cruelsister

Level 36
Verified
Trusted
Content Creator
Part 4 of the Ransomware series (and my last one for a while). Note that the ransom screens that popped up on occasion were the extent of what the ransomware could do (nothing at all encrypted); but if you didn't even want the ransom screens, just up the sandbox level to Untrusted.

Music: Lisa Gerrard- Elegy


ctrlz

Level 2
My settings are different, but I'm quite confident the result would be similar:
- I don't auto-block firewall requests: anyway the downloaded file would be sandboxed
- I have HIPS enabled: in Safe Mode it doesn't generate many popups
- I don't suppress privilege elevation alerts by default: this could be the only problem, just in case I manually choose to run outside the sandbox

Thanks for the test @cruelsister

lab34

Level 6
Hello,
As always, a very informative test.

Today, with this video, I realized something: the notifications are mastered by Windows on Windows 10. Not exactly the same menu in the general options.
Every time I saw your videos, I thought "she has a different version of CFW", but now I understand that your videos are on Windows 7 :oops:

(sorry for the noob remark)

Windows 10: (screenshot: Capture.JPG)

Windows 7: (screenshot: Capture.JPG)

cruelsister

Level 36
Verified
Trusted
Content Creator
Kaspersky properly set is excellent. The only main deficiency I had found was in Boot Time protection, soon fixed.

Lab- the reason I use Windows 7 in my videos is that it still has about a 50% market share. Personally I use W10 and love it (with StartIsBack++).

Arequire

Level 23
Verified
Content Creator
@cruelsister I assume you set "Do not show privilege alerts: Run inside container" for demonstration purposes at 00:00:53 in the video? It can be interchangeable with the "Block" option I believe?
Either option will achieve the same result in the end.
If you had it set to Block, the ransomware's initial execution would be completely blocked, because it requests privilege elevation from the get-go and because it's unrecognised by Comodo. Even if it didn't initially request privilege elevation, it would be sandboxed until it requested said privilege elevation and then subsequently terminated by Comodo.
With it set to Run inside container, you'd get a notification that the ransomware had been sandboxed, and it would just sit inside the sandbox unable to do anything of note. The ransomware would eventually self-terminate or be terminated when you either clear the sandbox or restart your PC.

Edit: I reworded it so it was easier to understand.

Sorry for hijacking your question @cruelsister. :oops: You'll probably be able to explain it better than I have.

cruelsister

Level 36
Verified
Trusted
Content Creator
No issues! The only reason that I had that option checked is that it will suppress popups for unknown and unsigned applications from giving the user a choice to give that application privilege escalation. For those that have UAC enabled, this would just be duplication. For those with UAC disabled, a rule of thumb should be to NEVER EVER allow PE for an unknown. Checking this box just will remove that popup option, but otherwise will not really add anything to protection.

cruelsister

Level 36
Verified
Trusted
Content Creator
AV Gurus- Yeah, send me a link. I'm on the road now for quite a while but I'll check it when I can. By the way, would the file happen to be signed?

Av Gurus

Level 29
Verified
Trusted
Malware Hunter