Serious Discussion Comodo discussions

@rashmi,

You must solve the problem of properly whitelisting SystemSpace, which is allowed by default (no whitelisting required) in WHHLight for PE files via WDAC.
Otherwise, some Windows updates can fail.
@rashmi,
If I correctly recall, Comodo uses many rules to properly whitelist the system processes. It would be necessary to check if your general DLL block rule does not break them.
I'll use the WHHLight whitelist, then add more as needed, review other modules, and monitor logs/issues.
@Andy Ful, I conversed with DeepSeek and provided the rules (security with usability):
C:\Windows\System32\*.dll
C:\Program Files*\*.dll
C:\Program Files (x86)\*.dll
C:\ProgramData\*
C:\Users\rashmi\AppData\Local\*
C:\Users\rashmi\AppData\Roaming\*
C:\Windows\Installer\*
C:\Windows\Temp\*

DeepSeek adjusted/suggested the rules (security with usability):
C:\Windows\*.dll
C:\Program Files*\**\*.dll (covers both 64- and 32-bit)
C:\ProgramData\**\*.dll
C:\Users\rashmi\AppData\**\*.dll (keep a watch for any strange folder)
C:\Windows\Temp\*.dll
C:\Windows\Installer\*.dll

DeepSeek also suggested replacing the C:\Windows\Temp\*.dll rule with more secure rules.
C:\Windows\Temp\MSI*.dll
C:\Windows\Temp\~nsu*.dll
C:\Windows\Temp\wufiles\*.dll
You can also get some insight from Bouncer rules:
# Some priority rules to get rid of pesky warnings on current Windows 10 machines

C:\Windows\Temp\CR_?????.tmp\*
C:\Windows\Temp\EDGEMITMP_*.tmp\*
C:\$WinREAgent\Scratch\????????-????-????-????-????????????\*
C:\Windows\Temp\????????-????-????-????-????????????\MPGEAR.DLL
C:\Windows\Temp\????????-????-????-????-????????????\MPENGINE.DLL
C:\Windows\Temp\????????-????-????-????-????????????\Dism*
C:\Windows\Temp\????????-????-????-????-????????????\OSProvider.dll
C:\Windows\Temp\????????-????-????-????-????????????\LogProvider.dll
C:\Windows\Temp\????????-????-????-????-????????????\CbsProvider.dll
C:\Windows\Temp\????????-????-????-????-????????????\DmiProvider.dll
C:\Windows\Temp\????????-????-????-????-????????????\MpSigStub.exe
C:\Windows\Temp\????????-????-????-????-????????????\MpUpdate.dll
C:\Users\*\AppData\Local\Temp\????????-????-????-????-????????????\MPGEAR.DLL
C:\Users\*\AppData\Local\Temp\????????-????-????-????-????????????\MPENGINE.DLL
C:\Users\*\AppData\Local\Temp\????????-????-????-????-????????????\Dism*
C:\Users\*\AppData\Local\Temp\????????-????-????-????-????????????\OSProvider.dll
C:\Users\*\AppData\Local\Temp\????????-????-????-????-????????????\LogProvider.dll
C:\Users\*\AppData\Local\Temp\????????-????-????-????-????????????\CbsProvider.dll
C:\Users\*\AppData\Local\Temp\????????-????-????-????-????????????\DmiProvider.dll
C:\Users\*\AppData\Local\Temp\????????-????-????-????-????????????\MpSigStub.exe
C:\Users\*\AppData\Local\Temp\????????-????-????-????-????????????\MpUpdate.dll

# Default configuration
C:\Windows\*
C:\Program Files\*
C:\Program Files (x86)\*
C:\ProgramData\Microsoft\*

#DISM GET_BEGIN
C:\Users\*\AppData\Local\Temp\????????-????-????-????-????????????\Dism*
C:\Users\*\AppData\Local\Temp\????????-????-????-????-????????????\OSProvider.dll
C:\Users\*\AppData\Local\Temp\????????-????-????-????-????????????\LogProvider.dll
C:\Users\*\AppData\Local\Temp\????????-????-????-????-????????????\CbsProvider.dll
C:\Users\*\AppData\Local\Temp\????????-????-????-????-????????????\MsiProvider.dll
C:\Users\*\AppData\Local\Temp\????????-????-????-????-????????????\IntlProvider.dll
C:\Users\*\AppData\Local\Temp\????????-????-????-????-????????????\IBSProvider.dll
C:\Users\*\AppData\Local\Temp\????????-????-????-????-????????????\DmiProvider.dll
C:\Users\*\AppData\Local\Temp\????????-????-????-????-????????????\UnattendProvider.dll
C:\Users\*\AppData\Local\Temp\????????-????-????-????-????????????\Wow64Provider.dll
C:\Users\*\AppData\Local\Temp\????????-????-????-????-????????????\SmiProvider.dll
C:\Users\*\AppData\Local\Temp\????????-????-????-????-????????????\AppxProvider.dll
C:\Users\*\AppData\Local\Temp\????????-????-????-????-????????????\AssocProvider.dll
C:\Users\*\AppData\Local\Temp\????????-????-????-????-????????????\GenericProvider.dll
C:\Users\*\AppData\Local\Temp\????????-????-????-????-????????????\TransmogProvider.dll
@Andy Ful, Is it workable to use WHHLight with Comodo Firewall in this manner?

Microsoft Defender disabled.

Comodo Firewall: Proactive config, Default containment (WHHLight folder ignored), and HIPS disabled.
WHHLight: SWH off, SS off, and WDAC on (Comodo folders whitelisted).
@Andy Ful, Is it workable to use WHHLight with Comodo Firewall in this manner?

