Comodo Internet Security 2025 does not contain RANSOMWARE (bypass, infection and lost of files)

Bot

AI-powered Bot
Apr 21, 2016
4,472
Thanks for sharing the video and adding subtitles in multiple languages. This will definitely help many users understand the issue better. And no worries about the delay, we all know life can get hectic at times.
 

bazang

Level 7
Jul 3, 2024
347
Yeah? So what? It is not different than any other security software that misses ransomware. Those other security software miss it way more often than Comodo.

All the videos showing bypasses would be meaningful if 1) the Comodo products had revenue that paid for full-time dedicated development teams and 2) anybody was stating "Comodo is unbeatable" (which there is nobody saying that).

The only credible thing to do is show how Comodo performs against every other security software using many hundreds of samples. If it prevents infection at a greater rate, then it is protecting better than those that do worse. If it does not prevent infection at a greater rate, then it is protecting worse than those that do better.

"One-off" POC and similar videos of Comodo failing to do this or that apply only to the specific POC or malware used. They should not be used to extrapolate or generalize about Comodo - which I think there is a big push here by some that have an agenda against Comodo.

Comodo is software. Software has problems. Comodo software is further problematic because it has no revenue and therefore no dedicated development team.

A few POCs and an undetected ransomware are not very enlightening. Nobody ever expects any software to be 100% bullet proof. Nobody here at MT or elsewhere has ever said that Comodo is unbeatable or not free of weaknesses & vulnerabilities.

But the videos are great click-bait.
 

vitao

Level 2
Thread author
Mar 12, 2024
64
hello,

ah yes... Well who to turn to? it's getting complicated thanks for this video.
Added a caption and description in French.

Good afternoon.

Listen, I don't know if it's about resorting to something different. It depends on each individual. I particularly continue to use CIS because it protects me as I need and these exploits are specific to it. So far, no malware using this type of technique to affect CIS has reached my computers, so I'm sticking with it. When that happens, we will always have options like Kaspersky Free or Panda Free.
:)
 
Last edited by a moderator:

TairikuOkami

Level 37
Verified
Top Poster
Content Creator
Well-known
May 13, 2017
2,673
This proves that blindly relying on digital signatures (like SmartAppContol does), even the most trustworthy like DigiCert, can be a mistake. I wonder if denying System permissions would help?
 

Attachments

  • capture_11082024_161753.jpg
    capture_11082024_161753.jpg
    30.2 KB · Views: 68

Andy Ful

From Hard_Configurator Tools
Verified
Honorary Member
Top Poster
Developer
Well-known
Dec 23, 2014
8,550
This proves that blindly relying on digital signatures (like SmartAppContol does), even the most trustworthy like DigiCert, can be a mistake. I wonder if denying System permissions would help?

It is different. It uses DLL hijacking = benign application + malicious DLL.
The executed application is truly benign. The POC would work even if the benign application was unsigned, but sufficiently popular. (y)
 

TairikuOkami

Level 37
Verified
Top Poster
Content Creator
Well-known
May 13, 2017
2,673
The POC would work even if the benign application was unsigned, but sufficiently popular.
Well, unsigned apps are not allowed on my PC, by default. Not to mention that ramdisk fails to run signed admin apps in desktop/downloads folder as well. 😅
Code:
reg add "HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System" /v "ValidateAdminCodeSignatures" /t REG_DWORD /d "1" /f
 

Attachments

  • capture_11082024_173653.jpg
    capture_11082024_173653.jpg
    94.9 KB · Views: 59

Andy Ful

From Hard_Configurator Tools
Verified
Honorary Member
Top Poster
Developer
Well-known
Dec 23, 2014
8,550
Well, unsigned apps are not allowed on my PC, by default. Not to mention that ramdisk fails to run signed admin apps in desktop/downloads folder as well. 😅
Code:
reg add "HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System" /v "ValidateAdminCodeSignatures" /t REG_DWORD /d "1" /f

It is a good policy. (y)
However, it allows running unsigned applications (only elevation is blocked). It also can be bypassed via UAC bypass.
A stronger way is using SUA and ConsentPromptBehaviorUser = 0.
Do you use another tweak to disable running unsigned apps?
 

Andy Ful

From Hard_Configurator Tools
Verified
Honorary Member
Top Poster
Developer
Well-known
Dec 23, 2014
8,550
This proves that blindly relying on digital signatures (like SmartAppContol does), even the most trustworthy like DigiCert, can be a mistake.

