Serious Discussion Comodo Internet Security 2025 was obliterated by an exploit!

vitao

Level 3
Thread author
Mar 12, 2024
148
Your conclusion is invalid because your video has nothing to do with "some containment issue" solved by Comodo. To see that "some containment" issue was solved, you should run the @Loyisa exploit from the first video.
The Comodo staff did not announce that they solved all of Comodo's issues. The "some containment issue" was related to escape from inside the sandbox. In the current video, nothing escaped from inside the sandbox because nothing was sandboxed. The attack vector presented in the current video is another kind and should not be messed with sandbox escape.

Except for the above, it is a nice video. :)
You are also right that Comodo could improve protection by auto-containing Unrecognized DLLs loaded by Trusted EXE files (like in Windows Smart App Control). However, this would require many additional resources. The bigger vendors like Microsoft, Avast, etc. did not do it either.
It's the same PoC but with changes to the DLL and the EXE. CIS containment did not contain it, nor detect anything. If it's the same PoC, it's the same problem. So they didn't solve anything. In fact, the new edition has some regressions, but that's not the subject of my testing, so I don't care.

Edit: from what Loyisa explained, it's the same technique but with changes in the DLL and the EXE, so there is no need to download anything and no need for the files to be in some specific place. Let's wait for the guy to talk a little more about it.
 

vitao

Level 3
Thread author
Mar 12, 2024
148
[Attachment: pocv3.jpg]

From the official Comodo forum, in the official topic, from a member of the Comodo team. Not me saying nonsense.
 

vitao

Level 3
Thread author
Mar 12, 2024
148
Yes and No. CIS did not encounter the full sample (initial sample + payload) but only the "currently unharmful" part of it (no payload).
Most AVs would detect such a sample as not harmful, as I presented in my previous post (sample with changed URL to non-existent payload):
https://malwaretips.com/threads/com...one-malware-not-contained.134116/post-1111332

You are wrong. The increasing number of detections is caused by borrowing detections from other AVs. Look at the detections in my previous post. The submitted sample is as malicious as your sample (no difference for AVs).

AVs do not fail while allowing silent connections to unknown servers. In this way, most AVs would also fail, as can be seen in the detection example from my previous post.

Yes, the sample should be detected as a trojan when full information about its history is known. CIS failed in some way, just as most AVs would fail in similar situations.

It is your video. I would keep the sample and use it to show that such incomplete samples can be problematic in tests (for any AV). With such samples, the AV detection result can depend on the moment when the sample was analyzed and not entirely on the AV capabilities.

Edit.
Still, I do not fully understand why Xcitium can detect by signature the sample with a modified URL, but your sample (which behaves in the same way) was considered Trusted by the Comodo analyst. It is possible that initially, Comodo could detect your sample as malicious too, and that detection would change to Trusted after Valkyrie analysis. :unsure:
I understand what you're saying, but it's hard to agree, as the sample has this from other vendors: VirusTotal

For now it's 45/72. It's a big "wrong detection" by many names. My argument just gains force. If it's a file that downloads something bad but isn't downloading anything anymore, and thus CIS does not detect it, why not detect the connection attempt? The file is there. You say that it's a file that tries to download something from some remote server, but can you provide the IP for it? Or where did you get this information?

Anyway, even if what you're saying is right, CIS should still block it or at least show some alert, as the file is supposed to try to connect to an unknown IP.

Edit: just for clarification. The test is to show a problem: a file that is malware, and CIS does not block nor detect it, as in every video showing this kind of thing with CIS. And to make a point, I show the results from VirusTotal and Valkyrie itself. It really doesn't matter that much what kind of malware it is or if the server is down or not. What matters the most for users is that CIS (and others) fail to prevent execution of malware classified by many as a trojan. And that's the point. But it's nice to hear your explanations, as I learn many good things and learn some things not so good about many.
 

Andy Ful

From Hard_Configurator Tools
Verified
Honorary Member
Top Poster
Developer
Well-known
Dec 23, 2014
8,681
It's the same PoC but with changes to the DLL and the EXE.

It is not at the initial phase. The first POC used an Unrecognized EXE (ComodoPocV2.exe) as the initial executable, which was contained and then escaped from the sandbox:
https://malwaretips.com/threads/com...obliterated-by-an-exploit.133341/post-1105469

The current POC used a benign Trusted EXE as the initial executable, which was not contained at all. Look at your video. Is there any sign of the POC's containment?

But OK. I already explained this a few times without any success. Maybe @Loyisa can explain it better. (y)
 

vitao

Level 3
Thread author
Mar 12, 2024
148
It is not at the initial phase. The first POC used an Unrecognized EXE (ComodoPocV2.exe) as the initial executable, which was contained and then escaped from the sandbox:
https://malwaretips.com/threads/com...obliterated-by-an-exploit.133341/post-1105469

The current POC used a benign Trusted EXE as the initial executable, which was not contained at all. Look at your video. Is there any sign of the POC's containment?

But OK. I already explained this a few times without any success. Maybe @Loyisa can explain it better. (y)
No. I understand that. It's just nothing new, as it's the same problem. It's a flaw. Get it?
 

Nikola Milanovic

Level 3
Verified
Oct 17, 2023
147
No, it's not, and the conversation is not done. Comodo can try to avoid this subject, but we, users, will not. Talk to Loyisa and ask him for the latest PoC. That is the one I'm running, and the latest CIS did nothing about it, with default config and with the configs recommended by cruelsister/Melih and Loyisa himself/herself.

Now I would like to ask: why the need for "ending the conversation" when the problem was not solved? What are you afraid of? o_O
The POC is fixed for the previous exploit, I said, so it means Xcitium fixed the exploit and that's it.
The conversation is ended here, right?
 

Andy Ful

From Hard_Configurator Tools
Verified
Honorary Member
Top Poster
Developer
Well-known
Dec 23, 2014
8,681
@vitao,

You are trying to overcomplicate simple things:
  1. You made a test that resulted in 1 incorrect Comodo detection.
  2. None of the tested samples infected the computer (100% protection).
So you proved that for Comodo:
Protection > Detection
It is nothing new (Melih has insisted on it for years).

You also did not contradict the (untrue) statement that Comodo provides perfect protection. :)
We can continue the discussion when you present another test.
 

vitao

Level 3
Thread author
Mar 12, 2024
148
The POC is fixed for the previous exploit, I said, so it means Xcitium fixed the exploit and that's it.
The conversation is ended here, right?
Ah. Sorry. Agreed. Maybe my English got in the way of understanding :p Anyway, the subject regarding the PoC v2, the one that evades the sandbox, is really ended. Now we need to talk about the PoC v3, the one that executes a ransomware and CIS does nothing...
 

vitao

Level 3
Thread author
Mar 12, 2024
148
@vitao,

You are trying to overcomplicate simple things:
  1. You made a test that resulted in 1 incorrect Comodo detection.
  2. None of the tested samples infected the computer (100% protection).
So you proved that for Comodo:
Protection > Detection
It is nothing new (Melih has insisted on it for years).

You also did not contradict the (untrue) statement that Comodo provides perfect protection. :)
We can continue the discussion when you present another test.
Not overcomplicating. Just showing that everyone marks this file as a trojan, even without the "second part of it". You can check the video showing CIS against the PoC, the v3, where everyone can see the file executing a ransomware and obliterating CIS. So, is this 100% protection? For me it seems not... :( But just to be clear: I'm doing these tests to show things that are not right, but I still continue to use CIS on my main machine, as I prefer the containment approach to any other AV with signatures.

Edit:
This ransomware:
 

vitao

Level 3
Thread author
Mar 12, 2024
148
One question, and I don't know where to ask this: why am I being moderated? All my comments need approval now.
 

Andy Ful

From Hard_Configurator Tools
Verified
Honorary Member
Top Poster
Developer
Well-known
Dec 23, 2014
8,681
@vitao,

Could you repeat your test with the below two settings unticked:

[Attached screenshot of the two settings: 1734435226808.png]


The attack in your video is based on Trusted files that can load Unrecognized DLLs. It would be interesting to check if those settings can force Comodo to Contain Unrecognized DLLs.
 
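As an added example (not code from this thread, from Comodo or from Xcitium): a PowerShell audit of the DLLs a running process has loaded, reporting the ones a reputation-based model like the one discussed above would treat as Unrecognized, i.e. without a valid Authenticode signature or loaded from a directory a standard user can write to. The process name and the list of user-writable roots are assumptions you adjust for your own machine.

```powershell
# Added example, not code from the thread or from Comodo/Xcitium.
# Audits the DLLs loaded by a running process and reports the ones a
# reputation-based model would treat as Unrecognized: no valid Authenticode
# signature, or loaded from a path a standard user can write to.
param(
    [Parameter(Mandatory = $true)]
    [string]$ProcessName   # assumption: process name without ".exe", e.g. "notepad"
)

# Constructed list of user-writable roots; adjust to your environment.
$userWritableRoots = @($env:TEMP, $env:APPDATA, $env:LOCALAPPDATA, "$env:USERPROFILE\Downloads")

function Test-UserWritablePath {
    param([string]$Path)
    foreach ($root in $userWritableRoots) {
        if ($root -and $Path.StartsWith($root, [System.StringComparison]::OrdinalIgnoreCase)) {
            return $true
        }
    }
    return $false
}

$findings = foreach ($proc in (Get-Process -Name $ProcessName -ErrorAction Stop)) {
    try {
        $modules = $proc.Modules   # fails for protected processes or a 32/64-bit mismatch
    } catch {
        Write-Warning "Cannot enumerate modules of PID $($proc.Id): $_"
        continue
    }
    foreach ($m in $modules) {
        # Get-AuthenticodeSignature also honours catalog signatures on current Windows versions
        $sig = Get-AuthenticodeSignature -FilePath $m.FileName
        $inUserPath = Test-UserWritablePath -Path $m.FileName
        if ($sig.Status -ne 'Valid' -or $inUserPath) {
            [pscustomobject]@{
                Process      = $proc.ProcessName
                PID          = $proc.Id
                Module       = $m.ModuleName
                Path         = $m.FileName
                Signature    = $sig.Status
                Signer       = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '' }
                UserWritable = $inUserPath
            }
        }
    }
}

if ($findings) { $findings | Format-Table -AutoSize } else { "No unrecognized DLLs found in $ProcessName." }
```

Run it from an elevated prompt to see the modules of elevated processes; a DLL listed as NotSigned under a user-writable path is exactly the case a containment rule for Unrecognized DLLs would have to catch.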

vitao

Level 3
Thread author
Mar 12, 2024
148
@vitao,

Could you repeat your test with the below two settings unticked:

[Attached screenshot of the two settings]

The attack in your video is based on Trusted files that can load Unrecognized DLLs. It would be interesting to check if those settings can force Comodo to Contain Unrecognized DLLs.
Sure. I'll do it as soon as possible (I guess in about 40 to 50 minutes) and bring the result here.
 

vitao

Level 3
Thread author
Mar 12, 2024
148
Sure. I'll do it as soon as possible (I guess in about 40 to 50 minutes) and bring the result here.
Wait. What video? The one with the malware or the other with the PoC v4? And with default config changing only the settings you mentioned, or with Proactive mode with Restricted in the sandbox?

Never mind. As my comments are moderated, it takes time to be approved, and I don't have that much time, so I installed CIS with its default config and changed only the options you asked.

Here is the video testing CIS with these changes against the malware and against the PoC v4 (the one with the ransomware):

After watching, advise me so I can delete the video from my drive. If anyone wants, you can download and share it anywhere.
 

Andy Ful

From Hard_Configurator Tools
Verified
Honorary Member
Top Poster
Developer
Well-known
Dec 23, 2014
8,681
Here is the video testing CIS with these changes against the malware and against the PoC v4 (the one with the ransomware):

Thanks.
By the way, you also confirmed the CIS bug I posted about some time ago. After unticking the option "Trust applications signed by trusted vendors" the CIS GUI is not available.
 

vitao

Level 3
Thread author
Mar 12, 2024
148
Thanks.
By the way, you also confirmed the CIS bug I posted about some time ago. After unticking the option "Trust applications signed by trusted vendors" the CIS GUI is not available.
Yep. I saw this but never had a chance to test it (never had interest :p). And it's a strange bug. Anyway, will the tests conducted do? As the CIS GUI was not loading, I don't know if it was really protecting the system (I guess it was, but... who knows, it's Comodo, right?)
 

Andy Ful

From Hard_Configurator Tools
Verified
Honorary Member
Top Poster
Developer
Well-known
Dec 23, 2014
8,681
Yep. I saw this but never had a chance to test it (never had interest :p). And it's a strange bug. Anyway, will the tests conducted do? As the CIS GUI was not loading, I don't know if it was really protecting the system (I guess it was, but... who knows, it's Comodo, right?)

I am not sure if anyone reported it to Comodo.
 