Serious Discussion Comodo Internet Security 2025 was obliterated by an exploit!


Andy Ful

From Hard_Configurator Tools
Verified
Honorary Member
Top Poster
Developer
Well-known
Dec 23, 2014
8,592
Can Comodo under a user account with a separate admin stop all of your attacks, known ones, and what recommendations do you have for Comodo users? (I have a low-end system where even Defender and ESET are too heavy.)

The AV Challenge attack on the Standard User Account (SUA) will trigger the UAC Credential Prompt. If the user does not insert credentials, the attack will be blocked. When using SUA, most malware (including ransomware) is often less dangerous.
But Comodo is still vulnerable to attacks via DLL hijacking. Examples of such attacks can be found in the wild against organizations, like PlugX RAT, AsyncRAT, or Kransom mentioned here:

However, such examples are rare. In most cases, the attacks also use scripting that can be mitigated via Comodo's Script Analysis (tweaked). If the non-enterprise user wants to increase Comodo's protection against such threats, tweaking the Script Analysis settings could help.
 

vitao

Level 3
Thread author
Mar 12, 2024
108
It is not necessary. The POC mentioned by @vitao does not trigger containment (contrary to the first POC) and the Comodo fix is only related to the containment escape.
On my testing, it seems containment continues to just ignore it, but there is something new: the DLL (the ransom itself) shows in the Unrecognized list but is not blocked, and the user is not prompted for a decision, so it seems it's the containment being evaded here, right? Or am I getting it wrong?

I've already recorded the video with the test, but I need to record the part with my talking. I'll try to do it by the weekend.

Edit: one thing that needs to be noted here. The DLL is the ransomware itself, and Windows Defender blocks it by recognizing it as malicious, but Comodo Antivirus just plays dumb and ignores it. Even Kingsoft can recognize it as malware, but CIS... funny, right?

Edit 2: the video testing it will have 2 parts. One shows the new CIS with its default config. In the second one, CIS is with the cruelsister config tweaked by me and with the part that loyisa said had to be changed, the Script Analysis, where I checked every damn option.

In both scenarios CIS is r@ped by the POC in its v3. In both scenarios UAC is turned off via Windows settings (not via regedit, so it's not fully off, as many know). I tried with UAC on and the result was the same, but as it was a short attempt, it is not in the full video recorded before :p
 

vitao

Level 3
Thread author
Mar 12, 2024
108
The AV Challenge attack on the Standard User Account (SUA) will trigger the UAC Credential Prompt. If the user does not insert credentials, the attack will be blocked. When using SUA, most malware (including ransomware) is often less dangerous.
But Comodo is still vulnerable to attacks via DLL hijacking. Examples of such attacks can be found in the wild against organizations, like PlugX RAT or AsyncRAT mentioned here:

However, such examples are rare. In most cases, the attacks also use scripting that can be mitigated via Comodo's Script Analysis (tweaked). If the non-enterprise user wants to increase Comodo's protection against such threats, tweaking the Script Analysis settings could help.

Maybe you can help me a little bit.

In a recent video showing CIS 2025 (the previous one) with its default config against 200 new malware samples, I was surprised by one little fella who bypasses everything but is marked in VirusTotal by many as malware. Can you say something about this file? After I did the testing I was going to record another video, so I decided to update the malware used in the tests, and I forgot to save this file. Now I cannot find it anywhere to download for study.

The video:

The SHA256 of the file: 75d96dfe70912f3f2c5b669ebac010a83904daea9a908c5352063f1508d8ed58

Edit: nvm, I just found the file on tria.ge :) I'll do some more testing on it, but if anyone can talk a little about this one, I'll be very glad :D
 

Andy Ful

From Hard_Configurator Tools
Verified
Honorary Member
Top Poster
Developer
Well-known
Dec 23, 2014
8,592
On my testing, it seems containment continues to just ignore it, but there is something new: the DLL (the ransom itself) shows in the Unrecognized list but is not blocked, and the user is not prompted for a decision, so it seems it's the containment being evaded here, right? Or am I getting it wrong?

The containment was evaded because it was not triggered at all. The DLL is considered Unrecognized because it was scanned, and Comodo did not know it.
Comodo (by default) does not auto-contain trusted files and DLLs loaded by them, and the EXE used in the attack (StarRail.exe) is a well-known and trusted EXE from the original benign game. That is how DLL hijacking works: the EXE file must be well-known and benign.
 
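The check that follows from Andy Ful's explanation, as an added example that is not from the thread or from Comodo: a trusted EXE loading an unknown DLL from its own folder is exactly the shape a sideloaded DLL takes, so image-load telemetry can flag it even when the AV scan only says "unrecognized". The records are constructed in the style of Sysmon Event ID 7 (ImageLoad) fields; all paths, DLL names and the system-DLL list are assumptions for illustration.

```python
import ntpath
from dataclasses import dataclass
from typing import Optional

# Constructed image-load records in the shape of Sysmon Event ID 7 fields
# (Image, ImageLoaded, Signed, SignatureStatus). Paths and names are made up.
SAMPLE_EVENTS = [
    {"Image": r"C:\Games\ExampleGame\Game.exe",
     "ImageLoaded": r"C:\Windows\System32\version.dll",
     "Signed": "true", "SignatureStatus": "Valid"},
    {"Image": r"C:\Games\ExampleGame\Game.exe",
     "ImageLoaded": r"C:\Games\ExampleGame\version.dll",
     "Signed": "false", "SignatureStatus": "Unavailable"},
    {"Image": r"C:\Games\ExampleGame\Game.exe",
     "ImageLoaded": r"C:\Games\ExampleGame\Engine.dll",
     "Signed": "true", "SignatureStatus": "Valid"},
    {"Image": r"C:\Program Files\Vendor\Tool.exe",
     "ImageLoaded": r"C:\Users\Public\Downloads\WININET.dll",
     "Signed": "true", "SignatureStatus": "Expired"},
]

# DLL names that legitimately come from the Windows system directories; the same
# name loaded from the application folder is the classic search-order hijack.
SYSTEM_DLLS = {"version.dll", "wininet.dll", "dwmapi.dll", "uxtheme.dll"}
SYSTEM_DIRS = (r"c:\windows\system32", r"c:\windows\syswow64")
@dataclass(frozen=True)
class Finding:
    process: str
    dll: str
    reason: str

def _under_system_dir(path: str) -> bool:
    p = path.lower()
    return any(p.startswith(d + "\\") for d in SYSTEM_DIRS)

def classify(event: dict) -> Optional[Finding]:
    """Return a Finding when the load looks like DLL sideloading, else None."""
    exe, dll = event["Image"], event["ImageLoaded"]
    name = ntpath.basename(dll).lower()
    same_dir = ntpath.dirname(exe).lower() == ntpath.dirname(dll).lower()
    valid_sig = event["Signed"] == "true" and event["SignatureStatus"] == "Valid"
    if name in SYSTEM_DLLS and not _under_system_dir(dll):
        return Finding(exe, dll, "system DLL name loaded outside the system directories")
    if same_dir and not valid_sig:
        return Finding(exe, dll, "unsigned or badly signed DLL beside the executable")
    return None  # trusted EXE loading a properly signed DLL is the normal case

def hunt(events: list) -> list:
    return [f for f in (classify(e) for e in events) if f is not None]
```

On the constructed sample, the two loads of `version.dll` from the game folder and `WININET.dll` from Downloads are reported while the signed engine DLL beside the EXE is not.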

vitao

Level 3
Thread author
Mar 12, 2024
108
The containment was evaded because it was not triggered at all. The DLL is considered Unrecognized because it was scanned, and Comodo did not know it.
Comodo (by default) does not auto-contain trusted files and DLLs loaded by them, and the EXE used in the attack (StarRail.exe) is a well-known and trusted EXE from the original benign game. That is how DLL hijacking works: the EXE file must be well-known and benign.

Hmmm... so... if this kind of thing goes live and people target CIS users, just for fun, God help us... as Comodo doesn't seem to care too much... right?
 

Andy Ful

From Hard_Configurator Tools
Verified
Honorary Member
Top Poster
Developer
Well-known
Dec 23, 2014
8,592
Maybe you can help me a little bit.

The PowerShell script (detected by Kaspersky) was blocked by Comodo via Script Analysis. The PowerShell CmdLine was converted to PS1 script and copied to C:\ProgramData\Comodo\Cis\tempscript folder.
 

Andy Ful

From Hard_Configurator Tools
Verified
Honorary Member
Top Poster
Developer
Well-known
Dec 23, 2014
8,592
Hmmm... so... if this kind of thing goes live and people target CIS users, just for fun, God help us... as Comodo doesn't seem to care too much... right?
I do not know if they care, but a non-enterprise user should probably live a thousand years to be a victim of such malware. :)
I am unsure if Xcitium also has this issue (poor DLL detection).
Other AVs also do not care about some rare attack vectors.
 

vitao

Level 3
Thread author
Mar 12, 2024
108
The PowerShell script (detected by Kaspersky) was blocked by Comodo via Script Analysis. The PowerShell CmdLine was converted to PS1 script and copied to C:\ProgramData\Comodo\Cis\tempscript folder.
Not the PowerShell. The EXE that runs, and CIS does nothing about it. I posted the SHA256 for the file.
 

vitao

Level 3
Thread author
Mar 12, 2024
108
I do not know if they care, but a non-enterprise user should probably live a thousand years to be a victim of such malware. :)
I am unsure if Xcitium also has this issue (poor DLL detection).
Other AVs also do not care about some rare attack vectors.
I've posted a video showing Xcitium getting r#ped by it too. The same problem persists, as Xcitium is CIS but with EDR on top.
 

vitao

Level 3
Thread author
Mar 12, 2024
108
Can you just stop using the word rape? It is not what you want to describe and there are tens of other words that can perfectly convey what you want to say. Why do you have to keep using a word that invokes terror to women and mask it? So juvenile.
Ow... sorry, dude. Not my intent o_O Don't get me wrong. English is not my primary language. Some expressions with this word have more sense of power and meaning in my language. This word can describe better some things I want to say. As I don't have any problems with this word, I don't see any problem using it. If you have any problem with it, I'm sorry, OK? But some language customs are hard to change. A better solution would be you marking my profile to be ignored, or hiding me, something like that. At least until I can become able to pay more attention to your feelings.
 

Andy Ful

From Hard_Configurator Tools
Verified
Honorary Member
Top Poster
Developer
Well-known
Dec 23, 2014
8,592
Not the PowerShell. The EXE that runs, and CIS does nothing about it. I posted the SHA256 for the file.
Understood. I mentioned this script because it is most probably not a false positive. Kaspersky correctly detected it as malicious. This script may also be an artifact after running the EXE (detected by Kaspersky). So, those two files can be related to one malware that was mitigated by Comodo Script Analysis.
You can check this possibility by deleting the content of the "C:\ProgramData\Comodo\Cis\tempscript" folder and running only that EXE sample. If Comodo does not create the PS1 script, those files are unrelated.

Edit.
It seems that the EXE sample was a downloader, but the domain with the final payload did not respond (dead sample). The payload (exe.exe) would be most probably contained by Comodo.
 

Vitali Ortzi

Level 26
Verified
Top Poster
Well-known
Dec 12, 2016
1,585
This is not good news for Enterprise users.:confused:
Non-profits, schools and some enterprises use their enterprise product because they claim 100% bs and are cheaper than any alternative.
I really like the idea of the not-full virtualization that Comodo does, because it uses less performance than virtualization, but both their container can be escaped and trusted DLLs, EXEs (trusted LOLBins) are automatically run without containment, while unlike Kaspersky and other AV software it doesn't have good behavior detection to help against a bypass, as Viruscope is awful.
I'm still using Comodo on most of my PCs (usually as a layer), so some bypasses might be stopped by either HitmanPro.Alert or ESET on my system, or Check Point Threat Emulation that I have in the browser extension, so I'm safe against 99.99%+, and I usually submit suspicious files to Broadcom before running them using Sample Submission | SymSubmission.

But hopefully one day I could use only Comodo comfortably if they do improve it, as Comodo has excellent performance usage, and I have one low-end laptop with 2 GB RAM and eMMC that can't run ESET without performance issues, nor Defender, and Comodo didn't seem to slow IO or use much RAM, and it's a gift to low-end machines, making them mostly secure while not having to go the Chrome OS route or any too-restrictive policy config.

So I definitely find Comodo very useful, and because it's not perfect, if anyone uses Comodo, use it as a layer if possible with some free AV (Kaspersky Free, Defender, Bitdefender Free, Avast Free, etc.).
 

bazang

Level 8
Jul 3, 2024
359
But hopefully one day I could use only comodo comfortably if they do improve it
Now wouldn't that be nice?

After all these years, with its track record, Comodo now is as good as it will ever be as a product owned by Melih. A lot of people do not know this, but he once said "I don't care about bugs" on the old Comodo forum.

I think it is clear by now that the owner is never going to commit the resources to the product required to develop, refine and maintain it to a user experience quality at the same level as any of the "big name" security software.

I really do wonder why people just do not acknowledge and accept this fact. Why do they keep thinking that they can get Comodo to fix the product by complaining and demonstrations? Neither of those two things has ever helped improve the product. Rather, they have had the exact opposite effect because Melih views them as "ungratefulness." Just another freeloader, as Melih stated it.

If people want a better Comodo, then they have to convince Melih to make it paid and then they must be willing to spend their cash to pay for it.

¯\_(ツ)_/¯
 

Vitali Ortzi

Level 26
Verified
Top Poster
Well-known
Dec 12, 2016
1,585
Now wouldn't that be nice?

After all these years, with its track record, Comodo now is as good as it will ever be as a product owned by Melih. A lot of people do not know this, but he once said "I don't care about bugs" on the old Comodo forum.

I think it is clear by now that the owner is never going to commit the resources to the product required to develop, refine and maintain it to a user experience quality at the same level as any of the "big name" security software.

I really do wonder why people just do not acknowledge and accept this fact. Why do they keep thinking that they can get Comodo to fix the product by complaining and demonstrations? Neither of those two things has ever helped improve the product. Rather, they have had the exact opposite effect because Melih views them as "ungratefulness." Just another freeloader, as Melih stated it.

If people want a better Comodo, then they have to convince Melih to make it paid and then they must be willing to spend their cash to pay for it.

¯\_(ツ)_/¯
It's a paid product sold to enterprises, and the consumer Comodo is based on the same client they sell to enterprises.
So although the cut-down client is free for personal use,
the main product is an enterprise one, sold with claims that ZeroDwell (container) can stop 100%, etc.

Yet there are a few ways to bypass it that other AV software has ways to mitigate, either by behavior blockers, HIPS, or other defenses.
 

Andy Ful

From Hard_Configurator Tools
Verified
Honorary Member
Top Poster
Developer
Well-known
Dec 23, 2014
8,592
Yet there are a few ways to bypass it that other AV software has ways to mitigate, either by behavior blockers, HIPS, or other defenses.

The research reports suggest that other AV/EDR solutions cannot protect Enterprises much better, although they have some other weak points.
https://malwaretips.com/threads/how...rs-protection-now-in-2024.133301/post-1105300

Nowadays, the recommended solution is the Zero Trust Model, where AV/EDR is only a part of the solution.
 

Vitali Ortzi

Level 26
Verified
Top Poster
Well-known
Dec 12, 2016
1,585
The research reports suggest that other AV/EDR solutions cannot protect Enterprises much better, although they have some other weak points.
https://malwaretips.com/threads/how...rs-protection-now-in-2024.133301/post-1105300

Nowadays, the recommended solution is the Zero Trust Model, where AV/EDR is only a part of the solution.
Thing is that zerodwell container is marketed as a zero trust solution yet automatically allows trusted lolbins and yeah av software have a hard time as well because they allow trusted lolbins too to bypass and run privileged and many av vendors claim to have an ability to be zero trust and usually fail as well too when you configure them at zero trust and use something they automatically trust in a targeted attack
So how many solutions are actually zero trust
 

Andy Ful

From Hard_Configurator Tools
Verified
Honorary Member
Top Poster
Developer
Well-known
Dec 23, 2014
8,592
Thing is that zerodwell container is marketed as a zero trust solution yet automatically allows trusted lolbins and yeah av software have a hard time as well because they allow trusted lolbins too to bypass and run privileged and many av vendors claim to have an ability to be zero trust and usually fail as well too when you configure them at zero trust and use something they automatically trust in a targeted attack
So how many solutions are actually zero trust

You know that you can use commas and periods? :)
 

Vitali Ortzi

Level 26
Verified
Top Poster
Well-known
Dec 12, 2016
1,585
You know that you can use commas and periods? :)
Sorry for making reading very inconvenient.
As I'm not really the most intelligent guy, and unsure when to use commas and periods, and haven't really forced myself ever to try and improve my grammar.
(Hopefully this is correct usage, but uncertain if what I'm currently writing is even correct usage of comma and period.)


(If anyone has some good site to practice, and learn, you can send me a private message, and or anything to improve grammar, writing skills.)
 