Gpcode trojan versus HIPS

Discussion in 'other anti-malware software' started by aigle, Apr 26, 2011.

Thread Status:
Not open for further replies.
  1. aigle

    aigle Registered Member
    Joined: Dec 14, 2005
    Posts: 11,164
    Location: UK / Pakistan

    Another test for classical HIPS.

    Gpcode trojan is ransomware. It encrypts many data file types on your PC and you will lose your data.
     
  2. aigle

    Comodo Defence Plus - default settings, but tightened the autosandbox to Untrusted instead of Partially Limited.

    It failed. Gpcode successfully encrypted many files on my PC.

    Attachments: cis 1.jpg, cis 2.jpg

    Last edited: Apr 26, 2011
  3. aigle

    GesWall - Passed. Gpcode could not touch any files. It created some dummy files that were all isolated by GW.

    Attachments: gw1.jpg, gw 2.jpg

    Last edited: Apr 26, 2011
  4. aigle

    OnlineArmor - It has a very nice feature. It detects if some executable wants to get a list of files on a partition/drive/memory stick etc. If you block it, malware can't modify the files/data etc.

    The only possible bug I faced was that OA did not give me a pop-up about gpcode trying to get a list of files (a pop-up is the expected behavior). It rather stopped gpcode itself from getting the list of files (maybe due to a cloud-based blacklist?).

    Anyway, gpcode could not do any harm.

    Attachments: oa 1.jpg, oa 2.jpg, oa 3.jpg
  5. aigle

    AppGuard - with high settings I ran Gpcode from the C:\Program Files folder as a guarded application and gpcode could not do any harm.

    AG Passed.

    Attachments: ag 1.jpg, ag 2.jpg
  6. Noob

    Noob Registered Member
    Joined: Nov 6, 2009
    Posts: 6,491

    Comodo is crap at default IMO :)
    You should disable all the auto allow, auto trust, scan in "cloud".

    If we want to be more techie, then tinker with the settings and sandbox :D
    All these auto trust and auto allow and scan in cloud make the program friendlier but cripple the classical HIPS a LOT.
  7. aigle

    Hi, it's not the auto-allow or auto-trust that is the problem here. The problem here is a deficient feature in Comodo Defence Plus. There is no filter/rule for the malicious behavior of gpcode in Comodo Defence Plus. So once it's allowed to be executed, the Comodo sandbox or HIPS cannot contain it. The same is true for many other HIPS like EQS, MD, etc.

    OA made a smart move and added such a feature. Comodo developers are still lazy to do this IMHO.
  8. Konata Izumi

    Konata Izumi Registered Member
    Joined: Nov 23, 2008
    Posts: 1,557

    Requesting test for Bufferzone PRO Free :)
  9. Kernelwars

    Kernelwars Registered Member
    Joined: Aug 12, 2010
    Posts: 2,155
    Location: TX

    aigle, if possible please test it against ZoneAlarm Free :rolleyes:
  10. aigle

    Hmmm... ZoneAlarm has no HIPS, it's just a FW, so it will fail the test for sure.
  11. Boyfriend

    Boyfriend Registered Member
    Joined: Jun 7, 2010
    Posts: 1,070
    Location: Pakistan

    aigle, if possible please test it against KIS (all components disabled except Application Control, System Watcher, and Proactive Defense) or share the sample via PM :)
  12. CoolWebSearch

    CoolWebSearch Registered Member
    Joined: Sep 30, 2007
    Posts: 1,247

    What about DefenseWall HIPS 3.11?
  13. yongsua

    yongsua Registered Member
    Joined: Feb 9, 2011
    Posts: 474
    Location: Malaysia

    Test Outpost Firewall and PrivateFirewall.
  14. aigle

    So sorry, but I will not be able to test on request, please. Hope you people will not mind. PM me if you want more details.
  15. Cutting_Edgetech

    Cutting_Edgetech Registered Member
    Joined: Mar 30, 2006
    Posts: 5,694
    Location: USA

    I noticed you are testing an old version of Online Armor, and also the free version. The latest premium release would perform much better than this older version. They added an AE (anti-executable), registry, and File Protection. The AE is my favorite addition to OA V5. It denies many more threats by default without having to prompt the user for input.
  16. aigle

    OA already passed, so I did not use the latest version.
  17. aigle

    So it's a blacklist? Is it there in the free version?

    Thanks
  18. _kronos_

    _kronos_ Registered Member
    Joined: Dec 8, 2008
    Posts: 126

    Comodo thinks that because gpcode is caught by their AV, there is no problem.

    IMHO this is a huge, and well known, bypass - but they don't think so.
  19. doktornotor

    doktornotor Registered Member
    Joined: Jul 19, 2008
    Posts: 2,047

    What?! So, they assume that their (horrible IMHO) AV is installed, so they ignore known malware in FW/HIPS since it "should be caught" by their AV? Oh maaan, this thing is going downhill really fast in the name of so-called "usability".

    o_O :gack:
  20. Baserk

    Baserk Registered Member
    Joined: Apr 14, 2008
    Posts: 1,321
    Location: AmstelodamUM

    - It's called 'File & Registry Shield'. I guess 'whitelist/whitelisting' is a better terminology regarding this approach?

    - Nope, only in the paid version, OA Premium. (Emsisoft has really given an extra reason to pay.. ;))
    From their online feature list:

    'By default, if an Unknown program tries to create, delete, modify or read a file in a location that matches a file rule, Online Armor will alert you to this behavior, giving you a chance to Allow or Block it. Untrusted programs are Blocked from taking these actions by default.

    By default, if an Unknown program tries to create, delete, modify or read a registry key in a location that matches a registry rule, Online Armor will alert you to this behavior, giving you a chance to Allow or Block it. Untrusted programs are Blocked from taking these actions by default.'

    OA Premium 5.0 features; link.

    P.S. Kudos for your testing.

    Last edited: Apr 27, 2011
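An added illustration, not code from the thread or from any product discussed in it, of what the file-enumeration rule described in post 4, the behavioural rule post 7 says Comodo lacks, and the Online Armor defaults quoted above amount to: a toy detector that reads constructed HIPS-style file events, flags a process that lists a directory and then writes several data-file types across several folders, and maps the result to Allow/Alert/Block by trust level. The log format, the trust store, the extension list and the thresholds are all assumptions.

```python
import re
from collections import defaultdict

# Constructed sample event log (not from the thread). One file-system event per
# line as a minimal HIPS might record it: "<time> <pid> <image> <op> <path>".
SAMPLE_LOG = r"""
10:00:01 4120 C:\Users\test\gpcode_sample.exe LIST C:\Users\test\Documents
10:00:01 4120 C:\Users\test\gpcode_sample.exe WRITE C:\Users\test\Documents\report.doc
10:00:02 4120 C:\Users\test\gpcode_sample.exe WRITE C:\Users\test\Documents\budget.xls
10:00:02 4120 C:\Users\test\gpcode_sample.exe WRITE C:\Users\test\Pictures\a.jpg
10:00:03 4120 C:\Users\test\gpcode_sample.exe WRITE C:\Users\test\Music\c.mp3
10:00:05 2200 C:\Program Files\Word\winword.exe WRITE C:\Users\test\Documents\report.doc
"""

EVENT_RE = re.compile(r"^(\S+) (\d+) (.+?) (LIST|READ|WRITE|DELETE|RENAME) (.+)$")
DATA_EXTS = {".doc", ".xls", ".jpg", ".mp3", ".pdf", ".txt", ".zip"}
# Hypothetical trust store: anything not listed is "Unknown" (OA's term).
TRUST = {r"C:\Program Files\Word\winword.exe": "Trusted"}

def parse(log):
    """Yield (pid, image, op, path) tuples; malformed lines are skipped."""
    for line in log.strip().splitlines():
        m = EVENT_RE.match(line)
        if m:
            yield m.group(2), m.group(3), m.group(4), m.group(5)

def suspicious_processes(log, min_files=3, min_dirs=2):
    """Return the images of processes that enumerated a directory and then
    modified at least min_files data files in at least min_dirs folders."""
    listed, files, dirs, image_of = set(), defaultdict(set), defaultdict(set), {}
    for pid, image, op, path in parse(log):
        image_of[pid] = image
        if op == "LIST":
            listed.add(pid)
        elif op in ("WRITE", "DELETE", "RENAME"):
            ext = path[path.rfind("."):].lower() if "." in path else ""
            if ext in DATA_EXTS:
                files[pid].add(path)
                dirs[pid].add(path.rsplit("\\", 1)[0])
    return {image_of[p] for p in listed
            if len(files[p]) >= min_files and len(dirs[p]) >= min_dirs}

def verdict(image, flagged):
    """Apply the quoted Online Armor defaults to a behaviour-rule match:
    Trusted -> Allow, Unknown -> Alert the user, Untrusted -> Block."""
    trust = TRUST.get(image, "Unknown")
    if trust == "Trusted":
        return "Allow"
    if trust == "Untrusted":
        return "Block"
    return "Alert" if image in flagged else "Allow"
```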
  21. harsha_mic

    harsha_mic Registered Member
    Joined: Mar 11, 2009
    Posts: 815
    Location: India

    And what about anti-executable?
  22. Night_Raven

    Night_Raven Registered Member
    Joined: Apr 2, 2006
    Posts: 388

    I've already done what aigle is doing now - a while ago I tested various programs against this threat out of personal curiosity. I had the same results as aigle.
    To fill in some missing information...
    PrivateFirewall handled it very well here. It blocked it in the way Online Armor did.
    DefenseWall also managed to protect the files.

    Comodo Firewall/IS, Malware Defender and Real-time Defender could protect files if such rules are created manually, but by default they do fail. MD and RtD however do protect files in the root directory of each drive at least, but that's about it.
  23. zerotox

    zerotox Registered Member
    Joined: Jul 16, 2009
    Posts: 419

    And what about LUA/SUA with SRP - will it pass?
  24. NormanN

    NormanN Registered Member
    Joined: Jan 14, 2011
    Posts: 67

    Thanks for the tests. I'm loving OA and DefenseWall (on different comps).

    P
  25. yongsua

    Thanks for the information, but how about Outpost? It failed? Thanks and Regards.