App Review Comodo Cloud AV - Autosandbox only - petya bypassed

It is advised to take all reviews with a grain of salt. In extreme cases some reviews use dramatization for entertainment purposes.
509322

Bug reporting requires determination and persistence.

Some bugs only get fixed if the reporter endeavors to get their bug report in front of the real decision-maker - and, even then, only if the reporter doggedly keeps on the decision-maker about it.

There is no use in arguing that "It shouldn't be that way." In such instances, it just is what it is.

If a person submits a bug report, and then 10, 15, 20 or more people reply to that bug report "Hey! I can verify this bug" - then it will get some attention. Then you have to stay on top of it. It's a lot of time and effort sometimes.

509322

LOL reminds me of the vet who said what are you complaining about. Just get a new dog.

The point is, unless the malware physically damages a system, there won't be any $500 payouts. Plus, some users don't understand the guarantee and surely will argue that they are due the $500.

And they ain't gonna fall for this trick: "I have no restore\reset media..."

ozone

Jan 17, 2017
Bad for Windows Seven users

Bad for user with old mobo
Windows 7 supports UEFI, and if I remember correctly Vista too.

It's the GPT that stops Petya. If you have GPT, that means you don't have MBR, which is what Petya messes with.

Doesn't GPT have some type of MBR for backward compatibility or protection? What will happen if Petya overwrites it?

509322

It's the GPT that stops Petya. If you have GPT, that means you don't have MBR, which is what Petya messes with.

MBR modification can still mess with GPT. You might have to repair it, but it is unlikely that you would have to contend with the mess that Petya, Satana, and other MBR-modifying ransomware\malware creates.

Check what FW says here: Interesting AntiRansomware freeware

509322

Bad for user with old mobo
Windows 7 supports UEFI, and if I remember correctly Vista too.

There is a freeware MBR protection driver from Cisco\Talos.

Be careful if you decide to uninstall it.

The uninstall directions are poorly written. Ask others that have uninstalled it if need be.

If the uninstall goes badly, you can get a BSOD INACCESSIBLE_BOOT_DEVICE. And that can be real trouble - resulting in you having to clean install the OS.

Doesn't GPT have some type of MBR for backward compatibility or protection? What will happen if Petya overwrites it?

If that happens it will need to be repaired.

Check what FW says here: Interesting AntiRansomware freeware
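
For the question above about what GPT keeps in sector 0, an added example that is not part of any post in the thread: it checks a disk image for the protective MBR (partition type 0xEE), the primary GPT header at LBA 1 and the backup header at the last LBA, following the UEFI GPT layout. The image is constructed in memory and every function name is made up for this illustration.

```python
import struct
import zlib

SECTOR = 512

def gpt_header(my_lba, other_lba, last_lba):
    """Constructed 92-byte GPT header (UEFI layout) padded to one sector."""
    layout = struct.Struct("<8sIIIIQQQQ16sQIII")
    fields = [b"EFI PART", 0x00010000, layout.size, 0, 0, my_lba, other_lba,
              34, last_lba - 34, bytes(16), 2, 128, 128, 0]
    fields[3] = zlib.crc32(layout.pack(*fields))  # CRC taken with field zeroed
    return layout.pack(*fields).ljust(SECTOR, b"\0")

def sample_disk(sectors=128):
    """Constructed GPT image: protective MBR, primary and backup headers."""
    disk = bytearray(sectors * SECTOR)
    # Single MBR entry at offset 446: type 0xEE covering LBA 1 to end of disk.
    disk[446:462] = struct.pack("<B3sB3sII", 0, b"\0\2\0", 0xEE,
                                b"\xff\xff\xff", 1, sectors - 1)
    disk[510:512] = b"\x55\xaa"
    disk[SECTOR:2 * SECTOR] = gpt_header(1, sectors - 1, sectors - 1)
    disk[-SECTOR:] = gpt_header(sectors - 1, 1, sectors - 1)
    return disk

def header_ok(sector, expected_lba):
    """Signature, size, self-LBA and header CRC32 must all match."""
    sig, _rev, size, stored, _res, my_lba = struct.unpack_from("<8sIIIIQ", sector)
    if sig != b"EFI PART" or not 92 <= size <= SECTOR or my_lba != expected_lba:
        return False
    raw = bytearray(sector[:size])
    raw[16:20] = bytes(4)  # CRC field is zero while the checksum is computed
    return zlib.crc32(raw) == stored

def check_disk(disk):
    """Report which of the three boot-critical structures are intact."""
    last = len(disk) // SECTOR - 1
    types = [disk[446 + 16 * i + 4] for i in range(4)]
    return {
        "protective_mbr": bytes(disk[510:512]) == b"\x55\xaa" and 0xEE in types,
        "primary_gpt": header_ok(disk[SECTOR:2 * SECTOR], 1),
        "backup_gpt": header_ok(disk[last * SECTOR:(last + 1) * SECTOR], last),
    }

if __name__ == "__main__":
    disk = sample_disk()
    print("intact image:      ", check_disk(disk))
    disk[0:SECTOR] = bytes(SECTOR)            # sector 0 wiped
    print("sector 0 wiped:    ", check_disk(disk))
    disk[SECTOR:2 * SECTOR] = bytes(SECTOR)   # primary header wiped as well
    print("LBA 0 and 1 wiped: ", check_disk(disk))
```

Which of the three checks fails shows what has to be repaired: only the protective MBR, or also the primary header from its backup copy.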

Wave

Also this might be why some of the leading AVs aren't blocking MBR ransomware behavior without signatures.
They don't block Master Boot Record manipulation via signatures; if the sample accesses the Master Boot Record so it can write to it, it won't just be flagged by generic signatures. Doing it dynamically would be the win, not wasting time trying to do it with signatures.

Anyway, regarding the Master Boot Record, it's still commonly used, so no, that would not be the reason.