App Review Comodo Firewall vs a new Data Stealer

It is advised to take all reviews with a grain of salt. In extreme cases some reviews use dramatization for entertainment purposes.
Content created by
cruelsister

danb

From VoodooShield
Verified
Top Poster
Developer
Well-known
May 31, 2017
1,742
Sorry for the dense question. Today's not been a good day. That "stealer" CPF was tested against was correctly signed, was it not? If that was the case, then apps like Cyberlock, Spyshelter, etc., which rely on signing verification will be of little to no use here. Am I right? Maybe it's time to look elsewhere if they can be circumvented so easily.
CyberLock does not rely on digital signatures, rather it uses digital signatures for file insight to provide to the end-user. CyberLock would easily block this attack.
 

rashmi

Level 12
Jan 15, 2024
577
Sorry for the dense question. Today's not been a good day. That "stealer" CPF was tested against was correctly signed, was it not? If that was the case, then apps like Cyberlock, Spyshelter, etc., which rely on signing verification will be of little to no use here. Am I right? Maybe it's time to look elsewhere if they can be circumvented so easily.
The malware has invalid digital signatures.
 

Brahman

Level 18
Verified
Top Poster
Well-known
Aug 22, 2013
892
Even AI has been able to make a virus that can't be detected, can they not make a solution that can win at every turn? Can't someone make a tool that can overcome.?

I'm sure we would all use it.
If you are willing to sacrifice some time and effort and if you want a reasonable secure system this thing would be the best bet out there for a non corporate user to have in their disposal.
 
  • Like
Reactions: [correlate]
F

ForgottenSeer 114834

I see a lot of tension and love here. Am I still on MalwareTips? 😂😂🤣

That's because they stammer for truth, but when you hand them truth, they state, no not that truth, please don't shatter my illusions of grandeur. Please don't disrupt my version of reality where I gain fake popularity by misleading users. It's not like they can be harmed by malware or misinformation.

They are the true winners because end of the day, they’ve invested in R&D, they’ve established what’s hot on the market, they’ve developed it and paid to market it. They then extract sweet profits out of it and couldn’t care less who will be proclaimed a winner and where.

Now, getting on to what’s hot on the market, users like convenience and automation and for that, they are ready to pay. This has been proven times and times again, this has been the business model historically of many companies and products and generates billions.

The “let me ask the user” approach is not preferred. Majority of users don’t care whether or not wuaclt.exe will inject a module into svchost.exe.
This approach works only for a very small audience and it is up to a vendor to decide whether they want to cater for a football game in a Dutch village or for the UEFA final game (Hopefully at Wembley Stadium one day).

Vendors have developed automated and layered solutions that provide sufficient security to real people, encountering real-life situations. This method has not been proven to not work.

I invite everyone who believes that asking the user is better than automation, to go and do their laundry at the river as well, with the laundry soap. This is more “effective” than using a washer. But does more effective always equal better? I’ll let you answer that for yourself.

Absolute truth there, most can not handle that type software and leaving security in the hands of uninformed users that have no idea how the operating system works let alone how software should interact with it legitimately is actually idiotic.
 

simmerskool

Level 38
Verified
Top Poster
Well-known
Apr 16, 2017
2,783
CyberLock does not rely on digital signatures, rather it uses digital signatures for file insight to provide to the end-user. CyberLock would easily block this attack.
yes I "tested" this file (see other thread) with Harmony in win10_vm also running CL, and CL stopped the attack (or that's what it looked like to me)
 
Last edited:

cruelsister

Level 43
Thread author
Verified
Honorary Member
Top Poster
Content Creator
Well-known
Apr 13, 2013
3,224
So in the end, Comodo Firewall will block it, or it will be user dependent?
Yes it was stopped. Initially the VirusScope Cloud would have immediately deleted it (but in the video I ignored that warning, which as noted is unwise). But the other important thing is that a Firewall alert popped up which, especially in the case of Data Stealers, should never ever be ignored (which I did anyway).

This latter point is essential to note as any Stealer cannot succeed if it is unable to transmit the stolen data out to Malware Command. This is also why one should never, ever just rely on Windows Defender Firewall (no matter how tricked out) as it is barely an inconvenience to shut it down prior to transmission.

Finally if CF was put into Silent Mode (like in the 2nd part of my last Comodo video) there would have been no popups at all- the file would have just been deleted prior to activation.
 
