Serious Discussion Comodo Internet Security 2025 was obliterated by an exploit!

rashmi

Level 13
Jan 15, 2024
650
If you are using a signed PoC, search the "Vendor List" for the vendor. Also, check "HIPS Events" in Logs for the Cloud verdict. Based on this, you can disable features and retest.
 

vitao

Level 3
Thread author
Mar 12, 2024
148
I'd assume the language we warned you about and how to talk to other members of the forum.
I thought so, but it was not anything related to forum users nor disrespect to anyone. It was just one person who, for whatever reason, was frustrated about one word used in a sentence which had nothing to do with this user or his feelings, but he was in need of some attention and tried to change the subject to make this personal. At least that is what I'm feeling about it. As feelings are what people take into consideration, maybe my feelings would be taken into it too. No?

See the problem? (I think I managed to explain a little bit more this time.)

Oh, by the way, I apologized for the word even if there was nothing wrong with it. Anyway... we are off topic again.
 

outlawxtorn

Level 6
Verified
Content Creator
May 29, 2017
284
I thought so, but it was not anything related to forum users nor disrespect to anyone. It was just one person who, for whatever reason, was frustrated about one word used in a sentence which had nothing to do with this user or his feelings, but he was in need of some attention and tried to change the subject to make this personal. At least that is what I'm feeling about it. As feelings are what people take into consideration, maybe my feelings would be taken into it too. No?

See the problem? (I think I managed to explain a little bit more this time.)

Oh, by the way, I apologized for the word even if there was nothing wrong with it. Anyway... we are off topic again.
Agree to disagree; apologies, by the way, for getting you off topic.
 

Bot

AI-powered Bot
Apr 21, 2016
4,599
Great job on finding a solution! This will definitely help many users. If anyone has specific language subtitle requests, feel free to ask.
 

Andy Ful

From Hard_Configurator Tools
Verified
Honorary Member
Top Poster
Developer
Well-known
Dec 23, 2014
8,681
Thanks. :)(y)
After disabling alerts (silent mode), such a restricted setup can protect children, happy clickers, etc. However, an advanced user (family administrator) must manage false positives. It will work best with signed applications because the signer can be added to the Trusted Vendors list.
Disabling cloud lookup can also prevent inexperienced users from installing new applications, so the family administrator has some control over what is installed on the computer.
 

rashmi

Level 13
Jan 15, 2024
650
According to the Comodo alert, the PoC has a digital signature. It appears the Comodo cloud contains this signature, but the local whitelist does not. As a result, the PoC failed in this test. If you had checked the Comodo logs as I repeatedly suggested, you would have discovered this solution during the first test. The problem with your PoC tests is that you post the results without confirming them.

Nothing new here. What comes next? A PoC uses a certificate on the Comodo local whitelist, alongside a method to disable that whitelist! 😊
 

vitao

Level 3
Thread author
Mar 12, 2024
148
According to the Comodo alert, the PoC has a digital signature. It appears the Comodo cloud contains this signature, but the local whitelist does not. As a result, the PoC failed in this test. If you had checked the Comodo logs as I repeatedly suggested, you would have discovered this solution during the first test. The problem with your PoC tests is that you post the results without confirming them.

Nothing new here. What comes next? A PoC uses a certificate on the Comodo local whitelist, alongside a method to disable that whitelist! 😊
Sorry, but you're wrong. The exe has certs but the dll hasn't (at least it seems so). The dll continues to be ignored by CIS, cloud lookup, Valkyrie, etc., but even Windows Defender can recognize it. So, no, the test is not wrong, and there is nothing to check in the logs, as CIS has no proper log for this dll, just that it's not recognized but still allowed to run on the default config.

Edit: the confirmation is the file running, ruining personal files, and CIS doing nothing to prevent it. In this case, with the config changed, CIS can prevent the exe from executing but not the dll, so if the exe had a valid cert from a vendor (like, let's say, Sectigo?), even with this configuration CIS would not prevent the exe from running, so...

Edit: and the funny part is cruelsister saying that allowing ransomware to run is a trivial issue...
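A way to check the pattern argued about in this post (a signed EXE sitting next to an unsigned DLL) on your own machine before relying on the vendor whitelist. This is an added example, not code from the thread, from Comodo or from any poster; it uses only the built-in Get-AuthenticodeSignature cmdlet, and the $Path parameter is an assumption.

```powershell
# Added example (not from the thread): for every EXE under $Path, list the DLLs
# in the same directory and flag the "signed EXE, unsigned DLL" combination.
# A vendor-trust rule that keys on the EXE's signer says nothing about such DLLs.
param(
    [string]$Path = (Get-Location).Path   # assumed parameter: folder to audit
)

function Get-SigState {
    param([string]$File)
    $sig = Get-AuthenticodeSignature -FilePath $File
    [pscustomobject]@{
        File   = $File
        Status = $sig.Status                 # Valid, NotSigned, HashMismatch, ...
        Signer = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '' }
    }
}

Get-ChildItem -Path $Path -Recurse -Filter *.exe -ErrorAction SilentlyContinue | ForEach-Object {
    $exe = Get-SigState $_.FullName
    # DLLs beside the EXE are the ones the loader resolves first for a sideload.
    $dlls = Get-ChildItem -Path $_.DirectoryName -Filter *.dll -ErrorAction SilentlyContinue |
            ForEach-Object { Get-SigState $_.FullName }
    $unsigned = @($dlls | Where-Object { $_.Status -ne 'Valid' })
    if ($exe.Status -eq 'Valid' -and $unsigned.Count -gt 0) {
        [pscustomobject]@{
            Exe          = $exe.File
            ExeSigner    = $exe.Signer
            UnsignedDlls = ($unsigned | ForEach-Object { Split-Path $_.File -Leaf }) -join ', '
        }
    }
} | Format-Table -AutoSize
```

A signed EXE with no unsigned neighbours produces no row; rows that do appear are the places where a Trusted Vendors entry alone is not a guarantee and the HIPS/containment logs are worth a second look.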
 

Andy Ful

From Hard_Configurator Tools
Verified
Honorary Member
Top Poster
Developer
Well-known
Dec 23, 2014
8,681
Disabling cloud lookup significantly reduces the possibility of attackers using the Trusted (but vulnerable) EXE files to avoid auto-containment. This approach is similar to WDAC or AppLocker policies (strict default-deny, no cloud app reputation). It can also prevent other attack vectors (different from DLL hijacking) when Trusted files are exploited. The shorter the Trusted Vendors list, the smaller the chances of infection.

I do not recommend disabling cloud lookup, except when a "family administrator" has the motivation to protect "computer illiterate" users or when Comodo is used in organizations.
I do not use such a setup, so I cannot exclude the possibility that it might be hardly usable in practice. I think that Comodo users can share some thoughts about it in this thread.
 

Vitali Ortzi

Level 28
Verified
Top Poster
Well-known
Dec 12, 2016
1,764
I do not recommend disabling cloud lookup, except when a "family administrator" has the motivation to protect "computer illiterate" users or when Comodo is used in organizations.
I do not use such a setup, so I cannot exclude the possibility that it might be hardly usable in practice. I think that Comodo users can share some thoughts about it in this thread.
Defeats the purpose. I use Comodo as the Comodo cloud has fewer false positives than WDAC, Smart App Control, etc., which are superior in terms of security.
Anyway, I came to the conclusion that the best way to use Comodo is as a layer to add to AV software (it's super light and stops nearly every malware).
And those that want something more restrictive should use built-in protection or something like VoodooShield.
 

Andy Ful

From Hard_Configurator Tools
Verified
Honorary Member
Top Poster
Developer
Well-known
Dec 23, 2014
8,681
Cloud Lookup is disabled in this video by @cruelsister:
 

Vitali Ortzi

Level 28
Verified
Top Poster
Well-known
Dec 12, 2016
1,764
Cloud Lookup is disabled in this video by @cruelsister:

She disabled it specifically to show that the containment blocks the samples in her videos as it was marked as malware.
But she doesn't disable cloud lookup in her config.
Yes, disabling cloud is definitely far more restrictive, but it makes the product too unusable, as it's always a balance between false positives, and at that ratio of false positives you're better off using superior built-in protections.

Anyway, I really miss cruelsister in this forum; she's absolutely an expert on everything Comodo and more.
 

Andy Ful

From Hard_Configurator Tools
Verified
Honorary Member
Top Poster
Developer
Well-known
Dec 23, 2014
8,681
Yes, disabling cloud is definitely far more restrictive, but it makes the product too unusable...

It will be unusable for most MT members. But it is more usable than Linux, Windows in S Mode, etc. I think that 1/3 (or more) of average users could use it with the help of family administrators. Many people use computers with already installed applications and do not change anything. The problem can rather be a lack of family administrators. :)
When using signed applications, this setup does not produce false positives while the system or applications are updated. In such a case it will be more usable than Smart App Control, which can sometimes (partially) block signed updates due to unsigned DLLs.
 

oldschool

Level 85
Verified
Top Poster
Well-known
Mar 29, 2018
7,781
Anyway, I really miss cruelsister in this forum; she's absolutely an expert on everything Comodo and more.
She's missing because of this:
I've given up on MT recently as it seems to be overrun by Trolls for only God knows why. I've posted videos about various AM applications (MB, ESET, Emsisoft, Symantec, etc.) being bypassed by malware (and these could be confirmed as the malware was in the Wild), all of which raised barely a peep, but when something trivial is found against Comodo it's like the World is ending.
Comodo Internet Security 2025 Beta / Final / Infos Thread
 

vitao

Level 3
Thread author
Mar 12, 2024
148
Well, after testing it for the video I continued to use this config on the same VM. I tried to make this VM almost the same as my main computer. After some time using it I understand that it's a good way of using CIS, but it has more popups and more user decisions to make, and it's not a good place for many, but CIS just works fine after some hours using it, marking files as trusted, etc. Almost like if it was HIPS in learning mode. But more secure...
 

outlawxtorn

Level 6
Verified
Content Creator
May 29, 2017
284
She disabled it specifically to show that the containment blocks the samples in her videos as it was marked as malware.
But she doesn't disable cloud lookup in her config.
Yes, disabling cloud is definitely far more restrictive, but it makes the product too unusable, as it's always a balance between false positives, and at that ratio of false positives you're better off using superior built-in protections.

Anyway, I really miss cruelsister in this forum; she's absolutely an expert on everything Comodo and more.
I also miss Cruel; she is THE Comodo expert.
 

rashmi

Level 13
Jan 15, 2024
650
Disabling cloud lookup significantly reduces the possibility of attackers using the Trusted (but vulnerable) EXE files to avoid auto-containment. This approach is similar to WDAC or AppLocker policies (strict default-deny, no cloud app reputation). It can also prevent other attack vectors (different from DLL hijacking) when Trusted files are exploited. The shorter the Trusted Vendors list, the smaller the chances of infection.

I do not recommend disabling cloud lookup, except when a "family administrator" has the motivation to protect "computer illiterate" users or when Comodo is used in organizations.
I do not use such a setup, so I cannot exclude the possibility that it might be hardly usable in practice. I think that Comodo users can share some thoughts about it in this thread.
Most users shouldn't disable cloud lookup or whitelists. Instead, I suggest using Comodo Firewall Proactive Security with Microsoft Defender. If you don't use containment, replacing it with blocking unknowns will enhance protection. Experts can remove certain vendors from the trusted vendor list and disable cloud lookup. This will undoubtedly become bothersome, particularly when running unsigned applications without cloud lookup. If Comodo offered an "ask" option for auto-containment alerts, I'd definitely keep core vendors and disable cloud lookup.

My suggestion for most is this.
* Comodo Firewall Proactive Security with Microsoft Defender
(I've opted against antivirus software for my family; Comodo Cloud Signatures offer sufficient "supplemental" protection for practical purposes or real-world scenarios.)
* Auto-Containment blocking unknowns
* Uncheck the first and third options in containment settings
* HIPS disabled
* Firewall blocking incoming connections or stealth mode
* Firewall treating the location as public
* VirusScope disabled or uncheck the third option in VirusScope to monitor applications on the system
(I've turned off VirusScope on my family's systems.)
* Website Filtering disabled
 
