Hot Take Comodo Internet Security 2025 was obliterated by an exploit!

Although Comodo can be bypassed in targeted attacks even with auto-containment set to block, it is still an efficient additional protection against commodity malware that can affect home users. Similar issues (DLL hijacking) can be found for example in Avast's CyberCapture, some Microsoft ASR rules, and other 0-day malware protections focused on EXE files and monitoring child processes.
Anyway, users should remember that:
  • auto-containment cannot solve all protection problems,
  • running malware with high privileges can destroy AV protection.
 
So what would be your suggestions for better protection, independent of the AV someone installs?
 

"A better protection" can be understood in many ways. People have different preferences about usability and protection levels. Different safeguards are needed for children than for adults. Different protection can be managed by the "home administrator" rather than by the average user. A happy clicker needs more protection than a cautious user.
The user can consider (among others):
  • doing daily work on the Standard User Account (SUA) and avoiding process elevation from SUA,
  • using Windows 11 (vulnerable driver protection independent of other Core isolation settings),
  • slightly tweaking the AV and web browser features, but without losing much usability (this can vary among users),
  • hardening the document viewer/editor.
Of course, some safe habits are welcome too. Furthermore, learning how to avoid malware is much more effective than complicating protection.
Security-oriented users can apply additional security layers if needed.
The danger comes from believing that the protection applied can protect us against risky or stupid actions. Such a belief usually leads to overkill, so users tend to bypass the "perfect" security in the worst moments.
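As an added example (not code from the thread), here is a read-only PowerShell audit of the safeguards this post lists: whether the daily account is a Standard User Account, whether UAC is on, whether the Microsoft Vulnerable Driver Blocklist is enabled, and whether Smart App Control is on. It changes nothing. The EnableLUA value is the one quoted later in this thread; the other value names and the meaning of their numeric states are assumptions taken from Microsoft's public documentation.

```powershell
# Added example, not code from the thread: a read-only audit of the safeguards
# listed above. Run it in the account you use for daily work; it changes nothing.
# Assumed: the registry value names below (other than EnableLUA) and the meaning
# of their numeric states, taken from Microsoft's public documentation.

function Get-RegValue {
    param([string]$Path, [string]$Name)
    try   { (Get-ItemProperty -Path $Path -Name $Name -ErrorAction Stop).$Name }
    catch { $null }    # value absent: report it as "not set" rather than failing
}

# 1. Daily work on a Standard User Account?
#    whoami /groups lists BUILTIN\Administrators (S-1-5-32-544) even when UAC has
#    filtered the token, so this also catches an admin account running non-elevated.
$identity      = [Security.Principal.WindowsIdentity]::GetCurrent()
$principal     = New-Object Security.Principal.WindowsPrincipal($identity)
$tokenElevated = $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)
$adminMember   = [bool]((whoami /groups) -match 'S-1-5-32-544')

# 2. UAC: 1 = on (default), 0 = off. With UAC off every process in an admin
#    account is already fully elevated, so "avoid elevation" is no longer an option.
$pol         = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
$enableLua   = Get-RegValue $pol 'EnableLUA'
$adminPrompt = Get-RegValue $pol 'ConsentPromptBehaviorAdmin'   # 2 = prompt for consent on the secure desktop

# 3. Microsoft Vulnerable Driver Blocklist (on by default on Windows 11 22H2+, independent of HVCI)
$vdb = Get-RegValue 'HKLM:\SYSTEM\CurrentControlSet\Control\CI\Config' 'VulnerableDriverBlocklistEnable'

# 4. Smart App Control (Windows 11 only): 1 = on, 2 = evaluation, 0 = off
$sac = Get-RegValue 'HKLM:\SYSTEM\CurrentControlSet\Control\CI\Policy' 'VerifiedAndReputablePolicyState'

[PSCustomObject]@{
    CurrentUser                = $identity.Name
    TokenElevatedNow           = $tokenElevated
    MemberOfAdministrators     = $adminMember
    EnableLUA                  = $enableLua
    ConsentPromptBehaviorAdmin = $adminPrompt
    VulnerableDriverBlocklist  = $vdb
    SmartAppControlState       = $sac
} | Format-List

# The two conditions the post warns about: daily work as admin, and UAC switched off.
if ($adminMember)     { Write-Warning 'Daily account is in Administrators; consider moving daily work to a Standard User Account.' }
if ($enableLua -eq 0) { Write-Warning 'EnableLUA = 0: UAC is disabled, so any process in an admin account runs fully elevated.' }
if ($vdb -eq 0)       { Write-Warning 'VulnerableDriverBlocklistEnable = 0: the driver blocklist has been explicitly turned off.' }
```

A value reported as empty means the registry value is absent and the Windows default applies; for the driver blocklist that default is "on" only on Windows 11 22H2 and later, which is why the script warns only on an explicit 0.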
 
Introducing Comodo Sandbox Escape with Ransomware...
 
Another update: Xcitium EDR Client Security was OBLITERATED too...

The full video will be published and the link will be here soon...
 
Check it out:

This video has description and subtitles in 10 languages.

The following video, which is already online, demonstrates this PoC downloading and installing ransomware without CIS even noticing, but it does not yet have subtitles (only the automatic ones from YT itself). As soon as I add the subtitles I will bring the video in a new publication.

BTW, Xcitium EDR was obliterated too. As soon as I make the subs I'll post it here.
 
Thanks for sharing the video, it's very informative. Looking forward to the subtitled version and your upcoming post on Xcitium EDR. It's crucial to stay updated on these developments for optimal security.
 
If you still have an available VM to test this, please make the following registry change and re-run the test:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA

and modify the DWORD value from 1 to 0.
 
That would be awesome, especially with Xcitium as it's more updated.
 
The Comodo 2025 release was a farce, the software hasn't really been updated/upgraded for many years. The software still has hundreds of bugs (officially recognized by Comodo and its fanatics, but unfixed since 2019), its databases are not updated, and even its certificate doesn't work. All they've done is give the software's GUI a facelift, and released it with the same old lies.

In addition, apart from the “Containment/Isolation” feature, the rest of the tools... are useless! The antivirus is garbage. The firewall doesn't even distinguish SVCHOST communications, doesn't even allow Windows services customization, and is full of bugs. Therefore, Comodo is a simple dumb blocker, and as such depends on the user to block or allow executables. Any customization, which allows the hardening of Windows, is better and more efficient than Comodo.

Specifically with regard to Comodo Containment, over the last years it has been proven to be flawed countless times, and when not ignored by Comodo and its (immoral/irresponsible) fanatics, they always invent a hack as a solution, which never works (attaching Andy Ful's recent post from today).

It is ridiculous and pathetic to continue defending a software that was abandoned years ago, a dinosaur software that was overtaken by new technologies (therefore is doomed to extinction), even more so when there are many better and more modern upgraded updated alternatives for free, real antimalwares (not just dumb blockers).
We don't have good reputation-based default-deny, so the software is useful and is lighter than actual AV software.
Indeed, there are major bugs and everyone should push them to fix them. It seems enterprise system administrators are rightly avoiding this software, but we home users have fewer choices, and it seems to work well against most malware for now. But if these issues keep getting unfixed, I'm removing Comodo from all of my machines (certificate, container allowing privilege escalation with a not rare method of DLL injection, etc., which is a huge risk).
 
... but we home users have fewer choices, and it seems to work well against most malware for now. But if these issues keep getting unfixed, I'm removing Comodo from all of my machines (certificate, container allowing privilege escalation with a not rare method of DLL injection, etc., which is a huge risk).

If you think about not fixing the bypass from this thread, this will not be a problem. The bypass is Comodo-dependent, so it will not be used in widespread attacks.
Comodo has many hardening options that can make it a very attractive solution. The greater problem for Comodo and other AVs is DLL hijacking (also used in the bypass). Unfortunately, there are no tests on this attack vector, so I cannot say which AV can be most effective. On Windows 11, DLL hijacking is blocked by Smart App Control if the malicious DLL is unsigned or improperly signed. It can also be blocked by WDAC.
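As an added example (not code from the thread or from any of the products discussed), the following PowerShell script lists the DLLs loaded into a running process and flags the ones Smart App Control or a WDAC policy would refuse outright, i.e. unsigned or invalidly signed modules, plus any loaded from a user-writable location, which is where a planted DLL for a hijack would sit. The target process name is a parameter; 'notepad' is only an illustrative default, and the set of "user-writable roots" is an assumption for illustration.

```powershell
# Added example, not code from the thread: list the DLLs loaded into a running
# process and flag the ones Smart App Control or a WDAC policy would block
# (unsigned or invalidly signed), plus any loaded from a user-writable location.
# 'notepad' is only an illustrative default. Modules of a process running at a
# higher integrity level than this shell cannot be read, so run elevated if needed.
param([string]$ProcessName = 'notepad')

$procs = Get-Process -Name $ProcessName -ErrorAction SilentlyContinue
if (-not $procs) { Write-Warning "No running process named '$ProcessName'."; return }

# Assumed set of locations a standard user can write to (illustrative, not exhaustive).
$userWritableRoots = @($env:USERPROFILE, $env:ProgramData, $env:TEMP) | Where-Object { $_ }

$findings = foreach ($p in $procs) {
    foreach ($m in $p.Modules) {
        # OS DLLs are catalog-signed; Get-AuthenticodeSignature consults the catalog,
        # so they still come back as Valid with a Microsoft signer.
        $sig = Get-AuthenticodeSignature -FilePath $m.FileName
        [PSCustomObject]@{
            PID               = $p.Id
            Module            = $m.ModuleName
            Path              = $m.FileName
            Status            = $sig.Status     # Valid, NotSigned, HashMismatch, NotTrusted, UnknownError
            Signer            = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '' }
            InUserWritableDir = [bool]($userWritableRoots | Where-Object { $m.FileName -like "$_\*" })
        }
    }
}

# Anything not validly signed, or living under a user-writable root, deserves a look.
$suspect = $findings | Where-Object { $_.Status -ne 'Valid' -or $_.InUserWritableDir }
if ($suspect) {
    $suspect | Sort-Object PID, Status | Format-Table PID, Status, InUserWritableDir, Path -AutoSize
} else {
    "All $($findings.Count) modules loaded by '$ProcessName' are validly signed and outside user-writable paths."
}
```

Run it against the process you care about (for instance the AV's own user-mode components, or an application launched inside the container) before and after a suspicious action; a new module with Status NotSigned or HashMismatch, or one loaded from a profile or ProgramData path, is the kind of load that Smart App Control refuses and that a WDAC policy can be written to deny.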
 
It is immoral and irresponsible to continue promoting software like Comodo (I'm not talking about you, I'm talking about Comodo and its fanatics).
This sounds very much like you're accusing us of the new buzzword, "disinformation."

Comodo users: Who decides what is this 'disinformation?'

You: It's what we say it is.

Comodo users: Who is we?

You: Everybody who doesn't want Comodo being used.
 
That would be awesome, especially with Xcitium as it's more updated.
Already did that. When properly disabling UAC, the CIS sandbox can manage to really block the exploit behavior. The video is online but I'm still working on proper subs :) Anyway, the UAC thing is not to be done by anyone. Comodo (and now Xcitium) must solve this problem. Or do you think it's not that much of a problem?