App Review - Comodo Firewall: Bypassing a Bypass

Content created by cruelsister

Andy Ful

From Hard_Configurator Tools
Dec 23, 2014
With UAC enabled, a person blocking everything that results in a UAC popup may "Feel Good", but it won't add very much to overall security, especially as UAC can be easily bypassed (I'm sure I made a couple of videos on this in the past).
The UAC bypasses usually happen when the security does not use strong containment. In the case of Comodo with containment set to Restricted or Untrusted, bypassing UAC would be much harder. I cannot recall any example of bypassing UAC in such containment.
 

Andy Ful

From Hard_Configurator Tools
Dec 23, 2014
@Andy Ful @cruelsister Does Silent Mode with the firewall set to block popup requests obviate the need to disable UAC?

You probably had in mind disabling LUA by using the reg tweak or GPO. This makes the Comodo sandbox fully functional. But, at the same time, anything running outside the sandbox is more vulnerable. The malware/exploit does not need to use privilege escalation or UAC bypass.

Second, if it does not, would disabling UAC after setting to always notify stop this exploit?
It does, and disabling LUA can stop that exploit too.
By the way, if you disable LUA then UAC is automatically set to "Never notify."
But, when LUA is enabled and you set UAC to "Never notify", this will not change the LUA.

I understand it would cripple run-as and apparently mess with auto containment.
When LUA is disabled, everything executed by the user starts by default as administrator. So, the "Run as administrator" option is not needed anymore.

Third, I saw a brief mention of standard user accounts. What impact does it have to run Cruel CF in silent mode and block popup requests within a standard account, with or without UAC disabled?
That particular exploit will be blocked on SUA independently of the LUA enabled/disabled.
The advantage of using SUA happens when the UAC bypass is not contained by Comodo.
 
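The distinction drawn in the post above (the UAC slider at "Never notify" leaves LUA on, while the registry tweak or GPO sets EnableLUA to 0 and turns it off, and a standard user account is governed by a separate policy value) can be audited on a machine with the PowerShell script below. It is an added example, not code from this thread or from Comodo. The registry path, value names and defaults are the documented Windows UAC policy values; the local Administrators group lookup that tells an unelevated admin account from a SUA is a best-effort assumption and is reported as Unknown when it cannot be resolved.

```powershell
# Added example, not from the thread: audit the UAC / LUA settings the posts discuss.
# Reads the registry values behind the UAC slider and the "EnableLUA" GPO/registry tweak
# and reports whether UAC is merely at "Never notify" or LUA is actually disabled.
# Assumes Windows PowerShell 5.1 or PowerShell 7 on Windows; runs in any account.

$UacPolicyKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'

function Get-UacPolicy {
    $p = Get-ItemProperty -Path $UacPolicyKey -ErrorAction Stop

    # Windows defaults apply when a value is absent from the key.
    $enableLua     = if ($null -ne $p.EnableLUA)                  { [int]$p.EnableLUA }                  else { 1 }
    $adminPrompt   = if ($null -ne $p.ConsentPromptBehaviorAdmin) { [int]$p.ConsentPromptBehaviorAdmin } else { 5 }
    $userPrompt    = if ($null -ne $p.ConsentPromptBehaviorUser)  { [int]$p.ConsentPromptBehaviorUser }  else { 3 }
    $secureDesktop = if ($null -ne $p.PromptOnSecureDesktop)      { [int]$p.PromptOnSecureDesktop }      else { 1 }

    # Admin prompt behaviour, worded as the slider / GPO describe it.
    $adminBehaviour = switch ($adminPrompt) {
        0 { 'Elevate without prompting ("Never notify" slider)' }
        1 { 'Prompt for credentials on the secure desktop' }
        2 { 'Prompt for consent on the secure desktop ("Always notify" slider)' }
        3 { 'Prompt for credentials' }
        4 { 'Prompt for consent' }
        5 { 'Prompt for consent for non-Windows binaries (default slider position)' }
        default { "Unknown value $adminPrompt" }
    }

    # Standard-user behaviour: this is what a SUA hits; the admin slider does not change it.
    $userBehaviour = switch ($userPrompt) {
        0 { 'Automatically deny elevation requests' }
        1 { 'Prompt for credentials on the secure desktop' }
        3 { 'Prompt for credentials (default)' }
        default { "Unknown value $userPrompt" }
    }

    # The point made in the thread: "Never notify" leaves LUA on; EnableLUA=0 turns it off.
    $verdict = if ($enableLua -eq 0) {
        'LUA DISABLED: UAC is off. In an admin account every process starts with the full admin token.'
    } elseif ($adminPrompt -eq 0) {
        'LUA enabled, slider at "Never notify": admins elevate silently, but LUA itself is unchanged.'
    } else {
        'LUA enabled with prompting: admins run with a filtered token until they elevate.'
    }

    [pscustomobject]@{
        EnableLUA                  = $enableLua
        ConsentPromptBehaviorAdmin = $adminPrompt
        AdminBehaviour             = $adminBehaviour
        ConsentPromptBehaviorUser  = $userPrompt
        UserBehaviour              = $userBehaviour
        PromptOnSecureDesktop      = $secureDesktop
        Verdict                    = $verdict
    }
}

function Get-CurrentTokenState {
    $identity  = [Security.Principal.WindowsIdentity]::GetCurrent()
    $principal = New-Object Security.Principal.WindowsPrincipal($identity)
    # True only when this process holds the full administrator token (elevated, or LUA off).
    $elevated  = $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)

    # Best effort (assumption): is the account itself a member of local Administrators?
    # Distinguishes "admin account running unelevated" from a standard user account (SUA).
    # Nested domain group membership is not resolved, so the result may be Unknown.
    $inAdminsGroup = $null
    try {
        $adminSids = (Get-LocalGroupMember -SID 'S-1-5-32-544' -ErrorAction Stop).SID.Value
        $inAdminsGroup = $adminSids -contains $identity.User.Value
    } catch { }

    $accountType = if ($inAdminsGroup -eq $false) { 'Standard user account (SUA)' }
                   elseif ($inAdminsGroup -eq $true) { 'Administrator account' }
                   else { 'Unknown' }

    [pscustomobject]@{
        User            = $identity.Name
        ProcessElevated = $elevated
        AccountIsAdmin  = $inAdminsGroup
        AccountType     = $accountType
    }
}

Get-UacPolicy        | Format-List
Get-CurrentTokenState | Format-List
```

Run it once from a normal, unelevated console: on an admin account with LUA on, ProcessElevated is False whatever the slider says; after the EnableLUA tweak and a reboot it becomes True for every process, which is the exposure the post warns about. On a SUA, ProcessElevated stays False in every configuration, matching the statement that the exploit discussed is blocked there regardless of LUA.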

ebocious

Oct 25, 2018
When LUA is disabled, everything executed by the user starts by default as administrator. So, the "Run as administrator" option is not needed anymore.
In an administrative account, you mean. In SUA, it is, and will hamper installers and applications that require elevated privileges on every execution.
 

ebocious

Oct 25, 2018
No. Please note that UAC (enabled) will prevent CF from reacting (as it normally would) to this attack, so any Comodo setting change after that file is run would be of no consequence. The real question here is if the use of UAC can be justified by anyone, especially as some cutesy cmd line arguments can be added to bring down other AM applications.

With UAC enabled, a person blocking everything that results in a UAC popup may "Feel Good", but it won't add very much to overall security, especially as UAC can be easily bypassed (I'm sure I made a couple of videos on this in the past). And even setting the UAC slider to Never Notify will still allow UAC to be enabled, opening up a system to potential issues.

But as always, your system, your choice.
Thank you. I am taking your advice in this instance, as I am of the understanding that a lot of exploits these days are designed to work in user context, in which case I would expect more mileage from Cruel CF than from UAC. I also have a standard account for regular use.

I don't know if you saw a comment I made previously, but I understand that CF is no longer free (only antivirus). The free firewall still gets signature updates, but not version updates. Are you using the paid product now, or sticking with the last free version?
 

ErzCrz

Aug 19, 2019
Thank you. I am taking your advice in this instance, as I am of the understanding that a lot of exploits these days are designed to work in user context, in which case I would expect more mileage from Cruel CF than from UAC. I also have a standard account for regular use.

I don't know if you saw a comment I made previously, but I understand that CF is no longer free (only antivirus). The free firewall still gets signature updates, but not version updates. Are you using the paid product now, or sticking with the last free version?
CIS / CF is still completely free. You can get CIS/CF Premium (Free) from here: CIS/CF Version 12.3.3.8152, which is the latest version. It's the Premium version to download, and then you can choose with the installer whether to install both Firewall and Antivirus or just one or the other, as detailed in @cruelsister's video: Comodo Firewall 2025 Setup & Commentary. This latest version fixes the recent certificate issue.

Andy Ful

From Hard_Configurator Tools
Dec 23, 2014
Why I do not recommend disabling LUA:
