Serious Discussion Comodo Internet Security 2025 was obliterated by an exploit!

vitao

vitao

Level 1
Thread author
Mar 12, 2024
32
This video demonstrates how an exploit was able to obliterate Comodo Internet Security 2025's AutoContainment, completely rendering all layers of protection of this free security suite, which is well-known for its virtualization technology, useless.

Check this out:

The video has subtitles in 10 languages, including english, so anybody can watch and understand.
 
  • Like
  • +Reputation
  • Wow
Reactions: brambedkar59, [correlate], Behold Eck and 5 others
Brahman

Brahman

Level 18
Verified
Top Poster
Well-known
Aug 22, 2013
883
vitao said:
This video demonstrates how an exploit was able to obliterate Comodo Internet Security 2025's AutoContainment, completely rendering all layers of protection of this free security suite, which is well-known for its virtualization technology, useless.

Check this out:

The video has subtitles in 10 languages, including english, so anybody can watch and understand.
Click to expand...

This is nothing new. See this App Review - The Comodo's challenge.
 
  • Like
Reactions: [correlate], Behold Eck, Shadowra and 2 others
rashmi

rashmi

Level 11
Jan 15, 2024
538
vitao said:
This video demonstrates how an exploit was able to obliterate Comodo Internet Security 2025's AutoContainment, completely rendering all layers of protection of this free security suite, which is well-known for its virtualization technology, useless.
Click to expand...
My Comodo setup will obliterate this exploit, as I use "block" for unrecognized files and elevated prompts. 😛

We have malware files interacting with the actual system, a running process, and Comodo's cmdagent in quarantine, correct? I wonder if the current Comodo certificate issue plays some part in this, as cmdagent is in quarantine.

You tested on Windows 10. Possible for you to test again? You can test and just provide the outcome here; no need for video.
1. Use Comodo's previous version, not 2025. I guess it has a valid certificate, right?
2. If Comodo treats a VM file as unrecognized, mark it as "trusted" in file rating, not "ignore" in containment.
3. Also disable the containment setting: "Enable automatic startup for services installed in the container."
 
  • Like
Reactions: simmerskool
Brahman

Brahman

Level 18
Verified
Top Poster
Well-known
Aug 22, 2013
883
Loyisa said:
In that thread, it was done through a lnk file, but this time it was done directly by running the exe file and get contained by Comodo , which is different.
Click to expand...
An LNK file is a Windows shortcut, which points to and is used to open another file, folder, or application. It contains information about the object to which it points, including the object's type, location, and filename. How do you know that the lnk file was not pointing to an exe file?. Andy would be the best person to explain this. But as far as I know, no av is immune to this kind of attack, even the big K is susceptible.
 
Last edited:
  • Like
Reactions: Behold Eck and simmerskool
L

Loyisa

Level 1
Aug 8, 2024
17
Brahman said:
An LNK file is a Windows shortcut, which points to and is used to open another file, folder, or application. It contains information about the object to which it points, including the object's type, location, and filename. How do you know that the lnk file was not pointing to an exe file?
Click to expand...
In that thread, the lnk file was used to execute cmd commands
Screenshot_20241022_142646.jpg
And Comodo's script analysis does not check lnk files. I have reported this problem.
forums.comodo.com

LNK Files Bypass All Protections in Comodo(default proactive config)

Hi, I have some sample LNK files, but CIS doesn’t automatically contain them, and HIPS isn’t effective either. In the Windows properties target, it appears to be just a .cmd command, but there are actually numerous spaces added to exceed the display limit, making it look deceptive. In the...
forums.comodo.com forums.comodo.com
QQ20240928-181944.png
 
  • Like
  • Sad
Reactions: kylprq and simmerskool
Andy Ful

Andy Ful

From Hard_Configurator Tools
Verified
Honorary Member
Top Poster
Developer
Well-known
Dec 23, 2014
8,472
vitao said:
This video demonstrates how an exploit was able to obliterate Comodo Internet Security 2025's AutoContainment, completely rendering all layers of protection of this free security suite, which is well-known for its virtualization technology, useless.
Click to expand...

The attack method has been known in the wild for a few years:
cybersecuritynews.com

New RansomHub Attack Killing Kaspersky’s TDSSKiller To Disable EDR

TDSSKiller is a free utility developed by Kaspersky Lab that is designed to detect and remove rootkits, a type of malware that can hide the
cybersecuritynews.com cybersecuritynews.com
www.threatdown.com

New RansomHub attack uses TDSSKiller and LaZagne, disables EDR - ThreatDown by Malwarebytes

The attack signals a new shift in RansomHub’s arsenal of tools.
www.threatdown.com www.threatdown.com

It is different from the Comodo Challenge:
malwaretips.com

App Review - The Comodo's challenge.

Can Comodo's Auto-Containment be bypassed?
malwaretips.com malwaretips.com
malwaretips.com

App Review - Comodo's challenge part 2.

