Serious Discussion Comodo Internet Security 2025 was obliterated by an exploit!

vitao

Level 2
Thread author
Mar 12, 2024
64
This video demonstrates how an exploit was able to obliterate Comodo Internet Security 2025's AutoContainment, completely rendering all layers of protection of this free security suite, which is well-known for its virtualization technology, useless.

Check this out:

The video has subtitles in 10 languages, including English, so anybody can watch and understand.
 

Brahman

Level 18
Verified
Top Poster
Well-known
Aug 22, 2013
891
> This video demonstrates how an exploit was able to obliterate Comodo Internet Security 2025's AutoContainment, completely rendering all layers of protection of this free security suite, which is well-known for its virtualization technology, useless.
>
> Check this out:
>
> The video has subtitles in 10 languages, including English, so anybody can watch and understand.

This is nothing new. See this App Review - The Comodo's challenge.
 

rashmi

Level 12
Jan 15, 2024
562
> This video demonstrates how an exploit was able to obliterate Comodo Internet Security 2025's AutoContainment, completely rendering all layers of protection of this free security suite, which is well-known for its virtualization technology, useless.
My Comodo setup will obliterate this exploit, as I use "block" for unrecognized files and elevated prompts. 😛

We have malware files interacting with the actual system, a running process, and Comodo's cmdagent in quarantine, correct? I wonder if the current Comodo certificate issue plays some part in this, as cmdagent is in quarantine.

You tested on Windows 10. Possible for you to test again? You can test and just provide the outcome here; no need for video.
1. Use Comodo's previous version, not 2025. I guess it has a valid certificate, right?
2. If Comodo treats a VM file as unrecognized, mark it as "trusted" in file rating, not "ignore" in containment.
3. Also disable the containment setting: "Enable automatic startup for services installed in the container."
 

Brahman

Level 18
Verified
Top Poster
Well-known
Aug 22, 2013
891
> In that thread, it was done through a lnk file, but this time it was done directly by running the exe file and getting contained by Comodo, which is different.
An LNK file is a Windows shortcut, which points to and is used to open another file, folder, or application. It contains information about the object to which it points, including the object's type, location, and filename. How do you know that the lnk file was not pointing to an exe file? Andy would be the best person to explain this. But as far as I know, no AV is immune to this kind of attack; even the big K is susceptible.
 

Loyisa

Level 1
Aug 8, 2024
20
> An LNK file is a Windows shortcut, which points to and is used to open another file, folder, or application. It contains information about the object to which it points, including the object's type, location, and filename. How do you know that the lnk file was not pointing to an exe file?
In that thread, the lnk file was used to execute cmd commands.
And Comodo's script analysis does not check lnk files. I have reported this problem.
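Brahman's description of what an LNK carries and Loyisa's point that the script analysis does not look inside .lnk files come down to the same detail: the shortcut's target and its command-line arguments are plain StringData fields in the MS-SHLLINK format, so a scanner has to parse them before it can judge them. The Python below is an added example, not code from the thread, from Comodo or from any vendor: it builds a constructed sample shortcut, parses the header and StringData back out, and flags a target or argument list that names a script host (the function names and the host list are my own choice).

```python
import struct

# Shell Link (MS-SHLLINK) essentials. Illustrative code, not Comodo's or any AV vendor's.
LNK_CLSID = bytes.fromhex("0114020000000000c000000000000046")
HAS_ID_LIST, HAS_LINK_INFO, IS_UNICODE = 0x01, 0x02, 0x80
# StringData fields appear in this fixed order, each only if its LinkFlags bit is set.
STRING_FIELDS = [(0x04, "name"), (0x08, "relative_path"), (0x10, "working_dir"),
                 (0x20, "arguments"), (0x40, "icon_location")]
# Script hosts a scanner would want to notice in a shortcut's target or arguments.
SCRIPT_HOSTS = ("cmd.exe", "powershell.exe", "wscript.exe", "cscript.exe", "mshta.exe")

def build_lnk(relative_path, arguments):
    """Constructed sample .lnk: 0x4C-byte header plus two UTF-16LE StringData fields."""
    flags = 0x08 | 0x20 | IS_UNICODE  # HasRelativePath | HasArguments | IsUnicode
    header = struct.pack("<I16sIIQQQIIIHHII", 0x4C, LNK_CLSID, flags,
                         0, 0, 0, 0, 0, 0, 1, 0, 0, 0, 0)  # zeroed attrs/times, SW_SHOWNORMAL
    def string_data(s):  # CountCharacters (WORD) followed by the characters, no terminator
        return struct.pack("<H", len(s)) + s.encode("utf-16-le")
    return header + string_data(relative_path) + string_data(arguments)

def parse_lnk(blob):
    """Return the StringData fields of a .lnk as a dict, skipping IDList and LinkInfo."""
    if len(blob) < 0x4C or blob[:4] != b"\x4c\x00\x00\x00" or blob[4:20] != LNK_CLSID:
        raise ValueError("not a Shell Link file")
    flags = struct.unpack_from("<I", blob, 20)[0]
    pos = 0x4C
    if flags & HAS_ID_LIST:    # IDListSize (WORD) followed by the item ID list
        pos += 2 + struct.unpack_from("<H", blob, pos)[0]
    if flags & HAS_LINK_INFO:  # LinkInfoSize (DWORD) covers the whole LinkInfo structure
        pos += struct.unpack_from("<I", blob, pos)[0]
    fields, width = {}, (2 if flags & IS_UNICODE else 1)
    for bit, name in STRING_FIELDS:
        if flags & bit:
            count = struct.unpack_from("<H", blob, pos)[0]
            raw = blob[pos + 2:pos + 2 + count * width]
            fields[name] = raw.decode("utf-16-le" if width == 2 else "cp1252")
            pos += 2 + count * width
    return fields

def is_script_launcher(fields):
    """True when the shortcut's target path or arguments name a script host."""
    text = (fields.get("relative_path", "") + " " + fields.get("arguments", "")).lower()
    return any(host in text for host in SCRIPT_HOSTS)

if __name__ == "__main__":
    sample = build_lnk(r"..\..\Windows\System32\cmd.exe", "/c echo constructed-sample")
    print(parse_lnk(sample), is_script_launcher(parse_lnk(sample)))
```

A real scanner would also walk the LinkTargetIDList and the optional ExtraData blocks, which this example only skips; the point is that the command line is recoverable from the file without executing it.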
 

Andy Ful

From Hard_Configurator Tools
Verified
Honorary Member
Top Poster
Developer
Well-known
Dec 23, 2014
8,549
> This video demonstrates how an exploit was able to obliterate Comodo Internet Security 2025's AutoContainment, completely rendering all layers of protection of this free security suite, which is well-known for its virtualization technology, useless.

The attack method has been known in the wild for a few years:

It is different from the Comodo Challenge:
 

vitao

Level 2
Thread author
Mar 12, 2024
64
and so far no word from comodo, and no bugfix for it... hell. even the cert issue is taking so long to be solved (almost 2 months now) :p

regardless of the exploit. according to the dev, if i test it with the setup i did in my video about cis + kav against 100 malwares, kav would block this attack from defeating cis. this will be tested and if it's true a wild video will appear...
 

vitao

Level 2
Thread author
Mar 12, 2024
64
> My Comodo setup will obliterate this exploit, as I use "block" for unrecognized files and elevated prompts. 😛
>
> We have malware files interacting with the actual system, a running process, and Comodo's cmdagent in quarantine, correct? I wonder if the current Comodo certificate issue plays some part in this, as cmdagent is in quarantine.
>
> You tested on Windows 10. Possible for you to test again? You can test and just provide the outcome here; no need for video.
> 1. Use Comodo's previous version, not 2025. I guess it has a valid certificate, right?
> 2. If Comodo treats a VM file as unrecognized, mark it as "trusted" in file rating, not "ignore" in containment.
> 3. Also disable the containment setting: "Enable automatic startup for services installed in the container."
@Loyisa do you know any config in cis that could possibly "block" the exploit? I'm not having any luck (and I'm trying)
 

vitao

Level 2
Thread author
Mar 12, 2024
64
> Yes, the block setting should stop the execution/continuation (elevated prompt) of the sample.
but the idea is not to force block, as comodo blocks by user interaction when it comes to unknown files, so the file must be allowed by hips, for example, so the containment can act. i'm trying to find a way (if there is one) to make the containment deal with this kind of situation for any kind of file. is that possible?
 

simmerskool

Level 38
Verified
Top Poster
Well-known
Apr 16, 2017
2,727
> but the idea is not to force block, as comodo blocks by user interaction when it comes to unknown files, so the file must be allowed by hips, for example, so the containment can act. i'm trying to find a way (if there is one) to make the containment deal with this kind of situation for any kind of file. is that possible?
cruelsister config has HIPS disabled IIRC...
 

vitao

Level 2
Thread author
Mar 12, 2024
64
did some more testing and there is no way cis can block it by auto-containment. it's an exploit and comodo has been aware of it for at least a year or 2. now there's the problem with the revoked certificate. i saw cruelsister taking the attention to other matters instead of this exploitation, some others trying to ignore the fact it's a problem, and comodo just doesn't care to solve it (or doesn't have the manpower to do so, or the knowledge maybe?).

i really don't know what more to think of it.

not that this can make me stop using cis or whatever, but still... right? or am i getting a little crazy here?
 

rashmi

Level 12
Jan 15, 2024
562
> did some more testing and there is no way cis can block it by auto-containment. it's an exploit and comodo has been aware of it for at least a year or 2. now there's the problem with the revoked certificate. i saw cruelsister taking the attention to other matters instead of this exploitation, some others trying to ignore the fact it's a problem, and comodo just doesn't care to solve it (or doesn't have the manpower to do so, or the knowledge maybe?).
>
> i really don't know what more to think of it.
>
> not that this can make me stop using cis or whatever, but still... right? or am i getting a little crazy here?
It's most likely a containment bug, so it's pointless to continue testing. Consider posting your test on Comodo forums for feedback.

I share your opinion that "Comodo is not suitable for everyone." Here's mine: "Containment serves for evaluation, not protection."

Comodo initially offered "Partially Limited" and "Limited" containment/restriction levels as protection features. The levels would restrict the rights of unknown applications on the system. Comodo's introduction of additional levels brought about changes in its functioning. They implemented "full virtualization" for running unknown applications. Containment is more of an evaluation feature now since users can't use or save their work with contained/restricted applications as they could previously. With the capability to run most applications, "Run Virtually" enables knowledgeable users to evaluate unknown apps. "Block" prevents unknown applications from running or causing harm. "Restriction Level" is nothing more than a "security display."

From my point of view, any setup that suggests "Restriction Level" for protection is merely a display of security. Why? Most users do not evaluate contained applications, so tightening the feature suggestion is unnecessary. When users encounter a containment alert or a green-bordered application, they typically close it and resume their work. "Block" is the ideal solution for these users, providing both protection and usability.
 

Behold Eck

Level 18
Verified
Top Poster
Well-known
Jun 22, 2014
870
> @Loyisa do you know any config in cis that could possibly "block" the exploit? I'm not having any luck (and I'm trying)
Why not try a pure HIPS test with the different settings, "safe mode" to "paranoid mode" to see if there are any alerts to block the exploit?

Regards Eck:)
 
