Comodo Internet Security 2025 does not contain RANSOMWARE (bypass, infection and loss of files)

@Andy Ful

I tested with CIS by deactivating the options related to cloud scanning and with this CIS completely manages the Exploit/Ransomware, but this generates another type of problem which I will explain in the video that will be produced this week.

At least we know that with this configuration CIS can prevent this ransomware attack. Of course, this all comes at the expense of a very serious problem that will be generated as everything depends on the user deciding which files to execute or not (at least files that do not have a registered supplier in the cis local database). Well, better than nothing... :p

Edit: but then... this brings a good reflection and a good idea here. As everybody knows, Comodo antivirus is horrible, so maybe Comodo Firewall with these new settings + Windows Defender will be the best protection out there :P WinDef is native and more or less an AV; with Comodo FW with these settings, this could lead to a great solution for protection. Maybe a new video with this setup would be a good idea (at least for the channel)...
Let me check today's config: win10_VM with CF 12.3.4.8162 (w/cruelsister's suggested config) + MS Defender w/DefenderUI (aggressive profile) + WHHL (default). If you can improve CS's config may the force be with you... :unsure:
Add the suggestion by Andy and that's it!

It is possible to use CIS + Auto-containment without cloud lookup but it requires attention and work (proper whitelisting, adding some trusted vendors, etc.). It is for advanced users. The setup works well with signed applications (the vendor added to the Trusted Vendors list). Unsigned applications require whitelisting when installing and updating. Whitelisting some unsigned applications (like UniGetUI) is a challenge.
 
While I haven't used UniGetUI, can't you simply "ignore" it in containment settings?

Initially, I used silent mode as the primary setup. It prevented UniGetUI from running. So, I removed all blocks and enabled alerts but some silent HIPS blocks survived. After some trial-and-error actions, I disabled HIPS, removed all blocks, and executed UniGetUI. Next, I enabled HIPS in the Training mode and executed UniGetUI again. Finally, I enabled HIPS in the Safe mode.
It is possible that running UniGetUI in training mode from the beginning would be OK. A similar problem was with OBS.
Training mode is a temporary solution for the current UniGetUI version, but not for the next version. To permanently resolve the issue, add UniGetUI as an "installer and updater" in HIPS, "ignore" in containment, and "allow" in the firewall.

I already did it. However, I doubt if this will solve the problem permanently. The new version may use a different executable, so it will also require an "installer and updater" in HIPS, etc.

Edit1.
For now, it updated with no problem. (y)

Edit2.
Blocked after Windows restart. :confused:
I don't use HIPS right now, so I can't say for sure about it. In my containment settings, I have set Hasleo Backup, an unsigned program, to "ignore." Hasleo auto-update works with no alert, but Comodo alerts me for over-install.
 
Hello guys. Hello @Andy Ful, sorry for the delay. It's near Christmas and my wife bothered me to go to the market, clean up the house, and a lot of other boring things, so I ended up running out of time. I got home a few minutes ago. The video is recorded but edits still need to be made. I will try to prepare everything as soon as possible (because I have 5 videos recorded, yet to be edited). So, I will probably publish the new test with CIS by Friday.

And that is it. Hugs.
I downloaded UniGetUI from here: GitHub - marticliment/UniGetUI: UniGetUI: The Graphical Interface for your package managers. Could be terribly described as a package manager manager to manage your package managers

Comodo Firewall 12.3.4.8162
Configuration: Proactive Security
HIPS: Enabled
Enable Cloud Lookup: Disabled

UniGetUI: 3.1.3

Added the UniGetUI installer as an "Allowed Application" in HIPS.
Added the UniGetUI installer as "ignore" in containment settings.

The UniGetUI installation was successful (received only a firewall alert). I unticked "Launch" in the UniGetUI installation window.

Added the following files as "Allowed Application" in HIPS.
C:\Program Files\UniGetUI\UniGetUI.exe
C:\Program Files\UniGetUI\WingetUI.exe
C:\Users\rashmi\AppData\Local\UniGetUI\Chocolatey\choco.exe
C:\Users\rashmi\AppData\Local\UniGetUI\Chocolatey\helpers\chocolateyScriptRunner.ps1

Added UniGetUI folders as "ignore" in containment settings.
C:\Program Files\UniGetUI\*
C:\Users\rashmi\AppData\Local\UniGetUI\*

Restarted the system.

Received two firewall alerts. Opened UniGetUI. It mentioned an update was available. Updated successfully.
Why disable Cloud Lookup when Xcitium's cloud-based analysis is so good?
[Attached image: Valkyrie Report.JPG, showing the ZIP Archive's Details, Behaviour, Reputation, Malware Category and Kill Chain Report (the red circle at the top right). Link: Valkyrie Verdict]

In Comodo, Trusted EXE files can load Unrecognized DLLs without triggering containment and many DLLs used in the attacks are Unrecognized by Comodo for several days (like the DLL used in the video). There is no such problem with EXE files because Unrecognized EXE files trigger auto-containment.
The whole thread is about this issue. Although it is probably a minor issue for non-enterprise users, it can be more important in targeted attacks on organizations.
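An added example (not code from the thread or from Comodo) for the two points discussed above: the whitelist entries rashmi had to create for the unsigned UniGetUI files, and the gap where a trusted EXE loads Unrecognized DLLs without containment. It audits the whitelisted paths (signature status and SHA256, so you notice when an update swaps the binary and the entry needs re-checking) and lists unsigned modules loaded into a running process. Paths are taken from the post above with the user profile replaced by $env:LOCALAPPDATA; the process name 'UniGetUI' is an assumption.

```powershell
# Added example: audit CF/CIS whitelist targets and unsigned loaded DLLs.
# Paths assumed from the post above; adjust to your install.
$WhitelistPaths = @(
    'C:\Program Files\UniGetUI\UniGetUI.exe',
    'C:\Program Files\UniGetUI\WingetUI.exe',
    "$env:LOCALAPPDATA\UniGetUI\Chocolatey\choco.exe",
    "$env:LOCALAPPDATA\UniGetUI\Chocolatey\helpers\chocolateyScriptRunner.ps1"
)

function Get-WhitelistAudit {
    param([string[]]$Paths)
    foreach ($p in $Paths) {
        if (-not (Test-Path -LiteralPath $p)) {
            # A missing path usually means an update moved/renamed the file: the HIPS entry is stale.
            [pscustomobject]@{ Path = $p; Exists = $false; Signature = 'n/a'; Signer = 'n/a'; Sha256 = 'n/a' }
            continue
        }
        $sig = Get-AuthenticodeSignature -LiteralPath $p
        $signer = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '(unsigned)' }
        [pscustomobject]@{
            Path      = $p
            Exists    = $true
            Signature = $sig.Status      # Valid / NotSigned / HashMismatch ...
            Signer    = $signer          # unsigned files cannot be covered by Trusted Vendors
            Sha256    = (Get-FileHash -LiteralPath $p -Algorithm SHA256).Hash
        }
    }
}

# DLLs loaded into a process whose signature is not Valid: the case where a
# trusted EXE pulls in an Unrecognized DLL that auto-containment does not catch.
function Get-UnsignedModules {
    param([string]$ProcessName)
    Get-Process -Name $ProcessName -ErrorAction SilentlyContinue | ForEach-Object {
        $proc = $_
        try { $mods = $proc.Modules } catch { return }   # access denied / bitness mismatch
        foreach ($m in $mods) {
            $s = Get-AuthenticodeSignature -LiteralPath $m.FileName
            if ($s.Status -ne 'Valid') {
                [pscustomobject]@{ Process = $proc.ProcessName; Module = $m.FileName; Status = $s.Status }
            }
        }
    }
}

Get-WhitelistAudit -Paths $WhitelistPaths | Format-Table -AutoSize
Get-UnsignedModules -ProcessName 'UniGetUI' | Format-Table -AutoSize
```

Run it once after installing and again after an in-app update: a changed hash or a new unsigned module is the moment the containment "ignore" and HIPS entries deserve a second look.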
Those entries are necessary to avoid some blocks after the update.
I used the "Allowed Application" policy in HIPS. I'm unsure if the "Installer or Updater" policy has a bug, as it displays the "Action" of the previous highlighted policy.
For example, you highlight the "allowed application" policy, then highlight the "installer or updater" policy; the "action" under the "installer or updater" policy doesn't change.
Review again after applying this installer or updater policy; all actions switched to the "ask" option.