Wilders Security Forums  

#26 | ErikAlbert | July 6th, 2008, 04:14 PM
Re: Some unique HIPS features

Quote:
Originally Posted by bellgamin
The topic was started by Aigle, who asked certain questions based on NG capabilities. It is his topic and he based it on NG.

If you want to endlessly discuss "what Erik wants", I suggest you start your own thread and stop hijacking others.
I will do "what Bellgamin wants".
__________________
ErikAlbert
Security = WinXPproSP3 Firewall + Anti-Executable + DefenseWall HIPS * Recovery = ShadowProtect + FirstDefense-ISR
Malware Survival Rate = 0.00%, but each malware has my sympathy.
#27 | hammerman | July 6th, 2008, 04:21 PM

Quote:
3- GPcode trojan - A malware that encrypts many files on the infected PC (like text files), causing data loss.

NG gave pop-ups for all these actions, though it was not fully successful in stopping the damage (for example, it did not stop the encryption of text files by the malware), but it's interesting to see such functionality. I have not seen such filters in any other HIPS (at least to the best of my knowledge). Am I right?

I have made a thread on the Comodo forums to add such filters in CFP. What are your thoughts?

Thanks

Obviously it's not just text files it attacks.

http://www.symantec.com/security_res...723-99&tabid=2

I guess the best I could do with EQS would be to limit access to these file types. Thinking of the number of pop-ups, I don't think I'll bother.

Do any behavioural blockers like ThreatFire or Mamutu detect this kind of behaviour? What about DefenseWall? Seems to me that protection from ransomware like this is something for a 'smart' behavioural blocker rather than a classical HIPS.
__________________
Online-Armor | Defensewall | EQSecure 3.41 | AntiVir | Returnil |Sandboxie | A-squared Anti-Malware
#28 | aigle | July 6th, 2008, 06:03 PM

Seems you are right. I have not tried behaviour blockers with this malware but will try to test with TF.
__________________

Ubuntu 12.10
AX64 Time Machine, Comodo FW & Defence Plus, Sandboxie not compatible?
#29 | aigle | July 6th, 2008, 06:04 PM

Quote:
Originally Posted by hammerman
Shots of E-mail file protection rules and pop-up when anything tries to access these files.
Thanks hammerman.
#30 | CogitoErgoSum | July 6th, 2008, 07:40 PM

Quote:
Originally Posted by hammerman
Obviously it's not just text files it attacks.

http://www.symantec.com/security_res...723-99&tabid=2

Do any behavioural blockers like ThreatFire or Mamutu detect this kind of behaviour? What about DefenseWall? Seems to me that protection from ransomware like this is something for a 'smart' behavioural blocker rather than a classical HIPS.

Hello hammerman,

I have personally tested the GPcode trojan in question against both DefenseWall and Primary Response SafeConnect. The former was able to successfully block and contain it while the latter was not.


Peace & Gratitude,

CogitoErgoSum
__________________
Current Vista 32 SP2 Resident Security Arsenal: (DefenseWall Personal Firewall v3.11 - KeyScrambler Pro)

DefenseWall HIPS(http://www.softsphere.com/)

*Loyal & diehard DefenseWall user since 1/06!*
~Living dangerously without a resident antivirus since late 2/07!~
#31 | bellgamin | July 6th, 2008, 07:51 PM

Quote:
Originally Posted by aigle
I have made a thread on the Comodo forums to add such filters in CFP. What are your thoughts?
I am a CFP user. As such, I strongly support your proposal to add such filters to CFP (Defense+). I want to endorse your comments at Comodo's forums, but couldn't find your post. Link please?
__________________
Primo freebeez: TinyWatcher POP Peeper Kalender
#32 | aigle | July 6th, 2008, 07:51 PM

Quote:
Originally Posted by CogitoErgoSum
Hello hammerman,

I have personally tested the GPcode trojan in question against both DefenseWall and Primary Response SafeConnect. The former was able to successfully block and contain it while the latter was not.

GW stops it too.
#33 | aigle | July 6th, 2008, 07:56 PM

Quote:
Originally Posted by bellgamin
I am a CFP user. As such, I strongly support your proposal to add such filters to CFP (Defense+). I want to endorse your comments at Comodo's forums, but couldn't find your post. Link please?
http://forums.comodo.com/leak_testin...-t24754.0.html
#34 | lucas1985 (Global Moderator) | July 6th, 2008, 10:33 PM

Quote:
Originally Posted by aigle
They get the e-mail addresses from the Windows address book, and the Sober worm also scans many files like text files on the PC and finds e-mail addresses.
These kinds of features would be useful as a heuristic analyzer module in a classical HIPS. Then you would have a hybrid between a HIPS and a behav. blocker.
__________________
"Pouvoir à l'Imagination. Power to the imagination. La imaginación al poder".

"Perfect is the enemy of good enough". Voltaire.
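
Added example (not code from this thread, nor from DefenseWall, EQSecure, ThreatFire, Mamutu or any other product named here): a file-type access filter of the kind hammerman asks about in post #27, combined with the behavioural heuristic lucas1985 suggests in post #34, so that an unknown process rewriting several protected files with high-entropy content inside a short window is cut off even when no rule names it. The event format, the protected extension list, the trusted process names, the thresholds and the sample event stream are all assumptions constructed for illustration.

```python
"""Added example: HIPS file-type filter plus a ransomware-style behaviour
heuristic. All names, extensions and thresholds are illustrative assumptions,
not any product's configuration."""
import math
import ntpath                       # paths in the scenario are Windows-style
from collections import defaultdict, deque

# Assumed protected types (a HIPS "file type filter" of the kind the thread
# describes; the list is an illustration, not any product's list).
PROTECTED_EXTS = {".txt", ".doc", ".xls", ".pdf", ".jpg", ".zip", ".dbx", ".pst"}

# Assumed allow-list of applications trusted to rewrite user documents.
TRUSTED = {"winword.exe", "notepad.exe", "explorer.exe"}


def shannon_entropy(data: bytes) -> float:
    """Bits per byte: English text is well under 5, ciphertext approaches 8."""
    if not data:
        return 0.0
    n = len(data)
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    return -sum(c / n * math.log2(c / n) for c in counts if c)


class FileGuard:
    """Decide 'allow', 'deny' or 'prompt' for one file-system event.

    An event is a dict with: process, path, op ('read'/'write'/'rename'/'delete'),
    t (seconds), optional data (bytes being written) and optional untrusted
    (True for processes the sandbox runs as untrusted)."""

    def __init__(self, max_writes=4, window=10.0, entropy_threshold=7.0):
        self.max_writes = max_writes            # high-entropy rewrites of protected files...
        self.window = window                    # ...within this many seconds => ransomware-like
        self.entropy_threshold = entropy_threshold
        self.recent = defaultdict(deque)        # process -> timestamps of suspicious writes
        self.flagged = set()                    # processes already judged ransomware-like

    def check(self, ev):
        proc = ev["process"].lower()
        ext = ntpath.splitext(ev["path"])[1].lower()
        if ev["op"] not in ("write", "rename", "delete") or ext not in PROTECTED_EXTS:
            return "allow"                      # reads and unprotected types are not filtered
        if proc in self.flagged or ev.get("untrusted", False):
            return "deny"                       # policy rule: untrusted may not touch protected files
        if proc in TRUSTED:
            return "allow"
        # Unknown process: count only high-entropy rewrites, so an editor saving
        # a few plaintext notes is not mistaken for an encryptor.
        if ev["op"] == "write" and shannon_entropy(ev.get("data", b"")) >= self.entropy_threshold:
            q = self.recent[proc]
            q.append(ev["t"])
            while ev["t"] - q[0] > self.window:
                q.popleft()
            if len(q) >= self.max_writes:
                self.flagged.add(proc)
                return "deny"
        return "prompt"                         # classical HIPS behaviour: ask the user


# Constructed sample data: a pangram as plaintext and a fixed full-range byte
# pattern standing in for ciphertext (entropy exactly 8 bits per byte).
PLAINTEXT = b"The quick brown fox jumps over the lazy dog. " * 8
CIPHERTEXT = bytes(range(256)) * 4


def run_constructed_scenario():
    """Replay a constructed event stream through one guard; return the decisions."""
    def ev(proc, path, op, t, **extra):
        return dict(process=proc, path=path, op=op, t=t, **extra)

    home = r"C:\Users\u\Documents"             # hypothetical profile path
    events = [
        ev("notepad.exe", home + r"\notes.txt", "write", 0.0, data=PLAINTEXT),
        ev("dropper.exe", home + r"\a.txt", "read", 1.0),
        ev("dropper.exe", home + r"\a.txt", "write", 1.1, data=CIPHERTEXT),
        ev("dropper.exe", home + r"\b.doc", "write", 1.2, data=CIPHERTEXT),
        ev("dropper.exe", home + r"\c.pdf", "write", 1.3, data=CIPHERTEXT),
        ev("dropper.exe", home + r"\d.jpg", "write", 1.4, data=CIPHERTEXT),
        ev("dropper.exe", home + r"\e.xls", "write", 1.5, data=CIPHERTEXT),
        ev("dropper.exe", home + r"\trace.log", "write", 1.6, data=CIPHERTEXT),
        ev("sandboxed.exe", home + r"\f.txt", "write", 2.0, data=CIPHERTEXT, untrusted=True),
    ]
    guard = FileGuard()
    return [guard.check(e) for e in events]


if __name__ == "__main__":
    for decision in run_constructed_scenario():
        print(decision)
```

The decision order mirrors what the thread reports: a process the sandbox marks untrusted is denied outright, a trusted application is allowed, and an unknown process is prompted on each protected write while the detector counts its high-entropy rewrites. With max_writes=4 the constructed dropper gets three prompts before the fourth write trips the counter, which is the same trade-off hammerman saw with NG: a behaviour-based rule acts on a pattern, so some files are already damaged unless the user answers the earlier prompts with deny. Note that the policy keys on trust, not on privilege level; a process that only needs its own user's rights to overwrite that user's documents is not stopped by running it at lower rights, which is why the "untrusted" flag, rather than an admin/non-admin split, is the deciding input here.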
#35 | hammerman | July 7th, 2008, 02:59 AM

Quote:
Originally Posted by CogitoErgoSum
Hello hammerman,

I have personally tested the GPcode trojan in question against both DefenseWall and Primary Response SafeConnect. The former was able to successfully block and contain it while the latter was not.


Peace & Gratitude,

CogitoErgoSum

Thanks for test results. Didn't expect DW (or GW) to protect against this. I thought protection from ransomware would be more prominent in their feature list.

Any chance you could PM me a link to GPcode. I'd like to test against OA's run safer and Mamutu.
#36 | Ilya Rabinovich (Developer) | July 7th, 2008, 06:43 AM

Quote:
Originally Posted by hammerman
Didn't expect DW (or GW) to protect against this.
Always expect the unexpected.
__________________
DefenseWall HIPS developer. www.softsphere.com
#37 | hammerman | July 7th, 2008, 08:22 AM

Quote:
Originally Posted by Ilya Rabinovich
Always expect the unexpected.

Lesson learnt. Seems like this protection could be quite unique though. Looking forward to seeing if TF and Mamutu are up to the challenge. Response from OA is that this is a feature that may be added in future.

Does DW protect against GPcode simply by running malware file untrusted or does the resource protection need to be used?
#38 | Peter2150 (Global Moderator) | July 7th, 2008, 09:14 AM

Quote:
Originally Posted by hammerman
Lesson learnt. Seems like this protection could be quite unique though. Looking forward to seeing if TF and Mamutu are up to the challenge. Response from OA is that this is a feature that may be added in future.

Does DW protect against GPcode simply by running malware file untrusted or does the resource protection need to be used?

If this threat is the KD.exe, then Sandboxie protects. Also OA actually does now in some ways. If the exe is downloaded from the web through a drive-by, and you are running your browsers with Run Safer, it will indeed not allow this thing to do damage. I've tested that.

Also OA will have two new features. One is direct disk access, and the other is automatically running an unknown program at lower rights. Tested both in betas and both work.

Pete
#39 | Ilya Rabinovich (Developer) | July 7th, 2008, 10:01 AM

Quote:
Originally Posted by hammerman
Does DW protect against GPcode simply by running malware file untrusted or does the resource protection need to be used?
Well, I'm not sure if DW covers all the file types Gpcode encodes. But most of them are, as I know, the most important for an average user. Will check out later.
#40 | hammerman | July 7th, 2008, 04:31 PM

Tested a sample of GPcode, courtesy of CogitoErgoSum.

Sandboxie completely isolates infection
OA run safer fails to protect
Mamutu quiet as a mouse in Paranoid Mode (waste of good memory space IMO)
AntiVir detects infection
EQS 3.41 unable to do anything about it
#41 | hammerman | July 7th, 2008, 05:14 PM

Quote:
Originally Posted by Ilya Rabinovich
Well, I'm not sure if DW covers all the file types Gpcode encodes. But most of them are, as I know, the most important for an average user. Will check out later.

Thanks Ilya,

I haven't used DW for a while since there is a conflict on my system when I run Sandboxie, OA and DW together.

As I understand it, an untrusted process cannot modify any other files and this is how it protects against GPcode. Are you saying there are some exceptions to this rule for certain file types?
#42 | aigle | July 7th, 2008, 06:40 PM

Quote:
Originally Posted by Peter2150
If this threat is the KD.exe

No, it's not.
#43 | Peter2150 (Global Moderator) | July 7th, 2008, 08:17 PM

Okay. Got a sample and tested. Nasty little critter.

ShadowDefender did its job well, as did Sandboxie.

OA's Run Safer didn't and couldn't do anything. I would suspect none of the policy-based sandboxes will.

I ran it with both OA and SSM on to see what it was doing. Both just alerted that it wanted to run. It did nothing else, so clearly it didn't need system privileges. By the time the next pop-ups came about the vbs file, it was too late.

Pete
#44 | aigle | July 7th, 2008, 08:45 PM

Quote:
Originally Posted by Peter2150
I would suspect none of the policy-based sandboxes will.
GW (I think) and DW will protect against it.
#45 | Peter2150 (Global Moderator) | July 7th, 2008, 09:58 PM

Quote:
Originally Posted by aigle
GW (I think) and DW will protect against it.

Okay, so they are protecting files also?
#46 | Dark Shadow | July 7th, 2008, 10:11 PM

I would like to test this GPcode; I do not have a sample though.
__________________
OS X 10.8.3 - 2.9 GHz Intel core i7 - 8 GB 1600 MHz DDR3 - 750 SATA HD - Intel HD 4000 Graphics 512 MB.
#47 | aigle | July 7th, 2008, 10:27 PM

Quote:
Originally Posted by Peter2150
Okay, so they are protecting files also?
Why not? Registry and files both. No protection if you can't protect files. Just they don't rely heavily on virtualization, only as much as needed.
#48 | aigle | July 7th, 2008, 10:28 PM

Quote:
Originally Posted by djohn
I would like to test this GPcode; I do not have a sample though.
I PMed you, please share your results, but take care not to lose your data.
#49 | Dark Shadow | July 7th, 2008, 10:30 PM

Thanks. I will post after the test. Here is what I got from KAV.
[Attached image: KAV detection result]
#50 | aigle | July 7th, 2008, 10:31 PM

I tried it with GW to be sure. Excellent job by GW on default settings.

[Attached images: 1.jpg, 2.jpg, 3.jpg, 4.jpg (GW screenshots)]
 

Copyright ©2002 - 2013, Wilders Security Forums