How to be protected against GPcode Ransomware with CIS


Deleted member 178

Thread author
Because of this thread: http://malwaretips.com/Thread-Comodo-I-S-5-8-FINAL-vs-Trojan-Win32-GPCODE-comodo-bypassed-by-acafacaa1?pid=26882#pid26882

These are the steps you can take:

Hi Guys,

Let me comment on this one more time. First of all, if configured, CIS can very well protect against this and any other threats proactively.

First, let's see what this gpcode does: it gets to the user's computer by drive-by download and searches for the files on the user's hard disk. It then encrypts all picture and text files, i.e. damages some non-OS-essential files.

Is this a threat to the user? YES!
Is this a real threat to be prevented? YES!
Does CIS protect against this now? YES!

Then how does COMODO protect against this BY DEFAULT? By default, antivirus detection is enough to detect gpcode and any of its variants. Let's not make false comments by saying CIS does not protect its users against gpcode. CIS DOES protect against the REAL threat with its antivirus right now.

Now let's talk about preventing this proactively.

Is there a way to configure CIS to prevent this proactively? YES.

Method 1: Add your sensitive files/folders to the CIS protected files list and you are done. For example, you can add the My Documents and My Pictures folders, or *.doc, *.txt, *.jpg etc., to your protected files list and they will be protected.

Method 2: Always run your WEB browsers in the COMODO Sandbox by adding them to the Sandbox permanently. And while doing this, make sure file system and registry virtualization are both enabled. If you do this and accidentally get gpcode, or something like gpcode, or actually any virus from the WEB, they will be running in a virtual file system and hence they cannot access your files or folders.

You can also directly run GPCODE with the right-click menu in the CIS sandbox and you will see it can't do anything.

Of course CIS is capable of preventing it proactively as of now. However, these settings are not configured by default.

So why is COMODO not making an immediate HACK to prevent this proactively? Some other products are preventing it already.

We do not need to make a HACK but offer you a proper solution which is proven to prevent this and any similar threat while not affecting your daily work with your computer.

The proper solution is the active file system virtualization of *SOME* automatically sandboxed applications by default. Yes, we are right now working on this kind of an ideal automatic sandbox which is going to be in CIS 6 and will work similar to method 2.

It is NOT a HACK but a properly engineered solution so that *average Joe* won't have problems when CIS is installed.

It takes 10 minutes to write a HACK which simply checks each application's right to enumerate files and folders and that's it. You are there. And what would be the cost? Joe's photo editor will create a popup asking him if he wants some application to list files. Or Mary, while her new MP3 player builds a playlist, might get a conflict.

link: https://forums.comodo.com/leak-testingattacksvulnerability-research/weakness-of-the-gpcode-t65960.0.html;msg512678#msg512678

In addition, you can add this to Blocked Files to block it: *_CRYPT, and protect your files by adding them to Protected Files and Folders (D+ tab) in this form: *.jpg|

jpg can be substituted by any extension, but the | sign MUST be put behind it so that sandboxed apps can't modify the extension.


And also do this:

https://forums.comodo.com/news-announcements-feedback-cis/comodo-58-bypassed-by-trojan-gpcode-t77548.0.html;msg554632#msg554632
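The two patterns from the post above, *.jpg|-style Protected Files entries and the *_CRYPT Blocked Files entry, can also be used after the fact to find out what a GPcode run touched. The script below is an added example, not code from the thread or from Comodo: it models the protected-extension list and the *_CRYPT pattern as ordinary filename globbing and runs them over a constructed directory listing, reporting which files carry the _CRYPT suffix and which of those belonged to a protected extension. Comodo's own matching rules (including the trailing | marker) are not reproduced, and the exact "name.ext._CRYPT" / "name.ext_CRYPT" naming forms are assumptions.

```python
"""Triage helper for the GPcode pattern described in the thread.

Added example, not Comodo code: models method 1 (a Protected Files list of
extension patterns) and the *_CRYPT Blocked Files pattern as plain filename
globbing over a constructed listing. Comodo's own matching rules, including
the trailing '|', are not reproduced here.
"""
import fnmatch
from collections import Counter

# Extensions the post suggests adding to CIS Protected Files (method 1).
PROTECTED_PATTERNS = ["*.doc", "*.txt", "*.jpg"]

# Pattern the post suggests adding to Blocked Files; GPcode appends the
# _CRYPT suffix to the files it has encrypted.
CRYPT_PATTERN = "*_CRYPT"

# Constructed sample listing (assumption: not taken from any real machine).
SAMPLE_LISTING = [
    r"C:\Users\joe\Documents\report.doc",
    r"C:\Users\joe\Documents\report.doc._CRYPT",
    r"C:\Users\joe\Pictures\holiday.jpg_CRYPT",
    r"C:\Users\joe\Documents\notes.txt",
    r"C:\Users\joe\Music\song.mp3._CRYPT",
    r"C:\Windows\System32\kernel32.dll",
]


def basename(path):
    """Return the final path component, accepting Windows or POSIX separators."""
    return path.replace("\\", "/").rsplit("/", 1)[-1]


def is_protected(path, patterns=PROTECTED_PATTERNS):
    """True if the file name matches one of the protected extension patterns
    (case-insensitive, as Windows file names are)."""
    name = basename(path).lower()
    return any(fnmatch.fnmatchcase(name, p) for p in patterns)


def is_crypt_file(path):
    """True if the file name matches the *_CRYPT block pattern."""
    return fnmatch.fnmatchcase(basename(path).upper(), CRYPT_PATTERN)


def original_name(crypt_path):
    """Strip the _CRYPT suffix (and a preceding dot, if present) to recover the
    name the file had before encryption. Both 'a.doc._CRYPT' and 'a.jpg_CRYPT'
    forms are handled; which form GPcode uses is an assumption here."""
    stem = crypt_path[: -len("_CRYPT")]
    return stem[:-1] if stem.endswith(".") else stem


def triage(listing):
    """Summarise a listing: how many files are _CRYPT outputs, how many of them
    would have matched the protected patterns, and a per-extension breakdown."""
    hits = [p for p in listing if is_crypt_file(p)]
    originals = [original_name(p) for p in hits]
    protected = [o for o in originals if is_protected(o)]
    by_ext = Counter(basename(o).rsplit(".", 1)[-1].lower() for o in originals)
    return {
        "encrypted": len(hits),
        "would_have_been_protected": len(protected),
        "by_extension": dict(by_ext),
    }


if __name__ == "__main__":
    for key, value in triage(SAMPLE_LISTING).items():
        print(f"{key}: {value}")
```

On the sample listing the report shows three _CRYPT files, two of which (the .doc and the .jpg) would have fallen under the suggested Protected Files entries, while the .mp3 would not; extending PROTECTED_PATTERNS is the point of method 1.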
 

AyeAyeCaptain

But having ABP + No-Script with Firefox, stops it hitting you in the first place so it seems. Also am sure I've read somewhere that the AV/Cloud picks this nasty up?

So much to be discussed on this it's unreal hehe. :p
 

Deleted member 178

Thread author
AyeAyeCaptain said:
Also am sure I've read somewhere that the AV/Cloud picks this nasty up?
So much to be discussed on this it's unreal hehe. :p

Yes, Comodo AV detects it, so you will not be infected, and yes, you have few chances of being infected unless you "play" with it.

P.S.: Thanks MrXidus
 

AyeAyeCaptain

umbrapolaris said:
AyeAyeCaptain said:
Also am sure I've read somewhere that the AV/Cloud picks this nasty up?
So much to be discussed on this it's unreal hehe. :p

Yes, Comodo AV detects it, so you will not be infected, and yes, you have few chances of being infected unless you "play" with it.

P.S.: Thanks MrXidus

But even so, many users will be/have been hit by this, due to using either IE or other browsers without blocking functions such as NoScript, ABP etc. I'm sure that with the amount of kat & speedtest users that visit the site, a good chunk would have been hit by it before the providers had definitions/cloud for it.

Interesting to read about such things, I may say; sounds a bit nasty, that? :p
 

Hungry Man

I haven't seen ANY malware break through the manual sandbox. Not GPCode and not blackday. Even at the partially limited level if you run an application in the manual sandbox (right click - sandbox) it won't break through.

That's what I started doing and I turned the autosandbox off.
 

AyeAyeCaptain

Hungry Man said:
I haven't seen ANY malware break through the manual sandbox. Not GPCode and not blackday. Even at the partially limited level if you run an application in the manual sandbox (right click - sandbox) it won't break through.

That's what I started doing and I turned the autosandbox off.

Thanks for your input Hungry Man.
 

Jack

GPCode isn't exactly new, so any antivirus should be able to detect it... And to be fair, this ransomware isn't that widespread in the wild, so that could be a real threat for the regular users...
 

Deleted member 178

Thread author
This kind of video is recurrent when Comodo releases a new version of CIS; there are always some guys who want to test the new version against this malware.
 

Hungry Man

Yup. First thing I did when I got the beta was test it.

But it's not a huge deal. Simply manually sandboxing was enough.
 