App Review Comodo Internet Security 11 Review | Test vs Malware


shmu26

Comodo is really just a big reputation service. All reputation services are fallible. But reputation services are naturally good at zero-day protection, since a zero-day has not been around long enough to build a good reputation for itself, deserved or otherwise.
 

cruelsister

OK- I tested this malware. But before I begin I would like to thank both Morphius and BoraMurder for assistance. Such gloomy handles for sweet people!!!

I must admit that I obsessed over this one- not because I wanted to be an apologist for Comodo, but instead as a user of CF myself all such "breaches" must be investigated to determine validity. That being said:

For testing I did like I was trained- set up a logic tree procedure before doing anything. And as such:

1). As the malware was from 2010, I felt the most appropriate OS to use was Win7.
2). Win7 was installed on a VM. Both HitmanPro and Norton Power Eraser were downloaded, installed and run. This was to ensure a pristine baseline for the system.
3). The malware was run on this clean and unprotected system. Once run, the file will spawn an identical twin into Roaming as well as asking for privilege elevation; the system then blue screens. On system restart it was found that the initial file (on the desktop) had changed itself to a hidden file, and the twin was not hidden but still existed in Roaming. When the twin was run from Roaming, it first checks if there is one already in Roaming and if so will shut itself down. Scans with NPE and HMP showed that NPE only found the Roaming twin, but HMP found both the hidden desktop file as well as the twin.
4). I installed Comodo Internet Security and left everything at default (Fun Fact: CIS at default will have the sandbox enabled and the HIPS disabled, but CF will have the HIPS enabled and the sandbox disabled at default. Isn't that curious?).
Anyway, running the file with the sandbox enabled at the default setting of PL will prevent the desktop file from hiding itself, block the privilege elevation, and only allow the twin to be dropped into VT Root.
5). For fun, I then disabled the sandbox and enabled HIPS at Safe Mode. The HIPS alerted to the dropping of the twin and the request for elevation. When I allowed the latter the system blue screened.
6). CF at my settings will allow the drop into VT Root but the malware dies a quick death.

So to sum up, I have absolutely no idea how Leo got the results that he did. Perhaps it was the stupid shotgun-run of malware Python Script that was used (hardly real world, but certainly a time saver for a video), or some other screw up. Personally I don't know nor do I care. I DO know that Comodo protects against this malware.

I also wish that some YouTube testers would know both the product tested, the malware used, and would verify results prior to publication. But perhaps that is asking too much...

Finally, thanks again to both Morphius for the heads-up that the malware was indeed available and to Bora for providing it to me. You guys are why MT rocks.
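The artefact check behind step 3 of the post above (a dropper that copies itself into Roaming, hides the original, and leaves two byte-identical files behind), as an added PowerShell example that is not part of cruelsister's post or of Comodo's tooling. It builds a harmless stand-in sample under %TEMP% so it runs anywhere; the folder layout and the file name sample.exe are constructed for the demo and are not the real malware's names. The point it makes that the post only implies: Get-ChildItem without -Force silently skips the hidden desktop copy, which is the same blind spot NPE showed.

```powershell
# Added example, not from the original post. Finds every byte-identical copy of an
# executed sample under the given roots and reports whether each copy is hidden.

function Find-TwinFiles {
    param(
        [Parameter(Mandatory)] [string]   $Sample,      # the file that was executed
        [Parameter(Mandatory)] [string[]] $SearchRoot   # folders the dropper may have written to
    )
    $refItem = Get-Item -LiteralPath $Sample -Force                 # -Force: the original may be hidden by now
    $refHash = (Get-FileHash -LiteralPath $Sample -Algorithm SHA256).Hash

    # -Force is what makes hidden files show up; without it the hidden desktop copy is missed.
    Get-ChildItem -Path $SearchRoot -File -Recurse -Force -ErrorAction SilentlyContinue |
        Where-Object { $_.Length -eq $refItem.Length } |           # cheap pre-filter before hashing
        ForEach-Object {
            $h = (Get-FileHash -LiteralPath $_.FullName -Algorithm SHA256).Hash
            if ($h -eq $refHash) {
                [pscustomobject]@{
                    Path   = $_.FullName
                    Hidden = [bool]($_.Attributes -band [IO.FileAttributes]::Hidden)
                    SHA256 = $h
                }
            }
        }
}

# ---- constructed demo environment (stand-in for Desktop and AppData\Roaming) ----
$Lab     = Join-Path ([IO.Path]::GetTempPath()) ("twinlab-" + [guid]::NewGuid())
$Desktop = Join-Path $Lab 'Desktop'
$Roaming = Join-Path $Lab 'AppData\Roaming'
New-Item -ItemType Directory -Path $Desktop, $Roaming -Force | Out-Null

$Sample = Join-Path $Desktop 'sample.exe'
Set-Content -LiteralPath $Sample -Value 'stand-in for the 2010 dropper' -NoNewline
Copy-Item -LiteralPath $Sample -Destination (Join-Path $Roaming 'sample.exe')   # the "twin"
(Get-Item -LiteralPath $Sample).Attributes = [IO.FileAttributes]::Hidden       # what the dropper did to the original

Find-TwinFiles -Sample $Sample -SearchRoot $Desktop, $Roaming | Format-Table -AutoSize
# Two rows with the same SHA256: the Desktop copy reports Hidden=True, the Roaming copy Hidden=False.

Remove-Item -LiteralPath $Lab -Recurse -Force
```

On a real box you would point -SearchRoot at the user's Desktop and $env:APPDATA and add the sample's file version resource or import table to the comparison if the dropper had started varying its bytes; for the 2010 sample the post describes, a plain hash match is enough because the twin is an identical copy.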
 

shmu26

So to sum up, I have absolutely no idea how Leo got the results that he did. Perhaps it was the stupid shotgun-run of malware Python Script that was used (hardly real world, but certainly a time saver for a video), or some other screw up. Personally I don't know nor do I care. I DO know that Comodo protects against this malware.
The trusted status of the file was removed shortly before you performed your test:
Video - Comodo Internet Security 11 Review | Test vs Malware
I think you would have seen very different results if you had run the test a day earlier
 
Deleted member 178

The trusted status of the file was removed shortly before you performed your test:
Video - Comodo Internet Security 11 Review | Test vs Malware
I think you would have seen very different results if you had run the test a day earlier
Yes, we all know that a file with trusted status is ignored by all modules, except by the HIPS in Paranoid Mode.

I also wish that some YouTube testers would know both the product tested, the malware used, and would verify results prior to publication. But perhaps that is asking too much...
right now, it is your test (above) that is flawed ^^

itwt
 

shmu26

Unless Comodo is running in Paranoid mode, like @Umbra said, it is basically just a reputation service, and not necessarily the best of them.

But there are ways to deal with this drawback:
1 Run a decent AV alongside. This is the easiest solution.
2 Cut down the Trusted Vendors List drastically; keep only what you really need. And also disable cloud lookup.
3 Run HIPS in Paranoid mode. (this is for expert users who don't care very much about their sanity)
 
Deleted member 178

Unless Comodo is running in Paranoid mode, like @Umbra said, it is basically just a reputation service, and not necessarily the best of them.

But there are ways to deal with this drawback:
2 Cut down the Trusted Vendors List drastically; keep only what you really need. And also disable cloud lookup.
3 Run HIPS in Paranoid mode. (this is for expert users who don't care very much about their sanity)
Almost my settings: Comodo Internet Security Setup/configuration thread (Setting Only)
With Paranoid, you can keep the cloud lookup.

in fact Paranoid Mode is best for static systems, once the system is trained, you won't see so many alerts.
 

cruelsister

I think you would have seen very different results if you had run the test a day earlier

Not at all. As I stated, the file WAS able to be run (see point #5 in my last post). With Paranoid Mode enabled (and sandbox disabled) I did receive 3 other popups, the last one being that the file tried to use cmd.exe. If this was allowed the system Blue Screened. So the results were the same, really.

Regarding the Valkyrie results, CF is not as closely tied to it as is CCAV. If that file is run with CCAV installed, after an initial file is sandboxed popup, the AV will popup saying malware is detected. One does not get such an AV alert with CF, not that it is needed.

right now, it is your test (above) that is flawed

Ah, Umbra! My tests are never flawed (I'm not Leo).
 

shmu26

Not at all. As I stated, the file WAS able to be run (see point #5 in my last post). With Paranoid Mode enabled (and sandbox disabled) I did receive 3 other popups, the last one being that the file tried to use cmd.exe. If this was allowed the system Blue Screened. So the results were the same, really.
Regarding point #5, you saw HIPS prompts only because the file no longer had trusted status. If it was trusted, you would not see a single prompt from HIPS, not even from cmd.exe. This is well known. Unless, of course, you ran it in Paranoid mode, which is completely irrelevant to the point.
 
ForgottenSeer 58943

[attachment: Comodo.png]
 

AtlBo

If I may. So in the Leo video, the activity is the sandboxed version of the file spawning and then running its twin outside the box? The twin then asks for permissions it would not have been able to request in the sandbox (game over when this is able to execute). I feel like straight up this is a bypass now that @shmu26 brings this into view and the facts on the file status have been revealed. It would take HIPS to catch this and then on Paranoid Mode.

If this is a bypass, should it be classified as another instance of the Comodo Cloud assigning incorrect trust to the file?

Reading all of the posts, I am struck by the data that is available to Comodo for keeping file statuses updated. They are doing the reputation work, but it seems that changes that could easily be automated (and happen very quickly) are languishing for ages (2010 or 2014). Wondering out loud here, but I wonder if something in the Comodo Cloud data crunching datasets sort of made the determination to care less about this file...maybe based on a low harmfulness rating or something? This is all I can come up with. Still, had this been a serious thing, it would have been a big problem if I understand the situation correctly.

One thing this video and discussion maybe can do is help highlight the differences between the versions. There are serious differences in the way the programs affect or issue trust to a file. CF is I feel less a reputation service than CIS or CCAV, because it doesn't (seems to me at least) rely heavily on the cloud. It's the simplest of the 3. I hear the other differences too, for example, the alerts from CCAV each with an opportunity to bork the sacred trust rating and wreck the system. All this brings me back to the simple settings for Comodo that do work for getting unvalidated (by proper digital signature) into a sandbox. This is further limited some by the TVL. It's actually pretty good even if long. Also, HIPS can help identify what the application wants to do if a user cares to know. CF is at least good for this, if maybe prone to a cloud mistake here or there->DEFINITELY a BIG problem if so that must be addressed. Just not sure I have all the pieces put together yet to say that this is 100% sorriness. I mean it could be at least a significant portion of "try hard with a little bit of cunning mixed in" (translated "ignore pulling together our facts on older and non-serious threats until we get caught up").

Anyway, CF is free and simple and it rarely takes a hit. Interesting it did here and in Leo's video of all things...
 

BoraMurdar

So to sum up, I have absolutely no idea how Leo got the results that he did. Perhaps it was the stupid shotgun-run of malware Python Script that was used (hardly real world, but certainly a time saver for a video), or some other screw up. Personally I don't know nor do I care. I DO know that Comodo protects against this malware.

I made a video, right before Comodo blacklisted the file. Just to share with the world
 

cruelsister

Hi Guys- I understand the question about the change from Trusted (although I can't say I agree, as the file itself is not signed, there WAS indeed a difference). Anyway I did a test and before I say anything about the results I want to see if there are any criticisms about how I proceeded:

I have a VM dedicated to CF version 11 (build 6606). The baseline date of this setup is 6/27/2018. I clone stuff off of this baseline to test various things.

1). I disabled Network connections on my system and confirmed it was off.
2). I opened VirtualBox and deleted all the clones, so I will be using the 6/27/18 version.
3). I started the CF11 VM.
4). Once started, I changed the settings from Cruel Comodo to the setup used in Leo's video as it pertains to the sandbox and HIPS (HIPS disabled, sandbox at Partially Limited).
5). I transferred the file in question to the VM via a USB
6). I ran the file and noted the results.

My question to you is do you consider this procedure equivalent to running the file BEFORE its status was changed? If you do not, please let me know and I'll shut up about this. You can also be mean as I respect you guys too much to be offended!
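Steps 1 to 4 of the procedure above, scripted against VBoxManage so that "confirmed it was off" is something the host checks rather than something the tester eyeballs inside the guest. This is an added example, not part of cruelsister's post. Assumptions: the VM is registered in VirtualBox as "CF11", the 6/27/2018 baseline exists as a powered-off snapshot named "baseline-2018-06-27" (both names are placeholders), and VBoxManage is on PATH.

```powershell
# Added example, not from the original post. Restores the baseline snapshot, cuts the
# virtual cable on every NIC from the host side, verifies it, then starts the VM.
$Vm       = 'CF11'                    # placeholder VM name
$Baseline = 'baseline-2018-06-27'     # placeholder snapshot name (assumed powered-off snapshot)

function Invoke-VBox {
    & VBoxManage @args
    if ($LASTEXITCODE -ne 0) { throw "VBoxManage $($args -join ' ') failed ($LASTEXITCODE)" }
}

# 1. Stop the VM if it is running, then discard any state newer than the baseline.
if ((Invoke-VBox showvminfo $Vm --machinereadable) -match '^VMState="running"') {
    Invoke-VBox controlvm $Vm poweroff
}
Invoke-VBox snapshot $Vm restore $Baseline

# 2. Disconnect the cable on every NIC that is not already "none". A host-side
#    disconnect cannot be undone by anything running inside the guest.
$info = Invoke-VBox showvminfo $Vm --machinereadable
$nics = $info | Select-String '^nic(\d+)="(?!none)' | ForEach-Object { $_.Matches[0].Groups[1].Value }
foreach ($n in @($nics)) { Invoke-VBox modifyvm $Vm "--cableconnected$n" off }

# 3. Verify from the host before starting: no NIC may still report its cable as "on".
$info  = Invoke-VBox showvminfo $Vm --machinereadable
$still = $info | Select-String '^cableconnected(\d+)="on"'
if ($still) { throw "NIC(s) still connected: $($still.Line -join ', ')" }
"Snapshot '$Baseline' restored; $(@($nics).Count) NIC(s) disconnected. Starting $Vm."

# 4. Start it; the sample then goes in over USB passthrough as in the original test.
Invoke-VBox startvm $Vm --type gui
```

Cutting the cable only stops new cloud lookups from the guest. Whatever verdicts the baseline had already cached locally before 6/27 are still in play after the restore, which is exactly the property this kind of re-test relies on, so it is worth stating in the write-up rather than leaving implicit.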
 

Tiny

You can also be mean as I respect you guys too much to be offended!

Yep, I honestly wish there would be more mutual respect and objectivity too, instead of the one-upmanship going around these days.

1 Run a decent AV alongside. This is the easiest solution.
2 Cut down the Trusted Vendors List drastically; keep only what you really need. And also disable cloud lookup.
3 Run HIPS in Paranoid mode. (this is for expert users who don't care very much about their sanity)

Agreed. Although I just do the first 2.

1- you delete the whole of Comodo's TVL crap
2- you open KillSwitch or whatever
3- you add vendors that have processes running in the background.
4- you export the TVL.
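The "rebuild the Trusted Vendors List from what is actually running" advice in shmu26's list (item 2) and in Tiny's four steps above, done with PowerShell instead of KillSwitch. This is an added example, not from either post and not Comodo's own tooling: it enumerates the Authenticode signers of every running process image so you can see which vendors you would have to re-add after wiping the TVL, and separately lists images that are unsigned or fail validation, which the TVL could never cover anyway. The CSV path is an arbitrary choice; nothing here edits Comodo's configuration, the entries still go in through the CIS/CF UI.

```powershell
# Added example, not from the original posts. Run elevated so the image paths of
# processes owned by other users (services, SYSTEM) are readable.
function Get-RunningVendors {
    param([string] $OutFile)

    $images = Get-Process -ErrorAction SilentlyContinue |
        Where-Object { $_.Path } |                       # System, Idle, protected processes have no readable path
        Select-Object -ExpandProperty Path -Unique

    $sigs = foreach ($img in $images) {
        $s = Get-AuthenticodeSignature -FilePath $img
        [pscustomobject]@{
            Image  = $img
            Status = $s.Status                            # Valid / NotSigned / HashMismatch / UnknownError ...
            Signer = if ($s.SignerCertificate) { $s.SignerCertificate.Subject }    else { $null }
            Thumb  = if ($s.SignerCertificate) { $s.SignerCertificate.Thumbprint } else { $null }
        }
    }

    # One row per distinct valid signer is the candidate vendor list; everything else is
    # either unsigned or has a broken signature and needs a manual decision.
    $vendors  = @($sigs | Where-Object Status -eq 'Valid' | Sort-Object Signer -Unique)
    $unsigned = @($sigs | Where-Object Status -ne 'Valid')

    if ($OutFile) { $vendors | Export-Csv -Path $OutFile -NoTypeInformation }
    [pscustomobject]@{ Vendors = $vendors; Unsigned = $unsigned }
}

$r = Get-RunningVendors -OutFile (Join-Path $env:TEMP 'running-vendors.csv')
"{0} distinct valid signers among running images; {1} images not validly signed" -f $r.Vendors.Count, $r.Unsigned.Count
$r.Vendors  | Format-Table Signer, Thumb -AutoSize
$r.Unsigned | Format-Table Image, Status -AutoSize
```

The Subject DN is where the vendor name you type into the TVL comes from; the thumbprint is kept so that two vendors with similar display names can be told apart. Run it once on a freshly set up machine and again after installing anything new, and the diff is the only TVL change you need to make.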
 

klaken

It is a false negative. All AVs have had some in their life.
It is not something to go crazy over either. The important thing is that they changed it before it was dangerous for domestic users.

Even if you have this error, it is normal to stop 0-day malware.
 

shmu26

Based on the disjointed comments, there must have been some posts in between that were deleted by the mods. Good thing I went offline before this thread went ballistic :)

Most and maybe all forum members would agree that Comodo, when properly configured, does a lot to protect home users.
The disagreements begin when it is expected to be as infallible as the Catholics once believed the Pope to be.
 

Sunshine-boy

All AV can have this error, without exceptions.
No, other AVs don't whitelist the malicious files, and it is not just an error, it's a horror story.
Clean signatures = no malware detected by signatures = not detected by any AV.
Other AVs have System Watcher, Hardened Mode, SmartScreen or... to avoid these errors (?!).
 
