Serious Discussion Comodo Internet Security 2025 was obliterated by an exploit!

Andy Ful

From Hard_Configurator Tools
Verified
Honorary Member
Top Poster
Developer
Well-known
Dec 23, 2014
8,680
Although Comodo can be bypassed in targeted attacks even with auto-containment set to block, it is still an efficient additional protection against commodity malware that can affect home users. Similar issues (DLL hijacking) can be found for example in Avast's CyberCapture, some Microsoft ASR rules, and other 0-day malware protections focused on EXE files and monitoring child processes.
Anyway, the users should remember that:
  • auto-containment cannot solve all protection problems,
  • running malware with high privileges can destroy AV protection.
 
Last edited:

vitao

Level 3
Thread author
Mar 12, 2024
147
Although Comodo can be bypassed in targeted attacks even with auto-containment set to block, it is still an efficient additional protection against commodity malware that can affect home users. Similar issues (DLL hijacking) can be found for example in Avast's CyberCapture, some Microsoft ASR rules, and other 0-day malware protections focused on EXE files and monitoring child processes.
Anyway, the users should remember that:
  • auto-containment cannot solve all protection problems,
  • running malware with high privileges can destroy AV protection.
so what would be your suggestions for a better protection, independent of the av someone installs?
 

Andy Ful

From Hard_Configurator Tools
Verified
Honorary Member
Top Poster
Developer
Well-known
Dec 23, 2014
8,680
so what would be your suggestions for a better protection, independent of the av someone installs?

"A better protection" can be understood in many ways. People have different preferences about usability and protection levels. Different safeguards are needed for children than for adults. Different protection can be managed by the "home administrator" rather than by the average user. A happy clicker needs more protection than a cautious user.
The user can consider (among others):
  • doing daily work on the Standard User Account (SUA) and avoiding process elevation from SUA,
  • using Windows 11 (vulnerable driver protection independent of other Core isolation settings),
  • tweaking slightly the AV and web browser features but without losing much of usability (this can vary among users),
  • hardening the document viewer/editor.
Of course, some safe habits are welcome too. Furthermore, learning how to avoid malware is much more effective than complicating protection.
Security-oriented users can apply additional security layers if needed.
The danger comes from believing that the protection applied can protect us against risky or stupid actions. Such a belief usually leads to overkill, so users tend to bypass the "perfect" security in the worst moments.
 
Last edited:

Loyisa

Level 1
Aug 8, 2024
20
"A better protection" can be understood in many ways. People have different preferences about usability and protection levels. Different safeguards are needed for children than for adults. Different protection can be managed by the "home administrator" rather than by the average user. A happy clicker needs more protection than a cautious user.
The user can consider (among others):
  • doing daily work on the Standard User Account (SUA) and avoiding process elevation from SUA,
  • using Windows 11 (vulnerable driver protection independent of other Core isolation settings),
  • tweaking slightly the AV and web browser features but without losing much of usability (this can vary among users),
  • hardening the document viewer/editor.
Of course, some safe habits are welcome too. Furthermore, learning how to avoid malware is much more effective than complicating protection.
Security-oriented users can apply additional security layers if needed.
The danger comes from believing that the protection applied can protect us against risky or stupid actions. Such a belief usually leads to overkill, so users tend to bypass the "perfect" security in the worst moments.
Introducing Comodo Sandbox Escape with Ransomware...
comodooaaa.gif
 

vitao

Level 3
Thread author
Mar 12, 2024
147
another update: Xcitium EDR Client Security was OBLITERATED too...

the full video will be published and the link will be here soon...
 

vitao

Level 3
Thread author
Mar 12, 2024
147
Check it out:

This video has description and subtitles in 10 languages.

The following video, which is already online, demonstrates this POC downloading and installing a Ransomware without the CIS even noticing, but it does not yet have subtitles (only the automatic ones from YT itself). As soon as I add the subtitles I will bring the video in a new publication.

BTW. Xcitium EDR was obliterated too. As soon as I make the subs Ill post it here.
 