Last edited:

New_Style_xd

Level 1
Sep 10, 2022
16
Sim, foi parado. Inicialmente o VirusScope Cloud o teria excluído imediatamente (mas no vídeo ignorei esse aviso, que conforme observado não é sensato). Mas a outra coisa importante é que surgiu um alerta de Firewall que, especialmente no caso dos Data Stealers, nunca deveria ser ignorado (o que eu fiz de qualquer maneira).

Este último ponto é essencial a ser observado, pois qualquer Stealer não poderá ter sucesso se não conseguir transmitir os dados roubados ao Comando de Malware. É também por isso que nunca se deve confiar apenas no Firewall do Windows Defender (não importa o quão enganado seja), pois é um inconveniente desligá-lo antes da transmissão.

Finalmente, se CF fosse colocado no Modo Silencioso (como na 2a parte do meu último vídeo do Comodo), não haveria nenhum pop-up - o arquivo teria sido excluído antes da ativação.
I always watch your videos, they are very well made. It would be perfect if you were talking in the video as if it were a tutorial.

You could create videos showing how to configure everything, but you could talk in the video.

Hugs.
 

Antig

Level 2
Mar 23, 2021
57
How boring...:not being hit by a real virus for a couple of decades! I dont remember what it was,but it happened more than 20 years ago, then I discovered the great Kevin McAliveley BOCLEAN and i was glad to pay for it,as it assured a complete protection,especially if you added Melihs new firewall; a pity the two divorced,something really good might have ensued from their collaboration,but ,anyway,nowadays we could take advantage from what cruelsister suggested regarding firewalls and other progs, so everything-in spite of continous attempts to enlive the scene- keeps being as boring as ever....
 

Behold Eck

Level 18
Verified
Top Poster
Well-known
Jun 22, 2014
878
I always watch your videos, they are very well made. It would be perfect if you were talking in the video as if it were a tutorial.

You could create videos showing how to configure everything, but you could talk in the video.

Hugs.
Nah, with notepad I think it`s easier to pick up points by pausing it. Also that heavy Bronx accent would make the use of an interpreter a must.

Regards Eck:)
 

rashmi

Level 12
Jan 15, 2024
577
Finally if CF was put into Silent Mode (like in the 2nd part of my last Comodo video) there would have been no popups at all- the file would have just been deleted prior to activation.
According to your configuration, "restricted" mode blocks network connections from unrecognized programs, as mentioned in your videos and some user posts. I would like to confirm if this is the case, as the help files mention nothing about network connection prevention.
 
  • Like
Reactions: [correlate]
F

ForgottenSeer 114834

Yes it was stopped. Initially the VirusScope Cloud would have immediately deleted it (but in the video I ignored that warning, which as noted is unwise). But the other important thing is that a Firewall alert popped up which, especially in the case of Data Stealers, should never ever be ignored (which I did anyway).

This latter point is essential to note as any Stealer cannot succeed if it is unable to transmit the stolen data out to Malware Command. This is also why one should never, ever just rely on Windows Defender Firewall (no matter how tricked out) as it is barely an inconvenience to shut it down prior to transmission.

Finally if CF was put into Silent Mode (like in the 2nd part of my last Comodo video) there would have been no popups at all- the file would have just been deleted prior to activation.
Viruscope clearly stopped the sample with the option to clean by the user presented in which you ignored once to demonstrate further. There is no doubt the product is capable. As noted I was not mentioning anything about the product, only the method and the unnecessary commentary.

Only have a couple questions that clear things up for me.

1. Is the product at default settings out of the box?

2. Is it possible to make demonstrations without product bashing other products, since true real world testing does not take place in this forum?

These two things make what you are doing more credible all the way around.
 

Decopi

Level 8
Verified
Oct 29, 2017
361
Comodo is not a Security System; it's merely a security layer.
The issue arises when irresponsible fanatics attempt to market pangasius (security layer) as salmon (Security System).

Comodo is not a virus or malware detector. It functions solely as a binary blocker, and its ability to automate blocking does not transform it into an antivirus or antimalware solution (painting a pangasius with orange color, does not turn it into salmon). The binary function is always the same: either block (unknown) files or allow (known) files (where the criteria of "known" and "unknown" is dependent on a obscure subjective database). Consequently, Comodo effectiveness is entirely dependent on the user.

