- Mar 12, 2024
- 181
hehehehehe
i agree with you.i dont care about comodo forums or those who are fighting against anything bad related to cis. the only thing i can do is... keeping these videos coming
all public, always.
Comodo Internet Security 2025 does not contain RANSOMWARE (bypass, infection and lost of files)
- Thread starter vitao
- Start date
i agree with you.i dont care about comodo forums or those who are fighting against anything bad related to cis. the only thing i can do is... keeping these videos coming
all public, always.
- Mar 12, 2024
- 181
@Andy Ful
I tested with CIS by deactivating the options related to cloud scanning and with this CIS completely manages the Exploit/Ransomware, but this generates another type of problem which I will explain in the video that will be produced this week.
At least we know that with this configuration CIS can prevent this ransomware attack. Of course, this all comes at the expense of a very serious problem that will be generated as everything depends on the user deciding which files to execute or not (at least files that do not have a registered supplier in the cis local database). Well, better than nothing...
edit.: but then... this brings a good reflection and a good idea here. as everybody knows, comodo antivirus is horrible, so, maybe, comodo firewall with these new settings + windows defender will be the best protection out there win def is native and a mor or less av, with comodo fw with these settings, this could lead to a great solution for protection. maybe a new video with this setup would be a good idea (atleast for the channel)...
I tested with CIS by deactivating the options related to cloud scanning and with this CIS completely manages the Exploit/Ransomware, but this generates another type of problem which I will explain in the video that will be produced this week.
At least we know that with this configuration CIS can prevent this ransomware attack. Of course, this all comes at the expense of a very serious problem that will be generated as everything depends on the user deciding which files to execute or not (at least files that do not have a registered supplier in the cis local database). Well, better than nothing...
edit.: but then... this brings a good reflection and a good idea here. as everybody knows, comodo antivirus is horrible, so, maybe, comodo firewall with these new settings + windows defender will be the best protection out there
win def is native and a mor or less av, with comodo fw with these settings, this could lead to a great solution for protection. maybe a new video with this setup would be a good idea (atleast for the channel)...
- Apr 16, 2017
- 2,932
Let me check today's config: win10_VM with CF 12.3.4.8162 (w/cruelsister's suggested config) + MS Defender w/DefenderUI (aggressive profile) + WHHL (default). If you can improve CS's config may the force be with you...maybe, comodo firewall with these new settings + windows defender will be the best protection out there
- Mar 12, 2024
- 181
add the suggestion by andy and thats it!Let me check today's config: win10_VM with CF 12.3.4.8162 (w/cruelsister's suggested config) + MS Defender w/DefenderUI (aggressive profile) + WHHL (default). If you can improve CS's config may the force be with you...
- Apr 16, 2017
- 2,932
the one about the LOLBin rule? I looked the other day but NOT obvious (to me) where & how to do that...
- Dec 23, 2014
- 8,817
It is possible to use CIS + Auto-containment without cloud lookup but it requires attention and work (proper whitelisting, adding some trusted vendors, etc.). It is for advanced users. The setup works well with signed applications (the vendor added to the Trusted Vendors list). Unsigned applications require whitelisting when installing and updating. Whitelisting some unsigned applications (like UniGetUI) is a challenge.
While I haven't used UniGetUI, can't you simply "ignore" it in containment settings?
- Dec 23, 2014
- 8,817
Initially, I used silent mode as the primary setup. It prevented UniGetUI from running. So, I removed all blocks and enabled alerts but some silent HIPS blocks survived. After some trial-and-error actions, I disabled HIPS, removed all blocks, and executed UniGetUI. Next, I enabled HIPS in the Training mode and executed UniGetUI again. Finally, I enabled HIPS in the Safe mode.
It is possible that running UniGetUI in training mode from the beginning would be OK. A similar problem was with OBS.
