Hot Take: Comodo Internet Security 2025 was obliterated by an exploit!

Yes and No. CIS did not encounter the full sample (initial sample + payload) but only the "currently unharmful" part of it (no payload).
Most AVs would detect such a sample as not harmful, as I showed in my previous post (a sample with the URL changed to a non-existent payload):
https://malwaretips.com/threads/com...one-malware-not-contained.134116/post-1111332
You are wrong. The increasing number of detections is caused by borrowing detections from other AVs. Look at the detections in my previous post. The submitted sample is as malicious as your sample (no difference for AVs).



AVs do not fail while allowing silent connections to unknown servers. In this way, most AVs would also fail as can be seen in the detection example from my previous post.



Yes, the sample should be detected as a trojan when full information about its history is known. CIS failed in some way, just as most AVs would fail in similar situations.



It is your video. I would keep the sample and use it to show that such incomplete samples can be problematic in tests (for any AV). With such samples, the AV detection result can depend on the moment when the sample was analyzed and not entirely on the AV capabilities.

Edit.
Still, I do not fully understand why Xcitium can detect by signature the sample with a modified URL, but your sample (which behaves in the same way) was considered Trusted by the Comodo analyst. It is possible that initially, Comodo could detect your sample as malicious too, and that detection would change to Trusted after Valkyrie analysis. :unsure:
I understand what you're saying, but it's hard to agree, as the sample has this from other vendors: VirusTotal

For now it's 45/72. It's a big "wrong detection" by many names. My argument just gains force. If it's a file that downloads something bad but it's not downloading anything anymore, thus CIS does not detect it, then why not detect the connection attempt? The file is there. You say that it's a file that tries to download something from some remote server, but can you provide the IP for it? Or where did you get this information?

Anyway, even if what you're saying is right, CIS should still block it or at least show some alert, as the file is supposed to try to connect to an unknown IP.

Edit: just for clarification. The test is to show a problem: a file that is malware and CIS does not block nor detect it, as in every video showing this kind of thing with CIS. And to make the point I show the results from VirusTotal and Valkyrie itself. It really doesn't matter that much what kind of malware it is or whether the server is down or not. What matters the most for users is that CIS (and others) fail to prevent execution of malware classified by many as a trojan. And that's the point. But it's nice to hear your explanations, as I learn many good things and learn some things not so good about many.
 
It's the same POC but with changes to the DLL and the EXE.

It is not at the initial phase. The first POC used an Unrecognized EXE (ComodoPocV2.exe) as the initial executable, which was contained and then escaped from the sandbox:
https://malwaretips.com/threads/com...obliterated-by-an-exploit.133341/post-1105469

The current POC used a benign Trusted EXE as the initial executable, which was not contained at all. Look at your video. Is there any sign of the POC's containment?

But OK. I already explained this a few times without any success. Maybe @Loyisa can explain it better. (y)
 
No. I understand that. It's just nothing new, as it's the same problem. It's a flaw. Get it?
 
No, it's not, and the conversation is not done. Comodo can try to avoid this subject, but we, users, will not. Talk to Loyisa and ask him for the latest POC. That is the one I'm running, and the latest CIS did nothing about it. With the default config and with the configs recommended by cruelsister/Melih and Loyisa himself/herself.

Now I would like to ask: why the need for "ending the conversation" when the problem was not solved? What are you afraid of? o_O
The POC is fixed for the previous exploit, as I said, so it means Xcitium fixed the exploit and that's it.
The conversation is ended here, right?
 
@vitao,

You are trying to overcomplicate simple things:
  1. You made a test that resulted in 1 incorrect Comodo detection.
  2. None of the tested samples infected the computer (100% protection).
So you proved that for Comodo:
Protection > Detection
It is nothing new (Melih has insisted on it for years).

You also did not contradict the (untrue) statement that Comodo provides perfect protection. :)
We can continue the discussion when you present another test.
 
Ah, sorry. Agreed. Maybe my English was somewhere in between understanding :p Anyway, the subject regarding the POC v2, the one which evades the sandbox, is really ended. Now we need to talk about the POC v3, the one which executes a ransomware and CIS does nothing...
 
Not overcomplicating. Just showing that everyone marks this file as a trojan, even without the "second part of it". You can check the video showing CIS against the POC, the v3, where everyone can see the file executing a ransomware and obliterating CIS. So, is this 100% protection? For me it seems not... :( But just to be clear: I'm doing these tests to show things that are not right, but I still continue to use CIS on my main machine, as I prefer the containment approach to any other AV with signatures.

Edit:
this ransomware:
 
One question, and I don't know where to ask this: why am I being moderated? All my comments need approval now.
 
@vitao,

Could you repeat your test with the two settings below unticked:

[screenshot attachment of the two CIS settings]


The attack in your video is based on Trusted files that can load Unrecognized DLLs. It would be interesting to check whether those settings can force Comodo to contain Unrecognized DLLs.
 
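The post above describes the mechanism at issue: a Trusted, signed EXE loading an Unrecognized DLL, so that the parent's reputation is effectively extended to a module that nobody vetted. The following is an added example, not code from the thread or from Comodo, of how a tester can see that for themselves before relying on any AV verdict: it enumerates the modules a running process has loaded and reports the Authenticode status of each one. The process name is a parameter; nothing here is specific to the POC, and no Comodo API is involved.

```powershell
# Added example (not from the thread): list the DLLs a running process has loaded and
# report the Authenticode status of each, so that an unsigned or untrusted-signer module
# inside a signed, Trusted EXE stands out. Run from an elevated prompt to read module
# lists of processes you do not own.
param(
    [Parameter(Mandatory = $true)]
    [string]$ProcessName          # e.g. the name of the POC's initial EXE (assumed input)
)

$procs = Get-Process -Name $ProcessName -ErrorAction Stop

foreach ($p in $procs) {
    # Signer of the parent executable itself. A Valid status here is exactly what gives
    # the EXE its Trusted rating; it says nothing about what the EXE loads afterwards.
    $exeSig = Get-AuthenticodeSignature -FilePath $p.Path
    "{0} (PID {1}) exe signer: {2} [{3}]" -f $p.Name, $p.Id,
        $exeSig.SignerCertificate.Subject, $exeSig.Status

    # Every loaded module, checked independently of the parent. Status values are
    # Valid, NotSigned, HashMismatch, NotTrusted, UnknownError, etc.
    foreach ($m in $p.Modules) {
        $sig  = Get-AuthenticodeSignature -FilePath $m.FileName
        $flag = if ($sig.Status -ne 'Valid') { '!!' } else { '  ' }
        $who  = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '(no signer)' }
        "  {0} {1,-12} {2}  {3}" -f $flag, $sig.Status, $m.FileName, $who
    }
}
```

Two caveats for reading the output: many Windows system DLLs are catalog-signed rather than embedded-signed, so on older PowerShell builds they can show as NotSigned even though they are genuine; and a Valid signature only proves who signed the file, not that the signer is one you would want on the Vendor List. Treat a `!!` line inside an otherwise Trusted process as the lead to investigate, which is the case the post above is asking to have retested.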
Sure. I'll do it as soon as possible (I guess in about 40 to 50 minutes) and bring the result here.
 
Wait. What video? The one with the malware or the other with the POC v4? And with the default config changing only these you mentioned, or with Proactive mode with restricted in sandbox?

Nvm. As my comments are moderated it takes time for them to be approved, and I don't have that much time, so I installed CIS with its default config and changed only the options you asked for.

Here is the video testing CIS with these changes against the malware and against the POC v4 (the one with the ransomware):

After watching, advise me so I can delete the video from my drive. If anyone wants, you can download it and share it anywhere.
 

Thanks.
By the way, you also confirmed the CIS bug I posted about some time ago. After unticking the option "Trust applications signed by trusted vendors" the CIS GUI is not available.
 
Yep. I saw this but never had a chance to test it (never had interest :P ). And it's a strange bug. Anyway, will the tests conducted do? As the CIS GUI was not loading, I don't know if it was really protecting the system (I guess it was but... who knows, it's Comodo, right?)
 

I am not sure if anyone reported it to Comodo.
 
If you are using a signed PoC, search the "Vendor List" for the vendor. Also, check "HIPS Events" in Logs for the Cloud verdict. Based on this, you can disable features and retest.
 