Blackday trojan versus HIPS

Discussion in 'other anti-malware software' started by aigle, Apr 27, 2011.

Thread Status:
Not open for further replies.
  1. cm1971

    cm1971 Registered Member

    Joined:
    Oct 22, 2010
    Posts:
    727
    How would something like BufferZone do against this?
     
  2. jasonbourne

    jasonbourne Registered Member

    Joined:
    Aug 26, 2010
    Posts:
    275
    Darn interesting topic here. Alarmingly much more interesting on other security apps' defense against this trojan. aigle, thanks for this post. Got me thinking there. I hope someone here will test DefenseWall and Outpost. How about Sandboxie? How will it fare with this trojan or with the others that you have mentioned in your other posts?

    Can some veteran here try it out please...? I do not have the means and knowledge to do it. This is a bombshell post!:thumb:
     
  3. blasev

    blasev Registered Member

    Joined:
    Oct 25, 2010
    Posts:
    763
    Thx again for the test, it's nice info.
     
  4. harsha_mic

    harsha_mic Registered Member

    Joined:
    Mar 11, 2009
    Posts:
    815
    Location:
    India
    I am not sure if I understood you correctly. But it can be absolutely controlled only for unknown programs. See the screenshot which I've created...

    BTW, I have replaced my Comodo Firewall with OA Premium after using Comodo for a long time. Hope I will be back to it once the issues are resolved. After being adjusted to Comodo (very few alerts), I think it takes me some time to answer the amount of pop-ups OA produces...

    Thanks,
    Harsha
     


  5. aigle

    aigle Registered Member

    Joined:
    Dec 14, 2005
    Posts:
    11,164
    Location:
    UK / Pakistan
    Ok, some nice things about file defence: they have added 3 options there (for trusted, untrusted and unknown programs -- I like this, and also read, create, modify, delete options).

    I will tell you one important thing. With any classical HIPS, if you are using File Protection, try to make a bit liberal rules, otherwise you will get a lot lot lot of pop-up alerts. You will tackle it initially, until one day you get irritated by it and stop using it.
     
  6. aigle

    aigle Registered Member

    Joined:
    Dec 14, 2005
    Posts:
    11,164
    Location:
    UK / Pakistan
    For all the respected members here, excuse me if I don't reply to your posts or can't repeat the tests requested. I am overwhelmed with the Qs, PMs and requests after my recent three threads, here and over at the Comodo forums. I was in fact already too busy in my daily life. :mad:

    Hope all of you understand.

    I will however reply to all PMs.:)
     
  7. guest

    guest Guest

    In the Comodo test, was the malware active (infected the PC) or was it just copied into a folder?
    If you want popups like OA, just disable the sandbox.
     
    Last edited by a moderator: Apr 28, 2011
  8. 3x0gR13N

    3x0gR13N Registered Member

    Joined:
    May 1, 2008
    Posts:
    850
    The sandbox contained the sample from modifying the system, although even after I waited for some minutes the sample only dropped 2 files in root and ruined the 7-zip install folder (you can view that by going into Kaspersky's virtual/sandbox folder); I was expecting it to modify a lot more.
    (verified with TinyWatcher and manual searching - system clean)
     
  9. EboO

    EboO Registered Member

    Joined:
    Mar 12, 2011
    Posts:
    287
    Bufferzone is bypassed?
     
  10. cruelsister

    cruelsister Registered Member

    Joined:
    Nov 6, 2007
    Posts:
    1,649
    Location:
    Paris
    Regarding CIS5 - The first thing that I did after installing CIS was add all the browsers that I use to the run-in-sandbox function. Needless to say, the Registry and File System virtualization buttons are checked.

    With these settings I've done testing on diverse malware samples and have gotten results perfectly mirroring the excellent GeSWall program. So I guess I should assume that the testers did not have browsers specifically sandboxed?
     
  11. aigle

    aigle Registered Member

    Joined:
    Dec 14, 2005
    Posts:
    11,164
    Location:
    UK / Pakistan
    Testing was on default settings of CIS.
     
  12. aigle

    aigle Registered Member

    Joined:
    Dec 14, 2005
    Posts:
    11,164
    Location:
    UK / Pakistan
    Yes, but it was a test of CIS on default settings. CIS was supposed to contain it but it failed.
     
  13. jasonbourne

    jasonbourne Registered Member

    Joined:
    Aug 26, 2010
    Posts:
    275
    Can you test it with guest's point...?

    That is interesting. I thought the function of the CIS sandbox is not intended to be like Sandboxie (sandboxing browsers) but to sandbox unknown/unverified file types. If I may, what settings do you use for the CIS sandbox? I am using the PC with Outpost Pro/Avast IS installed. I'll boot up the other one with CIS/Avira Premium later to check the CIS sandbox.

    How about Avast Sandbox / Sandboxie / Bufferzone..? I wonder how they will fare. I hope someone, for the benefit of the members, can test this one with the apps mentioned in this whole thread.

    A friend alerted me to the post in the CIS forum but I am not able to view it. Heard of a similar inquiry at the Outpost forums; still have to read it, but it is HERE.

    I hope there will be a similar post or, say, inquiry at the Emsisoft forums...I have OA Premium also.

    Very good aigle. Great work!
     
    Last edited: Apr 28, 2011
  14. harsha_mic

    harsha_mic Registered Member

    Joined:
    Mar 11, 2009
    Posts:
    815
    Location:
    India
    Comodo has two variations of sandboxes:
    1) Automatic Sandbox (without file system and registry virtualization, which sandboxes unknown files automatically)
    2) Manual Sandbox (with file system and registry virtualization, like Sandboxie)

    What cruelsister is referring to is the manual sandbox part. We can manually add internet-facing apps to it. And whenever those apps run, Comodo virtualizes them completely and no harm can be done to the real system.

    BTW, CIS v6 will have its automatic sandbox upgraded with active/realtime file system virtualization.

     
  15. doktornotor

    doktornotor Registered Member

    Joined:
    Jul 19, 2008
    Posts:
    2,047
    Hmmm, I must be missing something here. So, what does it sandbox, if not filesystem and registry? o_O
     
  16. 3x0gR13N

    3x0gR13N Registered Member

    Joined:
    May 1, 2008
    Posts:
    850
    It simply restricts access to certain parts of the system based on the HIPS ruleset/restriction.
    (there's no actual redirection of file/registry operations, just auto blocking; a hipsbox rather than a sandbox)
     
  17. jasonbourne

    jasonbourne Registered Member

    Joined:
    Aug 26, 2010
    Posts:
    275
    @harsha_mic,
    Thanks there. Using Sandboxie, so that part I did not delve into. But I tested Opera 11 with the "Always Sandboxed" setting and it was okay; seems like OA RunSafer.

    Incidentally, a buddy alerted me to another CIS forum post about some actions to be taken in connection with this trojan. It's quite long (have not read it in full yet) but since it is relevant, the link is https://forums.comodo.com/leak-test...esearch/weakness-of-the-gpcode-t65960.45.html

    I also seem to have seen your username there :)
     
  18. Ranget

    Ranget Registered Member

    Joined:
    Mar 24, 2011
    Posts:
    846
    Location:
    Not Really Sure :/
    Really gr8 topics and test

    aigle

    I wish more programs got tested, like Mamutu, ThreatFire and other HIPS.

    Can you send me the sample for further testing?
     
  19. harsha_mic

    harsha_mic Registered Member

    Joined:
    Mar 11, 2009
    Posts:
    815
    Location:
    India
    This is not similar to OA's RunSafer. What OA does is, it essentially runs the targeted app as LUA. Here in CIS, if an app is added to the "Always Sandboxed" setting, file and registry virtualization will be activated. Meaning, if you download something to your desktop, you won't see the file on your desktop; instead it will be in "c:\?\..." (similar to this, I don't remember the name exactly, currently I'm using OA) like Sandboxie.

    Yeah, a lot of talk going on over there. In default settings Comodo's automatic sandbox is being bypassed. CIS v6 will handle it properly even in default settings.

    Yeah, it's me only :)
     
  20. doktornotor

    doktornotor Registered Member

    Joined:
    Jul 19, 2008
    Posts:
    2,047
    Well, the thing is, it does not appear to even block the FS/registry access (correctly) - see https://www.wilderssecurity.com/showpost.php?p=1864043&postcount=2
     
  21. 3x0gR13N

    3x0gR13N Registered Member

    Joined:
    May 1, 2008
    Posts:
    850
    It could simply mean that the folder in which the (now encrypted) files were wasn't in the list of monitored resources in the HIPS settings (there was no existing HIPS ruleset covering those files, either via folder access or via file types on a global level)... or that something really went awry.
     
  22. harsha_mic

    harsha_mic Registered Member

    Joined:
    Mar 11, 2009
    Posts:
    815
    Location:
    India
  23. harsha_mic

    harsha_mic Registered Member

    Joined:
    Mar 11, 2009
    Posts:
    815
    Location:
    India
    Yes, you are right. (someone correct me if I'm wrong :))
     
  24. _kronos_

    _kronos_ Registered Member

    Joined:
    Dec 8, 2008
    Posts:
    126
    Interesting observation.

    So Manual-Sandbox uses virtualization, and we can use it with:
    - right click > Run in Comodo sandbox
    - opening CIS > D+ > Run a program in the sandbox

    Auto-Sandbox, as we know, is started when an unknown program tries to execute, and does not have virtualization (only restriction of access to protected files/folders and other things, depending on the sandbox level we choose).

    Am I right?
     
  25. harsha_mic

    harsha_mic Registered Member

    Joined:
    Mar 11, 2009
    Posts:
    815
    Location:
    India
    Yes, you are right.
     
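The distinction drawn in posts 14, 16, 21 and 24 (a restriction-only "auto sandbox" that denies writes to a protected-resource list, versus a virtualizing "manual sandbox" that redirects every write to a private copy) can be modelled in a few lines. This is an added illustration, not Comodo's code; the file system, the protection list, and the "overwriter" standing in for the trojan are all constructed, and the point it shows is post 21's: with restriction only, a file outside the monitored list is lost, whereas with copy-on-write virtualization the real file survives regardless of the list.

```python
from copy import deepcopy

# Constructed "real" disk: one user file under a protected folder, one outside it.
REAL_FS = {
    r"C:\Users\me\Documents\thesis.doc": b"thesis text",
    r"D:\Photos\holiday.jpg": b"jpeg bytes",
}
# Constructed HIPS protected-resource list (the "monitored resources" of post 21).
PROTECTED = [r"C:\Windows", r"C:\Program Files", r"C:\Users\me\Documents"]
TARGETS = list(REAL_FS)  # paths the simulated unknown program tries to overwrite

def norm(path):
    """Case-insensitive Windows path comparison key."""
    return path.lower().rstrip("\\")

def is_protected(path, protected=PROTECTED):
    p = norm(path)
    return any(p == norm(r) or p.startswith(norm(r) + "\\") for r in protected)

class HipsSandbox:
    """Auto-sandbox model: deny writes to protected resources, pass everything else to the real disk."""
    def __init__(self, real_fs):
        self.real = deepcopy(real_fs)
    def write(self, path, data):
        if is_protected(path):
            return "blocked"
        self.real[path] = data      # unmonitored folder: the real file is overwritten
        return "written"
    def real_view(self):
        return self.real

class VirtualSandbox:
    """Manual-sandbox model: copy-on-write, every write lands in a shadow store, never on the real disk."""
    def __init__(self, real_fs):
        self.real = deepcopy(real_fs)
        self.shadow = {}
    def write(self, path, data):
        self.shadow[path] = data    # the sandboxed program sees its change; the real file is untouched
        return "redirected"
    def real_view(self):
        return self.real

def run_overwriter(box, targets=TARGETS):
    """Stand-in for the trojan: overwrite each target. Returns {path: (verdict, real_file_survived)}."""
    out = {}
    for p in targets:
        verdict = box.write(p, b"<overwritten>")
        out[p] = (verdict, box.real_view()[p] == REAL_FS[p])
    return out
```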