Bot

AI-powered Bot
Apr 21, 2016
4,594
Thanks for sharing the video, it's very informative. Looking forward to the subtitled version and your upcoming post on Xcitium EDR. It's crucial to stay updated on these developments for optimal security.
 

cruelsister

Level 43
Verified
Honorary Member
Top Poster
Content Creator
Well-known
Apr 13, 2013
3,224
If you still have an available VM to test this, please make the following Registry Change and re-run the test:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA


and modify DWORD Value from 1 to 0
 

Vitali Ortzi

Level 28
Verified
Top Poster
Well-known
Dec 12, 2016
1,753
If you still have an available VM to test this, please make the following Registry Change and re-run the test:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA


and modify DWORD Value from 1 to 0
That would be awesome especially with Xcitium as it's more updated
 
  • Like
Reactions: simmerskool

Decopi

Level 8
Verified
Oct 29, 2017
360
The Comodo 2025 release was a farce, the software hasn't really been updated/upgraded for many years. The software still has hundreds of bugs (officially recognized by Comodo and its fanatics, but unfixed since 2019), its databases are not updated, and even its certificate doesn't work. All they've done is give the software's GUI a facelift, and released it with the same old lies.

In addition, apart from the “Containment/Isolation” feature, the rest of the tools... are useless! The antivirus is garbage. The firewall doesn't even distinguish SVCHOST communications, doesn't even allow Windows services customization, and is full of bugs. Therefore, Comodo is a simple dumb blocker, and as such depends on the user to block or allow executables. Any customization, which allows the hardening of Windows, is better and more efficient than Comodo.

Specifically with regards to the Comodo Containment, over the last years has been proven to be flawed countless times, and when not ignored by Comodo and its (immoral/irresponsible) fanatics, they always invent a hack as a solution, which never works (attaching recent Andy Ful's post from today).

It is ridiculous and pathetic to continue defending a software that was abandoned years ago, a dinosaur software that was overtaken by new technologies (therefore is doomed to extinction), even more so when there are many better and more modern upgraded updated alternatives for free, real antimalwares (not just dumb blockers).

I already mentioned it. When Windows starts it runs Explorer shell with high privileges due to that reg tweak. So, almost all applications/exploits/malware also run with high privileges (except rare processes compiled with restriction to run only with standard or lower rights). Malware and exploits do not need privilege escalation or UAC bypasses to run with high privileges, just by applying that reg tweak.
For example, when you run the web browser it will be allowed by Comodo, and some web browser's processes will run with high privileges due to that reg tweak. If exploited, the exploit will also run with high privileges.

That reg tweak would be OK, if Comodo could detect/block/contain all malware and exploits. But we know that this is not true neither for malware nor for exploits (system exploits or exploits of benign applications).

What Comodo settings are good enough to safely apply that reg tweak? The @cruelsister-like settings are not good enough:
  1. The containment can be avoided by DLL hijacking.
  2. The containment can be avoided by some signed malware.
  3. Comodo can be bypassed by many fileless exploits/malware.
  4. Comodo can be silently dismantled by Comodo challenge. Without this tweak, some users can stop the attack due to the UAC alert.
In all those cases, the malware/exploit has much more chances to be executed/undetected because it does not have to use privilege escalation or UAC bypass to obtain high privileges. Without that reg tweak the malware must use additional/special/suspicious code so the AVs have more chances to detect it. In my tests with Comodo challenge, I intentionally did not use UAC bypass, because it would make the attack more detectable.

At home, you will have more examples of malware from points 1-3 because such malware is created without knowing the target. On the contrary, the malware with a special Comodo bypass is virtually nonexistent.
 

Vitali Ortzi

Level 28
Verified
Top Poster
Well-known
Dec 12, 2016
1,753
The Comodo 2025 release was a farce, the software hasn't really been updated/upgraded for many years. The software still has hundreds of bugs (officially recognized by Comodo and its fanatics, but unfixed since 2019), its databases are not updated, and even its certificate doesn't work. All they've done is give the software's GUI a facelift, and released it with the same old lies.

