RejZoR's little secrets

Little technology secrets for big everyday problems...

Comodo Anti-Ransom protection settings

Comodo Internet Security (CIS) has been one of the rare security programs that probably provides the toughest computer protection you can currently imagine. You can literally execute anything you want without getting infected. However, despite Comodo's efforts to make it easier to use, it is still somewhat harsh on novice users. When it starts asking questions about system interfaces connecting to other components, casual users get lost and often choose the wrong answer in the dialogs, possibly infecting the system.

I've tested Comodo Internet Security quite a few times and its sandboxing system seems to be very effective. There was, however, one class of malware that it doesn't really protect you from: ransomware crypters.
Basically, CIS prevents malware from modifying system files, but it doesn't really protect against altering user files, because that would cause loads of popups during normal system usage.

So, even with CIS fully enabled, ransomware crypters could encrypt all your photos and documents without CIS making a sound. Not anymore, at least not for the known ones that exist up to this point.

Enhanced protection mode
It is highly recommended to use "Enhanced Protection Mode" in CIS, especially on 64-bit systems.
It may cause compatibility issues in very rare cases, but from my experience most systems should be fine. To enable it, do the following:

- Click "Defense+" in the main interface and select "Defense+ Settings"
- Add checkmark in the "Enable Enhanced protection mode" checkbox
- Restart the system when CIS asks you to restart

Setting up Anti-Ransom rules for CIS 5.10
- Open main CIS interface and click "Defense+" button above
- Click "Computer Security Policy" and confirm with Yes on a warning dialog
- Click "Protected Files and Folders" tab
- Click "Groups..." button
- Click "Add" and then "Add a new group..." button
- Give the new group name "Anti-Ransom" and click Apply
- Scroll down the list and right click "Anti-Ransom" and select "Add..."

Insert this into "Add new item" field and click "Apply" and then "Yes" (use copy&paste!):
\Global??\FltMgrMsg

- Right click "Anti-Ransom" again and select "Add..."

Insert this into "Add new item" field and click "Apply" and then "Yes" (use copy&paste!):
\Device\KsecDD

- Click "Apply" in the "File Groups" window
- Click "Add...", select "File Groups" and then "Anti-Ransom" on the list

Scrolling down the "Files and Folders Protection" list should now show the Anti-Ransom rules at the end.

- Now open the "Blocked Files" tab, click the "Add..." button and then "Browse..."

Insert this into "Add new item" field and click "Apply" and then "Yes" (use copy&paste!):
*.locked

- Click "OK" in the "Computer Security Policy" window

Protection
These settings will not protect you by default (except the *.locked rule). However, if you see a warning popup about some unknown application trying to access \Global??\FltMgrMsg or \Device\KsecDD, make sure to click "Block". This will effectively prevent the "GPcode" and "Ransom.Xorist" ransomware families (different security vendors may use different names) from encrypting user files.

These protection rules were found by Comodo forum user Ronny.
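To make the difference between the two kinds of entries concrete, here is a small model of how the rules set up above behave, as the post describes them: "Blocked Files" entries (*.locked) deny access outright, while the "Anti-Ransom" protected group only raises an alert when an application CIS does not already trust touches one of the listed objects, and the user is expected to answer "Block". This is an added illustration written for this page, not CIS's own policy engine; the trusted-application list, the sample access events and the rule that only entries containing "*" are treated as wildcards (the "?" in \Global??\ is part of the object name, not a wildcard) are assumptions made for the example.

```python
import fnmatch
from typing import Iterable, List, Tuple

# Entries exactly as given in the post: the "Anti-Ransom" protected file group
# and the "*.locked" blocked-files entry. Matching is case-insensitive because
# Windows object and file names are.
ANTI_RANSOM_GROUP = [r"\Global??\FltMgrMsg", r"\Device\KsecDD"]
BLOCKED_FILES = ["*.locked"]

# Constructed (assumed) list of applications the user has already trusted.
# A real HIPS consults its own safe list; this stands in for that.
TRUSTED_APPS = {
    p.lower()
    for p in [r"C:\Windows\explorer.exe", r"C:\Program Files\Office\winword.exe"]
}


def _matches(name: str, patterns: Iterable[str]) -> bool:
    """Case-insensitive match of `name` against rule entries.

    Modeling assumption: an entry containing '*' is a glob (fnmatchcase is used
    so the behaviour does not depend on the host OS); any other entry is a
    literal object name compared exactly, so the '?' characters in
    \\Global??\\FltMgrMsg are not treated as single-character wildcards.
    """
    lowered = name.lower()
    for pattern in patterns:
        pattern = pattern.lower()
        if "*" in pattern:
            if fnmatch.fnmatchcase(lowered, pattern):
                return True
        elif lowered == pattern:
            return True
    return False


def evaluate(app: str, target: str) -> str:
    """Return 'block', 'ask' or 'allow' for `app` accessing `target`.

    Order mirrors the post: a Blocked Files entry denies regardless of who asks;
    an Anti-Ransom protected object only produces an alert, and only for an
    application that is not already trusted; everything else is allowed.
    """
    if _matches(target, BLOCKED_FILES):
        return "block"
    if _matches(target, ANTI_RANSOM_GROUP) and app.lower() not in TRUSTED_APPS:
        return "ask"
    return "allow"


# Constructed sample of (application, accessed object) events. The unknown
# executable in Temp is a made-up name for the example.
SAMPLE_EVENTS = [
    (r"C:\Windows\explorer.exe", r"C:\Users\Me\Pictures\holiday.jpg"),
    (r"C:\Users\Me\AppData\Local\Temp\invoice.exe", r"\Global??\FltMgrMsg"),
    (r"C:\Users\Me\AppData\Local\Temp\invoice.exe", r"\device\ksecdd"),
    (r"C:\Users\Me\AppData\Local\Temp\invoice.exe", r"C:\Users\Me\Documents\thesis.doc.locked"),
    (r"C:\Program Files\Office\winword.exe", r"C:\Users\Me\Documents\thesis.doc"),
]


def triage(events: List[Tuple[str, str]]):
    """Evaluate every event and list the applications that tripped a rule.

    Returns (decisions, suspects): decisions is a list of
    (app, target, decision) triples, suspects the sorted set of applications
    that received anything other than 'allow'. Those are the processes the
    user should answer 'Block' for when the CIS popup appears.
    """
    decisions = [(app, target, evaluate(app, target)) for app, target in events]
    suspects = sorted({app for app, _, decision in decisions if decision != "allow"})
    return decisions, suspects


if __name__ == "__main__":
    decisions, suspects = triage(SAMPLE_EVENTS)
    for app, target, decision in decisions:
        print(f"{decision:5s}  {app}  ->  {target}")
    print("applications to block:", *suspects, sep="\n  ")
```

Running it on the sample events flags only the unknown executable: its accesses to the two Anti-Ransom objects come back as "ask" (the CIS popup the post tells you to answer with "Block"), its attempt to create a *.locked file is denied outright, and the two trusted applications working on ordinary user files are allowed.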

Summary
These settings are merely a workaround at the moment; however, I truly hope that Comodo will incorporate some sort of protection against this kind of malware in the upcoming Comodo Internet Security 6, scheduled to be released later this year.