Microsoft Defender disabled.

Comodo Firewall: Proactive config, Default containment (WHHLight folder ignored), and HIPS disabled.
WHHLight: SWH off, SS off, and WDAC on (Comodo folders whitelisted).
You state, "There is no need to use Microsoft Defender, but it can be recommended with ConfigureDefender settings." It seems this means Microsoft Defender can be inactive but not disabled. In that case, the above is not possible.
 
@Andy Ful, Is it workable to use WHHLight with Comodo Firewall in this manner?

Microsoft Defender disabled.

Comodo Firewall: Proactive config, Default containment (WHHLight folder ignored), and HIPS disabled.
WHHLight: SWH off, SS off, and WDAC on (Comodo folders whitelisted).

It may be workable, but I do not like such setups. WDAC and Comodo protect similar areas and do not cover some important fileless attack vectors (like shortcuts). I assume that you would like to use WDAC to cover DLL hijacking. However, shortcuts are probably even more dangerous.

You state, "There is no need to use Microsoft Defender, but it can be recommended with ConfigureDefender settings." It seems this means Microsoft Defender can be inactive but not disabled. In that case, the above is not possible.

It means that you can use another AV (not necessarily MD + ConfigureDefender).
 
@rashmi,

You can try Comodo + WHHLight (SWH = OFF) with hardened Comodo's Script Analysis (instead of SWH = ON). Most fileless attacks use some of the LOLBins included in Script Analysis settings. I think that FirewallHardening could be recommended in this setup.

However, a simpler setup would be Comodo (Autocontainment OFF, hardened Script Analysis) + WHHLight (WDAC ON, SWH OFF)
It may be workable, but I do not like such setups. WDAC and Comodo protect similar areas and do not cover some important fileless attack vectors (like shortcuts). I assume that you would like to use WDAC to cover DLL hijacking. However, shortcuts are probably even more dangerous.
What if: (for DLL hijacking and shortcuts)

Just experimenting:

Comodo (proactive, default containment, and HIPS disabled)
Containment exclusions:
C:\ProgramData\WindowsHybridHardening_Tools

WHHLight (SWH on, SS off, and WDAC on)
SWH and WDAC whitelists:
C:\VTRoot
C:\ProgramData\Comodo
C:\ProgramData\Comodo Downloader
C:\ProgramData\Shared Space
C:\Users\rashmi\AppData\Roaming\Comodo

SWH menu:
Not Configured
Not Configured
Not Configured
High
Restricted SMB1
Unrestricted

SRP File Types:
LNK (remove all extensions)
What if: (for DLL hijacking and shortcuts)

Just experimenting:

Comodo (proactive, default containment, and HIPS disabled)
Containment exclusions:
C:\ProgramData\WindowsHybridHardening_Tools

WHHLight (SWH on, SS off, and WDAC on)
SWH and WDAC whitelists:
C:\VTRoot
C:\ProgramData\Comodo
C:\ProgramData\Comodo Downloader
C:\ProgramData\Shared Space
C:\Users\rashmi\AppData\Roaming\Comodo

SWH menu:
Not Configured
Not Configured
Not Configured
High
Restricted SMB1
Unrestricted

SRP File Types:
LNK (remove all extensions)

Deleting SRP file types will not remove restrictions for VBScript, JScript, BAT, and CMD files. Those file types are specially protected in SRP, and usually produce most of the rare blocks when SWH = ON with default settings. So, in practice, you can simply use WHHLight with WDAC=ON and remove from the default SRP File Types those often used (if there are some).

SWH menu: Not Configured, Not Configured, Not Configured, High, Restricted SMB1, Unrestricted, still restricts PowerShell to Constrained Language Mode.
So finally:
  1. VBScript, JScript, BAT, and CMD are blocked in UserSpace except for scripts explicitly whitelisted (by file path or hash).
  2. Shortcuts are blocked in UserSpace except standard locations (others can be whitelisted).
  3. PowerShell is restricted to Constrained Language (PS1 scripts can be whitelisted but not CmdLines).
You can try the setup from your post, and inspect/whitelist rare blocks.
@Andy Ful, I tried hardening Comodo; I enabled all script analysis options, enabled VirusScope to monitor inside/outside the container, and enabled termination of unrecognized autorun entries related to new/modified registry items. Intel TDT is not applicable to my system. I would also enable HIPS, but it occasionally freezes the system (I'll try HIPS later, as I haven't tried it recently).

Overall, I didn't have any issues, but the script analysis is troublesome; kinda impossible to whitelist some.
@Andy Ful, Configuring Comodo is troublesome. I'm experimenting with Comodo and your tools. I expected I'd reduce DLL hijacking and LNK vulnerabilities, reconfigure others, and benefit from Microsoft ISG and SmartScreen, as I don't use an antivirus.
You can use only @Andy Ful's tools if you don't use an AV, and you can use Comodo in default configuration. Or not use Comodo at all.
 
You can use only @Andy Ful's tools if you don't use an AV, and you can use Comodo in default configuration. Or not use Comodo at all.
It's cool, thank you! :) I'm not overly cautious; I prefer a simple security setup. I mainly use Comodo on my system and Kaspersky on our kids', with a few adjustments. Currently, the kids' systems run H_C, CD, and FH; mine have Comodo, H_C, and WHHLight on separate Eazy Fix snapshots. I created this thread for Comodo and some experiments, not to disrupt other threads, particularly @Andy Ful's, with my comments. I tag @Andy Ful, not for a response, but for any insight or suggestions he might have.