Just thinking, if someone actually exploited this vulnerability to drop ransomware using DLL hijacking...so the thing gets even worse...
so what would be your suggestions for a better protection, independent of the av someone installs?Although Comodo can be bypassed in targeted attacks even with auto-containment set to block, it is still an efficient additional protection against commodity malware that can affect home users. Similar issues (DLL hijacking) can be found for example in Avast's CyberCapture, some Microsoft ASR rules, and other 0-day malware protections focused on EXE files and monitoring child processes.
Anyway, the users should remember that:
- auto-containment cannot solve all protection problems,
- running malware with high privileges can destroy AV protection.
so what would be your suggestions for a better protection, independent of the av someone installs?
Introducing Comodo Sandbox Escape with Ransomware..."A better protection" can be understood in many ways. People have different preferences about usability and protection levels. Different safeguards are needed for children than for adults. Different protection can be managed by the "home administrator" rather than by the average user. A happy clicker needs more protection than a cautious user.
The user can consider (among others):
Of course, some safe habits are welcome too. Furthermore, learning how to avoid malware is much more effective than complicating protection.
- doing daily work on the Standard User Account (SUA) and avoiding process elevation from SUA,
- using Windows 11 (vulnerable driver protection independent of other Core isolation settings),
- tweaking slightly the AV and web browser features but without losing much of usability (this can vary among users),
- hardening the document viewer/editor.
Security-oriented users can apply additional security layers if needed.
The danger comes from believing that the protection applied can protect us against risky or stupid actions. Such a belief usually leads to overkill, so users tend to bypass the "perfect" security in the worst moments.
Introducing Comodo Sandbox Escape with Ransomware...
btw... a video showcasing the exploit downloading and running the Ransomware and CIS ignoring it:Introducing Comodo Sandbox Escape with Ransomware...
View attachment 285951
They falsely market it and avoid fixing issuesanother update: Xcitium EDR Client Security was OBLITERATED too...
the full video will be published and the link will be here soon...
That would be awesome especially with Xcitium as it's more updatedIf you still have an available VM to test this, please make the following Registry Change and re-run the test:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA
and modify DWORD Value from 1 to 0
I already mentioned it. When Windows starts it runs Explorer shell with high privileges due to that reg tweak. So, almost all applications/exploits/malware also run with high privileges (except rare processes compiled with restriction to run only with standard or lower rights). Malware and exploits do not need privilege escalation or UAC bypasses to run with high privileges, just by applying that reg tweak.
For example, when you run the web browser it will be allowed by Comodo, and some web browser's processes will run with high privileges due to that reg tweak. If exploited, the exploit will also run with high privileges.
That reg tweak would be OK, if Comodo could detect/block/contain all malware and exploits. But we know that this is not true neither for malware nor for exploits (system exploits or exploits of benign applications).
What Comodo settings are good enough to safely apply that reg tweak? The @cruelsister-like settings are not good enough:
In all those cases, the malware/exploit has much more chances to be executed/undetected because it does not have to use privilege escalation or UAC bypass to obtain high privileges. Without that reg tweak the malware must use additional/special/suspicious code so the AVs have more chances to detect it. In my tests with Comodo challenge, I intentionally did not use UAC bypass, because it would make the attack more detectable.
- The containment can be avoided by DLL hijacking.
- The containment can be avoided by some signed malware.
- Comodo can be bypassed by many fileless exploits/malware.
- Comodo can be silently dismantled by Comodo challenge. Without this tweak, some users can stop the attack due to the UAC alert.
At home, you will have more examples of malware from points 1-3 because such malware is created without knowing the target. On the contrary, the malware with a special Comodo bypass is virtually nonexistent.
We don't have good reputation based default deny so the software is useful and is lighter then actual av softwareThe Comodo 2025 release was a farce, the software hasn't really been updated/upgraded for many years. The software still has hundreds of bugs (officially recognized by Comodo and its fanatics, but unfixed since 2019), its databases are not updated, and even its certificate doesn't work. All they've done is give the software's GUI a facelift, and released it with the same old lies.
In addition, apart from the “Containment/Isolation” feature, the rest of the tools... are useless! The antivirus is garbage. The firewall doesn't even distinguish SVCHOST communications, doesn't even allow Windows services customization, and is full of bugs. Therefore, Comodo is a simple dumb blocker, and as such depends on the user to block or allow executables. Any customization, which allows the hardening of Windows, is better and more efficient than Comodo.
Specifically with regards to the Comodo Containment, over the last years has been proven to be flawed countless times, and when not ignored by Comodo and its (immoral/irresponsible) fanatics, they always invent a hack as a solution, which never works (attaching recent Andy Ful's post from today).
It is ridiculous and pathetic to continue defending a software that was abandoned years ago, a dinosaur software that was overtaken by new technologies (therefore is doomed to extinction), even more so when there are many better and more modern upgraded updated alternatives for free, real antimalwares (not just dumb blockers).
... but us home users have less choices and it seems to work well against most malware for now but if these issues keep getting unfixed ik removing comodo from all of my machines (certificate, container allowing privilege escalation with a not rare method of dll injection etc and is a huge risk )
Comodo has many hardening options that can make it a very attractive solution.
You are allowed.Please, allow me to disagree.