Discussion in 'other anti-malware software' started by aigle, Jul 5, 2008.
I will do "what Bellgamin wants".
Obviously not just text files it attacks.
I guess the best I could do with EQS would be to limit access to these file types. Thinking of the number of pop-ups, don't think I'll bother.
Do any behavioural blockers like Threatfire or Mamutu detect this kind of behaviour? What about Defensewall? Seems to me that protection from ransomware like this is something for a 'smart' behavioural blocker rather than a classical HIPS.
Seems you are right. I have not tried behav blockers with this malware but will try to test with TF.
I have personally tested the GPcode trojan in question against both DefenseWall and Primary Response SafeConnect. The former was able to successfully block and contain it while the latter was not.
Peace & Gratitude,
I am a CFP user. As such, I strongly support your proposal to add such filters to CFP (Defense+). I want to endorse your comments at Comodo's forums, but couldn't find your post. Link please?
GW stops it too.
These kinds of features would be useful as a heuristic analyzer module in a classical HIPS. Then you would have a hybrid between a HIPS and a behav. blocker.
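Added illustration (not code from this thread, nor from any of the products named in it) of the kind of behavioural heuristic the two posts above are asking for: instead of deciding whether a program may run, watch what it does to user files. A process that turns many low-entropy documents into high-entropy blobs in one sweep behaves like a file encryptor regardless of the privilege level it runs at. The watched extension list, the entropy thresholds, the sample documents and the simulated GPcode-style encryptor are all constructed for the example and are not the real malware's file list or behaviour.

```python
"""
Entropy-based heuristic for GPcode-style ransomware.  Everything here (the
watched extensions, thresholds, sample documents and the simulated encryptor)
is constructed for the example, not taken from any product or from GPcode.
"""
import math
import os
import tempfile
from collections import Counter
from pathlib import Path

# Document extensions worth watching.  Assumed list for the example.
WATCHED_EXTENSIONS = {".doc", ".txt", ".xls", ".pdf", ".jpg"}


def shannon_entropy(data: bytes) -> float:
    """Bits per byte: English text sits around 4-5, encrypted data close to 8."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def snapshot(root: Path) -> dict:
    """Map each watched file under root to its current entropy."""
    return {
        str(p.relative_to(root)): shannon_entropy(p.read_bytes())
        for p in root.rglob("*")
        if p.is_file() and p.suffix.lower() in WATCHED_EXTENSIONS
    }


def mass_encryption_score(before: dict, after: dict,
                          low: float = 6.0, high: float = 7.5) -> int:
    """
    Count watched files that were plaintext-like in `before` and are now either
    ciphertext-like or gone (overwritten under another name) in `after`.
    Files that were already compressed/encrypted are not counted as evidence.
    """
    hits = 0
    for name, old_entropy in before.items():
        if old_entropy >= low:
            continue
        new_entropy = after.get(name)
        if new_entropy is None or new_entropy >= high:
            hits += 1
    return hits


def is_ransomware_like(before: dict, after: dict, min_files: int = 5) -> bool:
    """Flag when one sweep rewrote at least `min_files` documents (assumed threshold)."""
    return mass_encryption_score(before, after) >= min_files


# --- constructed workload and simulated behaviour ---------------------------

def populate(root: Path, count: int = 12) -> None:
    """Create plausible low-entropy user documents plus one unwatched file."""
    exts = sorted(WATCHED_EXTENSIONS)
    for i in range(count):
        body = (f"Quarterly report {i}. " * 200).encode()
        (root / f"report{i}{exts[i % len(exts)]}").write_bytes(body)
    (root / "notes.ini").write_text("not a watched type")


def simulate_gpcode(root: Path) -> None:
    """Stand-in for the encryptor: overwrite every document with random bytes."""
    for p in root.rglob("*"):
        if p.is_file() and p.suffix.lower() in WATCHED_EXTENSIONS:
            p.write_bytes(os.urandom(len(p.read_bytes())))


def simulate_editor(root: Path) -> None:
    """Benign activity: the user appends a line to a single document."""
    target = next(root.glob("report0.*"))
    with target.open("ab") as f:
        f.write(b"\nAdded a closing paragraph.\n")


def run_scenario(action) -> bool:
    """Snapshot a fresh corpus, run the action, snapshot again, decide."""
    with tempfile.TemporaryDirectory() as d:
        root = Path(d)
        populate(root)
        before = snapshot(root)
        action(root)
        after = snapshot(root)
        return is_ransomware_like(before, after)


if __name__ == "__main__":
    print("GPcode-like sweep flagged:", run_scenario(simulate_gpcode))
    print("Ordinary editing flagged:", run_scenario(simulate_editor))
```

The point of the two scenarios is the one made in the thread: the encryptor needs no system privileges and the "may this run?" prompt tells you nothing useful, whereas counting plaintext-to-ciphertext transitions across many files separates the sweep from a user saving one document. A real blocker would evaluate this per process and in near real time rather than by before/after snapshots.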
Thanks for test results. Didn't expect DW (or GW) to protect against this. I thought protection from ransomware would be more prominent in their feature list.
Any chance you could PM me a link to GPcode. I'd like to test against OA's run safer and Mamutu.
Always expect the unexpected.
Lesson learnt. Seems like this protection could be quite unique though. Looking forward to seeing if TF and Mamutu are up to the challenge. Response from OA is that this is a feature that may be added in future.
Does DW protect against GPcode simply by running malware file untrusted or does the resource protection need to be used?
If this threat is the KD.exe, then Sandboxie protects. Also OA actually does now in some ways. If the exe is downloaded from the web thru a drive by, and you are running your browsers with Run Safer, it will indeed not allow this thing to do damage. I've tested that.
Also OA will have two new features. One is direct disk access, and the other is automatically running an unknown program at lower rights. Tested both in betas and both work.
Well, I'm not sure if DW covers all the file types Gpcode encodes. But most of them are, as I know, the most important for an average user. Will check out later.
Tested sample of GPcode courtesy CogitoErgoSum.
Sandboxie completely isolates infection
OA run safer fails to protect
Mamutu quiet as a mouse in Paranoid Mode (waste of good memory space IMO)
AntiVir detects infection
EQS 3.41 unable to do anything about it
I haven't used DW for a while since there is a conflict on my system when I run Sandboxie, OA and DW together.
As I understand it, an untrusted process cannot modify any other files and this is how it protects against GPcode. Are you saying there are some exceptions to this rule for certain file types?
No, it's not.
Okay. Got a sample and tested. Nasty little critter.
ShadowDefender did its job well as did Sandboxie.
OA's Runsafer didn't and couldn't do anything. I would suspect none of the policy-based sandboxes will.
I ran it with both OA and SSM on to see what it was doing. Both just alerted it wanted to run. It did nothing else, so clearly it didn't need system privileges. By the time the next pop-ups came about the vbs file, it was too late.
GW (I think) and DW will protect against it.
Okay, so they are protecting files also?
I would like to test this GPcode, do not have a sample though.
Why not? Registry and files both. No protection if you can't protect files. They just don't rely heavily on virtualization, only as much as needed.
I PMed you, please share your results but take care not to lose your data.
Thanks. I will post after the test. Here is what I got from KAV.
I tried it with GW to be sure. Excellent job by GW on default settings.