- Dec 23, 2014
- 8,513
The enterprise version may be free of that bug. Also, if I correctly recall, @Loyisa posted that the enterprise version is better for fighting DLL hijacking.
Comodo Internet Security 2025 does not contain RANSOMWARE (bypass, infection and lost of files)
- Thread starter vitao
- Start date
The enterprise version may be free of that bug. Also, if I correctly recall, @Loyisa posted that the enterprise version is better for fighting DLL hijacking.
- Dec 12, 2016
- 1,382
Yes it helps a lot against ransomware unless you use defender /other av that already has TDT then it should be on (you will get a notification from comodo that some other program is using TDT ) and since it runs on the graphic cores it's very efficient
- Aug 19, 2019
- 1,171
TDT is unchecked by default but it's dependent on your intel chip being compatible (vPro INtel Thred Detection Technology but only a handful of chips seem to be fully compatible with it. Just leave it unchecked unless you have at least 13th gen chip which is fully vPro compatible. Intel TDT Compatible Chips. CIS 2025 runs fine at my end in my tests with it.
rashmi
Level 12
- Jan 15, 2024
- 553
A Comodo Forum moderator reported that they have fixed the issue in Xcitium. PoC bypass Auto-Sandbox CIS
Did @Loyisa or @vitao also test Comodo's default "run virtual" setting without the "restriction level"?
bazang
Level 7
- Jul 3, 2024
- 306
InfoSec is not a Comodo forum moderator, I do not think.
You can see Melih's position with this post. "Legitimate workaround" means, to him, if he wants it fixed or not. And Melih's "fast" usually means months.
It is a software with $0 revenue. People are lucky that Melih makes it available at all. I do not see anybody do anything other than complain about bugs, but nobody is sending donations to Comodo so that Melih will assign a dedicated developer staff to the code base.
There is no dedicated Comodo developer team! There never has been!
Melih has developers on staff, many of which are subcontract and not located in the U.S. He moves them around from project to project, if, when, and how he sees fit. Comodo has never followed a dedicated product team model. There is no dedicated Comodo developer staff!!
- Aug 19, 2019
- 1,171
The "restricted level" unchecked or not set will just default to Partially Limited which is the issue. The flaw is the restriction level being ignored. One can hope the fix filters through to CIS/CF but it'll be low priority as always. When there was a bypass back in 2018, the enterprise products got a fix 2 weeks before the consumer version. We'll see how long it takes to come through.
- Dec 12, 2016
- 1,382
Lol bringing your own driver , dll with most extreme (proactive)
Isn't legitimate
poor enterprise customers no wonder it's one of the cheapest products
rashmi
Level 12
- Jan 15, 2024
- 553
The default setting is "run virtually," which means "full virtualization," with the "restriction level" deactivated. A Comodo Forum moderator clarified the UAC issue affects the "restriction level" setting, not the "default" setting. The moderator's post explained, "Also UAC doesn’t apply when not using restriction levels as the the default setting is to run virtually."
bazang
Level 7
- Jul 3, 2024
- 306
When Melih created Comodo, his intention was never to sell it to home users (consumers) and enterprises. So the intention was never to generate revenue. Without revenue there is no money to pay for the development and other teams to fully support the product(s).Lol bringing your own driver , dll with most extreme (proactive)
Isn't legitimate
Everybody that complains about Comodo bugs - why don't they send donations to Comodo? Why do they expect Melih to fund the entire Comodo code base and infrastructure out of his own pocket? If the situation were reversed, and the complainers were placed in Melih's shoes, they would not spend millions of dollars to fix bugs. LOL. No. They. Would. Not.
"Subscriptions" are for the support, not the software. It says this in every single one of Comodo's various EULAs and Terms of Service (TOS).
Melih makes what he thinks is good enough. He's said it himself: "Don't like it? Then don't use it. I'd rather you go use something else. Please. Go away."
- Aug 19, 2019
- 1,171
Thanks. I read that post but also thought the containment level that was set was also ignored. Anyway, I'll have to re-watch video to comment to OP and get back on topic.
rashmi
Level 12
- Jan 15, 2024
- 553
Could the UAC and restriction level problem be affecting the "run virtually" key setting? This is the reason I posed the question, "Did they also test the default, which involves running virtually with the restriction level deactivated?"
- Apr 5, 2021
- 620
You could probably use this and nothing would change. You still won't get compromised, and it will have nothing to do with your "next new AV"
It will instead have everything to do with whats between your ears
- Dec 23, 2014
- 8,513
It looks like a few possible Comodo bypasses recently posted on MT might discourage some readers from using CIS. I do not think that it is justified.
CIS on default settings is as good as any popular AV on default settings. Indeed, the Comodo detection is rather poor, but it is strongly supported by the auto-containment.
If one wants very strong protection then the below solutions are very similar (high number of false positives):
I am not going to discuss other aspects like detection, usability, performance, etc. Some people like the protection model of CIS, and many probably do not. But all can live in peace.
CIS on default settings is as good as any popular AV on default settings. Indeed, the Comodo detection is rather poor, but it is strongly supported by the auto-containment.
If one wants very strong protection then the below solutions are very similar (high number of false positives):
- Microsoft Defender (ConfigureDefender HIGH or MAX settings) + Smart App Control.
- Kaspersky (paid) with @harlan4096 settings.
- Microsoft Defender + Comodo Firewall (@cruelsister settings) + Script Analysis tweaks (or Defender ASR rules).
I am not going to discuss other aspects like detection, usability, performance, etc. Some people like the protection model of CIS, and many probably do not. But all can live in peace.
Last edited:
- Mar 12, 2024
- 63
some mod could change the title if possible?It is probably too late to change the title of this thread.
In the video, Comodo correctly recognizes the benign/legal file as trusted but does not recognize ransomware as trusted (contrary to the title). Comodo will allow loading the ransomware DLL if it is not on the File Reputation List or has an Unrecognized reputation (after an on-demand scan). It blocks loading the DLL if it is recognized as malicious.
If the same ransomware DLL was executed via restricted LOLBin (like rundll32.exe), Comodo would properly confirm/check/apply the DLL's reputation and could contain it.
The correct title might look like:
Comodo Internet Security 2025 does not contain RANSOMWARE (bypass, infection and lost of files)
Post updated.
i cant...
- Nov 16, 2018
- 52
Is there a guide for this "Script Analysis tweaks (or Defender ASR rules)"?It looks like a few possible Comodo bypasses recently posted on MT might discourage some readers from using CIS. I do not think that it is justified.
CIS on default settings is as good as any popular AV on default settings. Indeed, the Comodo detection is rather poor, but it is strongly supported by the auto-containment.
If one wants very strong protection then the below solutions are very similar (high number of false positives):
I am not sure about the setup similar to point 3 based only on CIS. I cannot evaluate the impact of the attacks based on pure DLL hijacking (benign EXE + malicious DLL and nothing else). The detection of DLLs by CIS is poor, and containment cannot help either. So, the protection against such attacks depends mainly on HIPS. There are no tests that could show how effective can be HIPS. However, pure DLL hijacking attacks are probably very rare in the non-enterprise environment, so it is possible that CIS protection can be similar to those previously mentioned. I mentioned Microsoft Defender because from my tests it follows that it has the top detection of malicious DLLs, so it can support the potential weakness of Comodo.
- Microsoft Defender (ConfigureDefender HIGH or MAX settings) + Smart App Control.
- Kaspersky (paid) with @harlan4096 settings.
- Microsoft Defender + Comodo Firewall (@cruelsister settings) + Script Analysis tweaks (or Defender ASR rules).
I am not going to discuss other aspects like detection, usability, performance, etc. Some people like the protection model of CIS, and many probably do not. But all can live in peace.
- Mar 12, 2024
- 63
yes. with restricted level or with default, same results.
edit.: the same with xcitium too.
- Dec 23, 2014
- 8,513
I do not know.
One can additionally enable Embedded Code detection for: wscript, cscript, mshta, hh, cmd, autoit3_x64.
Some LOLBins should probably be added, like for example certutil, csc, curl, msbuild, reg, or wmic.
In ConfigureDefender the script hardening can include the options from Productivity apps, Script rules, and Email rules.
- Aug 19, 2019
- 1,171
You have to enable Embedded Code Detection for the LOLBin but your also likely to get false positives. Using SWH or H_C default
Alternatively (Correct me if I'm wrong @Andy Ful (Quote source
rashmi
Level 12
- Jan 15, 2024
- 553
Why not set containment to "block" unrecognized files and programs instead?
To be sure, "default" means you didn't select the "set restriction level" option, correct?
- Mar 12, 2024
- 63