There is nothing inherently wrong with this approach. As a security layer, blocking or not blocking may be useful for some users, and they are free to use and advocate for this software as a security layer. However, this approach is ineffective for 99% of users (this is one of the reasons why the market largely buried Comodo years ago).
By the way, by hardening Windows security settings, users can achieve same Comodo blocking capabilities. Windows itself doesn't do that, precisely because it knows that "blocking" is not suitable for 99% of users.

Being a software user-dependent creates two main problems: 1) 99% of users lack the expertise to decide what to block or allow; and 2) A blocker does not identify virus or malware, which leads to tons of false positives and, worse, can lead to allow the execution of threats it mistakenly identifies as "known" (it already happened in the past).

The malware shown in the video posted in this thread had already been detected by most other security software on the market. It's a strain of an older, well-known malware, originally developed by teenagers. There is nothing particularly unique about this malware. Additionally, Viruscope is notorious for its inconsistency; its threat detection capabilities are erratic and unreliable. Using Comodo Antivirus or Comodo Viruscope modules carries a high 100% risk of infection.

Furthermore, the video in this thread illustrates that containerization becomes ineffective when the user authorizes the executable through Viruscope. It's also important to note that Comodo has been abandoned since 2018. In 2024, it was rebranded as "2025" just with a new facelift, without any upgrades, nor new features, nor fixes for the old bugs.

In summary, although Comodo is free, it's not recommended for 99% of users. And most users do not need a blocker like Comodo when many of the leading security systems on the market are genuine virus and malware detectors (not mere user-dependent blockers) and are available for free.
 
Last edited:

Trident

Level 34
Verified
Top Poster
Well-known
Feb 7, 2023
2,349
I just tried 2 different samples of the same malware, and a solution "oblivious to malware".
Before the file could even be saved:
1722003475068.png
 

Sandbox Breaker

Level 11
Verified
Top Poster
Well-known
Jan 6, 2022
530
The file would still be contained for those using Xcitium ;)
The signature on the file is also invalid :ROFLMAO:
All in all... Nice find.

View attachment 284459View attachment 284460
From Second ZERO it was contained. Unless they actually stole a CERT from MS HEHEHE. Nothing is truly bullet proof. It's just amazing to see how many different security technologies can either detect it or not. Its like eye candy
 

Trident

Level 34
Verified
Top Poster
Well-known
Feb 7, 2023
2,349
From Second ZERO it was contained. Unless they actually stole a CERT from MS HEHEHE. Nothing is truly bullet proof. It's just amazing to see how many different security technologies can either detect it or not. Its like eye candy
A lot of the stealers invoke the browser. This means that your browser is put into the container and unless access to the network is restricted, passwords, and more crucially session cookies, also enter the container. They are then ready for exfiltration, just like the stealer would do without containment.

So the containment is not the magical pill that will solve all your malware problems.
 

Sandbox Breaker

Level 11
Verified
Top Poster
Well-known
Jan 6, 2022
530
A lot of the stealers invoke the browser. This means that your browser is put into the container and unless access to the network is restricted, passwords, and more crucially session cookies, also enter the container. They are then ready for exfiltration, just like the stealer would do without containment.

So the containment is not the magical pill that will solve all your malware problems.
I have it set to restricted modes and disallow reads and writes to chrome profiles and other directories. Just like you... I make the tool better. I miss Harmony to be honest.
 

tofargone

Level 6
Jun 24, 2024
264
Comodo is not a Security System; it's merely a security layer.
The issue arises when irresponsible fanatics attempt to market pangasius (security layer) as salmon (Security System).

Comodo is not a virus or malware detector. It functions solely as a binary blocker, and its ability to automate blocking does not transform it into an antivirus or antimalware solution (painting a pangasius with orange color, does not turn it into salmon). The binary function is always the same: either block (unknown) files or allow (known) files (where the criteria of "known" and "unknown" is dependent on a obscure subjective database). Consequently, Comodo effectiveness is entirely dependent on the user.

There is nothing inherently wrong with this approach. As a security layer, blocking or not blocking may be useful for some users, and they are free to use and advocate for this software as a security layer. However, this approach is ineffective for 99% of users (this is one of the reasons why the market largely buried Comodo years ago).
By the way, by hardening Windows security settings, users can achieve same Comodo blocking capabilities. Windows itself doesn't do that, precisely because it knows that "blocking" is not suitable for 99% of users.

