COMODO Internet Security 2025 v12.3.4.8162 against ONE Malware = Not Contained

[vitao]

Video testing COMODO Internet Security 2025 v12.3.4.8162 against a Malware that was not isolated in the previous test:

This video has subtitles and descriptions translated into English, Spanish, Russian, Ukrainian and Hindi. If you need subtitles in other languages, just let me know and I'll provide them.

 

[Bot]

Thank you for sharing the video and providing subtitles in multiple languages. It's a great resource for users trying to understand how COMODO Internet Security 2025 v12.3.4.8162 performs against malware. If anyone needs subtitles in additional languages, please request here.

 

[vitao]

this bot is so cute...

 

[rashmi]

Video testing COMODO Internet Security 2025 v12.3.4.8162 against a Malware that was not isolated in the previous test:

Double-check the video to make sure everything is accurate. With a flash of digital energy, Comodo destroyed the malware, its processes ended, and its files deleted!

 

[Andy Ful]

@vitao,

Strangely, your video is now about CapCut (CapCut: Install multiple versions and keep them all working!).

 

[vitao]

@vitao,

Strangely, your video is now about CapCut (CapCut: Install multiple versions and keep them all working!).

ow? sorry. maybe its because the video is not published yet. its saved as draft so only people with the link can watch it. the link is this:

edit.: i can not update the first post. if some mod please edit it with the correct link, without the playlist segment.

 

[vitao]

Double-check the video to make sure everything is accurate. With a flash of digital energy, Comodo destroyed the malware, its processes ended, and its files deleted!

is that something wrong with the video? if so, please, show me what is inaccurate.

i tried with cis in its default config and the file was ignored by cis. i tried it with cruelsister config + changes of mine + loyisa recomendations regardless the script check and the file was ignored by cis too. so what was wrong?

ps.: i dont know if it seemed irony. if so, its not. im really curious about it. if ive donne something wrong, please show me and explain me whats wrong so i can conduct another test to show the results and do an errata for the video already online.

 

[Behold Eck]

@vitao,

Strangely, your video is now about CapCut (CapCut: Install multiple versions and keep them all working!).

Yeah what is going on ?

Regards Eck

 

[vitao]

Yeah what is going on ?

Regards Eck

already answered that with the correct link

 

[n8chavez]

@vitao really seems to be turned on by anti-comodo content and be generally anti-comodo in general. Why? I wonder what the phycological reasons are for such a deep seeded hatred from some with nothing to say except that narrow scope.

 

[Andy Ful]

This sample was created to download/run a malicious payload (exe.exe) from the hardcoded URL. Six minutes after it was created, the payload was uploaded to VirusTotal.
The URL hosted the payload for less than 90 minutes. I suspect this sample + payload was a POC or an early version of the malware.

Edit.
The sample should not be detected as trusted. However, if the payload was still hosted at the time of Comodo's analysis, the sample would not be flagged as Trusted.

 

[vitao]

This sample was created to download/run a malicious payload (exe.exe) from the hardcoded URL. Six minutes after it was created, the payload was uploaded to VirusTotal.
The URL hosted the payload for less than 90 minutes. I suspect this sample + payload was a POC or an early version of the malware.

Edit.
The sample should not be detected as trusted. However, if the payload was still hosted at the time of Comodo's analysis, the sample would not be flagged as Trusted.

the problem is that if the payload was supose to connect to someones host and download things, than cis should block it or atleast show a popup indicating the connection attempt.

as cis just ignored it, than its an malware bypassing cis, right? remember that cis is a firewall too.

edit.: as it seems, the file was sent to valkyrie way before i conducted the test and sent it to val.

 

[Andy Ful]

the problem is that if the payload was supose to connect to someones host and download things, than cis should block it or atleast show a popup indicating the connection attempt.

We agree that the detection should not be Trusted but for different reasons. The sample was uploaded to Comodo several hours after it was already "dead" (no payload available). Comodo analyzed only the sample, and it contained no active & malicious code. Anyway, the analyst should also check if the sample downloaded/executed the malicious payload in the past. Such information was already available on VirusTotal.

as cis just ignored it, than its an malware bypassing cis, right? remember that cis firewall too.