In addition, apart from the “Containment/Isolation” feature, the rest of the tools... are useless! The antivirus is garbage. The firewall doesn't even distinguish SVCHOST communications, doesn't even allow Windows services customization, and is full of bugs. Therefore, Comodo is a simple dumb blocker, and as such depends on the user to block or allow executables. Any customization, which allows the hardening of Windows, is better and more efficient than Comodo.

Specifically with regards to the Comodo Containment, over the last years has been proven to be flawed countless times, and when not ignored by Comodo and its (immoral/irresponsible) fanatics, they always invent a hack as a solution, which never works (attaching recent Andy Ful's post from today).

It is ridiculous and pathetic to continue defending a software that was abandoned years ago, a dinosaur software that was overtaken by new technologies (therefore is doomed to extinction), even more so when there are many better and more modern upgraded updated alternatives for free, real antimalwares (not just dumb blockers).
We don't have good reputation based default deny so the software is useful and is lighter then actual av software
Indeed there is major bugs and everyone should push them to fix them and it seems enterprise system administrators are rightly avoiding this software but us home users have less choices and it seems to work well against most malware for now but if these issues keep getting unfixed ik removing comodo from all of my machines (certificate, container allowing privilege escalation with a not rare method of dll injection etc and is a huge risk )
 
  • Like
Reactions: Andy Ful

Andy Ful

From Hard_Configurator Tools
Verified
Honorary Member
Top Poster
Developer
Well-known
Dec 23, 2014
8,680
... but us home users have less choices and it seems to work well against most malware for now but if these issues keep getting unfixed ik removing comodo from all of my machines (certificate, container allowing privilege escalation with a not rare method of dll injection etc and is a huge risk )

If you think about not fixing the bypass from this thread, this will not be a problem. The bypass is Comodo-dependent, so it will not be used in widespread attacks.
Comodo has many hardening options that can make it a very attractive solution. The greater problem for Comodo and other AVs is DLL hijacking (also used in the bypass). Unfortunately, there are no tests on this attack vector, so I cannot say which AV can be most effective. On Windows 11, DLL hijacking is blocked by Smart App Control if the malicious DLL is unsigned or improperly signed. It can be also blocked by WDAC.
 

Decopi

Level 8
Verified
Oct 29, 2017
360
Comodo has many hardening options that can make it a very attractive solution.

Please, allow me to disagree.

Comodo is unable to detect digital threats, so Comodo is not an antivirus nor an antimalware. Comodo is only a dumb blocker, and as such, it depends on the user. That fact "per se", already implies that Comodo may be useful only for a microscopic minority of users.

Even so, in order to Comodo be capable to block threats, it has to become a blocker of everything, of good and bad files. That fact per se, disqualifies Comodo as a modern protection system (I repeat, because Comodo is unable to distinguish between a good file and a bad one). And worse, time passes and Comodo becomes even worse, because it accumulates hundreds of unfixed bugs, and because new digital threats appear, which force more and more to harden Comodo in a way that it will reach a point where Comodo's hardening will be based on "disconnecting the device from the internet and electricity". Right now the Comodo data base is so outdated, that 80% of the safe files are blocked or Contained. In a short time, Comodo is going to block 99% of safe software (because is incapable to recognize safe files).

On the other hand, by customizing Windows, either manually or through software, it is possible to achieve better or equal hardening Windows settings than Comodo.

And last but not least, there are excellent antivirus/antimalwares on the market, totally free. Therefore, there is no logical explanation for using Comodo, a dumb blocker, which depends on the user, a dangerous, abandoned software, without updates/upgrades in years, and with dangerous flaws in Containment.

It is immoral and irresponsible to continue promoting software like Comodo (I'm not talking about you, I'm talking about Comodo and its fanatics).
 

About us

  • MalwareTips is a community-driven platform providing the latest information and resources on malware and cyber threats. Our team of experienced professionals and passionate volunteers work to keep the internet safe and secure. We provide accurate, up-to-date information and strive to build a strong and supportive community dedicated to cybersecurity.

User Menu

Follow us

Follow us on Facebook or Twitter to know first about the latest cybersecurity incidents and malware threats.

Top