Ransomware versus Comodo HIPS, GesWall and Comodo Sandbox

Discussion in 'other anti-malware software' started by aigle, Jul 29, 2016.

  1. aigle

    aigle Registered Member

    Joined:
    Dec 14, 2005
    Posts:
    11,164
    Location:
    UK / Pakistan
    Hi, sorry no screen shots at the moment. Will upload some as I get time. I had been testing these since last week. On XP VM

    Comodo Defense Plus. I allowed execution of malware and denied all other pop up alerts. Safe mode, file rep , AV n cloud disabled.

    Comodo Defence Plus:

    CTB locker test: Passed
    Petya ransomware test: passed
    Mischa ransomware test: passed
    Locky ransomware test: passed
    Gpcoder (old malware) test: passed
    Blackday Trojan(old malware ) test: passed

    Comodo Sandbox : all above tests passed

    Geswall : all above tests passed
     
    Last edited: Jul 30, 2016
  2. aigle

    aigle Registered Member

    Joined:
    Dec 14, 2005
    Posts:
    11,164
    Location:
    UK / Pakistan
    CTB locker
     

    Attached Files:

  3. aigle

    aigle Registered Member

    Joined:
    Dec 14, 2005
    Posts:
    11,164
    Location:
    UK / Pakistan
  4. blacknight

    blacknight Registered Member

    Joined:
    Sep 25, 2007
    Posts:
    3,344
    Location:
    Europe, UE citizen
    What in Paranoid Mode ?
     
  5. aigle

    aigle Registered Member

    Joined:
    Dec 14, 2005
    Posts:
    11,164
    Location:
    UK / Pakistan
    Tried only safe mode.
     
  6. Pliskin

    Pliskin Registered Member

    Joined:
    Feb 8, 2009
    Posts:
    439
    Good to know, thank you for testing.
     
  7. @aigle

    Passed = ransomware passed the defense or security software passed the test?

    Thx
     
  8. Infected

    Infected Registered Member

    Joined:
    Feb 9, 2015
    Posts:
    1,134
    Thanks aigle for the post.
     
  9. aigle

    aigle Registered Member

    Joined:
    Dec 14, 2005
    Posts:
    11,164
    Location:
    UK / Pakistan
    Funny question indeed.

    BTW for HIPS I allowed execution of ransomware and denied all other malware actions.
     
  10. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    17,546
    Location:
    The Netherlands
    Just about all sandboxes should be able to stop ransomware. I'm sure Sandboxie and 360 IS will also pass these tests, perhaps you can check them out.
     
  11. NormanF

    NormanF Registered Member

    Joined:
    Feb 20, 2009
    Posts:
    2,874
    You allowed execution of ransomware.

    That why it passed through. If you circumvent security mechanisms on purpose, they can't protect you.

    It isn't an indictment of their effectiveness in stopping malware.
     
  12. aigle

    aigle Registered Member

    Joined:
    Dec 14, 2005
    Posts:
    11,164
    Location:
    UK / Pakistan
    Where did I say they "passed through" ?

    None of the ransomware passed through. All of them could not harm the system. While testing HIPS you have to allow execution of malware, otherwise there is no point of testing the HIPS.
     
  13. itman

    itman Registered Member

    Joined:
    Jun 22, 2010
    Posts:
    8,592
    Location:
    U.S.A.
    Actually, you want to block the execution of ransomware with a HIPS assuming we are talking about a PE; all the other HIPS ransomware mitigations are secondary to this.
     
  14. so all ransomware was blocked?
     
  15. aigle

    aigle Registered Member

    Joined:
    Dec 14, 2005
    Posts:
    11,164
    Location:
    UK / Pakistan
    Yes. Actually I made a test folder on desktop with some files( .txt .jpg .png .exe .pdf etc). I firstly ran ransomware without any protection and these files( plus many others) were encrpyted. Next time I run the ransomware with protection, it was intercepted and I did not see any encrpyted files/ encryption messages.
     
  16. EASTER

    EASTER Registered Member

    Joined:
    Jul 28, 2007
    Posts:
    11,126
    Location:
    U.S.A. (South)
    Sure hope the 360 referred here is not Qihoo because "they" are the reason i stopped using AV's again.

    Mr Crypto slipped right thru them onto my Win 8 machine after over a year of peace and that was it for me.

    Maybe they gotten better but once was more than enough for this user.
     
  17. Good old GeSWall, still the best protection for anyone on XP (light, solid). When someone wants to know to use the Pro application data base (GesWall.dat and use Application Wizzard to add any program not listed) with the free version, just PM me.

    I hope Re:HIPS will be the reincarnation of GesWall (reason why GeSWall was a lot faster/easier on CPU was because it used Windows mechanisms just like reHips does).
     
  18. Overkill

    Overkill Registered Member

    Joined:
    Mar 16, 2012
    Posts:
    2,343
    Location:
    USA
    Geswall is still secure enough for modern malware?
     
  19. Well it does a decent job according to Aigle's test. On modern OS I would use ReHips instead.
     
  20. Overkill

    Overkill Registered Member

    Joined:
    Mar 16, 2012
    Posts:
    2,343
    Location:
    USA
    ReHips seems complex, similar to appguard. I guess it just takes time to learn it.
     
  21. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    17,546
    Location:
    The Netherlands
    I wouldn't use it either, but I believe the sandbox should be able to block ransomware. I'm guessing you didn't run it inside the sandbox, so that's why it failed to protect. That's no surprise because AV's can't identify 100% of all malware. That doesn't mean they aren't useful, but I'm not a big fan either.
     
  22. aigle

    aigle Registered Member

    Joined:
    Dec 14, 2005
    Posts:
    11,164
    Location:
    UK / Pakistan
    GesWall is extremely secure because of its design, no matter which type of malware you throw in it. Alas it died. It would had been relatively easier to port it to Windows 8 and 10 because of its design.
     
  23. guest

    guest Guest

    Any HIPS & Anti-exe will block a ransomware : "ransomware.exe want to execute. allow yes/no" obviously you won't say yes to unknown exe...
     
  24. aigle

    aigle Registered Member

    Joined:
    Dec 14, 2005
    Posts:
    11,164
    Location:
    UK / Pakistan
    Seems you did not read my post. I did say yes to the execution of all ransomware.
     
  25. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    17,546
    Location:
    The Netherlands
    But I believe that's not the point of this test. The point is to run ransomware, and to see if the actions are mitigated. For example SpyShelter will not be able to block all damage once you let ransomware run and execute other system processes like svchost.exe and explorer.exe. A sandbox will simply redirect or virtualize file writes, so that's why they should all pass.
     
  1. This site uses cookies to help personalise content, tailor your experience and to keep you logged in if you register.
    By continuing to use this site, you are consenting to our use of cookies.