CIS ignored it because it did not do anything special.
When the sample was 1-hour malware it could be contained because initially it would be Unrecognized. Next, the sample would be uploaded to Comodo, but the analyst could see that it was a trojan downloader by analyzing the downloaded payload. Furthermore, even if the analyst made a mistake, this concrete sample could not infect Comodo users, because the sample was already "dead" after 90 minutes, long before the analyst could finish the analysis.
The design of Comodo's Auto-containment + Cloud analysis protects non-enterprise users against most malware, even when wrongly flagged as Trusted. Simply, most new malware are short-living, so they are Unrecognized and auto-contained.

edit.: as it seems, the file was sent to valkyrie way before i conducted the test and sent it to val.

Yes, but several hours after the payload disappeared from the malicious domain.

Edit 1.
In theory, such false negatives might be used in targeted attacks by reusing the sample with another payload.
Edit2.
I think that such incomplete malware should be removed from testing (except for very special false negative tests). The AV detection (not only Comodo's) will depend on the fact that the sample is complete (with payload) or incomplete (payload not available).

 

[Andy Ful]

Here is how the sample is detected after changing the hardcoded URL to unknown for AVs:

It looks like Xcitium can detect the sample as trojan even when the sample hash is changed.

 

[vitao]

Here is how the sample is detected after changing the hardcoded URL to unknown for AVs:

View attachment 286637

It looks like Xcitium can detect the sample as trojan even when the sample hash is changed.

I see. So the file would probably download something that was really dangerous, but the remote server was down, and that's why CIS doesn't detect anything dangerous. Is that it?

If that's the case, then something doesn't make sense for two reasons:

1) If you look at VirusTotal now, you'll see that the number of engines detecting only this executable as a Trojan is increasing, and if the supposed remote server is down, it means that the engines are detecting the executable as dangerous and not what it would download from the remote server. Therefore, CIS failed to recognize this file as dangerous.

2) If the executable isn't dangerous, but rather some file that it would supposedly download, then CIS also failed to identify an attempt to connect to an unknown remote server. Even if the server is down, the executable hasn't been changed, so it would be trying to connect to this server, regardless of whether it's offline or not. At most, it would try to connect or check if the server is online and if it is not, it would not try to establish a connection. However, some network interaction would still be necessary for this verification and this interaction should be intercepted by the CIS and it should warn about it, which does not happen.

Considering what you explained, one could conclude that this could perhaps be classified as just an undesirable program and not as malware, but the identifications of more than 40 engines make it clear that it is a Trojan.

Considering everything you mentioned, a more detailed analysis that was being carried out until a few minutes ago and the results obtained by other engines, I will keep the video online because until proven otherwise, it is malware and Comodo Internet Security was not able to identify anything about it or its actions (or attempted actions), while many others identify it immediately. But I will add an update to the video description explaining this situation.

Or do you think I am wrong in this decision?

 

[vitao]

If anyone is interested. Here is the new topic about the new cis release against the loyisa exploit/poc.

 

[Andy Ful]

I see. So the file would probably download something that was really dangerous, but the remote server was down, and that's why CIS doesn't detect anything dangerous. Is that it?

Yes and No. CIS did not encounter the full sample (initial sample + payload) but only the "currently unharmful" part of it (no payload).
Most AVs would detect such a sample as not harmful as I presented in my previous post (sample with changed URL to non-existent payload):
https://malwaretips.com/threads/com...one-malware-not-contained.134116/post-1111332

If that's the case, then something doesn't make sense for two reasons:

1) If you look at VirusTotal now, you'll see that the number of engines detecting only this executable as a Trojan is increasing, and if the supposed remote server is down, it means that the engines are detecting the executable as dangerous and not what it would download from the remote server. Therefore, CIS failed to recognize this file as dangerous.

You are wrong. The increasing number of detections is caused by borrowing detections from other AVs. Look at the detections in my previous post. The submitted sample is as malicious as your sample (no difference for AVs).

