Comodo and GpCode revisited

Discussion in 'other anti-malware software' started by cruelsister, Jun 24, 2013.

Thread Status:
Not open for further replies.
  1. cruelsister

    cruelsister Registered Member

    Joined:
    Nov 6, 2007
    Posts:
    976
    Location:
    Paris
    Over the past few days I have tried to the best of my ability to infect computers protected by the new build of CIS6 with the Full Virtualization setting enabled to no avail. Former issues of the creation and deposition on the drives of Hidden files, various daughter programs, etc. no longer exist. Even CIS at stock seemed to be better. But as there is a difference between "seemed" and reality I decided to revisit a class of malware that Comodo had issues with in the past- the GpCode encryptors.

    To those that may be unfamiliar, the encyptors are a particularly nasty form of malware that will encrypt documents, pictures, etc. rendering them totally inaccessible. Although around for a while, they were a particular problem in 2008-9 with a resurgence in 2011 (this is when the Comodo susceptibility was discovered). Having some time I decided to revisit this topic.

    Digging around in my vault I selected a number of samples; the oldest was from 6-2008, the newest from late 2011. I then installed the latest version of CIS at totally default settings. The only thing that will vary would be the Behavior Blocker level. Please note that I had to disable both the AV component and network access. These samples are old and will be detected and eradicated by definitions and the cloud.

    1). With the BB at Full V- samples were run. No encryption seen, although I did get a popup notice (loved the Green Border) saying my files were now encrypted (lies, all lies!). This popup vanished either by a reboot or just by emptying the sandbox.

    2). With the BB at Untrusted- Like in the past, no malicious changes were seen.

    3). With the BB at Limited- Nothing whatsoever happened. System protected.

    4). With BB at the (sadly) default level of Partially Limited- Although CIS shrugged off some, it was not the case with all. The first and oldest sample was successfully able to break out of the sandbox with such a porous restriction level and zap my documents. At this point I suppose that I should delve into a further subtest of CIS at default with the various little additions made to protected files and folders that was such a hot topic on the Comodo boards back in 2011, but why bother? It is much more efficient just to right click the Comodo icon and step the sandbox up a level.

    To conclude, please don't use the Partially Limited Auto Sandbox level. There is no reason to do so when better options exist.
     
    Last edited: Jun 24, 2013
  2. cheater87

    cheater87 Registered Member

    Joined:
    Apr 22, 2005
    Posts:
    3,124
    Location:
    Pennsylvania.
    I always have mine set to block :)
     
  3. Solarlynx

    Solarlynx Registered Member

    Joined:
    Jun 25, 2011
    Posts:
    1,913
    The problem with BB is that it reacts silently, without warning that it blocks or somehow else limited unknown app.
     
  4. mhl6493

    mhl6493 Registered Member

    Joined:
    Apr 20, 2010
    Posts:
    230
    Location:
    Tennessee
    So Cruelsister, would you personally recommend setting the sandbox at "untrusted" or "fully virtualized"? Thanks!
     
  5. a256886572008

    a256886572008 Registered Member

    Joined:
    Oct 26, 2007
    Posts:
    103
    The users can add one line to the protected files.

    ?:\*
     
  6. aigle

    aigle Registered Member

    Joined:
    Dec 14, 2005
    Posts:
    11,047
    Location:
    Saudi Arabia/ Pakistan
    One more better thing, Defence plus now blocks file infectors ( blackday trojan) and encrypters ( go code Trojan). It wil give a pop up alert of direct disk access by malware and if you deny this, malware can,t do its harm. Nice work indeed.
     
  7. cruelsister

    cruelsister Registered Member

    Joined:
    Nov 6, 2007
    Posts:
    976
    Location:
    Paris
    Guess I should have been a bit clearer-

    1). Blackday was the name for a 2011 encryptor variant (if memory serves that was the term coined by Symantec). This is indeed blocked.
    2). For the 2008 variant, the ?:\* and/or the "\Device\KsecDD" doesn't protect. Even if it did, as I pointed out it is a bunch easier to just right click an icon and bump the auto sandbox setting up a notch than playing around in Protected files adding things that most users can't understand in the first place.

    To Solar- You will get a BB popup letting one know that the file has been sandbox as whatever.

    To MHL- I absolutely would run CIS at either Full V or Untrusted. You will get the same BB alert if you run into something unknown no matter what Sandbox setting you are using, so no difference there. And I have never noticed any real world inconveniences among the settings.

    Choosing between Untrusted and Full V is users choice. With Untrusted if you run into some malware you may see some orphaned files or actually live malware daughters in places like App Data or Roaming. They will just sit there until one does a 3rd party scan and they get picked up. Some have called this a Fail; I call it trivial.

    With the Full V setting all will be contained in a directory on your C drive that CIS creates (VT Root). Clean the sandbox and it is gone.

    One last thing- please again note that the files discussed are very old (even the excellent Mb has only retained a definition for one of the samples) and aren't out in the Wild anymore (no sample requests, please!). However there are currently malware that as part of whatever the package is meant to do will disable Task Manager and Regedit (the old "Task Manager has been disabled by your Administrator" routine). The stock Partially Limited setting will allow this to happen. A higher Auto-Sandbox level will prevent it. There is no reason not to bump it up.
     
    Last edited: Jun 24, 2013
  8. ZeroDay

    ZeroDay Registered Member

    Joined:
    Jul 9, 2011
    Posts:
    693
    Location:
    Hogwarts.
    It seems like Comodo could do with changing their default settings. Thanks for your work Cruelsister.
     
  9. mhl6493

    mhl6493 Registered Member

    Joined:
    Apr 20, 2010
    Posts:
    230
    Location:
    Tennessee
    Thanks for the info and explanation, Cruelsister. Much appreciated!
     
  10. andyman35

    andyman35 Registered Member

    Joined:
    Nov 2, 2007
    Posts:
    2,336
    I agree 100%

    I install and try out a lot of different software and I'm yet to see any adverse effects using "Fully-Virtualized" sandbox.
     
  11. blacknight

    blacknight Registered Member

    Joined:
    Sep 25, 2007
    Posts:
    2,433
    Location:
    Europe
    CIS's sandbox is not mature: many exploits and bugs. I don't use it, only Defense + in Paranoid Mode, so I can also check better my system.
     
  12. The Red Moon

    The Red Moon Registered Member

    Joined:
    May 17, 2012
    Posts:
    3,871
    @Cruelsister..
    Thank you for your information and testing,much appreciated.
    Hmm..trying to deliberately infect a computer with comodo installed and failing..wow that is indeed a very cruel thing to do and i feel sorry for the computer lol.

    On a serious note.There have been instances where some malware has bypassed the sandbox and these are documented on the comodo forum although whether they were encryptors i am not sure and hopefully these holes have been fixed.
     
  13. mhl6493

    mhl6493 Registered Member

    Joined:
    Apr 20, 2010
    Posts:
    230
    Location:
    Tennessee
    I hope so too, Amiga. But one thing I'm discovering about Comodo is that the words "hope" and "fixed" are used quite often in the same sentence regarding their products... ;)
     
  14. The Red Moon

    The Red Moon Registered Member

    Joined:
    May 17, 2012
    Posts:
    3,871
    Yes i would have to agree with you there..Up to now apparently 400 bugs have been fixed.:eek:

    I think it would be safe to say that v6.0 was released far too early.;)

    I visited some malware sites earlier and i will give comodo credit here as it stopped everything and their av has improved a lot over the years.

    Currently its on a trial period here to see how it performs in terms of resource usage etc and at the moment it is very well behaved and functions far better than v6.0.

    Time will tell.:D
     
  15. mhl6493

    mhl6493 Registered Member

    Joined:
    Apr 20, 2010
    Posts:
    230
    Location:
    Tennessee
    That's true. It definitely seems to be improving. And I'm finding that no matter what else I try as far as internet security is concerned, I eventually wind up back at CIS. What they make available for free - in spite of the bugs - is pretty impressive.
     
  16. The Red Moon

    The Red Moon Registered Member

    Joined:
    May 17, 2012
    Posts:
    3,871
    Agreed.
    For free its a fabulous program.:thumb:
     
  17. spywar

    spywar Registered Member

    Joined:
    Oct 23, 2012
    Posts:
    583
    Location:
    Paris
    They have been doing great bug fixing over the last builds IMO. 6.2 is quite stable. The AV is not lacking, actually it's really powerfull now.
     
  18. ZeroDay

    ZeroDay Registered Member

    Joined:
    Jul 9, 2011
    Posts:
    693
    Location:
    Hogwarts.
    What would you say is the main contributing factor in the av's recent dramatic improvement?
     
  19. spywar

    spywar Registered Member

    Joined:
    Oct 23, 2012
    Posts:
    583
    Location:
    Paris
    Yes. :thumb:
     
  20. ZeroDay

    ZeroDay Registered Member

    Joined:
    Jul 9, 2011
    Posts:
    693
    Location:
    Hogwarts.
    Yes what? I meant what has caused the av to improve so much?
     
  21. spywar

    spywar Registered Member

    Joined:
    Oct 23, 2012
    Posts:
    583
    Location:
    Paris
    Ah sorry. Valkyrie.
     
  22. ZeroDay

    ZeroDay Registered Member

    Joined:
    Jul 9, 2011
    Posts:
    693
    Location:
    Hogwarts.
    Is Valkyrie being used as the cloud now?
     
  23. spywar

    spywar Registered Member

    Joined:
    Oct 23, 2012
    Posts:
    583
    Location:
    Paris
    Valkyrie is being used to generate signs for unknown files. Especially the advheur part.
     
  24. ZeroDay

    ZeroDay Registered Member

    Joined:
    Jul 9, 2011
    Posts:
    693
    Location:
    Hogwarts.
    Thanks for the clarification Spywar. Do you think there's any chance Comodo would add a web filter?
     
  25. spywar

    spywar Registered Member

    Joined:
    Oct 23, 2012
    Posts:
    583
    Location:
    Paris
    Sorry, don't know.
     
Loading...
Thread Status:
Not open for further replies.