Some unique HIPS features

I will do "what Bellgamin wants".

 

Obviously not just text files it attacks.

http://www.symantec.com/security_response/writeup.jsp?docid=2005-052215-5723-99&tabid=2

I guess the best I could do with EQS would be to limit access to these files types. Thinking of the number of pop-up's, don't think I'll bother.

Do any behavioural blockers like Threatfire or Mamutu detect this kind of behaviour? What about Defensewall? Seems to me that protection from ransomware like this is something for a 'smart' behavioural blocker rather than a classical HIP's.

 

Seems you are right. I have not tried behav blockers with this malware but will try to test with TF.

 

Thanks hammerman.

 

Hello hammerman,

I have personally tested the GPcode trojan in question against both DefenseWall and Primary Response SafeConnect. The former was able to successfully block and contain it while the latter was not.


Peace & Gratitude,

CogitoErgoSum

 

I am a CFP user. As such, I strongly support your proposal to add such filters to CFP (Defense+). I want to endorse your comments at Comodo's forums, but couldn't find your post. Link please?

 

GW stops it too.

 

http://forums.comodo.com/leak_testi...acking_features_in_defence_plus-t24754.0.html

 

These kind of features would be useful as an heuristic analyzer module in a classical HIPS. Then, you would have an hybrid between a HIPS and a behav. blocker.

 

Thanks for test results. Didn't expect DW (or GW) to protect against this. I thought protection from ransomware would be more prominent in their feature list.

Any chance you could PM me a link to GPcode. I'd like to test against OA's run safer and Mamutu.

 

Always expects unexpected.

 

Lesson learnt. Seems like this protection could be quite unique though. Looking forward to seeing if TF and Mamutu are up to the challenge. Response from OA is that this is a feature that may be added in future.

Does DW protect against GPcode simply by running malware file untrusted or does the resource protection need to be used?

 

Well, I'm not sure if DW covers all the file types Gpcode encodes. But most of them are, as I know, the most important for an average user. Will check out later.

 

Tested sample of GPcodei courtesy CogitoErgoSum.

Sandboxie completely isolates infection
OA run safer fails to protect
Mamutu quiet as a mouse in Paranoid Mode (waste of good memory space IMO)
AntiVir detects infection
EQS 3.41 unable to do anything about it

 

Thanks Ilya,

I haven't used DW for a while since there is a conflict on my system when I run Sandboxie, OA and DW together.

As I understand it, an untrusted process cannot modify any other files and this is how it protects against GPcode. Are you saying there are some exceptions to this rule for certain file types?

 

No, it,s not.

 

GW( i think) and DW will protect against it.

 

I would like to test this GPcode do not have sample though

 

Why not. Registry n files both. No protection if u can,t protect files. Just they don,t rely heavily on virtualization, only as musch as needed.

 

I PMed u, pls share ur results but take care not to loose ur data.

 

thanks.I will post after test.Here is what I got from KAV.

 

I tried it with GW to be sure. Excellent job by GW on default settings.