Serious Discussion Comodo Internet Security 2025 was obliterated by an exploit!

rashmi

Level 13
Jan 15, 2024
646
I tested that setup (Serious Discussion - Comodo Internet Security 2025 was obliterated by an exploit!) and it works on my machine (Cloud lookup enabled). I used the newly created files (compiled on my machine). Most files downloaded from the Internet are not new to Comodo (even if Unrecognized), so the 1-day limit will not block them. On the contrary, the 0-day malware will be contained in one day. Also, non-0-day malware can be contained in one day if it is unknown in the Comodo cloud (not submitted). However, such malware will be mainly detected by Microsoft Defender.
I'd appreciate a description of your testing methodology for the files with the setup before I comment. How did you arrive at the conclusion that Comodo's one-day limit won't block most downloaded files, even if unrecognized, as they are likely already known?
 

vitao

Level 3
Thread author
Mar 12, 2024
147
Hello everyone.

I hope everyone is well.

First of all, I wish you all (again) a great new year! :)

Now back to the topic at hand...

I saw some comments and it seems that some are going in other directions than the one that originated this topic (and several others).

Well, I realize that there are those who just want to see the circus burn, there are those who defend the company Comodo with justifications about investments, money, being a free software, etc.

But honestly, none of that matters that much.

Well, at least for me. What matters is that as long as there are flaws and I can demonstrate these flaws (being able to explain them in the best way possible), I will do so. Regardless of whether the company is interested in correcting this or that, or not. The fact is that I am a CIS user, very satisfied with the protection provided; however, the fact is also that I am unhappy with the lack of transparency and ignorance of its CEO (or former CEO) when he says things of which recent videos demonstrate the opposite, but even so, this also ends up not mattering that much.

As long as I can, I will continue to bring videos about CIS and any other AV. Whether out of curiosity, to demonstrate something, or for entertainment.

PS: The POC demonstrated in the last videos (the one that executes ransomware) also affects Xcitium Client Security in its latest released version... :p
 

Andy Ful

From Hard_Configurator Tools
Verified
Honorary Member
Top Poster
Developer
Well-known
Dec 23, 2014
8,681
I'd appreciate a description of your testing methodology for the files with the setup before I comment. How did you arrive at the conclusion that Comodo's one-day limit won't block most downloaded files, even if unrecognized, as they are likely already known?

I downloaded, installed, and updated 20 applications via UniGetUI and only 2 were blocked (Cloud lookup enabled). Did you encounter more blocks?
I also submitted a few executables to the Comodo cloud that were Unrecognized for more than 1 day.
If you look at the Auto-containment (default) rules for "Internet Security" configuration, there is a similar "Run virtually" rule, but for the applications less than 3 days old.
The rule used by me is borrowed from Microsoft Defender, and it is less restrictive than the default rule of Comodo.

@vitao,
I am unsure if the posts about CF (Cloud lookup enabled) + MD are on-topic here. :unsure:
 

rashmi

Level 13
Jan 15, 2024
646
I tested that setup (Serious Discussion - Comodo Internet Security 2025 was obliterated by an exploit!) and it works on my machine (Cloud lookup enabled). I used the newly created files (compiled on my machine). Most files downloaded from the Internet are not new to Comodo (even if Unrecognized), so the 1-day limit will not block them. On the contrary, the 0-day malware will be contained in one day. Also, non-0-day malware can be contained in one day if it is unknown in the Comodo cloud (not submitted). However, such malware will be mainly detected by Microsoft Defender.
I don't think the "Most files..." is true. Unrecognized-but known, do you mean the "submitted" files?

I tested with Ant Download Manager Beta, released on Dec 27, 2024. Unsigned, not in Comodo Cloud, but submitted.

From tests, the "All Applications" rule doesn't work with "File age" (days/hours). It appears "File age" means the file creation time on the system, not a Comodo file reputation system.

I tried a 1-hour limit criteria for the test. (Downloaded AntDM on Jan 02, 2025)
With the All Applications rule, Comodo contained AntDM even after one hour.
With the Executables rule, Comodo allowed AntDM after one hour.

I also tested with the "File creation date" criteria.
Comodo worked well with both "All Applications" and "Executables" rules.
Tested Before/After criteria. Downloaded AntDM on Jan 02, 2025. (Ant Download Manager Beta released on Dec 27, 2024)
(Block) Before Dec 03, 2024: Comodo correctly allowed it.
(Block) After Dec 03, 2024: Comodo correctly blocked it.
(Block) Before Jan 02, 2025: Comodo correctly blocked it.
(Block) After Jan 03, 2025: Comodo correctly allowed it.

I downloaded, installed, and updated 20 applications via UniGetUI and only 2 were blocked (Cloud lookup enabled). Did you encounter more blocks?
I also submitted a few executables to the Comodo cloud that were Unrecognized for more than 1 day.
If you look at the Auto-containment (default) rules for "Internet Security" configuration, there is a similar "Run virtually" rule, but for the applications less than 3 days old.
The rule used by me is borrowed from Microsoft Defender, and it is less restrictive than the default rule of Comodo.
If I'm not mistaken, UniGetUI is a downloader. Comodo's handling of app downloads, installs, and updates might depend on UniGetUI's "trusted" status or any custom rules; I'm uncertain. Testing directly with the apps' installers would provide a clearer picture.
 
  • Like
Reactions: simmerskool

Andy Ful

From Hard_Configurator Tools
Verified
Honorary Member
Top Poster
Developer
Well-known
Dec 23, 2014
8,681
I tested with Ant Download Manager Beta, released on Dec 27, 2024. Unsigned, not in Comodo Cloud, but submitted.

I downloaded it and it was blocked.



I will try to submit it as a false positive via "Submit Files" in Comodo. We will see what will happen in one hour (I changed 1-day to 1-hour).

Edit 1.
The file "AntDM-x64.2.14.3.beta-setup.exe" is also blocked when using the File Group "Executables" instead of "All applications".

Edit 2.
I tried twice to submit the file "AntDM-x64.2.14.3.beta-setup.exe". After 20 minutes each upload failed (Error 0x80004005 Unspecified error).
 
  • Like
Reactions: simmerskool

Andy Ful

From Hard_Configurator Tools
Verified
Honorary Member
Top Poster
Developer
Well-known
Dec 23, 2014
8,681
@rashmi,

Comodo set with "All applications" 1-hour limit.

Results (fresh compiled file):
1-hour after the first execution the file is still Unrecognized and auto-contained.
1-hour after file submission to Comodo the file is still Unrecognized but not contained.

Next:
File renamed ---> not contained
File moved ---> not contained
File copied ---> auto-contained


Strange results.
When the "All applications" setting is used the time is counted from the submission moment.
 
  • +Reputation
Reactions: simmerskool

rashmi

Level 13
Jan 15, 2024
646
Edit 1.
The file "AntDM-x64.2.14.3.beta-setup.exe" is also blocked when using the File Group "Executables" instead of "All applications".

Edit 2.
I tried twice to submit the file "AntDM-x64.2.14.3.beta-setup.exe". After 20 minutes each upload failed (Error 0x80004005 Unspecified error).
Did the "Executables" rule block AntDM after one hour? It works correctly here.

The file lookup for AntDM will return "unrecognized" if it exists (already submitted) and "unknown" if not.
 
  • Like
Reactions: simmerskool

rashmi

Level 13
Jan 15, 2024
646
@rashmi,

Comodo set with "All applications" 1-hour limit.

Results (fresh compiled file):
1-hour after file submission to Comodo the file is still Unrecognized but not contained.
AntDM exists (already submitted), but Comodo still contains it after an hour, with the "All Applications" 1-hour limit rule.
 
  • Like
Reactions: simmerskool

Andy Ful

From Hard_Configurator Tools
Verified
Honorary Member
Top Poster
Developer
Well-known
Dec 23, 2014
8,681
Did the "Executables" rule block AntDM after one hour? It works correctly here.

The file lookup for AntDM will return "unrecognized" if it exists (already submitted) and "unknown" if not.

"Executables" rule blocks files (including AntDM) for 1 hour from the file creation time. Currently, it is not auto-contained.
"All files" rule still blocks AntDM. Currently, it is auto-contained.
Strange results.

I must make another test. My previous test did not exclude that "All files" can depend on file creation time.
 
  • +Reputation
Reactions: simmerskool

rashmi

Level 13
Jan 15, 2024
646
"Executables" rule blocks files (including AntDM) for 1 hour from the file creation time. Currently, it is not auto-contained.
"All files" rule still blocks AntDM. Currently, it is auto-contained.
Strange results.
The file lookup identifies submitted files as "unrecognized," unsubmitted files as "unknown," and requests submission of "unknown" files. Based on this, I'm stating that AntDM has already been submitted.

The "All Applications" 1-hour limit rule requiring submission of unknown files seems strange. I wonder, is it a bug or a design?
 
  • Like
Reactions: simmerskool

Andy Ful

From Hard_Configurator Tools
Verified
Honorary Member
Top Poster
Developer
Well-known
Dec 23, 2014
8,681
The "All Applications" 1-hour limit rule requiring submission of unknown files seems strange. I wonder, is it a bug or a design?

I repeated the test on two freshly compiled files with "All applications" setting.
Both files were allowed precisely 1 hour after creation without submitting to Comodo (both are Unrecognized).
AntDM is still auto-contained.

It seems that the problem can be more complex. (y)
 

Andy Ful

From Hard_Configurator Tools
Verified
Honorary Member
Top Poster
Developer
Well-known
Dec 23, 2014
8,681
AntDM exists (already submitted), but Comodo still contains it after an hour, with the "All Applications" 1-hour limit rule.

I know what is happening.

With the "All Applications" setting the downloaded AntDM executable ("AntDM...exe") is allowed after one hour, but it creates/executes the "AntDM...tmp" file (temporary file) which is still blocked. The temporary file is blocked because it is newly created, so the creation time is always less than one hour. This block will continue until the AntDM executable is Unrecognized.

With the "Executables" setting the downloaded AntDM executable ("AntDM...exe") is allowed after one hour, it creates/executes the "AntDM...tmp" file (temporary file) which is allowed because there is no *.tmp executable type included in the "Executables" group. If you add *.tmp to the "Executables" group, AntDM installation will be blocked just like for "All Applications".

From my tests (and yours) it follows that the 1-hour limit works slightly differently for "Executables" and "All Applications" groups because these groups include slightly different executable types (the second group includes the first). However, the time is always counted from the file creation time (manual submission is not required).
If the Unrecognized executable is allowed after one hour, its newly created copy will be still blocked for one hour.

I noticed that the "Executables" group also does not include MSI files, which are included in the "All Applications" group.
 
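The behaviour worked out in the posts above (file age counted from NTFS creation time, the installer's freshly dropped *.tmp child, copy versus move/rename, and the two file groups differing in membership) can be captured in a small model of the containment decision. This is an added illustration, not Comodo's code; the group contents, the function names and the AntDM path are assumptions made for the example.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from fnmatch import fnmatch

# Constructed approximation of the two CIS file groups discussed in the thread:
# the thread reports that "Executables" lacks *.tmp and MSI while
# "All Applications" is a superset that includes them. Exact contents assumed.
FILE_GROUPS = {
    "Executables": ["*.exe"],
    "All Applications": ["*.exe", "*.msi", "*.tmp"],
}


@dataclass
class FileRecord:
    path: str
    created: datetime            # NTFS creation timestamp (what the rule compares)
    rating: str = "Unrecognized"  # cloud rating: Trusted / Unrecognized / Unknown


def in_group(path: str, group: str) -> bool:
    return any(fnmatch(path.lower(), pat) for pat in FILE_GROUPS[group])


def contain_decision(rec: FileRecord, group: str, max_age: timedelta, now: datetime) -> str:
    """'contain' if a non-trusted file matching `group` is younger than `max_age`, else 'allow'."""
    if rec.rating == "Trusted" or not in_group(rec.path, group):
        return "allow"
    return "contain" if now - rec.created < max_age else "allow"


def install_run(installer: FileRecord, group: str, max_age: timedelta, now: datetime):
    """Model the AntDM case: the .exe runs, then drops and executes a brand-new .tmp.
    Returns (decision for the .exe, decision for the .tmp child)."""
    parent = contain_decision(installer, group, max_age, now)
    tmp = FileRecord(installer.path.rsplit(".", 1)[0] + ".tmp", created=now, rating=installer.rating)
    return parent, contain_decision(tmp, group, max_age, now)


def copy_file(rec: FileRecord, dest: str, now: datetime) -> FileRecord:
    # A copy is a new file on disk, so its creation time restarts the clock.
    return FileRecord(dest, created=now, rating=rec.rating)


def move_file(rec: FileRecord, dest: str) -> FileRecord:
    # Move/rename on the same volume keeps the original creation time.
    return FileRecord(dest, created=rec.created, rating=rec.rating)
```

On a real system `(Get-Item <file>).CreationTime` in PowerShell shows the timestamp this model compares against.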

rashmi

Level 13
Jan 15, 2024
646
I know what is happening.

With the "All Applications" setting the downloaded AntDM executable ("AntDM...exe") is allowed after one hour, but it creates/executes the "AntDM...tmp" file (temporary file) which is still blocked. The temporary file is blocked because it is newly created, so the creation time is always less than one hour. This block will continue until the AntDM executable is Unrecognized.

With the "Executables" setting the downloaded AntDM executable ("AntDM...exe") is allowed after one hour, it creates/executes the "AntDM...tmp" file (temporary file) which is allowed because there is no *.tmp executable type included in the "Executables" group. If you add *.tmp to the "Executables" group, AntDM installation will be blocked just like for "All Applications".

From my tests (and yours) it follows that the 1-hour limit works slightly differently for "Executables" and "All Applications" groups because these groups include slightly different executable types (the second group includes the first). However, the time is always counted from the file creation time (manual submission is not required).
If the Unrecognized executable is allowed after one hour, its newly created copy will be still blocked for one hour.

I noticed that the "Executables" group also does not include MSI files, which are included in the "All Applications" group.
We overlooked the tmp detail in the alert; how did that happen? 🤓

To experiment, I created a custom file group and added *.exe. It worked well with the file age criteria. From my view, creating your own file group and including selective files would be the best approach for effective protection. This will also prevent users from editing a file group or messing with the default file groups.
 

vitao

Level 3
Thread author
Mar 12, 2024
147
In a thread on the official Comodo forum, I saw a comment that made me curious, so I decided to do a test to find out if it makes any difference to use the default Comodo Antivirus virus signature database and the complete database.

This is the result:



Video with subtitles and description translated into English and Spanish. If you want more subtitles, just let me know.

As it's not a test about AV vs. malware, I figured that this should be in a separate topic. If mods don't agree, move it to some other topic. Np at all.
 

Bot

AI-powered Bot
Apr 21, 2016
4,599
Thanks for sharing your test results with the community. It's always interesting to see real-world comparisons of Comodo's default and complete databases. Your efforts to provide subtitles in different languages are also appreciated. This will definitely help users better understand the differences and make an informed decision.
 

Andy Ful

From Hard_Configurator Tools
Verified
Honorary Member
Top Poster
Developer
Well-known
Dec 23, 2014
8,681
@Andy Ful For optimal protection, what files should a user select from the various file groups?

The default files seem to be OK for most users. Using the "All applications" group includes all possible executable types blocked by Comodo, but increases the number of alerts.
 

Nikola Milanovic

Level 3
Verified
Oct 17, 2023
147
In a thread on the official Comodo forum, I saw a comment that made me curious, so I decided to do a test to find out if it makes any difference to use the default Comodo Antivirus virus signature database and the complete database.

This is the result:



Video with subtitles and description translated into English and Spanish. If you want more subtitles, just let me know.

As it's not a test about AV vs. malware, I figured that this should be in a separate topic. If mods don't agree, move it to some other topic. Np at all.

YES, Xcitium has finally improved signatures. I told the guy on the Comodo forums (the FlorinG guy) to improve the signatures, and he actually listened to me and improved them.
 
