Malware Hub Report Comodo AntiVirus - May / June / July 2022 Report

Disclaimer
  1. This test shows how an antivirus behaves with certain threats, in a specific environment and under certain conditions.
    We encourage you to compare these results with others and take informed decisions on what security products to use.
    Before buying an antivirus you should consider factors such as price, ease of use, compatibility, and support. Installing a free trial version allows an antivirus to be tested in everyday use before purchase.

harlan4096

Due to the small number of samples used in these tests, you should take results with a grain of salt. We encourage you to compare these results with others and take informed decisions on what security products to use.

System Status Abbreviations:

P : Protected
NC : Not Clean
I : Infected
E : Encrypted

* : Partially Blocked
* : BB Dynamic Bonus Test (only Behavior Blocker module running)

Second Opinion Scanners Status Abbreviations:

C : Clean
I : Infected

Additional Abbreviations:

WV : WiseVector StopX
HMP : HitManPro
NPE : Norton Power Eraser
EEK: EmsiSoft Emergency Kit
KVRT : Kaspersky Virus Removal Tool

BSR : Before System Reboot
ASR : After System Reboot




| May 2022 | Samples Pack | Static Detection | Dynamic Detection | Total Detection | System Files Encrypted | 2nd Opinion Scanners | System Final Status | Thread Link |
|---|---|---|---|---|---|---|---|---|
| 02/05/2022 | 1 | 0 / 1 | 1 / 1 | 1 / 1 | No (Auto Containment On) | N/A | P | |
| 09/05/2022 | 2 | 0 / 2 | 0 / 2 | 1 / 2*; 0 / 2 | No (Auto Containment On)*; Yes (Auto Containment Off) | N/A*; E | P*; E | |
| 14/05/2022 | 1 | 0 / 1 | 0 / 1 | 0 / 1 | No (Auto Containment On)*; No | N/A*; C | P*; BSR: I, ASR: NC | |
| 16/05/2022 | 2 | 0 / 2 | 1 / 2*; 0 / 2 | 1 / 2*; 0 / 2 | No (Auto Containment On)*; No | N/A*; I | P*; BSR: I, ASR: I | |
| VirusScope OUTSIDE THE CONTAINER + SHOW POPUPS ALERTS | | | | | | | | |
| 24/05/2022 | 2 | 0 / 2 | 2 / 2*; 1 + 1* / 2 | 2 / 2*; 1 + 1* / 2 | No (Auto Containment On)*; No | N/A*; C: EEK, I: WV NPE KVRT | P*; I | |
| 28/05/2022 | 2 | 0 / 2 | 0 / 2*; 0 / 2 | 0 / 2*; 0 / 2 | No (Auto Containment On)*; Yes | N/A*; C | P*; E | |
| 06/06/2022 | 2 | 0 / 2 | 0 / 2*; 0 / 2 | 0 / 2*; 0 / 2 | No (Auto Containment On)*; No | N/A*; C: NPE KVRT | P*; BSR: I, ASR: P | |
| 12/06/2022 | 2 | 0 / 2 | 2 / 2*; 2 / 2 | 2 / 2*; 2 / 2 | No (Auto Containment On)*; No | N/A*; C | P*; P | |
| 20/06/2022 | 2 | 0 / 1 | 0 / 2*; 0 / 2 | 0 / 2*; 0 / 2 | No (Auto Containment On)*; No | N/A*; I | P*; BSR: I, ASR: I | |
| ANTI-VIRUS + VIRUS SCOPE + CONTAINMENT DISABLED / HIPS ENABLED | | | | | | | | |
| 19/07/2022 | 3 | 0 / 3 | 3 / 3*; 3 / 3 | 3 / 3*; 3 / 3 | No (Auto Containment On)*; No | N/A*; C | P*; P | |
| 23/07/2022 | 1 | 0 / 1 | 0 / 1*; 1 / 1 | 0 / 1*; 1 / 1 | No (Auto Containment On)*; No | N/A*; C | P*; P | |
 

harlan4096

It seems CA with sandbox enabled (Auto-Containment) has an additional behaviour feature that is not available when it is disabled 🤔

In at least 2 or 3 tests, CA detected suspicious behaviour when executing a malware sample with sandbox enabled, but didn't in the same test with sandbox disabled 🤷‍♂️
 

mellowtones242

> It seems CA with sandbox enabled (Auto-Containment) has an additional behaviour feature that is not available when it is disabled 🤔
>
> In at least 2 or 3 tests, CA detected suspicious behaviour when executing a malware sample with sandbox enabled, but didn't in the same test with sandbox disabled 🤷‍♂️

I believe the CA doesn't function properly once Auto-Containment is disabled.
 

upnorth

The results so far speak very well for themselves in this case. It's an AV solution from a vendor that has extremely major issues without the Auto-containment enabled. Can almost not recall any other AV in the Hub doing so consistently poorly.

