App Review Comodo Internet Security 11 Review | Test vs Malware

Makes one wonder sometimes about what could get inside of a software company and pass on information like this.

There has always been (and still is) targeted malware that attempts to steal FTP credentials in order to upload stuff to a Vendor site. And you would be amazed at the information that can be acquired (i.e. credentials) with a Low-Cut blouse and a 10K bribe. And the Piriform fiasco may still be valid if the Blackhat would have the sense to pulse the connection (once a week) instead of always on.
 
 
I wonder... With CS settings, why does HIPS become redundant? Imagine a whitelisted vendor gets their servers compromised; wouldn't the HIPS module help you by showing you that a very basic piece of software like e.g. CCleaner wants to access specific weird sectors of the OS? I believe auto-containment does not apply to trusted vendors' software...
 
I wonder... With CS settings, why does HIPS become redundant? Imagine a whitelisted vendor gets their servers compromised; wouldn't the HIPS module help you by showing you that a very basic piece of software like e.g. CCleaner wants to access specific weird sectors of the OS? I believe auto-containment does not apply to trusted vendors' software...
CS settings are without HIPS not because the HIPS is useless, but just because CS hates HIPS and anti-exe thingies.
Remember, CS settings are her personal settings that fit her needs and her taste; they are not settings that were recommended by Comodo or any of their staff.
 
CS settings are there to make CF usable for everyone, even the average Joe. With CS settings Comodo won't bother you much at all and it will offer extremely good protection. It's a very good balance between usability and protection.
 
Thank you! I've realised the only way to make HIPS not redundant with CS Settings is to set it to Paranoid mode. Otherwise it will just show HIPS alerts for unknown software, which is already contained automatically by the sandbox... And Paranoid mode is really great, but holy moly, is that an alert for explorer.exe trying to communicate with explorer.exe? LOL, that gets me nervous.
 
COMODO HIPS is a good learning tool. SpyShelter HIPS is even better. Kaspersky, ESET, other HIPS... too many problems. However, almost no one bothers to learn to use a HIPS. Shame. It is one of the best learning tools/methods.
 
Robo- With elevated sandbox settings the HIPS is essentially unneeded. At one time the HIPS did indeed add something to system security (this was for a particular RAT, which I did a video on a few years ago); however, this hole in Containment was plugged, and now having the HIPS on with my settings adds nothing but popups.

For those (not mentioning any names) that say Paranoid Mode should be used, please dazzle us with some malware file that would be prevented by Paranoid Mode + Cruel Comodo that would NOT be prevented by the Cruel settings alone.

(Hear the Crickets....).
 
For those (not mentioning any names) that say Paranoid Mode should be used, please dazzle us with some malware file that would be prevented by Paranoid Mode + Cruel Comodo that would NOT be prevented by the Cruel settings alone.
ummmmm.....ummmmmm..... ah, I have it at the tip of my tongue.....aaaaaaaaaaahh so hard to remember......

AH YES! The stupidly (2 times) whitelisted malware.

thanks bye.
 
CS settings are without HIPS not because the HIPS is useless, but just because CS hates HIPS and anti-exe thingies.
Remember, CS settings are her personal settings that fit her needs and her taste; they are not settings that were recommended by Comodo or any of their staff.

So you're saying that Comodo default settings are sufficient to protect your PC? :emoji_thinking:
 
For those (not mentioning any names) that say Paranoid Mode should be used, please dazzle us with some malware file that would be prevented by Paranoid Mode + Cruel Comodo that would NOT be prevented by the Cruel settings alone.

(Hear the Crickets....).
What about signed malware from a trusted vendor? (An infected installer from the vendor's original, legit server.) If the vendor's app auto-updates or offers an update that is accepted by the user, and requires no extra payload download, since the downloaded installer is modified with the needed instructions and commands, would Comodo catch it with CS settings?
 
What about signed malware from a trusted vendor? (An infected installer from the vendor's original, legit server.) If the vendor's app auto-updates or offers an update that is accepted by the user, and requires no extra payload download, since the downloaded installer is modified with the needed instructions and commands, would Comodo catch it with CS settings?

No... not likely at all... it's not going to be blocked by any security soft. Malicious code embedded inside a trusted, digitally signed file. Nope.
 
What about signed malware from a trusted vendor? (An infected installer from the vendor's original, legit server.) If the vendor's app auto-updates or offers an update that is accepted by the user, and requires no extra payload download, since the downloaded installer is modified with the needed instructions and commands, would Comodo catch it with CS settings?

I guess it depends on the kind of certificate that was used; most certificates used to sign malware are very quickly revoked, or are the kind that are "ignored" by most security solutions.

But if someone ever crosses paths with malware signed by something like an Adobe certificate, I am almost sure that all hell breaks loose.
 
What about signed malware from a trusted vendor?

R- These (a Trusted File from a Trusted Vendor) are as rare as Hen's teeth and are not wasted on peasants like us (but instead will be targeted); they are VERY difficult and EXPENSIVE to acquire. However, note that a High Quality stolen certificate (like one from Adobe) will get by EVERYTHING (I did a couple of videos on this a few years ago).

Note that the bulk of signed malware will be from some inconsequential publisher, some fly-by-night Mook, and would NEVER (never ever) make it to any TVL list.
 
R- These (a Trusted File from a Trusted Vendor) are as rare as Hen's teeth and are not wasted on peasants like us (but instead will be targeted); they are VERY difficult and EXPENSIVE to acquire. However, note that a High Quality stolen certificate (like one from Adobe) will get by EVERYTHING (I did a couple of videos on this a few years ago).

Note that the bulk of signed malware will be from some inconsequential publisher, some fly-by-night Mook, and would NEVER (never ever) make it to any TVL list.
Thank you and thanks everybody for your kind answers :)
 
Thank you and thanks everybody for your kind answers :)
However, I agree most of the vendors give it a clean sheet blindly by looking at its signature.
But proactive modules like exploit and behaviour blockers will kick in after execution if any nasty work is going on underground.
Statically, YES, but not dynamically.
Since those modules work on behaviour interception, not on hash or signature verification. HIPS and BB are two different topics.
I have seen a dozen times AVs like F-Secure, Avast, Bitdefender, G Data, Kaspersky, ESET (modified) intercepting the attack after execution.
Vendors like Comodo, and others who work on hash scanning, however, lose the battle.
Avira (Cloud) works in a similar way (triggers only for an unknown hash and signature). With a naked trusted signature you can bypass it.
 
But proactive modules like exploit and behaviour blockers will kick in after execution if any nasty work is going on underground.

Nope. It doesn't work that way. Once it is whitelisted, it is whitelisted.

The exception to this is when the user has configured settings to alert to or block "All" or everything = the user isn't trusting anything.

NOTE: I am not talking about child processes, the abuse of Windows processes, etc.
 
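The thread's point, that a file signed by a vendor on a trusted list passes vendor-level trust even when the build itself is a tampered update, can be checked on a file directly. The script below is an added example, not code from the thread or from Comodo; it audits one executable with Get-AuthenticodeSignature and Get-FileHash and compares two policies, trust-by-signer versus pinning known-good SHA-256 hashes. The thumbprint and hash lists are constructed placeholders.

```powershell
# Added example: audit an executable under two trust policies.
# Usage: .\Audit-TrustPolicy.ps1 -Path 'C:\path\to\installer.exe'
param(
    [Parameter(Mandatory)][string]$Path
)

# Constructed placeholder allow-lists; replace with thumbprints of signers you
# trust and SHA-256 hashes of builds you have actually verified.
$TrustedSignerThumbprints = @('PLACEHOLDER_VENDOR_CERT_THUMBPRINT')
$PinnedSha256             = @('PLACEHOLDER_KNOWN_GOOD_SHA256')

$sig    = Get-AuthenticodeSignature -FilePath $Path
$hash   = (Get-FileHash -Path $Path -Algorithm SHA256).Hash
$signer = $sig.SignerCertificate

$signerSubject = '<none>'
$signerThumb   = '<none>'
if ($signer) {
    $signerSubject = $signer.Subject
    $signerThumb   = $signer.Thumbprint
}

# Policy 1, vendor-level trust: any file with a valid signature from an
# allow-listed signer passes, including a trojanized build served from the
# vendor's own update server (the Piriform/CCleaner scenario in the thread).
$vendorTrusted = ($sig.Status -eq 'Valid') -and ($TrustedSignerThumbprints -contains $signerThumb)

# Policy 2, hash pinning: only builds whose SHA-256 was recorded as known-good
# pass, regardless of who signed them. An unrecorded build is flagged for review.
$hashPinned = $PinnedSha256 -contains $hash

$report = [ordered]@{
    File            = $Path
    SignatureStatus = $sig.Status        # Valid, NotSigned, HashMismatch, NotTrusted, ...
    Signer          = $signerSubject
    Thumbprint      = $signerThumb
    Sha256          = $hash
    VendorTrust     = if ($vendorTrusted) { 'ALLOW (signer on trusted list)' } else { 'not trusted by signer' }
    HashPin         = if ($hashPinned)    { 'ALLOW (hash pinned)' }            else { 'UNKNOWN build' }
}

if ($vendorTrusted -and -not $hashPinned) {
    # This is the gap the thread describes: the signer is trusted, the build is not known.
    $report['Note'] = 'Trusted signer but unrecorded build: review before allowing'
}

[pscustomobject]$report | Format-List
```

Run it against a freshly downloaded installer before it is allowed to execute; a "Trusted signer but unrecorded build" result is exactly the case that vendor-level trust alone waves through.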