sandbox; as long as your sandbox is set to max effectiveness, an unknown process cannot access system resources. It's the nature of the beast: you trade simplicity for effectiveness at the expense of interpretation of alerts.

Faster, better, cheaper: pick two.

After adding it I noticed no drastic change in the number of popups.

Remember that the setting only applies to unknown applications, of which there are not that many on most people’s computers. Thus, essentially that setting means that a sandboxed application cannot alter any files.

To me the benefit far outweighs the cost.

???

After putting ?/* into Protected Files I got a never ending series of alerts having the form:

C:\Documents and Settings\%user%\Application Data\Microsoft\Internet Explorer\Recovery\Active\{*}.dat

C:\Documents and Settings\%user%\Application Data\Microsoft\Internet Explorer\Recovery\Last Active\{*}.dat

C:\Documents and Settings\%user%\Application Data\Microsoft\Internet Explorer\Recovery\Last Active\RecoveryStore{*}.dat

C:\Documents and Settings\%user%\Local Settings\Temp\~DF???.tmp

It didn’t stop until I removed it. I added it back in and there are no alerts whatsoever. :-\

Anyways, how's ?/* different than the All Applications file-group, i.e., ‘*’ ???