2) If the executable isn't dangerous, but rather some file that it would supposedly download, then CIS also failed to identify an attempt to connect to an unknown remote server.
Even if the server is down, the executable hasn't been changed, so it would be trying to connect to this server, regardless of whether it's offline or not. At most, it would try to connect or check if the server is online and if it is not, it would not try to establish a connection. However, some network interaction would still be necessary for this verification and this interaction should be intercepted by the CIS and it should warn about it, which does not happen.

AVs do not fail while allowing silent connections to unknown servers. In this way, most AVs would also fail as can be seen in the detection example from my previous post.

Considering what you explained, one could conclude that this could perhaps be classified as just an undesirable program and not as malware, but the identifications of more than 40 engines make it clear that it is a Trojan.

Yes, the sample should be detected as a trojan when full information about its history is known. CIS failed in some way, just as most AVs would fail in similar situations.

Considering everything you mentioned, a more detailed analysis that was being carried out until a few minutes ago and the results obtained by other engines, I will keep the video online because until proven otherwise, it is malware and Comodo Internet Security was not able to identify anything about it or its actions (or attempted actions), while many others identify it immediately. But I will add an update to the video description explaining this situation.

Or do you think I am wrong in this decision?

It is your video. I would keep the sample and use it to show that such incomplete samples can be problematic in tests (for any AV). With such samples, the AV detection result can depend on the moment when the sample was analyzed and not entirely on the AV capabilities.

Edit.
Still, I do not fully understand why Xcitium can detect by signature the sample with a modified URL, but your sample (which behaves in the same way) was considered Trusted by the Comodo analyst. It is possible that initially, Comodo could detect your sample as malicious too, and that detection would change to Trusted after Valkyrie analysis.

 

[Rosealbert]

Can you share the video link? It helps to be easy to understand.

 

[vitao]

Yes and No. CIS did not encounter the full sample (initial sample + payload) but only the "currently unharmful" part of it (no payload).
Most AVs would detect such a sample as not harmful as I presented in my previous post (sample with changed URL to non-existent payload):
https://malwaretips.com/threads/com...one-malware-not-contained.134116/post-1111332




You are wrong. The increasing number of detections is caused by borrowing detections from other AVs. Look at the detections in my previous post. The submitted sample is as malicious as your sample (no difference for AVs).



AVs do not fail while allowing silent connections to unknown servers. In this way, most AVs would also fail as can be seen in the detection example from my previous post.



Yes, the sample should be detected as a trojan when full information about its history is known. CIS failed in some way, just as most AVs would fail in similar situations.



It is your video. I would keep the sample and use it to show that such incomplete samples can be problematic in tests (for any AV). With such samples, the AV detection result can depend on the moment when the sample was analyzed and not entirely on the AV capabilities.

Edit.
Still, I do not fully understand why Xcitium can detect by signature the sample with a modified URL, but your sample (which behaves in the same way) was considered Trusted by the Comodo analyst. It is possible that initially, Comodo could detect your sample as malicious too, and that detection would change to Trusted after Valkyrie analysis.

i understand what youre saying but its hard to agree as the sample has this from others vendors: VirusTotal

for now its 45/72. its a big "wrong detection" by many names. my argument just gains force. if its an file that download something bad but its not downloading anything anymore, thus cis do not detect it, so why not detect the connection try out? the file is there. you say that its a file that tries to download something from some remote server, but can you provide the ip for it? or where did you get this information?

anyways, even if its right, what youre saying, still, cis should block it or atleast show some alert as the file is supose to try to connect to an unknow ip.

edit.: just for clarification. the test is to show a problem. a file that is a malware and cis do not block nor detect it. as in every video showing this kind of thing with cis. and to have a point i show the results from virustotal and valkyrie itself. it really doesnt matter that much what kind of malware it is or if the server is down or not. what matters the most for users is that cis (and others) fail to prevent execution of an malware classified by many as a trojan. and thats the point. but its nice to hear yous explanations as i learn many good things and learn somethings not so good about many.

 

[Andy Ful]

@vitao,

I am sorry, I cannot explain it better. Be safe.