Comodo Internet Security 2025 recognizes RANSOMWARE as a TRUSTED file (bypass, infection and loss of files)

Bot
Apr 21, 2016
Thanks for sharing the video and adding subtitles in multiple languages. This will definitely help many users understand the issue better. And no worries about the delay, we all know life can get hectic at times.
 

bazang
Jul 3, 2024
Yeah? So what? It is no different from any other security software that misses ransomware. Other security software misses it far more often than Comodo.

All the videos showing bypasses would be meaningful if 1) the Comodo products had revenue that paid for full-time dedicated development teams and 2) anybody was stating "Comodo is unbeatable" (which nobody is saying).

The only credible thing to do is show how Comodo performs against every other security software using many hundreds of samples. If it prevents infection at a greater rate, then it is protecting better than those that do worse. If it does not prevent infection at a greater rate, then it is protecting worse than those that do better.

"One-off" POC and similar videos of Comodo failing to do this or that apply only to the specific POC or malware used. They should not be used to extrapolate or generalize about Comodo, and I think there is a big push here by some who have an agenda against Comodo.

Comodo is software. Software has problems. Comodo software is further problematic because it has no revenue and therefore no dedicated development team.

A few POCs and an undetected ransomware are not very enlightening. Nobody ever expects any software to be 100% bulletproof. Nobody here at MT or elsewhere has ever said that Comodo is unbeatable or free of weaknesses & vulnerabilities.

But the videos are great click-bait.
 

vitao
Thread author
Mar 12, 2024
Hello,

Ah yes... Well, who to turn to? It's getting complicated. Thanks for this video.
Added a caption and description in French.

Good afternoon.

Listen, I don't know if it's about resorting to something different. It depends on each individual. I particularly continue to use CIS because it protects me as I need and these exploits are specific to it. So far, no malware using this type of technique to affect CIS has reached my computers, so I'm sticking with it. When that happens, we will always have options like Kaspersky Free or Panda Free.
:)
 

TairikuOkami
May 13, 2017
This proves that blindly relying on digital signatures (like Smart App Control does), even the most trustworthy like DigiCert, can be a mistake. I wonder if denying System permissions would help?
 


Andy Ful
Dec 23, 2014
This proves that blindly relying on digital signatures (like Smart App Control does), even the most trustworthy like DigiCert, can be a mistake. I wonder if denying System permissions would help?

It is different. It uses DLL hijacking = benign application + malicious DLL.
The executed application is truly benign. The POC would work even if the benign application was unsigned, but sufficiently popular. (y)
 

TairikuOkami
May 13, 2017
The POC would work even if the benign application was unsigned, but sufficiently popular.
Well, unsigned apps are not allowed on my PC, by default. Not to mention that ramdisk fails to run signed admin apps in desktop/downloads folder as well. 😅
Code:
reg add "HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System" /v "ValidateAdminCodeSignatures" /t REG_DWORD /d "1" /f
 


Andy Ful
Dec 23, 2014
Well, unsigned apps are not allowed on my PC, by default. Not to mention that ramdisk fails to run signed admin apps in desktop/downloads folder as well. 😅
Code:
reg add "HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System" /v "ValidateAdminCodeSignatures" /t REG_DWORD /d "1" /f

It is a good policy. (y)
However, it allows running unsigned applications (only elevation is blocked). It also can be bypassed via UAC bypass.
A stronger way is using SUA and ConsentPromptBehaviorUser = 0.
Do you use another tweak to disable running unsigned apps?
 

Andy Ful
Dec 23, 2014
This proves that blindly relying on digital signatures (like Smart App Control does), even the most trustworthy like DigiCert, can be a mistake.

Smart App Control (SAC) can block the attack from the video. The benign application will be allowed, but the malicious DLL will be blocked.
The advantage of SAC (and WDAC) is that it can block DLL hijacking.
Of course, in targeted attacks the attacker can use a valid certificate to sign the DLL, and then the attack can pass SAC.
 

TairikuOkami
May 13, 2017
Do you use another tweak to disable running unsigned apps?
Several, still this is under the assumption that the user would run a random exe, I would never. I just wonder whether the ransomware works without system rights, wannacry sure fails.
As far as I know ransomware uses SeDebugPrivilege/SeTcbPrivilege, basically system permissions, so without it, it cannot do anything. It is easy to change permissions, but it does not, thus far.
 

Andy Ful
Dec 23, 2014
Several, still this is under the assumption that the user would run a random exe, I would never. I just wonder whether the ransomware works without system rights, wannacry sure fails.
As far as I know ransomware uses SeDebugPrivilege/SeTcbPrivilege, basically system permissions, so without it, it cannot do anything. It is easy to change permissions, but it does not, thus far.
It is more complicated. Using SeDebugPrivilege/SeTcbPrivilege is necessary for high privileged operations, but most ransomware attacks will continue without privilege escalation. Simply, the ransomware will skip high privileged actions and encrypt the files in user space.
 

vitao
Thread author
Mar 12, 2024
It is a good policy. (y)
However, it allows running unsigned applications (only elevation is blocked). It also can be bypassed via UAC bypass.
A stronger way is using SUA and ConsentPromptBehaviorUser = 0.
Do you use another tweak to disable running unsigned apps?
Does CIS have any sort of compatibility with it, via config files etc.? Or am I dreaming?
 

Andy Ful
Dec 23, 2014
Does CIS have any sort of compatibility with it, via config files etc.? Or am I dreaming?
Those tweaks cannot be done from CIS.
The tweak posted by TairikuOkami is well known, but it will prevent many installations of unsigned applications.

Code:
reg add "HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System" /v "ValidateAdminCodeSignatures" /t REG_DWORD /d "1" /f

That tweak can block the original Comodo bypass in your first video. The malware was unsigned, so it will fail to run instead of elevating. If it were ransomware, the execution could be continued in the sandbox with standard rights (no escape).
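A read-only audit of the policies discussed in this thread (ValidateAdminCodeSignatures, and a SUA with ConsentPromptBehaviorUser = 0), added here as an example; it is not from the thread or from Hard_Configurator. It reads only the registry key quoted above and the current logon token, and the wording of each finding is my own summary of what that setting does and does not cover.

```powershell
# Added example: read-only audit of the UAC policies discussed in this thread.
# Reads HKLM\...\Policies\System and the current logon token; changes nothing.
$policyKey = 'HKLM:\Software\Microsoft\Windows\CurrentVersion\Policies\System'

function Get-PolicyValue {
    param([string]$Name)
    # A missing value means "not configured" and is returned as $null.
    $props = Get-ItemProperty -Path $policyKey -ErrorAction SilentlyContinue
    if ($null -eq $props) { return $null }
    $prop = $props.PSObject.Properties[$Name]
    if ($null -eq $prop) { return $null }
    return $prop.Value
}

$validateSig = Get-PolicyValue 'ValidateAdminCodeSignatures'
$promptUser  = Get-PolicyValue 'ConsentPromptBehaviorUser'
$promptAdmin = Get-PolicyValue 'ConsentPromptBehaviorAdmin'

# SUA check: is BUILTIN\Administrators (S-1-5-32-544) among the token's groups?
# A non-elevated admin still carries it as a deny-only group, so this detects
# admin accounts even when the session runs with a filtered token.
$identity = [Security.Principal.WindowsIdentity]::GetCurrent()
$isStandardUser = -not ($identity.Groups.Value -contains 'S-1-5-32-544')

$findings = @()
if ($validateSig -eq 1) {
    $findings += 'ValidateAdminCodeSignatures=1: unsigned executables that request elevation are refused; unsigned executables that do not elevate still run.'
} else {
    $findings += 'ValidateAdminCodeSignatures not set: unsigned executables can elevate after the UAC prompt.'
}
if ($isStandardUser -and $promptUser -eq 0) {
    $findings += 'SUA with ConsentPromptBehaviorUser=0: elevation requests on this account are denied outright.'
} elseif ($isStandardUser) {
    $shown = if ($null -eq $promptUser) { 'not set (default 3)' } else { $promptUser }
    $findings += "SUA with ConsentPromptBehaviorUser=$shown: elevation prompts for admin credentials."
} else {
    $findings += 'Account is in Administrators: ConsentPromptBehaviorUser does not apply; consider a SUA for daily use.'
}
if ($promptAdmin -eq 0) {
    $findings += 'ConsentPromptBehaviorAdmin=0: administrators elevate silently (weakest setting).'
}

# Result object; pipe to Format-List to read the findings in full.
[PSCustomObject]@{
    ValidateAdminCodeSignatures = $validateSig
    ConsentPromptBehaviorUser   = $promptUser
    ConsentPromptBehaviorAdmin  = $promptAdmin
    StandardUserAccount         = $isStandardUser
    Findings                    = $findings
}
```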
 

vitao
Thread author
Mar 12, 2024
Those tweaks cannot be done from CIS.
The tweak posted by TairikuOkami is well known, but it will prevent many installations of unsigned applications.

Code:
reg add "HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System" /v "ValidateAdminCodeSignatures" /t REG_DWORD /d "1" /f

That tweak can block the original Comodo bypass in your first video. The malware was unsigned, so it will fail to run instead of elevating. If it were ransomware, the execution could be continued in the sandbox with standard rights (no escape).
Thanks for the tip, but I am not going to mess with the registry when CIS should solve its problems. But it's a nice trick. I wonder if one day Microsoft will turn on the Defender sandbox by default and improve it...
 

Andy Ful
Dec 23, 2014
I wonder if one day Microsoft will turn on the Defender sandbox by default and improve it...

Defender sandbox is not auto-containment of unrecognized applications. It is used only to protect some Microsoft Defender processes against exploitation/tampering.
 