I can guess our small help of trying to submit the samples to the developer/s will not help much. Or at least we won't be able to see some sudden automatic improvement before this test period is done. I hope I'm wrong. :coffee:
 

Anthony Qian

> The results so far speak very well for themselves in this case. It's an AV solution from a vendor that has extremely major issues without the Auto-containment enabled. Can almost not recall any other AV in the Hub doing so consistently poorly.
>
> I can guess our small help of trying to submit the samples to the developer/s will not help much. Or at least we won't be able to see some sudden automatic improvement before this test period is done. I hope I'm wrong. :coffee:

Yes. Comodo will simply add detections like "Malware@xxxxx" for undetected samples if you submit them for analysis. However, "Malware@xxxxx" detections are based on hash, so a small modification to the sample will cause Comodo to fail to detect it.
 

SecureKongo

> It seems CA with sandbox enabled (Auto-Containment) has an additional behaviour feature that is not available when it is disabled 🤔
>
> In at least 2 or 3 tests, CA detected suspicious behaviour when executing a malware sample with sandbox enabled, but didn't in the same test with sandbox disabled 🤷‍♂️

Yes, by default Comodo's behavioural protection called "VirusScope" only monitors processes running in their container. If you disable the containment, the behavioural protection will not work properly either. You can change that by allowing VirusScope to monitor processes outside of the container somewhere in the settings.

Edit:

Here, found it:
Screenshot 2022-05-17 152448.png
 

upnorth

> Yes, by default Comodo's behavioural protection called "VirusScope" only monitors processes running in their container. If you disable the containment, the behavioural protection will not work properly either. You can change that by allowing VirusScope to monitor processes outside of the container somewhere in the settings.
>
> Edit:
>
> Here, found it:
> Screenshot 2022-05-17 152448.png

That makes sense and fun thing, both me and @harlan4096 were watching those settings and others earlier today. Thanks and will be interesting to watch for the next test. (y)
 

SecureKongo

> I thought that the test was based on default settings with Auto Containment on and then with it off, is this the case?

Yes, you are right. By default the auto-containment is active I think. But if one disables auto-containment, the behavioural component doesn't work anymore in default settings. So he has to keep that in mind for his future tests.
 

upnorth

Time for an end assessment on this specific Free AV product. This time around anyway as the Hub might of course re-visit CA ( Comodo Antivirus ) in the future and do another test.

I'm gonna start off with the positive side/part. Comodo's Auto Containment ( AC ) feature is a very good one and has been a pleasure to watch in action. That it's ON by default is not just user friendly and smart, but also essential and crucial. It's what saves this product from a total embarrassing failure, but most important, it saves any normal common user that wouldn't know what a Horror story the Antivirus ( AV ) module is. I must admit that my previous assessment was plain wrong. It's even much much worse!

If AC for any reason would go down, be turned OFF etc, it's not a machine and system I personally would wanna come close to. It would be treated just the same as the US army and several of the Swedish military force branches do with their infected machines. Physically destroyed or " Nuked " is a word I know is used. But on the other hand it matters less in the big picture since it's a brand/vendor that is very unknown, specifically in Scandinavia and Europe. Unless one talks about certificates, but that's a messy enough story on its own and belongs in another thread/section.

Not a single static catch/detection during this specific test, speaks for itself more than enough or should anyway. The AV module/part of CA is so extremely utterly poor and weak that Comodo would probably be much better off ripping that out and replacing it with something that actually works. @harlan4096 was kind enough and even tried to tweak/harden, but sadly not even that helped. The Hub submissions on undetected samples are always done to try to help the vendors/developers, but in this case we have no idea other than it for sure never was a priority, and never was fixed.

The Hub's disclaimer!
This test shows how an antivirus behaves with certain threats, in a specific environment and under certain conditions. We encourage you to compare these results with others and take informed decisions on what security products to use. Before buying an antivirus you should consider factors such as price, ease of use, compatibility, and support. Installing a free trial version allows an antivirus to be tested in everyday use before purchase.

Huge thanks for another great test @harlan4096 (y):emoji_beer: and looking forward to the next.
 

ErzCrz

I have such a love/hate for CIS. I've returned and gone away from it dozens of times. It's hard finding other free products with such an effective containment. I've tried the tweaked HIPS protecting the entire drive in case containment gets disabled but I'm not aware of any malware or software that can turn containment off. Anyway, interesting results ;)
 

ErzCrz

"...Horror story the Antivirus ( AV ) module is..."
:D Problem is they turned so much of it off by default, it practically only works with containment. Heuristics OFF by default. Light database rather than full database by default. Network drive scanning disabled by default, HIPS on in safe mode used to be a default and it doesn't even show a pop-up connecting to networks, it just calls them all Home. It also only scans .zip and .exe compressed file formats unless you add your own. No wonder I run it Proactive Config with Cruelsister's restricted containment level tweak ;)
 

Kiss

> I have such a love/hate for CIS. I've returned and gone away from it dozens of times. It's hard finding other free products with such an effective containment. I've tried the tweaked HIPS protecting the entire drive in case containment gets disabled but I'm not aware of any malware or software that can turn containment off. Anyway, interesting results ;)

You are a masochist then :ROFLMAO: