Comodo Internet Security 2025 does not contain RANSOMWARE (bypass, infection and loss of files)

Andy Ful

From Hard_Configurator Tools
Verified
Honorary Member
Top Poster
Developer
Well-known
Dec 23, 2014
8,592
Why not set containment to "block" unrecognized files and programs instead?

This setting alone will not prevent several fileless methods. Without Script Analysis settings several fileless attacks might not be contained, so the "Block" setting could not help.
 
Last edited:
  • +Reputation
Reactions: simmerskool

Andy Ful

From Hard_Configurator Tools
Verified
Honorary Member
Top Poster
Developer
Well-known
Dec 23, 2014
8,592
I still say sandboxie is the best defense when properly used when knowing a file could be malicious or you are savvy enough to use it.

It is not for most people, but it can be the best defense for you or others. Almost all users apply Sandboxie on demand, so it cannot be compared to Comodo which uses auto-containment.
I used Sandboxie for a few years and still have several sandboxes with very different restrictions on my old disk images.
Also, the term "best defense" has a different meaning for many people. :)

Edit.
Most users who use Sandboxie are unprotected against the attacks mentioned in this thread.
It is possible to use auto-sandboxed Windows Explorer (explorer.exe) for more security, but I knew only one person who used Sandboxie that way.
 
Last edited:
  • +Reputation
Reactions: simmerskool

vitao

Level 3
Thread author
Mar 12, 2024
110
Latest Xcitium edition (Xcitium Client Security 13.2.0.9560) exploited by the same PoC. RansomFest, it seems...

Edit. Default configs for endpoint. The recommended one from the Xcitium EDR Dashboard.

Edit.: I see there is a 13.3.1 edition released (announced on their forum), but I have no idea how to upgrade to it or download it. Does anyone have any idea? Or is there something wrong with their EDR dashboard/platform preventing clients from having the latest client released? Or is it not released? o_O
 

Last edited:
  • Like
Reactions: Andy Ful

Andy Ful

From Hard_Configurator Tools
Verified
Honorary Member
Top Poster
Developer
Well-known
Dec 23, 2014
8,592
Latest Xcitium edition (Xcitium Client Security 13.2.0.9560) exploited by the same PoC. RansomFest, it seems...

I think that the attack can be blocked by using only Comodo Firewall (antivirus disabled) and disabling the cloud backend:



The idea is to trust only the files whitelisted by the user or signed by Trusted Vendors. Other executables will be considered Unrecognized, even if they are trusted by signatures or in Comodo's cloud. This should block most attacks via DLL hijacking.
However, the setup without a cloud backend must be well tested - I am unsure if Comodo can properly recognize the catalog-signed system files (the certificate is not embedded in a system file).

Edit.
This setup can be strengthened with Microsoft Defender + ASR rule "Block use of copied or impersonated system tools (preview)". That rule will prevent using system LOLBins (copied/dropped to UserSpace) vulnerable to DLL hijacking.
 
Last edited:
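As an added example that is not part of the thread or of Comodo's own tooling, the following PowerShell audits the two points raised in the post above: how many System32 executables are catalog-signed rather than carrying an embedded certificate, and whether the Defender ASR rule for copied or impersonated system tools is configured. The rule GUID is taken from Microsoft's ASR reference and is an assumption to verify; the sample size and action-code mapping are also labelled in the comments.

```powershell
# Added example, not from the thread. Two checks relevant to the setup above:
#  1) how many System32 executables carry an embedded Authenticode signature versus a
#     catalog-only signature (the case Andy Ful is unsure Comodo handles with the cloud off);
#  2) whether Defender's ASR rule "Block use of copied or impersonated system tools" is active.
# Run in an elevated PowerShell on Windows 10/11 with Microsoft Defender present.

# Rule GUID taken from Microsoft's ASR rule reference; assumed correct, verify before relying on it.
$CopiedToolsRuleId = 'c0033c00-d16d-4114-a5a0-dc9b3a7d2ceb'

function Get-System32SignatureSummary {
    param([int]$SampleSize = 300)   # assumed sample size; raise it for a full inventory
    $files = Get-ChildItem -Path "$env:SystemRoot\System32" -File -Filter '*.exe' |
             Select-Object -First $SampleSize
    $embedded = 0; $catalog = 0; $unsigned = 0
    $catalogNames = New-Object System.Collections.Generic.List[string]
    foreach ($f in $files) {
        $sig = Get-AuthenticodeSignature -FilePath $f.FullName
        # SignatureType is Authenticode (cert embedded), Catalog (cert in a .cat file), or None.
        switch ("$($sig.SignatureType)") {
            'Authenticode' { $embedded++ }
            'Catalog'      { $catalog++; $catalogNames.Add($f.Name) }
            default        { $unsigned++ }
        }
    }
    [pscustomobject]@{
        Embedded            = $embedded
        CatalogOnly         = $catalog
        NoSignature         = $unsigned
        CatalogOnlyExamples = ($catalogNames | Select-Object -First 8) -join ', '
    }
}

function Get-CopiedToolsRuleState {
    $prefs   = Get-MpPreference
    $ids     = @($prefs.AttackSurfaceReductionRules_Ids)
    $actions = @($prefs.AttackSurfaceReductionRules_Actions)
    # Documented action codes: 0 = Disabled, 1 = Block, 2 = Audit, 6 = Warn.
    $names = @{ 0 = 'Disabled'; 1 = 'Block'; 2 = 'Audit'; 6 = 'Warn' }
    for ($i = 0; $i -lt $ids.Count; $i++) {
        if ($ids[$i] -ieq $CopiedToolsRuleId) {
            $code = [int]$actions[$i]
            return [pscustomobject]@{ RuleId = $ids[$i]; Action = $names[$code]; Code = $code }
        }
    }
    [pscustomobject]@{ RuleId = $CopiedToolsRuleId; Action = 'NotConfigured'; Code = $null }
}

Get-System32SignatureSummary | Format-List
Get-CopiedToolsRuleState      | Format-List
```

A large CatalogOnly count shows how many system files a vendor-signature check must resolve through catalogs rather than embedded certificates; an Action other than Block means the ASR mitigation mentioned in the post is not yet enforcing.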

vitao

Level 3
Thread author
Mar 12, 2024
110
I think that the attack can be blocked by using only Comodo Firewall (antivirus disabled) and disabling the cloud backend:


The idea is to trust only the files whitelisted by the user or signed by Trusted Vendors. Other executables will be considered Unrecognized, even if they are trusted by signatures or in Comodo's cloud. This should block most attacks via DLL hijacking.
However, the setup without a cloud backend must be well tested - I am unsure if Comodo can properly recognize the catalog-signed system files (the certificate is not embedded in a system file).

Edit.
This setup can be strengthened with Microsoft Defender + ASR rule "Block use of copied or impersonated system tools (preview)". That rule will prevent using system LOLBins (copied/dropped to UserSpace) vulnerable to DLL hijacking.
I was thinking of something a little easier: Comodo Internet Security (AV + FW), in Proactive, reputation as restrict, disable cloud lookup and disable "trust software installed by trusted installers". What do you think?
 
  • Like
Reactions: Andy Ful

Andy Ful

From Hard_Configurator Tools
Verified
Honorary Member
Top Poster
Developer
Well-known
Dec 23, 2014
8,592
I was thinking of something a little easier: Comodo Internet Security (AV + FW), in Proactive, reputation as restrict, disable cloud lookup and disable "trust software installed by trusted installers". What do you think?

It is worth trying.
 
  • Like
Reactions: simmerskool

rashmi

Level 12
Jan 15, 2024
578
I was thinking of something a little easier: Comodo Internet Security (AV + FW), in Proactive, reputation as restrict, disable cloud lookup and disable "trust software installed by trusted installers". What do you think?
It's possible that, with cloud, rating, and trust options disabled in file rating settings, all non-Windows/non-OS features or programs will run within Comodo containment.
 
  • Like
Reactions: simmerskool

rashmi

Level 12
Jan 15, 2024
578
@vitao

You may test Comodo Cloud Antivirus (https://download.comodo.com/ccav/installers/ccav_installer.exe) if it's possible. Despite being a discontinued (2019) product, it still functions on Windows 11, as I just installed and tested it. From what I recall, CCAV has a limited vendor list, comparable containment to CIS proactive security, and a few built-in protection measures. It does not have HIPS. It would be refreshing to see how it performs against your POCs.


 
Last edited by a moderator:

simmerskool

Level 38
Verified
Top Poster
Well-known
Apr 16, 2017
2,784
Interject question re Valkyrie (or does it have a new name or URL?), since it is a Comodo service and Cloud AV was mentioned by @rashmi. I do have CF2025 on a VM with cruelsister settings, and that VM is tight & light. I even have a paid CIS license but don't use it (r&dfc) -- does Comodo have a cloud analysis platform? I went to the Valkyrie site (I have a login) and it asks for a file upload, and then it spins & spins and nothing ever happens beyond that. Occasionally here I see reference to Comodo cloud analysis, but I'm not successful using it nowadays, though I used to use it in the past. Anyone know?
 
  • Like
Reactions: rashmi

Chuck57

Level 12
Verified
Top Poster
Well-known
Oct 22, 2018
591
@vitao

You may test Comodo Cloud Antivirus (https://download.comodo.com/ccav/installers/ccav_installer.exe) if it's possible. Despite being a discontinued (2019) product, it still functions on Windows 11, as I just installed and tested it. From what I recall, CCAV has a limited vendor list, comparable containment to CIS proactive security, and a few built-in protection measures. It does not have HIPS. It would be refreshing to see how it performs against your POCs.


Aahh, Comodo Cloud AV. Loved this program. I thought it better than CFW back then. I haven't used it since it was discontinued, and wasn't aware it still functioned on Win 11.
 

rashmi

Level 12
Jan 15, 2024
578
Interject question re Valkyrie (or does it have a new name or URL?), since it is a Comodo service and Cloud AV was mentioned by @rashmi. I do have CF2025 on a VM with cruelsister settings, and that VM is tight & light. I even have a paid CIS license but don't use it (r&dfc) -- does Comodo have a cloud analysis platform? I went to the Valkyrie site (I have a login) and it asks for a file upload, and then it spins & spins and nothing ever happens beyond that. Occasionally here I see reference to Comodo cloud analysis, but I'm not successful using it nowadays, though I used to use it in the past. Anyone know?
Comodo 2025 cloud lookup uses Valkyrie, according to staff. Comodo Cloud AV's Valkyrie component delivered verdicts on unknown files. I received Valkyrie verdicts for some unknown files. Valkyrie's effectiveness as protection would have improved with continued CCAV. I extensively tested the Valkyrie website previously, and its performance was impressive, with negligible false positives. Valkyrie, if successfully implemented, has the potential to improve Comodo's detection significantly. However, Comodo primarily focuses on application whitelisting and containment, and the other modules are secondary. Whitelisted malware can make these modules or Comodo ineffective. I can't remember if Comodo AV, Cloud AV, or VirusScope scans whitelisted or trusted files.
 

simmerskool

Level 38
Verified
Top Poster
Well-known
Apr 16, 2017
2,784
Comodo 2025 cloud lookup uses Valkyrie, according to staff. Comodo Cloud AV's Valkyrie component delivered verdicts on unknown files. I received Valkyrie verdicts for some unknown files. Valkyrie's effectiveness as protection would have improved with continued CCAV. I extensively tested the Valkyrie website previously, and its performance was impressive, with negligible false positives. Valkyrie, if successfully implemented, has the potential to improve Comodo's detection significantly. However, Comodo primarily focuses on application whitelisting and containment, and the other modules are secondary. Whitelisted malware can make these modules or Comodo ineffective. I can't remember if Comodo AV, Cloud AV, or VirusScope scans whitelisted or trusted files.
Good info, thanks, but is there a web portal to upload a suspicious file from the browser that works? There used to be, but I'm not finding it anymore... :unsure:
 
  • Like
Reactions: rashmi

Andy Ful

From Hard_Configurator Tools
Verified
Honorary Member
Top Poster
Developer
Well-known
Dec 23, 2014
8,592
Good info, thanks, but is there a web portal to upload a suspicious file from the browser that works? There used to be, but I'm not finding it anymore... :unsure:

 
