Comodo Internet Security 2025 does not contain RANSOMWARE (bypass, infection and loss of files)

Andy Ful

From Hard_Configurator Tools
Verified
Honorary Member
Top Poster
Developer
Well-known
Dec 23, 2014
8,774
@Andy Ful If I remember the test well, the option "Rate applications according to their vendor rating" under File Rating Settings is the reason for the POCs bypass or DLL hijacking, right?

In my test, DLL hijacking worked independently of this setting, because the vendor of the signed EXE was not on the Trusted Vendors List. Both the EXE file and DLL were rated via Cloud Lookup. The same happened in the test done by @vitao.
The option "Rate applications according to their vendor rating" can matter if Cloud Lookup is disabled. But in such a case unticking this option would be dangerous without adding to "Ignored" the system files, Comodo executables, and already installed applications. If Cloud Lookup is disabled, it is highly recommended to keep this option ticked and optionally the Trusted Vendors List can be manually adjusted.
 
Last edited:

rashmi

Level 15
Jan 15, 2024
730
It's already 2025 and Comodo Internet Security is still vulnerable and the same ransomware as before keeps destroying everything:



This video has subtitles in several languages.

Can you retest this with the following setup? Test the setup with both HIPS enabled and disabled.

File Rating - File Groups - Add "New Group" and name it "Personal Data". Select "Personal Data" in the list and add Documents and Pictures folders to it. Click OK.
HIPS - Protected Objects - under "Protected Files" - Add "File Groups" and select "Personal Data" from the list. Click OK.
 

vitao

Level 4
Thread author
Mar 12, 2024
176
Can you retest this with the following setup? Test the setup with both HIPS enabled and disabled.

File Rating - File Groups - Add "New Group" and name it "Personal Data". Select "Personal Data" in the list and add Documents and Pictures folders to it. Click OK.
HIPS - Protected Objects - under "Protected Files" - Add "File Groups" and select "Personal Data" from the list. Click OK.
I don't see the point, as the ransomware will encrypt everything inside profile folders, like Desktop, Downloads, Docs, etc. If the DLL file is updated to gain access to anything on the HD (even a secondary or third partition), the result will be the same. The problem is not the ransomware not being detected by CIS. The problem is that even if it detects it, it's just a matter of updating the DLL to encrypt something and change some IDs there so CIS will stop blocking it again. The problem is that CIS cannot identify threats inside DLLs invoked by signed EXEs. Well, at least it's what I'm getting to understand. If I'm wrong, please help me understand better.

PS: the DLL is not recognized by CIS, nor by Valkyrie, nor anything else related to Comodo products. Why? I don't know (I have some guesses and they are not pretty).

@Andy Ful too... you are being summoned! :p
 

rashmi

Level 15
Jan 15, 2024
730
I don't see the point, as the ransomware will encrypt everything inside profile folders, like Desktop, Downloads, Docs, etc. If the DLL file is updated to gain access to anything on the HD (even a secondary or third partition), the result will be the same. The problem is not the ransomware not being detected by CIS. The problem is that even if it detects it, it's just a matter of updating the DLL to encrypt something and change some IDs there so CIS will stop blocking it again. The problem is that CIS cannot identify threats inside DLLs invoked by signed EXEs. Well, at least it's what I'm getting to understand. If I'm wrong, please help me understand better.
The setup is not for detecting specific malware but for preventing files' modification from programs. You can also protect partitions with the stated setup. Ideally, the setup should prevent files' modification from trusted programs or malware.
 
Last edited:

vitao

Level 4
Thread author
Mar 12, 2024
176
The setup is not for detecting specific malware but for preventing files' modification from programs. You can also protect partitions with the stated setup. Ideally, the setup should prevent files' modification from trusted programs or malware.
But does CIS work like this? If so, is it not better to create a file group and add partitions to it instead of folders? If CIS can monitor the way you explained, this would be better for prevention, right?
 

Andy Ful

From Hard_Configurator Tools
Verified
Honorary Member
Top Poster
Developer
Well-known
Dec 23, 2014
8,774
... the problem is that CIS cannot identify threats inside DLLs invoked by signed EXEs.

I would not use the word "identify". CIS can identify threats in the known malicious DLLs (usually by signatures).
For unknown DLLs (also when using Trusted EXEs), it can apply other features like HIPS, Script Analysis, and (probably) Viruscope.

But Comodo's protection in the default settings seems to be less effective against DLL hijacking than other popular AVs. This is because Unrecognized DLLs loaded by Trusted EXEs are not auto-contained and the signature detection of a few days-old DLLs is poor. Of course, we cannot be sure how serious the problem is without more tests.
 
Last edited:
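
As an added illustration of the gap described in the post above (a Trusted, signed EXE loading an Unrecognized DLL), here is a small triage check over image-load records. It is example code added here, not Comodo's logic and not code from any poster; the record fields (`exe`, `exe_trusted`, `dll`, `dll_signed`), the writable-path list and the sample events are all constructed assumptions.

```python
from ntpath import dirname, normcase

# Directory prefixes a standard user can usually write to (assumed list; adjust per host).
USER_WRITABLE = ("c:\\users\\", "c:\\programdata\\", "c:\\windows\\temp\\")

def is_user_writable(path):
    """True if the path falls under one of the assumed user-writable prefixes."""
    return normcase(path).startswith(USER_WRITABLE)

def flag_sideload(events):
    """Return events where a trusted EXE loaded an unsigned DLL that sits
    next to it in a user-writable directory (the pattern discussed in the thread)."""
    hits = []
    for ev in events:
        same_dir = normcase(dirname(ev["exe"])) == normcase(dirname(ev["dll"]))
        if (ev["exe_trusted"] and not ev["dll_signed"]
                and same_dir and is_user_writable(ev["dll"])):
            hits.append(ev)
    return hits

# Constructed sample records (hypothetical paths and field names).
SAMPLE = [
    # Installed application loading its own signed DLL: not flagged.
    {"exe": r"C:\Program Files\Vendor\app.exe", "exe_trusted": True,
     "dll": r"C:\Program Files\Vendor\helper.dll", "dll_signed": True},
    # Trusted EXE in Downloads loading an unsigned DLL beside it: flagged.
    {"exe": r"C:\Users\test\Downloads\pkg\signed_tool.exe", "exe_trusted": True,
     "dll": r"C:\Users\test\Downloads\pkg\plugin.dll", "dll_signed": False},
    # Same EXE loading a signed system DLL: not flagged.
    {"exe": r"C:\Users\test\Downloads\pkg\signed_tool.exe", "exe_trusted": True,
     "dll": r"C:\Windows\System32\kernel32.dll", "dll_signed": True},
    # Untrusted EXE: out of scope here, the EXE itself is already unrecognized.
    {"exe": r"C:\Users\test\AppData\Local\Temp\setup.exe", "exe_trusted": False,
     "dll": r"C:\Users\test\AppData\Local\Temp\x.dll", "dll_signed": False},
]

if __name__ == "__main__":
    for ev in flag_sideload(SAMPLE):
        print("review:", ev["exe"], "->", ev["dll"])
```
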

rashmi

Level 15
Jan 15, 2024
730
But does CIS work like this? If so, is it not better to create a file group and add partitions to it instead of folders? If CIS can monitor the way you explained, this would be better for prevention, right?
Let's see if the setup works.

 

vitao

Level 4
Thread author
Mar 12, 2024
176
Can you retest this with the following setup? Test the setup with both HIPS enabled and disabled.

File Rating - File Groups - Add "New Group" and name it "Personal Data". Select "Personal Data" in the list and add Documents and Pictures folders to it. Click OK.
HIPS - Protected Objects - under "Protected Files" - Add "File Groups" and select "Personal Data" from the list. Click OK.
Hello my friend. Sorry for the delay. I received a strike and I'm not allowed to publish new videos for some days more. I did this test (plus one other config too) and the results didn't change. CIS continues to be obliterated by the exploit. I'm working on the subs for the video and it will be on my channel (I hope) on Friday.
 

Chuck57

Level 13
Verified
Top Poster
Well-known
Oct 22, 2018
603
I don't get the complaining. As a long, long Comodo FW user, I appreciate any remarks, good or bad, about Comodo, since I haven't the skill to do testing. There are anti comodo whiners here, and it looks like there are pro comodo whiners who can't handle criticism. Both are pathetic.
 

vitao

Level 4
Thread author
Mar 12, 2024
176
I don't get the complaining. As a long, long Comodo FW user, I appreciate any remarks, good or bad, about Comodo, since I haven't the skill to do testing. There are anti comodo whiners here, and it looks like there are pro comodo whiners who can't handle criticism. Both are pathetic.
Well, I don't know where I fit in, as I produce videos showing CIS weakness but I'm the same guy who continues to use and recommend it for more tech people... and yet people seem to hate me? o_O Well... this is life... :p
 

Chuck57

Level 13
Verified
Top Poster
Well-known
Oct 22, 2018
603
Well, I don't know where I fit in, as I produce videos showing CIS weakness but I'm the same guy who continues to use and recommend it for more tech people... and yet people seem to hate me? o_O Well... this is life... :p
I appreciate yours and all viewpoints here and have been following this thread. I haven't posted because most are far beyond my skill level and knowledge. I'm just a loyal user. Keep them coming, whether positive or negative towards Comodo. In my opinion, your posts are very positive, even if they expose weaknesses. I want to know about my favorite software.
 

bazang

Level 10
Jul 3, 2024
482
o_O for real? can you send me any proof of it?
When you are banned from Youtube that will be the evidence.

The same thing happens to people who show weaknesses in Kaspersky, Bitdefender, Norton, etc. Fanbois get outraged and they brigade complaints and report videos to have the video removed or, better yet, get the video creator perma-banned.

All that is needed is for one person to report a video as misinformation. Then Youtube policy is that the video must then be reviewed. The people that review videos are not subject matter experts. Do you think they have IT Pros, security researchers, and antivirus pentesters reviewing Youtube tester videos? Nah. It is some 24 year old recent college graduate with a degree in pottery making sitting in a center in the Philippines reviewing all the videos with complaints. They have to decide whether or not to take down the video or ban the video creator.

Bitdefender is a software publisher that constantly complains to Youtube about Youtube testers. They hired a few people whose full-time occupations are to complain to Youtube or anyone else that hosts videos about Bitdefender that Bitdefender disagrees with. I would not be surprised if Comodo is not doing the same thing to you. Comodo's official policy is "No public test videos that show problems. Such problems must be reported privately directly to Comodo otherwise you are violating Comodo's EULA and Terms of Service."

But nobody bothers to read EULAs and Terms of Service, and then they get banhammered or sued.
 

Sephirothnight

Level 1
Sep 19, 2018
12
Good morning,
It is nothing new at Comodo. For several years they have categorically refused to publish, even in private, the "faults", bugs and other issues on their forum. They banned a former administrator of their own forum for having "disclosed" the closure of CIS with a line of code. It did not please Melih: he was banished. It was done privately at the start. In short, too bad, it is clearly not a positive path; it is essential to evolve and advance security, but at this stage... Comodo remains good, I use it too, but I admit that I do not understand all these stories, which can only improve their product and which they censor without looking further. I wonder if a possible replacement of Comodo, which I have been using since the beginning, will not take place, because even if I use it, I do not appreciate their methods and their way of handling the feedback that users give. Too bad for me and too bad for them.
 

vitao

Level 4
Thread author
Mar 12, 2024
176
When you are banned from Youtube that will be the evidence.

The same thing happens to people who show weaknesses in Kaspersky, Bitdefender, Norton, etc. Fanbois get outraged and they brigade complaints and report videos to have the video removed or, better yet, get the video creator perma-banned.

All that is needed is for one person to report a video as misinformation. Then Youtube policy is that the video must then be reviewed. The people that review videos are not subject matter experts. Do you think they have IT Pros, security researchers, and antivirus pentesters reviewing Youtube tester videos? Nah. It is some 24 year old recent college graduate with a degree in pottery making sitting in a center in the Philippines reviewing all the videos with complaints. They have to decide whether or not to take down the video or ban the video creator.

Bitdefender is a software publisher that constantly complains to Youtube about Youtube testers. They hired a few people whose full-time occupations are to complain to Youtube or anyone else that hosts videos about Bitdefender that Bitdefender disagrees with. I would not be surprised if Comodo is not doing the same thing to you. Comodo's official policy is "No public test videos that show problems. Such problems must be reported privately directly to Comodo otherwise you are violating Comodo's EULA and Terms of Service."

But nobody bothers to read EULAs and Terms of Service, and then they get banhammered or sued.
Well, about Comodo, for that I really sit to watch the end of it... :) The others, I don't think they're related to my case, but who knows...
 
