Serious Discussion Comodo Internet Security 2025 was obliterated by an exploit!

Andy Ful

From Hard_Configurator Tools
Verified
Honorary Member
Top Poster
Developer
Well-known
Dec 23, 2014
8,681
Most users shouldn't disable cloud lookup or whitelists. Instead, I suggest using Comodo Firewall Proactive Security with Microsoft Defender.

Any setup CF + MD will be OK. To avoid many CF false positives, one can set auto-containment for Unrecognized applications that are less than 1 day old.
Containment >> Auto-containment >> Criteria >> Edit >> File age
 

vitao

Level 3
Thread author
Mar 12, 2024
147
CF + WD are good, but I think maybe Kasper Free + CF would be a better way to go for low system resource usage, better protection and better "cleaning" of dangerous files.
 

vitao

Level 3
Thread author
Mar 12, 2024
147
"We" managed to "solve" the CIS problem with Exploit!!!

➔ Changing ONE configuration makes CIS BLOCK the Exploit:



Video with subtitles for more than 10 languages. If you need any subtitles, let me know and I will provide them.


Hello guys. I'm sorry for not remembering the dude who talked to me about it, but almost all my videos about CIS are merged on this same topic. It's better this way so anybody can find everything related to this in the same place, like this one I quoted: the video showing how CIS can prevent the ransomware from being executed using @Andy Ful's recommendations for config.
 

rashmi

Level 13
Jan 15, 2024
646
Any setup CF + MD will be OK. To avoid many CF false positives, one can set auto-containment for Unrecognized applications that are less than 1 day old.
Containment >> Auto-containment >> Criteria >> Edit >> File age
Yes, it's possible to adjust protection or usability for users.
* For static or parents' systems, you can ignore unsigned installed apps or apps on Comodo's cloud whitelist in auto-containment and create firewall rules for apps' successful automatic updates. Subsequently, disable cloud lookup and set auto-containment to block. Likewise, you can update the trusted vendor list to include installed signed apps or vendors unknown to Comodo.
* For beginners or less experienced users, you can adjust the unrecognized apps rule to block and include file age parameters for improved usability and zero-day protection.
 

vitao

Level 3
Thread author
Mar 12, 2024
147
Yes, it's possible to adjust protection or usability for users.
* For static or parents' systems, you can ignore unsigned installed apps or apps on Comodo's cloud whitelist in auto-containment and create firewall rules for apps' successful automatic updates. Subsequently, disable cloud lookup and set auto-containment to block. Likewise, you can update the trusted vendor list to include installed signed apps or vendors unknown to Comodo.
* For beginners or less experienced users, you can adjust the unrecognized apps rule to block and include file age parameters for improved usability and zero-day protection.
I'm sorry to be so dumb or lazy, but can you do these configurations, export and share? Or take pictures of these changes to show here?
 

rashmi

Level 13
Jan 15, 2024
646
I'm sorry to be so dumb or lazy, but can you do these configurations, export and share? Or take pictures of these changes to show here?
The configuration depends on "File age" parameters. It focuses more on usability than protection. It is not as secure as the Comodo configurations. One should use this configuration alongside an antivirus.

Remove the All Apps Unrecognized rule under Auto-Containment
Click Add
Set Action to Block
Click Edit
Click Browse and select Executables from File Groups
Set Unrecognized under File rating
Set Less Than 1 day(s) for File age
Click OK on all windows
Move the new rule to the bottom and click OK

Comodo will block any unrecognized executable less than a day old and allow it after a day. For details on executables or other file groups, check File Rating - File Groups.
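The rule above is decided by two file properties, the rating (Unrecognized) and the age (less than 1 day), with the first matching rule in the ordered auto-containment list deciding the action, which is why the new rule's position matters. The following Python model is an added illustration written for this page, not Comodo's code: the rating labels, the `Rule`/`FileInfo` structures and the policy list are assumptions, and the sample files are constructed in a temporary directory with backdated modification timestamps.

```python
import os
import tempfile
import time
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional

# Assumed model of an ordered auto-containment policy: the first rule whose
# predicate matches decides the action; a file matching no rule runs normally.
SECONDS_PER_DAY = 24 * 60 * 60


@dataclass
class FileInfo:
    path: str
    rating: str          # assumed labels: "trusted", "unrecognized", "malicious"
    is_executable: bool  # stands in for membership of the "Executables" file group


@dataclass
class Rule:
    name: str
    action: str  # "block" here; other containment actions are not modelled
    matches: Callable[[FileInfo, float], bool]  # (file, age in seconds) -> bool


def file_age_seconds(path: str, now: Optional[float] = None) -> float:
    """Age derived from the file's modification timestamp."""
    now = time.time() if now is None else now
    return now - os.path.getmtime(path)


def young_unrecognized_exe(info: FileInfo, age: float) -> bool:
    """Executables + File rating Unrecognized + File age less than 1 day."""
    return info.is_executable and info.rating == "unrecognized" and age < SECONDS_PER_DAY


# The thread's rule, placed last so that any earlier rule would take precedence.
POLICY: List[Rule] = [
    Rule("Unrecognized executables younger than 1 day", "block", young_unrecognized_exe),
]


def evaluate(rules: List[Rule], info: FileInfo, now: Optional[float] = None) -> str:
    """Return the action of the first matching rule, or "allow" if none matches."""
    age = file_age_seconds(info.path, now)
    for rule in rules:
        if rule.matches(info, age):
            return rule.action
    return "allow"


def demo(now: Optional[float] = None) -> Dict[str, str]:
    """Evaluate constructed sample files whose mtimes are backdated by a chosen age."""
    now = time.time() if now is None else now
    # (file name, assumed rating, age in seconds) -- constructed sample data
    samples = [
        ("fresh_unknown.exe", "unrecognized", 2 * 3600),        # 2 hours old
        ("old_unknown.exe", "unrecognized", 3 * SECONDS_PER_DAY),  # 3 days old
        ("fresh_trusted.exe", "trusted", 60),                   # rating is not Unrecognized
        ("fresh_unknown.txt", "unrecognized", 60),              # not in the Executables group
    ]
    results: Dict[str, str] = {}
    with tempfile.TemporaryDirectory() as tmp:
        for name, rating, age in samples:
            path = os.path.join(tmp, name)
            with open(path, "wb") as fh:
                fh.write(b"constructed placeholder, not a real program")
            os.utime(path, (now - age, now - age))  # backdate atime/mtime
            info = FileInfo(path, rating, name.endswith(".exe"))
            results[name] = evaluate(POLICY, info, now)
    return results


if __name__ == "__main__":
    for name, action in demo().items():
        print(f"{name}: {action}")
```

Only the two-hour-old unrecognized executable is blocked; the same file three days later, a trusted executable, and an unrecognized non-executable all fall through to "allow", which is the usability trade-off the post describes.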
 

vitao

Level 3
Thread author
Mar 12, 2024
147
The configuration depends on "File age" parameters. It focuses more on usability than protection. It is not as secure as the Comodo configurations. One should use this configuration alongside an antivirus.

Remove the All Apps Unrecognized rule under Auto-Containment
Click Add
Set Action to Block
Click Edit
Click Browse and select Executables from File Groups
Set Unrecognized under File rating
Set Less Than 1 day(s) for File age
Click OK on all windows
Move the new rule to the bottom and click OK

Comodo will block any unrecognized executable less than a day old and allow it after a day. For details on executables or other file groups, check File Rating - File Groups.
perfect. thank you bro.
 

vitao

Level 3
Thread author
Mar 12, 2024
147
Guys, one question. Does anybody know if CIS has any difference in detection by using the light or the full database signatures? I saw Eric talking about it on Comodo's forum and it got me curious.

Maybe a new test with both databases with the same malware pack?
 

rashmi

Level 13
Jan 15, 2024
646
Guys, one question. Does anybody know if CIS has any difference in detection by using the light or the full database signatures? I saw Eric talking about it on Comodo's forum and it got me curious.

Maybe a new test with both databases with the same malware pack?
Using light or full databases shouldn't affect detection, as cloud lookup includes full database signatures.
 

vitao

Level 3
Thread author
Mar 12, 2024
147
Using light or full databases shouldn't affect detection, as cloud lookup includes full database signatures.
I just did a test with the full and light database. CIS against 400 newly released malwares. Disabled firewall, cloud lookup, and everything related to cloud check. Then I updated CIS with the default DB, which is the light one. Uncompressed all the 400 malwares and did a manual scan (disabled cloud lookup in the manual scan config too). Then I did the same test but marking the option to grab the full database. The results were the same. No point in downloading the full DB. Unfortunately, as I was expecting to see a better result with the full DB... The video will be produced to explain that there is no point in changing it to the full database, and after that I'll upload it to my channel. It will be a video about curiosity so, no need to rush... :)
 

rashmi

Level 13
Jan 15, 2024
646
I just did a test with the full and light database. CIS against 400 newly released malwares. Disabled firewall, cloud lookup, and everything related to cloud check. Then I updated CIS with the default DB, which is the light one. Uncompressed all the 400 malwares and did a manual scan (disabled cloud lookup in the manual scan config too). Then I did the same test but marking the option to grab the full database. The results were the same. No point in downloading the full DB. Unfortunately, as I was expecting to see a better result with the full DB... The video will be produced to explain that there is no point in changing it to the full database, and after that I'll upload it to my channel. It will be a video about curiosity so, no need to rush... :)
With cloud lookup disabled, the full database would outperform the light database against old malware packs.
 

bazang

Level 9
Jul 3, 2024
430
@cruelsister

I've posted videos about various AM applications (MB, ESET, Emsisoft, Symantec, etc.) being bypassed by malware (and these could be confirmed as the malware was in the wild), all of which raised barely a peep.
For someone as intelligent and perceptive as @cruelsister, I am surprised that they would think that people here really care about serious, illustrative bypass videos. People are, but only those that entertain them or ones that affirm their beliefs or agendas.

If there is a large anti-Comodo agenda on MT, anything @cruelsister posts will be attacked or they will be targeted for harassment.

@cruelsister

when something trivial is found against Comodo it's like the World is ending
Because there are anti-Comodo haters and those that just want to troll @cruelsister in particular.

I would have expected @cruelsister to troll the trolls (reverse trolling) by posting more videos.

@cruelsister

I've given up on MT recently as it seems to be overrun by Trolls for only God knows why.
This is exactly what the Comodo haters and trolls wanted - for @cruelsister to leave MT.

I thought @cruelsister was a big girl that could handle the trolls. Apparently not.

So the trolls succeeded in silencing @cruelsister by ridding MT of her perspective and voice. That benefits no one.
 

Andy Ful

From Hard_Configurator Tools
Verified
Honorary Member
Top Poster
Developer
Well-known
Dec 23, 2014
8,681
It would be good to see her on MT. She is an authority in Comodo matters and malware testing. She is also very kind, which is why she might feel hurt.
I was involved in the discussion and it seems that most people here (including me) think that Comodo can provide very strong protection for non-enterprise users, especially with @cruelsister's settings. I also do not agree with some rather harsh posts about Comodo, but such posts were a minority. Most posts (also harsh) had some point even if I did not agree. (y)
 

Vitali Ortzi

Level 28
Verified
Top Poster
Well-known
Dec 12, 2016
1,764
It would be good to see her on MT. She is an authority in Comodo matters and malware testing. She is also very kind, which is why she might feel hurt.
I was involved in the discussion and it seems that most people here (including me) think that Comodo can provide very strong protection for non-enterprise users, especially with @cruelsister's settings. I also do not agree with some rather harsh posts about Comodo, but such posts were a minority. Most posts (also harsh) had some point even if I did not agree. (y)
cruelsister showed countless state-sponsored and APT attacks blocked by Comodo and all the top vendors failing.
The product has really low RAM, CPU and IO usage, and the container is lighter than a hypervisor-based solution.
Yes, obviously it's not perfect, but at least the CIA gave it praise in Vault 7 as shown below 👇

Comodo, as you may know, is a colossal pain in the posterior. It literally catches everything until you tell it not to, including standard windows services (say what?!?).

...at least, that's what happens on Comodo 5.X. In 6.X, Comodo apparently decided that catching things that were part of windows was a Bad Thing(tm). Their "fix" was... kinda lame

Anything running as SYSTEM is automatically legit under 6.X. ANYTHING. Let that sink in. Got a kernel level exploit? Good, because you can drop the kitchen sink and the contents of your garage and as long as you continue to run as SYSTEM you are golden. Yeah.

Needless to say, Comodo 6.X doesn't catch nearly as much stuff. Comodo's user base, paranoid bastards that they are, has apparently caught wind of this and lots of them haven't upgraded to 6.X. Kind of a shame, cuz this is a hole you could drive a very large wheeled freight carrying vehicle through. However, if you're lucky enough to be going against a target running 6.X, have fun!
Personally I recommend using it with some other solution, which can be the built-in Defender or a third-party AV, but even alone it can block nearly everything.

Definitely an interesting product to have for free and nice that they are keeping improving the container



Anyway, I really loved cruelsister. Her music was awesome and the videos were really useful and always had targeted attacks to check how different AV software deal with worms, ransomware etc.
She showed both the strengths and weaknesses of different products in a fashion no other tester does.
 

vitao

Level 3
Thread author
Mar 12, 2024
147
With cloud lookup disabled, the full database would outperform the light database against old malware packs.
Well, I don't know about old packs, but with 400 malwares tested the results are the same in both scenarios :(
 

vitao

Level 3
Thread author
Mar 12, 2024
147
Well, in some aspects I disagree with cruelsister when she/he talks about Comodo/CIS problems/faults/exploits/delay on fixing bugs etc., but that's just me. She/he has good ideas on testing AVs and has skills. I don't think that the explanation she gave on the other forum was the truth. I don't want to believe she got so mad with trolls on the internet. I thought she/he was older... anyway... come back to MT! Here is your house :)
 