Some unique HIPS features

Kav denied Access no word from Norton AntiBot.All detection logs gone after reboot.Kudos to shadow Defender as well.

 

Does GPcode scan all partitions for files?
What files besizes txt does it attack?

 

Viruslist
Who's Behind GPcode

 

Yes, it does so.

 

TF does not detect GPcode trojan.

 

Related to this post:

https://www.wilderssecurity.com/showpost.php?p=1275920&postcount=50

Here is GesWal,s log.

 

How long takes GPCode to do it's job?
Are there any signs of activity?

I mean, if somebody unprotected gets hit by this, is there any chance to tell something wrong is happening and stop it from task manager before it destroys all files?

 

Sob.

Clapping!!!

@ aigle, Pete, etc --- Thanks to all for the testing & info! A special thanks to aigle for starting this very helpful & educational thread.

 

Takes about 10 minutes on my PC.
Interesting watchng it do it's work with FileChangeAlarm on.
Lot's of hard disk activity is only indication.
Yes, it can be stopped by task manager.

Seems I was wrong about behavioural blockers.
Attempts to encrypt files in my view should be detected by the likes of TF & Mamutu.

If it is the case that you have to specify which files to protect with GW, then it doesn't really pass the test for me.

CogitoErgoSum
Did you have to specify which files to protect with Defensewall? I thought that an untrusted process could not modify any files with possible exceptions to be confirmed by Ilya (see post #41)

 

Not exactly. DW has built-in list of the file's extensions untrusted can't modify. Other types files can be. So, some files can be encrypted with GPcode untrusted, but DW do cover the most important ones with built-in ruleset and resource protection function. Also, the files you think important can be protected with "Secured files" function.

 

Peter, you are nmistaken. GW protects against it with default settings out of the box. You don,t need to tell him which files to protect. It protects ALL files.

 

It,s a mis-understnading. See my post above.

 

Hello hammerman,

FYI, the "only" other thing that I have done regarding the protection of specific files/folders with DefenseWall is put my "Documents" folder which contains private/sensitive information under the care of "Secured Files".


Peace & Gratitude,

CogitoErgoSum

 

Thanks Ilya - I understand now.

Do you think it is feasible to detect the encrypting behaviour of malware like GPcode? DW, GW and Sandboxie seem to do a good job of isolating the effects but there doesn't seem to be a program that detects the actual behaviour. NeoavaGuard HIPS seems to have made an effort to detect this but doesn't go far enough. Is it possible to detect when a file is read and re-written in an encrypted form?

 

Well, it is possible, but this will cause significant system's slowdown as requires calculate an entropy of the new file realtime. False positives are here too. Also, such the system hardly can be generic- malware may re-write file in one byte buffer, for instance, this will cause impossibility to recover an original file when an entropy engine will flags encryption. Not really clever solution, it _can_be_bypassed_.

 

Has anyone tested DriveSentry versus this threat? After all, DS claims to specialize in protecting files -- shouldn't it do the job in this case?

 

I think you may be right. It is referred to here.

http://blog.drivesentry.com/

 

It,s not job of a sandbox. It,s job of a behav blocker I think.

 

It would be nice to see How DriveSentry handle this threat.I would like to test it my self but I was very unlucky with DS after 3 BSOD I removed it.

 

Totally agree. The only programs effective against GPcode so far are GW, DW and Sandboxie. They have proved their worth. Nothing as far as I know detects the actual encrypting behaviour.

When a program is busy making all your data files unreadable, I would have said that was suspicious behaviour worthy of a response! When needed, Mamutu was wondering what to do next.

I need to think about a new setup after this. Paranoia is setting in again.

 

Aigle,

Could you please re-test when not using a confidential folder? I got simular results as Peter, but I used an old configuration of GeSWall Pro (to let my printer working properly, I had given the named pipe Lsass more access rights = which is a weakening of the protection level)

Regards Kees

 

If I´m correct this GPcode trojan basically works about the same as a file invector, and like I said a while back, current HIPS won´t protect you against this method, you need a sandbox for this. NG does try to protect, but fails, so would be cool if it could virtualize this action (like SBIE) and then give you the alert, you would then immediately know that you´re dealing with malware, without suffering any damage.