Last edited:
Training mode is a temporary solution for the current UniGetUI version, but not for the next version. To permanently resolve the issue, add UniGetUI as an "installer and updater" in HIPS, "ignore" in containment, and "allow" in the firewall.
- Dec 23, 2014
- 8,817
I already did it. However, I doubt if this will solve the problem permanently. The new version may use a different executable, so it will also require an "installer and updater" in HIPS, etc.
Edit1.
For now, it updated with no problem.
Edit2.
Blocked after Windows restart.
Last edited:
I don't use HIPS right now, so I can't say for sure about it. In my containment settings, I have set Hasleo Backup, an unsigned program, to "ignore." Hasleo auto-update works with no alert, but Comodo alerts me for over-install.
I would like to test it. Where should I download UniGetUI?Edit1.
For now, it updated with no problem.
Edit2.
Blocked after Windows restart.
- Mar 12, 2024
- 181
hello guys. hello @Andy Ful sorry the delay. its near Christmas and my wife bothered me to go to the market, clean up the house, and a lot of other boring things, so I ended up running out of time. I got home a few minutes ago. The video is recorded but edits still need to be made. I will try to prepare everything as soon as possible (because I have 5 videos recorded, yet to be edited). So, I will probably publish the new test with the cis by Friday.
and that is it. hugs.
and that is it. hugs.
I downloaded UniGetUI from here: GitHub - marticliment/UniGetUI: UniGetUI: The Graphical Interface for your package managers. Could be terribly described as a package manager manager to manage your package managersI already did it. However, I doubt if this will solve the problem permanently. The new version may use a different executable, so it will also require an "installer and updater" in HIPS, etc.
Edit1.
For now, it updated with no problem.
Edit2.
Blocked after Windows restart.
Comodo Firewall 12.3.4.8162
Configuration: Proactive Security
HIPS: Enabled
Enable Cloud Lookup: Disabled
UniGetUI: 3.1.3
Added the UniGetUI installer as an "Allowed Application" in HIPS.
Added the UniGetUI installer as "ignore" in containment settings.
The UniGetUI installation was successful (received only a firewall alert). I unticked "Launch" in the UniGetUI installation window.
Added the following file as an "Allowed Application" in HIPS.
C:\Program Files\UniGetUI\UniGetUI.exe
C:\Program Files\UniGetUI\WingetUI.exe
C:\Users\rashmi\AppData\Local\UniGetUI\Chocolatey\choco.exe
C:\Users\rashmi\AppData\Local\UniGetUI\Chocolatey\helpers\chocolateyScriptRunner.ps1
Added UniGetUI folders as "ignore" in containment settings.
C:\Program Files\UniGetUI\*
C:\Users\rashmi\AppData\Local\UniGetUI\*
Restarted the system
Received two firewall alerts. Opened UniGetUI. It mentioned an update was available. Updated successfully.
Last edited:
- Dec 23, 2014
- 8,817
Those entries are necessary to avoid some blocks after the update.
- Oct 17, 2023
- 186
Why disable Cloud Lookup when Xcitiums cloud based analysis are so good?
- Oct 17, 2023
- 186
ZIP Archive
Details
Behaviour
Reputation
Malware Category
Kill Chain Report(The red circle right up)
Link: Valkyrie Verdict
- Dec 23, 2014
- 8,817
In Comodo, Trusted EXE files can load Unrecognized DLLs without triggering containment and many DLLs used in the attacks are Unrecognized by Comodo for several days (like the DLL used in the video). There is no such problem with EXE files because Unrecognized EXE files trigger auto-containment.
The whole thread is about this issue. Although it is probably a minor issue for non-enterprise users, it can be more important in targeted attacks on organizations.
Last edited:
I used the "Allowed Application" policy in HIPS. I'm unsure if the "Installer or Updater" policy has a bug, as it displays the "Action" of the previous highlighted policy.
For example, you highlight the "allowed application" policy, then highlight the "installer or updater" policy; the "action" under the "installer or updater" policy doesn't change.
Last edited:
