The UAC bypasses usually happen when the security does not use strong containment. In the case of Comodo with containment set to Restricted or Untrusted, bypassing UAC would be much harder. I cannot recall any example of bypassing UAC in such containment.
It does and disabling LUA can stop that exploit too.
When LUA is disabled, everything executed by the user starts by default as administrator. So, the "Run as administrator" option is not needed anymore.
That particular exploit will be blocked on SUA independently of the LUA enabled/disabled.
In an administrative account, you mean. In SUA, it is, and will hamper installers and applications that require elevated privileges on every execution.
Yes.
Thank you. I am taking your advice in this instance, as I am of the understanding that a lot of exploits these days are designed to work in user context, in which case I would expect more mileage from Cruel CF than from UAC. I also have a standard account for regular use.
CIS / CF is still completely free. You can get CIS/CF Premium (Free) from here: CIS/CF Version 12.3.3.8152 which is the latest version. It's the Premium Version to download and then you can choose with the installer whether to install both Firewall and Antivirus or just one or the other as detailed in @cruelsister 's video: Comodo Firewall 2025 Setup & Commentary. This latest version fixes the recent Certificate issue.
malwaretips.com
I wonder if some third party hips like hitman pro alert , intercept x can prevent something like that as it has some mitigations against loading, injection of dll files into protected processesI conducted a simple test with restricted RunDLL32 via Script Analysis and the unknown DLL (other settings like in the Comodo killer).
When the DLL was executed by RunDLL32, it was contained. When the same DLL was loaded via DLL hijacking, it was not contained.
It is not good, because such an attack is very simple and does not require an exploit.
In the standard attacks via LOLBins, the DLL can be contained if the LOLBin that can execute the DLL is restricted.
My DLL was unknown but not harmful, so malicious actions of DLL hijacking can probably be prevented by HIPS.
That would be nice. If there are some types of drive-by downloads that can get through browser protections and Comodo, another layer might be needed.
intezer.com
It's pretty lightweight and when configured with cruelssister settings it doesn't conflict with av software (virus scope , hips disabled)
I'm presuming that your Anti-Exploit tool would prevent this or perhaps one of your hardening tools. Is there an in the wild example of this exploit? Was viruscope enabled in the test? Just curious why it hasn't been at least detected or flagged by behaviour analysis.I found another Comodo containment bypass (technique known for over 5 years) via VBA macro. That bypass is rarely used in the wild and allows the injection of the EXE file into Excel/Word. Comodo only sees that a trusted application does something (Excel.exe or Word.exe), so the EXE file is not contained.
In the screenshot above we can see the same application "New GUI" executed normally (contained by Comodo) and executed via office macro (not contained).
Even if Comodo uses Paranoid HIPS the user has to be cautious because the HIPS alert informs only that Winword.exe tries to execute Winword.exe.
Anyway, no need to worry if macros are not allowed.
Edit.
I changed the screenshot (Killswitch in English).
Interesting. Thanks for testing. I'm surprised that the payload itself wasn't contained and therefore any sub procesess. suppose it proves at the very least that computer security is all about layers and best practices.
