Comodo I.S. 5.8 FINAL vs. Trojan.Win32 GPCODE (comodo bypassed)

Discussion in 'other anti-malware software' started by manar58, Oct 31, 2011.

Thread Status:
Not open for further replies.
  1. manar58

    manar58 Registered Member

    Joined:
    Sep 22, 2011
    Posts:
    75
    Comodo I.S. 5.8 FINAL vs. Trojan.Win32 GPCODE (comodo bypassed)!!!!
    ~~~ link to mediafire download removed ~~~ o_O
     
    Last edited by a moderator: Oct 31, 2011
  2. jmonge

    jmonge Registered Member

    Joined:
    Mar 20, 2008
    Posts:
    12,883
    Location:
    Canada
  3. manar58

    manar58 Registered Member

    Joined:
    Sep 22, 2011
    Posts:
    75
  4. mrpink

    mrpink Registered Member

    Joined:
    Mar 29, 2010
    Posts:
    376
    The workaround
    -http://www.youtube.com/watch?v=p2ZV4aEeNy0&feature=channel_video_title-
     
  5. pandorax

    pandorax Registered Member

    Joined:
    Feb 14, 2011
    Posts:
    330
    So what? How will you be infected by gpcode anyway? :p
     
  6. jasonbourne

    jasonbourne Registered Member

    Joined:
    Aug 26, 2010
    Posts:
    247
    I believe the workaround has been discussed in the comodo forums including steps to take on certain scenarios. Here
     
  7. Hungry Man

    Hungry Man Registered Member

    Joined:
    May 11, 2011
    Posts:
    9,148
    I did this test a while ago lol. AV/heuristics pick it up and the manual sandbox breaks it.
     
  8. jasonbourne

    jasonbourne Registered Member

    Joined:
    Aug 26, 2010
    Posts:
    247
    :thumb: :thumb: :thumb:
     
  9. cruelsister

    cruelsister Registered Member

    Joined:
    Nov 6, 2007
    Posts:
    977
    Location:
    Paris
    To play fair put any other Internet Security package in a VM. Shut off the AV (you'll have to shut down the AV as just about EVERYONE detects it). Run GpCode against it. How do you think it will do?

    With CIS you can add a rule simply and easily to prevent harm. Could you do the same with the major AV suites?
     
  10. Hungry Man

    Hungry Man Registered Member

    Joined:
    May 11, 2011
    Posts:
    9,148
    With CIS I ended up just disabling the autosandbox and manually sandboxing instead.
     
  11. Brocke

    Brocke Registered Member

    Joined:
    Mar 16, 2008
    Posts:
    2,191
    Location:
    USA,IA
    How does Sandboxie handle this?
     
  12. Hungry Man

    Hungry Man Registered Member

    Joined:
    May 11, 2011
    Posts:
    9,148
    Default Sandboxie settings should break it.
     
  13. lordraiden

    lordraiden Registered Member

    Joined:
    Jan 30, 2006
    Posts:
    3,085
    It's so good to see how a "bypass" in Comodo deserves a thread while the other products that are bypassed daily by hundreds of malware don't deserve it. :D
    /ironic mode OFF

    More info here: https://forums.comodo.com/news-anno...do-58-bypassed-by-trojan-gpcode-t77548.0.html

    It will be fixed in v6
    https://forums.comodo.com/leak-test...-the-gpcode-t65960.0.html;msg512678#msg512678

    Egemen
     
    Last edited: Oct 31, 2011
  14. kjdemuth

    kjdemuth Registered Member

    Joined:
    Jul 29, 2005
    Posts:
    2,960
    Location:
    Boston, MA
    And this is why I don't rely on just one layer of security.
     
  15. a256886572008

    a256886572008 Registered Member

    Joined:
    Oct 26, 2007
    Posts:
    103
    If the user adds an item to the protected files, then COMODO auto sandbox will block it.

    ?:\*

    -----------------------
    So, the problem is just the rule of protected files only.

    :cautious:
     
  16. harsha_mic

    harsha_mic Registered Member

    Joined:
    Mar 11, 2009
    Posts:
    791
    Location:
    India
    Apart from the above suggestion of yours, I added the following entries and I don't have any issues during my daily usage -
     

    Attached Files:

  17. Ranget

    Ranget Registered Member

    Joined:
    Mar 24, 2011
    Posts:
    846
    Location:
    Not Really Sure :/
    Anyone test it against Online Armor?
     
  18. Zyrtec

    Zyrtec Registered Member

    Joined:
    Mar 4, 2008
    Posts:
    534
    Location:
    USA

    At last, someone with common sense!

    I've been proposing those rules here and at the Comodo forums but everybody has turned a blind eye to it. Those rules are a NO BRAINER because nearly 90% of the Trojan Fake Alerts and rootkits execute from these locations... Even McAfee has been suggesting these rules be implemented by system administrators for VirusScan Enterprise 8.7i and 8.8i wherever this software is run [our company runs it on nearly 5000 workstations].

    Thus, I do not see the real reason why Comodo hasn't implemented these simple rules on a default installation of CIS or the Firewall with D+.

    Win XP
    C:\Documents and Settings\*\Local Settings\Application Data\*.exe
    C:\Documents and Settings\*\Local Settings\Application Data\*.sys

    Win 7
    C:\Documents and Settings\*\Application Data\*.exe
    C:\Documents and Settings\*\Application Data\*.sys

    See my posts:

    https://www.wilderssecurity.com/showpost.php?p=1944177&postcount=420

    https://www.wilderssecurity.com/showpost.php?p=1958260&postcount=513

    Carlos
     
  19. Noob

    Noob Registered Member

    Joined:
    Nov 6, 2009
    Posts:
    6,468
    THIS! :thumb:
    Me wants to check out Online Armor and how it performs with different settings, pleaaaaaaaaaaase :rolleyes: :D
     
  20. Hungry Man

    Hungry Man Registered Member

    Joined:
    May 11, 2011
    Posts:
    9,148
    Can't you just deny execution through windows in those areas?
     
  21. Zyrtec

    Zyrtec Registered Member

    Joined:
    Mar 4, 2008
    Posts:
    534
    Location:
    USA
    To back up what I stated in my post above, you can read this 20-page .pdf document by McAfee where they recommend that system administrators implement the aforementioned rules to avoid being hit by fake AVs and other malware.

    Pages 15 & 16 of this document make reference to the folders that should be protected on Win XP and Vista/7.

    https://kc.mcafee.com/resources/sites/MCAFEE/content/live/PRODUCT_DOCUMENTATION/23000/PD23178/en_US/McAfee_Labs_Threat_Advisory-Combating_FakeAlerts.pdf

    Carlos
     
  22. Hungry Man

    Hungry Man Registered Member

    Joined:
    May 11, 2011
    Posts:
    9,148
    How can someone do this within Windows?

    EDIT: Or should I say, the easiest?

    I guess applocker can do this?
     
  23. Ranget

    Ranget Registered Member

    Joined:
    Mar 24, 2011
    Posts:
    846
    Location:
    Not Really Sure :/
    Not all users know how to deny execution.
     
  24. Noob

    Noob Registered Member

    Joined:
    Nov 6, 2009
    Posts:
    6,468
    Given the right circumstances and configuration it can block it, I guess just not by default :D
     
  25. harsha_mic

    harsha_mic Registered Member

    Joined:
    Mar 11, 2009
    Posts:
    791
    Location:
    India
    Frankly speaking Carlos, I followed your suggestions to add these file paths to my protected files and folders list.
    Now this question goes to you - the pdf link which you have given above tells you to protect the following paths for post-Vista OSes:

    C:\Users\*\AppData\local\*.exe
    C:\Users\*\AppData\local\*.sys
    C:\Users\*\AppData\local\*.dll
    C:\Users\*\AppData\Roaming\*.exe
    C:\Users\*\AppData\Roaming\*.sys
    C:\Users\*\AppData\Roaming\*.dll

    But your suggestion was to add .exe and .sys groups which start at c:\document and settings\... not c:\users\...

    Am I missing something here?

    Thanks,
    Harsha.
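The rules traded in this thread (Carlos's Application Data paths in post 18 and the Vista/7 paths from the McAfee advisory that Harsha quotes above) all amount to "deny execution of .exe/.sys/.dll under the per-user profile folders". Before enforcing such a rule in CIS, AppLocker or a similar tool, a practitioner would want an inventory of what already runs from those folders, because legitimate per-user installers put binaries there and the deny rule breaks them silently (the kind of extra entries harsha_mic mentions adding). The PowerShell script below is an added example, not code from this thread, from Comodo or from McAfee. It enumerates every profile on the machine, expands the `*` user wildcard from the thread's patterns into real folders, and lists each matching binary with its Authenticode status so unsigned or tampered files can be reviewed first and signed vendor files can become the exception list. It assumes PowerShell 3.0 or later (for the `-Directory` and `-File` switches); the function names and the CSV output path are my own choices.

```powershell
# Added example (not from the thread): inventory binaries that a
# "deny execution in Application Data" rule would catch, before enforcing it.
# Path layouts mirror those quoted in the thread: the XP layout from post 18
# and the Vista/7 layout from the McAfee advisory relayed in post 25.

function Get-AppDataRuleRoots {
    # Expand the '*' user wildcard in the thread's patterns by enumerating
    # the profile directories that actually exist on this machine.
    $roots = @()
    if (Test-Path 'C:\Documents and Settings') {
        # Windows XP layout
        Get-ChildItem 'C:\Documents and Settings' -Directory | ForEach-Object {
            $roots += Join-Path $_.FullName 'Local Settings\Application Data'
            $roots += Join-Path $_.FullName 'Application Data'
        }
    }
    if (Test-Path 'C:\Users') {
        # Vista/7 layout
        Get-ChildItem 'C:\Users' -Directory | ForEach-Object {
            $roots += Join-Path $_.FullName 'AppData\Local'
            $roots += Join-Path $_.FullName 'AppData\Roaming'
        }
    }
    return $roots | Where-Object { Test-Path $_ }
}

function Get-AppDataExecutableInventory {
    param(
        [string[]]$Roots = (Get-AppDataRuleRoots),
        # Extensions named in the McAfee paths quoted in post 25
        [string[]]$Extensions = @('*.exe', '*.sys', '*.dll')
    )
    foreach ($root in $Roots) {
        # -Force includes hidden files, which droppers commonly set;
        # access errors on other users' profiles are skipped, not fatal.
        Get-ChildItem -Path $root -Recurse -Force -Include $Extensions -File -ErrorAction SilentlyContinue |
        ForEach-Object {
            $sig = Get-AuthenticodeSignature -FilePath $_.FullName
            $signer = ''
            if ($sig.SignerCertificate) { $signer = $sig.SignerCertificate.Subject }
            [PSCustomObject]@{
                Path      = $_.FullName
                SizeKB    = [math]::Round($_.Length / 1KB, 1)
                Modified  = $_.LastWriteTime
                Signature = $sig.Status   # Valid, NotSigned, HashMismatch, ...
                Signer    = $signer
            }
        }
    }
}

# Usage: review everything that is not validly signed first; the signed
# entries from vendors you recognise are the candidates for the exception
# list that has to accompany the deny rule.
$inventory = Get-AppDataExecutableInventory
$inventory | Sort-Object Signature, Path | Format-Table -AutoSize
$inventory | Where-Object { $_.Signature -ne 'Valid' } |
    Export-Csv -Path "$env:TEMP\appdata-exec-review.csv" -NoTypeInformation
```

Run it from an elevated prompt so that other users' profiles are readable; a `HashMismatch` status on a file that claims a vendor signature is worth more attention than a plain `NotSigned`, since it means the binary was modified after signing.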
     