Being a software user-dependent creates two main problems: 1) 99% of users lack the expertise to decide what to block or allow; and 2) A blocker does not identify virus or malware, which leads to tons of false positives and, worse, can lead to allow the execution of threats it mistakenly identifies as "known" (it already happened in the past).

The malware shown in the video posted in this thread had already been detected by most other security software on the market. It's a strain of an older, well-known malware, originally developed by teenagers. There is nothing particularly unique about this malware. Additionally, Viruscope is notorious for its inconsistency; its threat detection capabilities are erratic and unreliable. Using Comodo Antivirus or Comodo Viruscope modules carries a high 100% risk of infection.

Furthermore, the video in this thread illustrates that containerization becomes ineffective when the user authorizes the executable through Viruscope. It's also important to note that Comodo has been abandoned since 2018. In 2024, it was rebranded as "2025" just with a new facelift, without any upgrades, nor new features, nor fixes for the old bugs.

In summary, although Comodo is free, it's not recommended for 99% of users. And most users do not need a blocker like Comodo when many of the leading security systems on the market are genuine virus and malware detectors (not mere user-dependent blockers) and are available for free.
So you are saying CF's strength is in the fact that it will deny unknown vs known, and that the success is based upon the quality of the known database, and user response, kind of like PCMatic
 

Decopi

Level 8
Verified
Oct 29, 2017
361
So you are saying

It's not me... it's reality that confirms the facts:
If an user only activates Comodo's antivirus module... that user will have 100% chance of getting infected. We can confirm that fact by googling the web, but we can also confirm that fact with videos showing Comodo's antivirus failing, and even worse, the total lack of videos proving that the antivirus works also confirms its failure. By the way, that's the reason why the video posted in this thread is not using Comodo's antivirus... useless! Therefore, Comodo cannot be used to detect virus/malware.
Without the antivirus, all the other Comodo's modules are nothing more than mere blockers. And every blocker, with or without database, with or without automation, is always dependent on the user.
Therefore, in real world, Comodo is not an antivirus/antimalware, it's a blocker.

CF's strength

Strengths or weaknesses are relative, depend on user profile. Blockers like Comodo are useful for 1% of the users (and they might talk about subjective strengths). In the other hand, blockers like Comodo are useless for 99% of the users (and they might see only weaknesses). The vast majority of users are unable to say what to block or allow. Also, there is no logic in using a blocker, when 99% of the users can use excellent real antivirus/antimalware, and for free!
That fact was proven in real life, where Comodo was buried by the market. The concept never took off. 99% of users never heard about Comodo.

is in the fact that it will deny unknown vs known, and that the success

Comodo is not successful. Comodo 2025 is a zombie, an abandon-ware from 2018, which was resuscitated, facelift, and renamed to "2025". It's a dangerous software, full of unfixed bugs.
For 1% of users who prefer to use blockers, Comodo can be useful. But that doesn't mean Comodo is a success.

is based upon the quality of the known database, and user response, kind of like PCMatic

Comodo's database is absolutely poor, and it has already failed in the past. But even if it were a 100% perfect database, the real problem is that Comodo as a blocker only works when the user works.

It's very important to always repeat that Comodo as a blocker can be useful for few users. But it's irresponsible to generalize presenting Comodo as an unbeatable complete security system, when Comodo is nothing more than an old layer of security, full of unfixed bugs.
 

ErzCrz

Level 23
Verified
Top Poster
Well-known
Aug 19, 2019
1,222
According to your configuration, "restricted" mode blocks network connections from unrecognized programs, as mentioned in your videos and some user posts. I would like to confirm if this is the case, as the help files mention nothing about network connection prevention.
I'm pretty sure running Restricted will just block the connection rather than showing a firewall alert.
 

About us

  • MalwareTips is a community-driven platform providing the latest information and resources on malware and cyber threats. Our team of experienced professionals and passionate volunteers work to keep the internet safe and secure. We provide accurate, up-to-date information and strive to build a strong and supportive community dedicated to cybersecurity.

User Menu

Follow us

Follow us on Facebook or Twitter to know first about the latest cybersecurity incidents and malware threats.

Top