Blackday trojan versus HIPS

Eh well... OS can be reinstalled easily. Your data destroyed by ransomware cannot be reinstalled really. You either have a backup, or have lost those permanently. I seriously do not get the thinking behind this design. Sandbox is pretty much a misnomer for similar feature.

 

So, honestly, the best way to use this sandbox seems to be to always run unknown program via right click - and forget the auto sandbox feature

In this way i think that an option to clean, browsing via Comodo GUI, all the sandboxed entries created in Vritualroot folder is needed (otherwise we'll be full of unnecessary "temp" files)

 

Interesting...
How about Avast ver6 Sandbox..? Can someone test this with Avast Sandbox so users will know "if" it also fails or not? I am sure a lot here are eager to know how it will fair as compared with the others who were tested. Anyone...?

Mamutu would nice also. Privatefirewall...?

 

I think only certain types of ransomwares could able to destroy non-OS files bypassing comodo's sandbox. But, the said ransomwares (threads created by agile) and its variants are detected by CAV and cloud scanners (as per egemen).

Only problem is what if unknown variant knocks our door??
For this, the simple mitigation is just add following to protected file/folder list
- file types
- personal folders (documents/movies/music/installations)

I think treating rundll32.exe as limited app would even mitigate the issue without the above trick. but some one needs to test it...

 

AV is not any solution here. Stuff gets missed by AVs daily. Does not even have to be ransomware, imagine some "autosandboxed" script merely tries to wipe %USERPROFILE% - does not seem like CIS "autosandbox" would say a beep about this?

 

Thanks

 

Appguard'd defense is directed to keeping malware out of your PC by denying programs being executed by guarded applications. So when you have moved something out of user space, into admin space and executing it is sort of shooting it in the back. Testing it this way is like prooving you can shoot a security guard in the back.

Most HIPS have protection on many attack vectors, like loading of a driver, installing a driver, getting debugging rights, process modification, dll-injection, etc. AG only watches process (memory) modification of those attack vectors, to close the posible exploit gap of changing a guarded aps memory and THEN getting executed.

Regards Kees

 

I think I tested AG in the wrong way. Actually I wanted to check the sandbox function of AG once a nalware is allowed to execute but I could not find an easy way to do this.

Infcat I have used AG very less that caused this mistake. Sorry for that. I was not sure, that,s the reason I did not even contact AG support and waited until some AG user commnets on my findings.

If you find a way to test AG as I want let me know. May be I decrease the protection level down from max?

Thanks for ur correction.

 

Well ApGuard is very difficult to test. You need a website and some live javascript exploit,or a media file with an exploit. Everything else is comparable by installing something as trusted with GeSWall. There is no prevention (other than MBG Gruard) after something is allowed to execute by the user. I allways enjoy reading your test post by the way.

 

Thanks.

BTW I executed the sample with medium settings from desktop. It will run gaurded by this way. Almost all malicious actions were stopped except that ntuser.ini and desktop files were overwritten with malware copies plus a few other eired things, My Documents became hidden from the wondow when you open My Computer and some hidden system files in C partion became visisble etc etc.

 

Where are you getting the idea from to guard this malware.exe before running it?

Nevermind, lol. I didn't read above where Kees1958 addressed this. Sorry

 

Thanks for the tests, much appreciated.
If anyone with this sample and sandboxie - please post the results ^^ also avast sandbox would be interesting too.

 

With one of PG, DSA, SSM or WinSonar (Shield Up!) + EXE Hound, or MD, this bug doesn't stand a chance. We need better malware writers. I'm getting bored with these guys and their collective lack of creativity.

Dave

 

Thank you for all the tests.

Could blackday do any damage to system if it starts inside LUA?

 

Same sentiments here. Waiting here. Especially Avast sandbox because I am using it along with SBIE. Soem are waiting on DefenseWall / BufferZone too.

 

Great job aigle! Curious how Malware Defender will act. Also awaiting DWPF result.

 

Thanks aigle for all the HIPS test you do!

And thanks 3x0gR13N for testing KIS... I would have asked for..

 

drive sentry blocks it and every new trojan whatever scum rofl

 

can you test Mamutu?

 

did drvesentry has a signiture for it or the behabiour blocker or hips engine found it?thanks

 

Going to test this against ProcessGuard & Zemana, soon.

Thanks to aigle for the baddie

 

let us know clone ranger

 

Testing blackday Trojan against ProcessGuard & Zemana

Disabled Avira & Prevx & enabled ShadowDefender

DC'd black-day.exe



Due to



Unticked that & DC'd black-day.exe again & allowed this



PG blocked this



Process Explorer showed LOTS of activity as black-day was busy doing it's dirty deeds. This included altering files on my D/Partition as well as C/ Fortunately i had enabled both partitions with SD If not

After a few minutes i had seen enough, and unexpectedly i was able to kill black-day.exe via Task Manager

Not a peep out of Zemana though ? So i allowed Service installations in PG & tried again. Zemana still didn't alert me to anything ! Let's not forget that Z is NOT meant to be a full blown HIPS product, the extra protection it does give along with it's Excellent KL duties is a bonus. And i have personally had it blocking other nasties etc in previous tests.

Rebooting and thanks to SD everything was back to normal

So ProcessGuard on it's own was enough to stop this nasty dead on arrival

 

DriveSentry is a WhiteList Programm..

 

Would Comodo's HIPS intercept the changes if the sandbox is disabled?