Comodo CIS Bug fix policy

ErzCrz

Level 22
Verified
Top Poster
Well-known
Aug 19, 2019
1,170
Exactly!

I was about to write the same thing. Svchost is a nice comms backdoor for every running app, background process or service.
It's a major shortcoming of CIS Firewall!
Just for info. CF does sandbox svchost sub-processes of malware or untrusted files and firewall alert pops up. Source: Comodo Firewall vs Data Stealer - Cruelsister
1725728772036.png

I should have a look and compare how other AVs/FWs compare but just something I've observed in CS's CF tests. Currently looking at how to lock down Windows Firewall but given that I have the Home version of Win 11 I think my options are limited to firewall hardening blocking lolbins.
 

Decopi

Level 8
Verified
Oct 29, 2017
361
Comodo by default considers all Windows Services, all SVCHOST and an endless list of other files to be "safe"/"trusted".

A "safe"/"trusted" file in Comodo, inside or outside of a sandbox, will always have free comms. Any (irresponsible/immoral) fanatic can confirm this, by observing that tons of his files right now are using comms through SVCHOST.

It is important to remember that Comodo's "safe/trusted" label is an arbitrary list that is outdated (not updated in the last 15 years). So, at Comodo, hundreds of files are considered "safe"/"trusted" by default.

The problem is unsolvable because Comodo does not allow customizations of Windows Services, SVCHOST and tons of other files. It is not a configuration problem, but rather a problem with the deprecated old Comodo model.

Therefore, as another MT member rightly stated: "Svchost is a nice comms backdoor for every running app, background process or service". Or in my own words: "Comodo Firewall is a placebo".
 

Pico

Level 6
Thread author
Feb 6, 2023
266
Would the svchost FW alert also have been shown when FW was set to safe mode as svchost is a windows trusted service?
To my knowledge trusted things (like svchost) get unlimited internet access in containment with FW set to safe mode leaking (stolen) data.

Malware aside, Comodo CIS FW can't filter svchost traffic by parent process / service.
Do you (or others) know about what other (free) FW do allow / support svchost filtering by parent process / service?
Would be very glad to know that.
 
  • Like
Reactions: Divine_Barakah

zidong

Level 2
Jul 15, 2024
58
With all the complaints about Comodo, you don't see anybody running to MalwareTips complaining that they were infected with Comodo installed. You experience bugs? So what? Who cares? Those are your troubles. Figure it out. This is information security. That's what resourceful people do. They don't give up and they figure it out.
Yes, no one is infected because no one uses it. Same for North Korean SiliVaccine. No one is infected, because no one uses it.
If you want 100% protection install SiliVaccine antivirus + Comodo Firewall.
 

simmerskool

Level 37
Verified
Top Poster
Well-known
Apr 16, 2017
2,607
I should have a look and compare how other AVs/FWs compare but just something I've observed in CS's CF tests. Currently looking at how to lock down Windows Firewall but given that I have the Home version of Win 11 I think my options are limited to firewall hardening blocking lolbins.
fwiw I got a little more into Windows Firewall Control WFC and it does have some firewall security features, but I do not know how effective they are. But I feel better enabling them :ROFLMAO:
 
  • Like
Reactions: wat0114 and ErzCrz

wat0114

Level 13
Verified
Top Poster
Well-known
Apr 5, 2021
620
And even if you customize the Svchost (as you did in your post), at Comodo it can only be done in a generic way, for example, a simple “allow” “port: 53” (necessary for DNS) opens all comms for any malware.
Respectively, the rules for it can be more restrictive than this, as in my DNS rule I also restricted svchost to remote IP addresses cloudflare (1.1.1.1, 1.0.0.1).

I could have done the same, for example, for Windows time to remote port 123, and/or remote HTTP (port 80), but I chose not to. It is actually a lot of work to create rules like this for all running applications requiring network comms in any application firewall, including Windows firewall, but with a better interface, this work can be reduced. Windows firewall has the serious limitation of not supporting wildcards in path rules, and I seem to remember Comodo has a similar limitation - not quite the same - one that I posted elsewhere some time ago in another forum here:


Keep in mind also with Comodo, that all settings once configured can be backed up and restored at any time if necessary.

Btw, even though in Comodo, svchost rules can not be tied to specific services it hosts, I believe this is not a security issue. That's because any svchost rule in comodo will affect all services it is hosting. Windows firewall w/Advanced security has the option to tie svchost rules to specific services it hosts, but one can also create rules that affect all services:

svchost-DNS Client firewall rule.jpg

Therefore the rule created this way would apply to all running svchost processes in Windows.

Not defending Comodo and those in charge of its development, just trying to state facts as I understand them. As for malicious processes harnessing svchost or any other Windows process for comms, well it should be contained in the sandbox with the Cruel setup or similar, thereby mitigating or eliminating that threat.

Assuming Melih is in charge, I would like to see him either:
  1. Spearhead an initiative to investigate and fix all reported bugs and shortcomings and provide a free version, or
  2. Spearhead an initiative to investigate and fix all reported bugs and charge a fee (freemium) for it, or
  3. Announce and discontinue the development of the free version and post a disclaimer to "use at your own risk"
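
An added example, not part of the post above and not Comodo or Microsoft code: the generic svchost DNS rule next to a service-scoped one in Windows Firewall, using the built-in NetSecurity cmdlets, followed by a read-only listing of which hosted services sit behind each svchost PID that holds a TCP connection. The rule display names are hypothetical; the resolver addresses are the ones named in the thread.

```powershell
#Requires -RunAsAdministrator
# Added illustration. Rule names are made up for this example.
$svchost   = Join-Path $env:SystemRoot 'System32\svchost.exe'
$resolvers = '1.1.1.1', '1.0.0.1'   # Cloudflare resolvers mentioned in the thread

# Allow rules only narrow traffic when the profile's default outbound action is Block.
Get-NetFirewallProfile |
    Where-Object DefaultOutboundAction -ne 'Block' |
    ForEach-Object {
        Write-Warning "$($_.Name): default outbound is not Block; allow rules restrict nothing here"
    }

# Generic form: matches every svchost.exe instance, whatever service it hosts.
# Created disabled, only so it can be compared with the scoped rule below.
New-NetFirewallRule -DisplayName 'Example svchost DNS (any service)' `
    -Direction Outbound -Action Allow -Program $svchost `
    -Protocol UDP -RemotePort 53 -RemoteAddress $resolvers `
    -Enabled False | Out-Null

# Service-scoped form: same addresses and port, but only for the DNS Client
# service (short name Dnscache) hosted inside svchost.exe.
New-NetFirewallRule -DisplayName 'Example svchost DNS (Dnscache only)' `
    -Direction Outbound -Action Allow -Program $svchost -Service 'Dnscache' `
    -Protocol UDP -RemotePort 53 -RemoteAddress $resolvers | Out-Null

# Read-only audit: map each running service to the PID that hosts it,
# then show remote TCP peers per svchost PID with the services behind it.
$servicesByPid = Get-CimInstance Win32_Service -Filter 'ProcessId <> 0' |
    Group-Object ProcessId -AsHashTable -AsString
$svchostPids = (Get-Process -Name svchost).Id

Get-NetTCPConnection -State Established |
    Where-Object OwningProcess -in $svchostPids |
    Sort-Object OwningProcess, RemoteAddress |
    ForEach-Object {
        [pscustomobject]@{
            PID           = $_.OwningProcess
            Services      = ($servicesByPid["$($_.OwningProcess)"].Name -join ',')
            RemoteAddress = $_.RemoteAddress
            RemotePort    = $_.RemotePort
        }
    } | Format-Table -AutoSize
```

Remove the two example rules afterwards with `Remove-NetFirewallRule -DisplayName 'Example svchost DNS*'`.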
 

bazang

Level 7
Jul 3, 2024
301
The only remaining action is to combat the irresponsibility and immorality of Comodo and its fanatics, in order to prevent readers from being misled and deceived by these Comodo-garbage-threads.
It is irresponsible and immoral for Comodo anti-fanatics to make false statements. You make a lot of false statements about Comodo.

Yes, no one is infected because no one uses it. Same for North Korean SiliVaccine. No one is infected, because no one uses it.
If you want 100% protection install SiliVaccine antivirus + Comodo Firewall.
Correction to your false statement. It is because people use Comodo that they remain infection-free.

The claim that nobody uses it is a deliberate false statement on your part. CIS\CFW routinely has 25,000+ downloads per week in India alone. Lots of people use it there because it has a reputation for being zero cost (0 Rupees) while providing solid protection with CS settings. Indians are way more IT savvy and know how to figure out workarounds. The end objective is to find a solution instead of whining, complaining, and lying about Comodo.

You can keep trying by making more false statements. You do realize that lying is irresponsible and immoral, right?
 

bazang

Level 7
Jul 3, 2024
301
True, they all gave up on Comodo CIS and started using other better and maintained solutions.
Correction to your statement. CIS\CFW have always had a strong user base. Just because you and others don't use it, that is not the reality for millions of other people in the world. They do use CIS\CFW and manage to have no problems with it.
 
  • Hundred Points
Reactions: rashmi

Decopi

Level 8
Verified
Oct 29, 2017
361
Respectively, the rules for it can be more restrictive than this, as in my DNS rule I also restricted svchost to remote IP addresses cloudflare (1.1.1.1, 1.0.0.1).

DNS providers (1.1.1.1, 1.0.0.1, whatever) are not direct IP addresses (they are just DNS resolvers). Therefore, at Comodo, any malware can use svchost to connect to any IP, using any DNS resolver. For example, one of your rules is: "C:\Windows\System32\svchost.exe Allow UDP Out Any 1.0.0.1 Any 53 DNS-Cloudflare"... means that in your Comodo a malware using svchost can connect to any IP through 1.0.0.1
At Comodo, the only way to customize svchost is by customizing IPs, not the DNS resolver, but the direct comm between svchost and any specific IP. And that's impossible to be done, because daily your device uses thousands of different IPs.

I could have done the same, for example, for Windows time to remote port 123, and/or remote HTTP (port 80),

Again, limiting the port won't limit any IP.
At Comodo, any malware using Windows Services, svchost or any file labeled as "safe"/"trusted"... the malware will have comms to any IP.
And again, in this example also you can't customize IPs at Comodo for Windows Time or for other Windows Service because Microsoft IPs change weekly.

Btw, even though in Comodo, svchost rules can not be tied to specific services it hosts, I believe this is not a security issue.

I do respect your opinion! But I disagree. IMHO it is a major flaw! At Comodo, any malware can exploit a "safe"/"trusted" file, having comms to any IP.
Comodo firewall is a placebo.

That's because any svchost rule in comodo will affect all services it is hosting. Windows firewall w/Advanced security has the option to tie svchost rules to specific services it hosts, but one can also create rules that affect all services:

View attachment 285396

Therefore the rule created this way would apply to all running svchost processes in Windows.

Here is not the right thread, but I assure you that Windows Firewall and several other third-party firewalls not only have a better GUI than Comodo, but they also allow the complete customization of any file (including Windows Services, svchost, etc etc etc).

As for malicious processes harnessing svchost or any other Windows process for comms, well it should be contained in the sandbox with the Cruel setup or similar, thereby mitigating or eliminating that threat.

Again, with all due respect, I disagree.
Comodo is built in modules. And you and me are talking specifically about Firewall. And Comodo Firewall has dangerous breaches. It's unacceptable to justify or to minimize or to omit any security breach in Comodo Firewall by pointing to another module.
That said, it's always important to remember that the Comodo Containment module itself has several security breaches.

Assuming Melih is in charge, I would like to see him either:
  1. Spearhead an initiative to investigate and fix all reported bugs and shortcomings and provide a free version, or
  2. Spearhead an initiative to investigate and fix all reported bugs and charge a fee (freemium) for it, or
  3. Announce and discontinue the development of the free version and post a disclaimer to "use at your own risk"

Totally agree with you! Excellent comment.
And also it'll be nice to see Comodo incorporating a strong real antivirus/antimalware, with new modules based on virus/malware detection (not "blocker", "deny-all", "zero-trust" blah blah blah).
However, based on the past 20 years, it's easier to discover that The Earth is flat, than to see Comodo fixing bugs or incorporating modern technologies.
 
  • Like
Reactions: Divine_Barakah

Pico

Level 6
Thread author
Feb 6, 2023
266
Just for info. CF does sandbox svchost sub-processes of malware or untrusted files and firewall alert pops up. Source: Comodo Firewall vs Data Stealer - Cruelsister

I should have a look and compare how other AVs/FWs compare but just something I've observed in CS's CF tests. Currently looking at how to lock down Windows Firewall but given that I have the Home version of Win 11 I think my options are limited to firewall hardening blocking lolbins.
Would the svchost FW alert also have been shown when FW was set to safe mode as svchost is a windows trusted service?
To my knowledge trusted things (like svchost) get unlimited internet access in containment with FW set to safe mode leaking (stolen) data.

Malware aside, Comodo CIS FW can't filter svchost traffic by parent process / service.
Do you (or others) know about what other (free) FW do allow / support svchost filtering by parent process / service?
Would be very glad to know that.

@Moderators, something went wrong with previous post #323, you may want to delete or keep post #323, thank you.
 

Pico

Level 6
Thread author
Feb 6, 2023
266
CIS\CFW have always had a strong user base.
With the emphasis on the past tense: had a strong user base.
Look at Comodo forum, user base has reduced to only one or two people.
The active and dynamic user base of the olden days is gone, no one believes in Comodo anymore.
I feel sorry for the one or two hamsters trapped in that Comodo CIS running wheel...
 
  • Love
Reactions: Decopi

bazang

Level 7
Jul 3, 2024
301
With the emphasis on the past tense: had a strong user base.
What is stated and the language I used is not past tense. It meant exactly what it meant - which is from Day 1 CIS\CFW has had a strong user base. If you do not know what that means in English, it means from the beginning to this very moment and beyond CIS\CFW totals in the millions.

The extent of participation on the Comodo forum is not an indication of anything. The total number of downloads per week is a much more realistic measure of the extent of the user base.

You can keep trying but it is not going to work.
 

ErzCrz

Level 22
Verified
Top Poster
Well-known
Aug 19, 2019
1,170
Would the svchost FW alert also have been shown when FW was set to safe mode as svchost is a windows trusted service?
To my knowledge trusted things (like svchost) get unlimited internet access in containment with FW set to safe mode leaking (stolen) data.

Malware aside, Comodo CIS FW can't filter svchost traffic by parent process / service.
Do you (or others) know about what other (free) FW do allow / support svchost filtering by parent process / service?
Would be very glad to know that.

@Moderators, something went wrong with previous post #323, you may want to delete or keep post #323, thank you.
It was in Safe Mode in CS's tests as it is by default. Her setup has the Containment Level set as Restricted which doesn't allow the contained to connect out and you only see an alert for an untrusted file. Compared with the default Partially limited when you have firewall alerts for the contained, see: CF Containment Variations - Partially limited timestamp

I'm not sure, maybe a combination of HIPS or Firewall rule or Firewall set in Custom Mode and only tick the save rule box for connections you don't want repeated alerts for.
1725793249928.png
 

Pico

Level 6
Thread author
Feb 6, 2023
266
What is stated and the language I used is not past tense. It meant exactly what it meant - which is from Day 1 CIS\CFW has had a strong user base. If you do not know what that means in English, it means from the beginning to this very moment and beyond CIS\CFW totals in the millions.

The extent of participation on the Comodo forum is not an indication of anything. The total number of downloads per week is a much more realistic measure of the extent of the user base.

You can keep trying but it is not going to work.
CIS 2025 was downloaded only 541 times over the past 100 days. That's roughly 38 downloads per week; that's indeed a very realistic measure of the extent of the user base.
Not one or two people are using it but there are only three of them using it.

Just stating the facts nothing more than that.
 
  • Love
Reactions: Decopi

Pico

Level 6
Thread author
Feb 6, 2023
266
It was in Safe Mode in CS's tests as it is by default. Her setup has the Containment Level set as Restricted which doesn't allow the contained to connect out and you only see an alert for an untrusted file. Compared with the default Partially limited when you have firewall alerts for the contained, see: CF Containment Variations - Partially limited timestamp

I'm not sure, maybe a combination of HIPS or Firewall rule or Firewall set in Custom Mode and only tick the save rule box for connections you don't want repeated alerts for.
As I see it restricted has got nothing to do with Firewall behavior:

Restricted - The application is allowed to access very few operating system resources. The application is not allowed to execute more than 10 processes at a time and is run with very limited access rights. Some applications, like computer games, may not work properly under this setting.

Svchost is a system trusted service (executable) it could connect out in containment in FW safe mode, perhaps I'm missing something.
 
  • Hundred Points
Reactions: Decopi

Decopi

Level 8
Verified
Oct 29, 2017
361
By Comodo default settings all Windows Services files, all Svchost instances, and another long list of files are considered "safe"/"trusted".

By Comodo default settings, any file labeled as "safe"/"trusted" always had, has and will have free comms.

At Comodo any sandboxed, restricted, containerized blah blah blah (whatever you want to call it), if labeled as "safe"/"trusted" then always had, has and will have free comms.

At Comodo any virus/malware can use Windows Services, Svchost instances, and any other file labeled as "safe"/"trusted" to access free comms.

At Comodo, the "safe"/"trusted" label is based on an arbitrary list (not updated in 15 years).

Therefore, Comodo Firewall always was, is and will be a placebo.

PS: The problem has no solution, because default or not default, Comodo Firewall settings don't allow the customization of Windows Services files, Svchost instances, and many other files.
 

bazang

Level 7
Jul 3, 2024
301
CIS 2025 was downloaded only 541 times over the past 100 days. That's roughly 38 downloads per week that's indeed a very realistic measure of the extent of the user base.
That is only for a single download node.

The total global downloads of CIS\CSF over the past 100 days is > 100,000 separate download instances. The average annual downloads have been consistently around 1.5 million per annum for a long time.

Just stating the facts. Nothing more. Nothing less.

You can keep trying but it is not going to work.
 

Pico

Level 6
Thread author
Feb 6, 2023
266
That is only for a single download node.

The total global downloads of CIS\CSF over the past 100 days is > 100,000 separate download instances. The average annual downloads have been consistently around 1.5 million per annum for a long time.

Just stating the facts. Nothing more. Nothing less.

You can keep trying but it is not going to work.
I'm only aware of two public download nodes, first node on Comodo forum, second node on Comodo site, and on both nodes people have trouble finding the correct download link. Also, CIS 2025 wasn't available on Comodo site for public download for some time when it was released.
I take your > 100,000 downloads with a grain of salt.
 

ErzCrz

Level 22
Verified
Top Poster
Well-known
Aug 19, 2019
1,170
As I see it restricted has got nothing to do with Firewall behavior:

Restricted - The application is allowed to access very few operating system resources. The application is not allowed to execute more than 10 processes at a time and is run with very limited access rights. Some applications, like computer games, may not work properly under this setting.

Svchost is a system trusted service (executable) it could connect out in containment in FW safe mode, perhaps I'm missing something.
I'm referring to when it's a child process of unknown or malware, the svchost process is in Containment, virtualized and not allowed to connect out. e.g. running edge in the container which is a trusted file won't connect to the internet if I don't allow it to via the firewall alert as below. If you change the Firewall Mode to Custom it will alert for every connection whether trusted or not.
1725802045575.png

Anyway, just informing of how CF works, not trying to convince anyone here. Hopefully, whatever firewall you do use, alerts or blocks those svchost connections you don't want. I like running CF in Custom Mode when I'm feeling paranoid but that's more for blocking windows privacy leaks.
 

Decopi

Level 8
Verified
Oct 29, 2017
361
With regards to current Comodo user base, these are the numbers officially informed by Comodo until past 08/19/2024:

Total number of active global users CIS previous 2025 versions = 83 (OBS: The measurement is made based on telemetry. The total number of new downloads is under 3 per week, but repeated IPs are discarded, and usually new downloads don't mean new users).

Total number of global active users CIS 2025 version = 496 (OBS: The measurement is made based on telemetry. The total number of new downloads is under 40 per week, but repeated IPs are discarded, and usually new downloads don't mean new users).

Total number of global active CIS fanatics members of MT = less than 5 irresponsible/immoral guys.

The current total active global user base of all CIS versions is around ±600 users.

Additional facts:

Comodo global market share is negligible when compared to major competitors. This is not new information; Comodo has not had a market share for the past 20 years. The average-Joe-user has never heard about Comodo. And a recent poll here at MT confirmed that 92% of MT members are not interested nor concerned with Comodo.

Revenues 2023 + until today are few millions, an average of just US$25 million. Almost none of this money comes from CIS products.

Over the years they lost almost all of their staff. Today they have a small team of ±30 people on average, mostly dedicated to administrative functions. They have reduced their workspace, and today they occupy a small office.

PS: Source is Comodo website, Comodo official forum, Comodo staff and information published on the internet.
 