App Review: The Comodo's challenge

Content created by Andy Ful
I disabled HIPS not to make the attack easier, but because it is a pretty popular practice when Auto-Containment is set to Untrusted. As we can see, there can be some cons to that.
Thank you for the test. Please don't take it the wrong way, but "popular practice" is not a test of Comodo, especially for a bypass test. The vendor's configuration should be tested for such tests, in which case Proactive comes with HIPS enabled. But the test was informative and showed, as you mentioned, that there can be some cons to the popular practice.
 
Please don't take it the wrong way, but "popular practice" is not a test of Comodo, especially for a bypass test.

The video is not a test of the overall protection of Comodo AV, because the method used in the video is not a full attack.
In my opinion, it can be a part of a full attack. How strong Comodo can be against full attacks can depend on Comodo's settings and the details of the attacks.
 
This test is not fair because he disabled everything in Xcitium. As ozer metin says, if he hadn't disabled everything in Xcitium, Xcitium would have protected the system with Auto-Containment and HIPS and the attack would have been prevented.
 
This test is not fair because he disabled everything in Xcitium. As ozer metin says, if he hadn't disabled everything in Xcitium, Xcitium would have protected the system with Auto-Containment and HIPS and the attack would have been prevented.

As I said to you by PM, you must not have watched the video, because you can see the auto-sandbox being triggered when the program is run.
As explained, he used a script with LOLBins that cut off Comodo's services.
And yes, it's dramatic, and for me it could be a security problem.

It's true that Comodo is efficient, but it's not as perfect as its competitors.
 
The one problem with enabling the HIPS and blocking by default every conceivable LOLBin imaginable, then having to create individual rules to allow trusted programs to use the required LOLBins, is that it is time-consuming, tedious work and the end user will have to have rather intimate knowledge of what they're doing, otherwise they will either allow something too permissively, cripple their system by being too restrictive, or a combination of both. I'm pretty sure this is one reason why Cruelsister does not enable HIPS in her Comodo setup.

There is also the bug (does it still exist in the latest release??) where all the HIPS rules disappear without warning.
 
It's true that Comodo is efficient, but it's not as perfect as its competitors.

It is not perfect but in my opinion, it can still be a decent protection. I would not choose an average competitor to show the attack method.
Before making a video, I thought that with strict Auto-Containment and Proactive configuration one could safely skip HIPS. But as @ozer.metin (Comodo staff) mentioned, HIPS can be an essential part of Comodo's protection. I am not sure if HIPS can close all variants of the attack, but most of them can be prevented for sure.
 
The one problem with enabling the HIPS and blocking by default every conceivable LOLBin imaginable, then having to create individual rules to allow trusted programs to use the required LOLBins, is that it is time-consuming, tedious work and the end user will have to have rather intimate knowledge of what they're doing, otherwise they will either allow something too permissively, cripple their system by being too restrictive, or a combination of both. I'm pretty sure this is one reason why Cruelsister does not enable HIPS in her Comodo setup.

I am not sure if @cruelsister intended to tweak Comodo against all highly targeted attacks. Furthermore, her settings were created several years ago and could still prevent almost all attacks (I tried several times). Even if someone can use my method as a part of the infection chain, it will probably be a targeted attack.
 
Overall, not an issue, at least for home users (my opinion). I suggest keeping HIPS disabled for less knowledgeable users and setting containment to Block instead for users who don't use containment, suspend alerts, or use silent mode. Containment set to Block would prevent such attacks, correct, @Andy Ful?
 
In the second part of Comodo's challenge, I tried Proactive Configuration + HIPS + max settings for Script Analysis, but Comodo crashed. So, one must be careful with HIPS.
The less problematic but still very strong config is similar to @cruelsister settings.
 
I use Xcitium OpenEDR. Plus I use WDAC. The WDAC layer is for banning the things I never use, like certain LOLBins. And I block cmd and PowerShell until I need to use those two. And I turned on HIPS. Security common sense: you turn off, disable, block the things you don't use.
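For readers who want to reproduce the WDAC part of that layering, here is an added example (not the poster's own policy, and not Comodo/Xcitium code) that builds a deny policy for cmd.exe and powershell.exe with the ConfigCI cmdlets shipped in Windows 10/11. The output directory C:\WDAC, the policy name and the choice of the AllowAll.xml template as base policy are my assumptions; the deny-rule cmdlets, the audit-mode option and the compile step are the documented ones.

```powershell
# Added example: a WDAC policy that denies cmd.exe and powershell.exe.
# Run from an elevated PowerShell session BEFORE the deny policy is active,
# because once deployed in enforce mode it also blocks this script host.
# Assumptions (hypothetical): output directory C:\WDAC, AllowAll.xml template
# as base, deployment in audit mode first.

$Out    = 'C:\WDAC'
$Base   = "$env:SystemRoot\schemas\CodeIntegrity\ExamplePolicies\AllowAll.xml"
$Policy = Join-Path $Out 'DenyShells.xml'
New-Item -ItemType Directory -Path $Out -Force | Out-Null

# Binaries to ban while they are not needed. FilePublisher-level rules pin the
# signer and original file name, so a renamed copy is still denied; note that
# pwsh.exe (PowerShell 7) is a different binary and is NOT covered here.
$Targets = @(
    "$env:SystemRoot\System32\cmd.exe",
    "$env:SystemRoot\System32\WindowsPowerShell\v1.0\powershell.exe",
    "$env:SystemRoot\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"
)

$DenyRules = foreach ($t in $Targets) {
    New-CIPolicyRule -DriverFilePath $t -Level FilePublisher -Deny
}

# Start from the permissive template and merge the deny rules into it.
# In WDAC a deny rule always wins over an allow rule, so the result allows
# everything except the listed binaries.
Merge-CIPolicy -OutputFilePath $Policy -PolicyPaths $Base -Rules $DenyRules | Out-Null

# Give the policy a fresh GUID (multiple-policy format) and turn on audit mode
# (rule option 3, "Enabled:Audit Mode") so a mistake is logged, not enforced.
Set-CIPolicyIdInfo -FilePath $Policy -PolicyName 'Deny cmd and powershell' -ResetPolicyID | Out-Null
Set-RuleOption -FilePath $Policy -Option 3

# Compile to the binary form the kernel loads; the file is named after the GUID.
$PolicyId = ([xml](Get-Content $Policy)).SiPolicy.PolicyID
$Binary   = Join-Path $Out "$PolicyId.cip"
ConvertFrom-CIPolicy -XmlFilePath $Policy -BinaryFilePath $Binary
"Compiled $Binary (audit mode). Review Code Integrity event 3076 before enforcing."
```

Deploy the .cip the usual way for your Windows build, watch the Code Integrity operational log for audit events, and only then remove option 3 and recompile to enforce. When the poster "needs" cmd or PowerShell again, the practical path is a rebuilt policy without those deny rules rather than editing the live one, since WDAC rules apply to every account, administrators included.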
 