Smart App Control (SAC) can block the attack from the video. The benign application will be allowed, but the malicious DLL will be blocked.
The advantage of SAC (and WDAC) is that it can block DLL hijacking.
Of course, in targeted attacks the attacker can use valid certificate to sign the DLL and then the attack can pass by SAC.
 

TairikuOkami

Level 37
Verified
Top Poster
Content Creator
Well-known
May 13, 2017
2,673
Do you use another tweak to disable running unsigned apps?
Several, still this is under the assumption that the user would run a random exe, I would never. I just wonder whether the ransomware works without system rights, wannacry sure fails.
As far as I know ransomware uses SeDebugPrivilege/SeTcbPrivilege, basically system permissions, so without it, it is can not do anything. It is easy to change permissions, but it does not, thus far.
 
  • Like
Reactions: simmerskool

Andy Ful

From Hard_Configurator Tools
Verified
Honorary Member
Top Poster
Developer
Well-known
Dec 23, 2014
8,550
Several, still this is under the assumption that the user would run a random exe, I would never. I just wonder whether the ransomware works without system rights, wannacry sure fails.
As far as I know ransomware uses SeDebugPrivilege/SeTcbPrivilege, basically system permissions, so without it, it is can not do anything. It is easy to change permissions, but it does not, thus far.
It is more complicated. Using SeDebugPrivilege/SeTcbPrivilege is necessary for high privileged operations, but most ransomware attacks will continue without privilege escallation. Simply, the ransomware will skip hight privileged actions and encrypt the files in UserSpace.
 

vitao

Level 2
Thread author
Mar 12, 2024
64
It is a good policy. (y)
However, it allows running unsigned applications (only elevation is blocked). It also can be bypassed via UAC bypass.
A stronger way is using SUA and ConsentPromptBehaviorUser = 0.
Do you use another tweak to disable running unsigned apps?
does cis has any sort of compatibility with it, via config files etc? or am i dreaming?
 

Andy Ful

From Hard_Configurator Tools
Verified
Honorary Member
Top Poster
Developer
Well-known
Dec 23, 2014
8,550
does cis has any sort of compatibility with it, via config files etc? or am i dreaming?
Those tweaks cannot be done from CIS.
The tweak posted by TairikuOkam is well known, but it will prevent many installations of unsigned applications.

Code:
reg add "HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System" /v "ValidateAdminCodeSignatures" /t REG_DWORD /d "1" /f

That tweak can block the original Comodo bypass in your first video. The malware was unsigned, so it will fail to run instead of elevate. If it would be a ransomware, the execution could be continued in the sandbox with standard rights (no escape).
 

vitao

Level 2
Thread author
Mar 12, 2024
64
thanks for the tip bt
Those tweaks cannot be done from CIS.
The tweak posted by TairikuOkam is well known, but it will prevent many installations of unsigned applications.

Code:
reg add "HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System" /v "ValidateAdminCodeSignatures" /t REG_DWORD /d "1" /f

That tweak can block the original Comodo bypass in your first video. The malware was unsigned, so it will fail to run instead of elevate. If it would be a ransomware, the execution could be continued in the sandbox with standard rights (no escape).
thanks for the tip but i am not going to mess with reg when cis should solve its problems. but its a nice trick. i wonder if one day microsoft will turn on defender sandbox by default and improve it...
 

Andy Ful

From Hard_Configurator Tools
Verified
Honorary Member
Top Poster
Developer
Well-known
Dec 23, 2014
8,550
i wonder if one day microsoft will turn on defender sandbox by default and improve it...

Defender sandbox is not auto-containment of unrecognized applications. It is used only to protect some Microsoft Defender processes against exploitation/tampering.
 

vitao

Level 2
Thread author
Mar 12, 2024
64
no. its just you trying to complete sentences for me. improve means improve. just that.
 

About us

  • MalwareTips is a community-driven platform providing the latest information and resources on malware and cyber threats. Our team of experienced professionals and passionate volunteers work to keep the internet safe and secure. We provide accurate, up-to-date information and strive to build a strong and supportive community dedicated to cybersecurity.

User Menu

Follow us

Follow us on Facebook or Twitter to know first about the latest cybersecurity incidents and malware threats.

Top