Comodo I.S. 5.8 FINAL vs. Trojan.Win32 GPCODE ( comodo bypassed

Comodo I.S. 5.8 FINAL vs. Trojan.Win32 GPCODE ( comodo bypassed)!!!!
~~~ link to mediafire download removed ~~~

 

http://www.youtube.com/watch?v=fYM8f3HXAXk

 

The workaround
-http://www.youtube.com/watch?v=p2ZV4aEeNy0&feature=channel_video_title-

 

So what? How will you be infected by gpcode anyway?

 

I believe the workaround has been discussed in the comodo forums including steps to take on certain scenarios. Here

 

I did this test a while ago lol AV/heuristics pick it up and the manual sandbox breaks it.

 

To play fair put any other Internet Security package in a VM. Shut off the AV (you'll have to shut down the AV as just about EVERYONE detects it). Run GpCode against it. How do you think it will do?

With CIS you can add a rule simply and easily to prevent harm. Could you do the same with the major AV suites?

 

With CIS I ended up just disabling hte autosandbox and manually sandboxing instead.

 

how does sandboxie handle this?

 

Default Sandboxie settings should break it.

 

It's so good to see how a "bypass" in Comodo deserve a thread while the other products that are bypassed daily by hundreds of malware doesn't deserve it.
/ironic mode OFF

More info here: https://forums.comodo.com/news-anno...do-58-bypassed-by-trojan-gpcode-t77548.0.html

It will be fixed in v6
https://forums.comodo.com/leak-test...-the-gpcode-t65960.0.html;msg512678#msg512678

Egemen

 

and this is why I don't rely on just one layer of security.

 

If the user adds an item to the protected files, then COMODO auto sandbox will block it.

?:\*

-----------------------
So, the problem is just the rule of protected files only.

 

apart from above suggestion from urs, i added following entries and i don't have any issues during my daily usage -

 

anyone test it against online armor ??

 

At last, someone with common sense!

I've been proposing those rules here and at Comodo forums but everybody has turned a blind eye on it. Those rules are a NO BRAINER because nearly 90% of the Trojan Fake Alerts and rootkits execute from these locations...Even McAfee has been suggesting these rules to be implemented by system administrators for VirusScan Enterprise 8.7i and 8.8i wherever this software is run [our company runs it on nearly 5000 workstations].

Thus, I do not see the real reason why Comodo hasn't implemented these simple rules on a default installation of CSI or the Firewall with D+

Win XP
C:\Documents and Settings\*\Local Settings\Application Data\*.exe
C:\Documents and Settings\*\Local Settings\Application Data\*.sys



Win 7

C:\Documents and Settings\*\Application Data\*.exe
C:\Documents and Settings\*\Application Data\*.sys

See my posts:

https://www.wilderssecurity.com/showpost.php?p=1944177&postcount=420

https://www.wilderssecurity.com/showpost.php?p=1958260&postcount=513



Carlos

 

THIS!
Me wants to check out Online Armor and how it performs with different settings, pleaaaaaaaaaaase

 

Can't you just deny execution through windows in those areas?

 

To back up what I stated in my post above you can read this 20 pages .pdf document by McAfee where they do recommend system administrators to implement the aforementioned rules to avoid being hit by fake AVs and other malware.

Pages 15 & 16 of this document make reference to the folders that should be protected on Win XP and Vista/7.


----https://kc.mcafee.com/resources/sites/MCAFEE/content/live/PRODUCT_DOCUMENTATION/23000/PD23178/en_US/McAfee_Labs_Threat_Advisory-Combating_FakeAlerts.pdf ------





Carlos

 

How can someone do this within Windows?

EDIT: Or should I say, the easiest?

I guess applocker can do this?

 

not all users know how to deny execution

 

Given the right circumstances and configuration it can block it, i guess just not by default

 

Frankly speaking carlos, i followed your suggestions to add these file paths to my protect file and folder list.
Now this question goes to you - the pdf link which you have given above, tells to protect the following paths for post vista os's

C:\Users\*\AppData\local\*.exe
C:\Users\*\AppData\local\*.sys
C:\Users\*\AppData\local\*.dll
C:\Users\*\AppData\Roaming\*.exe
C:\Users\*\AppData\Roaming\*.sys
C:\Users\*\AppData\Roaming\*.dll

But your suggestion was to add .exe and .sys groups which starts at c:\document and settings\... not c:\users\...

Am i missing something here?

Thanks,
Harsha.