Ransomware versus Comodo HIPS, GesWall and Comodo Sandbox

Discussion in 'other anti-malware software' started by aigle, Jul 29, 2016.

  1. aigle

    aigle Registered Member

    Joined:
    Dec 14, 2005
    Posts:
    11,164
    Location:
    UK / Pakistan
    It is OK to allow ransomware while testing a HIPS, but if you allow the malware to execute other system processes like svchost.exe or explorer.exe, there is no way that a HIPS can protect the system, because the ransomware takes control of trusted processes like explorer.exe and does whatever it wants. No HIPS can protect against this. Sandboxes are different though.
     
  2. guest

    guest Guest

    I guess SS allows the children if the parent is allowed, which is a weakness to me. A proper HIPS should at least have a setting to control a parent's ability to execute children.
     
  3. ichito

    ichito Registered Member

    Joined:
    Jan 14, 2011
    Posts:
    1,997
    Location:
    Poland - Cracow
    I think I would rather disagree; as I remember, I saw many examples of it asking about a child process / its new action.
    Everything depends on:
    - the active protection level
    - whether the parent process is on a trusted list (built-in or the user's own)
    - what is automatically allowed in the list of monitored actions
    - how the basic/advanced rules for the parent process are set
    - how the rules in the Application Execution Control tab (firewall only) are set.
    GeSWall... even free?
    Hmm... great result.
     
    Last edited: Aug 3, 2016
  4. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    17,546
    Location:
    The Netherlands
    No, SS gives an option to block child process execution. But my point was that sandboxes are the safer bet when it comes to mitigating ransomware. With HIPS like WAR, HMPA and MBARW, there is always a chance they will be bypassed, because they couldn't recognize suspicious file system activity. Or that they will generate too many false positives.
     
  5. aigle

    aigle Registered Member

    Joined:
    Dec 14, 2005
    Posts:
    11,164
    Location:
    UK / Pakistan
    Yes even free.
     
  6. itman

    itman Registered Member

    Joined:
    Jun 22, 2010
    Posts:
    8,592
    Location:
    U.S.A.
    It appears ransomware is migrating to using the crypto API. As such, it will be very difficult to detect if said API call is embedded in a .NET program or assembly, for example.
     
  7. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    17,546
    Location:
    The Netherlands
    I think the biggest problem for HIPS is trying to detect which process is doing the encrypting. Most ransomware nowadays injects code into explorer.exe or svchost.exe, so if you can stop that, I assume you have already won the battle.

    But it should be easy for a HIPS to spot that a lot of files are being modified in a short amount of time; the problem is they will always be too late to save all files. So tools like HMPA, WAR and MBARW also look at other parameters. The best solution would be a sandbox combined with HIPS.
     
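    The rate-based heuristic described in the post above, as an added example that is not part of the thread and not code from any product named in it (HMPA, WAR, MBARW): a sliding-window burst detector run over a constructed file-event log. The event format, image names, window length and threshold are assumptions. It deliberately does not whitelist explorer.exe or svchost.exe, and it reports how many files a process had already modified when the alert fired, which is the lateness problem the post describes.

```python
"""Burst-rate heuristic of the kind a HIPS might use to spot ransomware.

Added example; not code from the thread or from any product named in it.
Event format, image names, window and threshold are all assumptions.
"""
from collections import defaultdict, deque
from typing import Dict, Iterable, List, NamedTuple, Tuple


class FileEvent(NamedTuple):
    ts: float      # seconds
    pid: int
    image: str     # process image as the HIPS would attribute the I/O
    path: str
    action: str    # "write" or "rename"


# Assumption: images that ransomware commonly injects into. The detector does
# NOT whitelist them; the file-rate is judged per pid regardless of the image.
INJECTION_TARGETS = {"explorer.exe", "svchost.exe"}

WINDOW_SECONDS = 5.0   # assumed sliding window
BURST_THRESHOLD = 8    # assumed number of distinct files in the window before alerting


def sample_events() -> List[FileEvent]:
    """Constructed log: one editor save, an injected explorer.exe renaming 20
    documents in a burst, and a backup tool writing 12 files one per second."""
    events = [FileEvent(0.0, 1001, "notepad.exe", r"C:\Users\u\notes.txt", "write")]
    events += [
        FileEvent(10.0 + 0.2 * i, 4321, "explorer.exe",
                  rf"C:\Users\u\Documents\doc{i}.docx.locked", "rename")
        for i in range(20)
    ]
    events += [
        FileEvent(20.0 + 1.0 * i, 2002, "backup.exe", rf"D:\backup\file{i}.bak", "write")
        for i in range(12)
    ]
    return events


def detect_bursts(events: Iterable[FileEvent],
                  window: float = WINDOW_SECONDS,
                  threshold: int = BURST_THRESHOLD) -> List[dict]:
    """Alert once per pid when it touches >= threshold distinct files within `window` seconds.

    Each alert records the pid, image, alert time, whether the image is a common
    injection target, and how many files that pid had already modified when the
    alert fired (the "too late to save all files" problem).
    """
    recent: Dict[int, deque] = defaultdict(deque)   # pid -> (ts, path) inside the window
    touched: Dict[int, set] = defaultdict(set)      # pid -> every path modified so far
    alerted = set()
    alerts = []
    for ev in sorted(events, key=lambda e: e.ts):
        touched[ev.pid].add(ev.path)
        q = recent[ev.pid]
        q.append((ev.ts, ev.path))
        while q and ev.ts - q[0][0] > window:   # drop events older than the window
            q.popleft()
        if ev.pid in alerted:
            continue
        distinct_in_window = len({p for _, p in q})
        if distinct_in_window >= threshold:
            alerted.add(ev.pid)
            alerts.append({
                "pid": ev.pid,
                "image": ev.image,
                "ts": ev.ts,
                "injected_trusted_image": ev.image.lower() in INJECTION_TARGETS,
                "files_hit_before_alert": len(touched[ev.pid]),
            })
    return alerts


def damage_before_alert(events: Iterable[FileEvent],
                        alerts: List[dict]) -> Dict[int, Tuple[int, int]]:
    """pid -> (files modified before the alert fired, files the process modified in total)."""
    total: Dict[int, set] = defaultdict(set)
    for ev in events:
        total[ev.pid].add(ev.path)
    return {a["pid"]: (a["files_hit_before_alert"], len(total[a["pid"]])) for a in alerts}


if __name__ == "__main__":
    evs = sample_events()
    found = detect_bursts(evs)
    for a in found:
        print(a)
    print(damage_before_alert(evs, found))
```

    With these constructed values the detector fires on the injected explorer.exe after its eighth rename, by which point 8 of the 20 documents are already gone, and it never fires on the backup tool that writes one file per second. In a real HIPS the events would come from a file-system filter driver and the response would have to be a block, not just an alert; the trade-off between the threshold and false positives on legitimate bulk writers is exactly the one the post mentions.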