Comodo and GpCode revisited

Over the past few days I have tried to the best of my ability to infect computers protected by the new build of CIS6 with the Full Virtualization setting enabled to no avail. Former issues of the creation and deposition on the drives of Hidden files, various daughter programs, etc. no longer exist. Even CIS at stock seemed to be better. But as there is a difference between "seemed" and reality I decided to revisit a class of malware that Comodo had issues with in the past- the GpCode encryptors.

To those that may be unfamiliar, the encyptors are a particularly nasty form of malware that will encrypt documents, pictures, etc. rendering them totally inaccessible. Although around for a while, they were a particular problem in 2008-9 with a resurgence in 2011 (this is when the Comodo susceptibility was discovered). Having some time I decided to revisit this topic.

Digging around in my vault I selected a number of samples; the oldest was from 6-2008, the newest from late 2011. I then installed the latest version of CIS at totally default settings. The only thing that will vary would be the Behavior Blocker level. Please note that I had to disable both the AV component and network access. These samples are old and will be detected and eradicated by definitions and the cloud.

1). With the BB at Full V- samples were run. No encryption seen, although I did get a popup notice (loved the Green Border) saying my files were now encrypted (lies, all lies!). This popup vanished either by a reboot or just by emptying the sandbox.

2). With the BB at Untrusted- Like in the past, no malicious changes were seen.

3). With the BB at Limited- Nothing whatsoever happened. System protected.

4). With BB at the (sadly) default level of Partially Limited- Although CIS shrugged off some, it was not the case with all. The first and oldest sample was successfully able to break out of the sandbox with such a porous restriction level and zap my documents. At this point I suppose that I should delve into a further subtest of CIS at default with the various little additions made to protected files and folders that was such a hot topic on the Comodo boards back in 2011, but why bother? It is much more efficient just to right click the Comodo icon and step the sandbox up a level.

To conclude, please don't use the Partially Limited Auto Sandbox level. There is no reason to do so when better options exist.

 

I always have mine set to block

 

The problem with BB is that it reacts silently, without warning that it blocks or somehow else limited unknown app.

 

So Cruelsister, would you personally recommend setting the sandbox at "untrusted" or "fully virtualized"? Thanks!

 

The users can add one line to the protected files.

?:\*

 

One more better thing, Defence plus now blocks file infectors ( blackday trojan) and encrypters ( go code Trojan). It wil give a pop up alert of direct disk access by malware and if you deny this, malware can,t do its harm. Nice work indeed.

 

Guess I should have been a bit clearer-

1). Blackday was the name for a 2011 encryptor variant (if memory serves that was the term coined by Symantec). This is indeed blocked.
2). For the 2008 variant, the ?:\* and/or the "\Device\KsecDD" doesn't protect. Even if it did, as I pointed out it is a bunch easier to just right click an icon and bump the auto sandbox setting up a notch than playing around in Protected files adding things that most users can't understand in the first place.

To Solar- You will get a BB popup letting one know that the file has been sandbox as whatever.

To MHL- I absolutely would run CIS at either Full V or Untrusted. You will get the same BB alert if you run into something unknown no matter what Sandbox setting you are using, so no difference there. And I have never noticed any real world inconveniences among the settings.

Choosing between Untrusted and Full V is users choice. With Untrusted if you run into some malware you may see some orphaned files or actually live malware daughters in places like App Data or Roaming. They will just sit there until one does a 3rd party scan and they get picked up. Some have called this a Fail; I call it trivial.

With the Full V setting all will be contained in a directory on your C drive that CIS creates (VT Root). Clean the sandbox and it is gone.

One last thing- please again note that the files discussed are very old (even the excellent Mb has only retained a definition for one of the samples) and aren't out in the Wild anymore (no sample requests, please!). However there are currently malware that as part of whatever the package is meant to do will disable Task Manager and Regedit (the old "Task Manager has been disabled by your Administrator" routine). The stock Partially Limited setting will allow this to happen. A higher Auto-Sandbox level will prevent it. There is no reason not to bump it up.

 

It seems like Comodo could do with changing their default settings. Thanks for your work Cruelsister.

 

Thanks for the info and explanation, Cruelsister. Much appreciated!

 

I agree 100%

I install and try out a lot of different software and I'm yet to see any adverse effects using "Fully-Virtualized" sandbox.

 

CIS's sandbox is not mature: many exploits and bugs. I don't use it, only Defense + in Paranoid Mode, so I can also check better my system.

 

@Cruelsister..
Thank you for your information and testing,much appreciated.
Hmm..trying to deliberately infect a computer with comodo installed and failing..wow that is indeed a very cruel thing to do and i feel sorry for the computer lol.

On a serious note.There have been instances where some malware has bypassed the sandbox and these are documented on the comodo forum although whether they were encryptors i am not sure and hopefully these holes have been fixed.

 

I hope so too, Amiga. But one thing I'm discovering about Comodo is that the words "hope" and "fixed" are used quite often in the same sentence regarding their products...

 

Yes i would have to agree with you there..Up to now apparently 400 bugs have been fixed.

I think it would be safe to say that v6.0 was released far too early.

I visited some malware sites earlier and i will give comodo credit here as it stopped everything and their av has improved a lot over the years.

Currently its on a trial period here to see how it performs in terms of resource usage etc and at the moment it is very well behaved and functions far better than v6.0.

Time will tell.

 

That's true. It definitely seems to be improving. And I'm finding that no matter what else I try as far as internet security is concerned, I eventually wind up back at CIS. What they make available for free - in spite of the bugs - is pretty impressive.

 

Agreed.
For free its a fabulous program.

 

They have been doing great bug fixing over the last builds IMO. 6.2 is quite stable. The AV is not lacking, actually it's really powerfull now.

 

What would you say is the main contributing factor in the av's recent dramatic improvement?

 

Yes.

 

Yes what? I meant what has caused the av to improve so much?

 

Ah sorry. Valkyrie.

 

Is Valkyrie being used as the cloud now?

 

Valkyrie is being used to generate signs for unknown files. Especially the advheur part.

 

Thanks for the clarification Spywar. Do you think there's any chance Comodo would add a web filter?

 

Sorry, don't know.