AVLab.pl Analysis of system protection against active online malware – July 2025

Status
Not open for further replies.
Disclaimer
1. This test shows how an antivirus behaves with certain threats, in a specific environment and under certain conditions. We encourage you to compare these results with others and make informed decisions on what security products to use. Before buying an antivirus you should consider factors such as price, ease of use, compatibility, and support. Installing a free trial version allows an antivirus to be tested in everyday use before purchase.

Post corrected (text in italics)
CIS uses by default the partially limited sandbox (auto-containment without setting the "Restriction Level"), so evasive malware can sometimes escape from it (as documented by Comodo) or contact the C2 server. For more protection, the user can use the Restricted or Untrusted containment settings.
Does "Documented by Comodo" imply a developer/official response? Only a couple of well-informed mods are active on Comodo Forums now, but mod comments are not official and thus not valid.

The "Restriction Levels" do not prevent network connections. You will see a firewall alert if malware tries to connect; you will not get a firewall alert if malware fails or crashes.

I had in mind the Comodo help documentation (containment restriction levels) and some technical posts from the Comodo Forum (related to the recent sandbox escape). This information is not new to you.
"Restriction Levels" define what is allowed and restricted. Higher restriction levels impose more limits. It doesn't mean malware can escape containment with the default level. These restriction levels operate within full containment, like layered containment; thus, Comodo labelled them "Optional." The recent containment escapes affected restriction levels as well, not just the default, if I remember correctly.
 
Does "Documented by Comodo" imply a developer/official response? Only a couple of well-informed mods are active on Comodo Forums now, but mod comments are not official and thus not valid.

I think it was a moderator (DecimaTech). Melih and @Umut (official Comodo staff) also participated in this thread and did not correct anything posted by DecimaTech. I think that those posts include valid information; however, you cannot take them as an official statement.
https://forums.comodo.com/t/poc-bypass-auto-sandbox-cis/362726/14
https://forums.comodo.com/t/poc-bypass-auto-sandbox-cis/362726/21
https://forums.comodo.com/t/poc-bypass-auto-sandbox-cis/362726/46


"Restriction Levels" define what is allowed and restricted. Higher restriction levels impose more limits. It doesn't mean malware can escape containment with the default level. These restriction levels operate within full containment, like layered containment; thus, Comodo labelled them "Optional." The recent containment escapes affected restriction levels as well, not just the default, if I remember correctly.

As you can read from the provided links, some restriction levels (higher than partially limited) were intended to prevent bypass, although they did not due to incompatibility with UAC. However, it is not important. There are known ways to tamper with Comodo drivers and services, so the sandbox design can be bypassed (if someone is highly motivated). You cannot assume that malware that bypassed Comodo has to do it without bypassing the sandbox.
Anyway, I think that bypassing Comodo fully from the sandbox will rather be related to a possible incompatibility with Windows UAC, as in the recent bypass. Although this particular bypass was patched, there is no information about solving the UAC incompatibility. A similar problem existed in Sandboxie, where the higher isolation required disabling elevation to Administrator rights.
 
The Valkyrie verdict is Trusted. So this probably was not the Comodo Sandbox bypass, but a false negative (I explained this possibility in my previous post).
However, the current verdict does not completely exclude the possibility of escaping the partially limited sandbox. To be sure, we had to see the Valkyrie verdict during the AVLab test in July (Verdict Unknown = sandbox bypass).

Could you share the SHA1 with me so I can check with the team? I am starting to work for Xcitium as a Malware Analyst.
 
Currently the detection is corrected:
Okay, yes, we see that it's detected.
 
I'll be brief about Comodo:
My message is not intended to insult Comodo's staff or its users, but I am speaking as a tester.

Comodo as an AV engine is a real joke. It detects too few threats, and some of them are even old...
Comodo pushes everything to the Sandbox, which can be a good compromise, but also insufficient.

All it takes is for malware to be signed or steal the signature that is placed in Comodo's Whitelist => No sandbox, malware allowed...
I'm still waiting for Valkyrie to be integrated into the AV engine, at which point its engine will be almost on par with the competition...
 
Comodo as an AV engine is a real joke. It detects too few threats, and some of them are even old...
Comodo pushes everything to the Sandbox, which can be a good compromise, but also insufficient.

Yes, this can make the AV tester unhappy.:)
It is also hard to interpret the results because the protection design automatically protects most Comodo users against false negative detections.
 
I'll be brief about Comodo:
My message is not intended to insult Comodo's staff or its users, but I am speaking as a tester.

Comodo as an AV engine is a real joke. It detects too few threats, and some of them are even old...
Comodo pushes everything to the Sandbox, which can be a good compromise, but also insufficient.

All it takes is for malware to be signed or steal the signature that is placed in Comodo's Whitelist => No sandbox, malware allowed...
I'm still waiting for Valkyrie to be integrated into the AV engine, at which point its engine will be almost on par with the competition...
Hello @Shadowra, according to Xcitium, Valkyrie on Comodo Free will not be included because it's a premium feature only for Xcitium.

Best Regards
Nikola
 
Although it's free and it's very good at detecting unknown malware on Comodo, it will not be included.

Best Regards
Nikola
 
I'll be brief about Comodo:
My message is not intended to insult Comodo's staff or its users, but I am speaking as a tester.

Comodo as an AV engine is a real joke. It detects too few threats, and some of them are even old...
Comodo pushes everything to the Sandbox, which can be a good compromise, but also insufficient.

All it takes is for malware to be signed or steal the signature that is placed in Comodo's Whitelist => No sandbox, malware allowed...
I'm still waiting for Valkyrie to be integrated into the AV engine, at which point its engine will be almost on par with the competition...
Hello @Shadowra, would you mind dropping some SHA1s so I can check with the team?

Kind Regards
Nikola
 