Comodo HIPS can be a strong protection, but such strong protection layers are hardly tolerated by the OS in Windows 11 , and sometimes even in Windows 10.
malwaretips.com malwaretips.com
 
Last edited:
  • Like
  • Applause
  • Thanks
Reactions: Behold Eck, rashmi, vitao and 3 others
vitao

vitao

Level 1
Thread author
Mar 12, 2024
32
and so far no word from comodo, and no bugfix for it... hell. even the cert issue is taking so long to be solved (almost 2 months now) :p

regardless the exploit. according to the dev, if i test it with the setup i did on my video about cis + kav against 100 malwares, kav would block this attack from defeating cis. this will be tested and if its true a wild video will appears...
 
  • Like
Reactions: roger_m
vitao

vitao

Level 1
Thread author
Mar 12, 2024
32
rashmi said:
My Comodo setup will obliterate this exploit, as I use "block" for unrecognized files and elevated prompts. 😛

We have malware files interacting with the actual system, a running process, and Comodo's cmdagent in quarantine, correct? I wonder if the current Comodo certificate issue plays some part in this, as cmdagent is in quarantine.

You tested on Windows 10. Possible for you to test again? You can test and just provide the outcome here; no need for video.
1. Use Comodo's previous version, not 2025. I guess it has a valid certificate, right?
2. If Comodo treats a VM file as unrecognized, mark it as "trusted" in file rating, not "ignore" in containment.
3. Also disable the containment setting: "Enable automatic startup for services installed in the container."
Click to expand...
@Loyisa do you know any config in cis that could possibly "block" the exploit? Im no having any luck (and im trying)
 
vitao

vitao

Level 1
Thread author
Mar 12, 2024
32
rashmi said:
Yes, the block setting should stop the execution/continuation (elevated prompt) of the sample.
Click to expand...
but the idea is not to force block as comodo blocks by user interation when it comes to unknow files, so the file must be allowed by hips, por example, so the containment can act. im trying to find a way (if there is) to make the containment deal with this kind of situation for any kind of file. is that possible?
 
  • Wow
Reactions: kylprq
simmerskool

simmerskool

Level 36
Verified
Top Poster
Well-known
Apr 16, 2017
2,572
vitao said:
but the idea is not to force block as comodo blocks by user interation when it comes to unknow files, so the file must be allowed by hips, por example, so the containment can act. im trying to find a way (if there is) to make the containment deal with this kind of situation for any kind of file. is that possible?
Click to expand...
cruelsister config has HIPS disabled IIRC...
 
vitao

vitao

Level 1
Thread author
Mar 12, 2024
32
did some more testings and there is no way cis can block it by auto-containment. its an exploit and comodo is aware of it for atleast a year or 2. now the problem with revoked certificate. i saw cruelsister taking the attention to other matters instead of this exploitation, some other trying to ignore the fact its a problem and comodo just dont care to solve (or doesnt has the man power to do so or the knowledge maybe?).

i really dont know what more to think of it.

not that this can make me stop using cis or whatever, but still.. right? or am i getting a little crazy here?
 
rashmi

rashmi

Level 11
Jan 15, 2024
538
vitao said:
did some more testings and there is no way cis can block it by auto-containment. its an exploit and comodo is aware of it for atleast a year or 2. now the problem with revoked certificate. i saw cruelsister taking the attention to other matters instead of this exploitation, some other trying to ignore the fact its a problem and comodo just dont care to solve (or doesnt has the man power to do so or the knowledge maybe?).

i really dont know what more to think of it.

not that this can make me stop using cis or whatever, but still.. right? or am i getting a little crazy here?
Click to expand...
It's most likely a containment bug, so it's pointless to continue testing. Consider posting your test on Comodo forums for feedback.

I share your opinion that "Comodo is not suitable for everyone." Here's mine: "Containment serves for evaluation, not protection."

Comodo initially offered "Partially Limited" and "Limited" containment/restriction levels as protection features. The levels would restrict the rights of unknown applications on the system. Comodo's introduction of additional levels brought about changes in its functioning. They implemented "full virtualization" for running unknown applications. Containment is more of an evaluation feature now since users can't use or save their work with contained/restricted applications as they could previously. With the capability to run most applications, "Run Virtually" enables knowledgeable users to evaluate unknown apps. "Block" prevents unknown applications from running or causing harm. "Restriction Level" is nothing more than a "security display."

From my point of view, any setup that suggests "Restriction Level" for protection is merely a display of security. Why? Most users do not evaluate contained applications, so tightening the feature suggestion is unnecessary. When users encounter a containment alert or a green-bordered application, they typically close it and resume their work. "Block" is the ideal solution for these users, providing both protection and usability.
 
  • +Reputation
Reactions: ErzCrz
Behold Eck

Behold Eck

Level 18
Verified
Top Poster
Well-known
Jun 22, 2014
864
vitao said:
@Loyisa do you know any config in cis that could possibly "block" the exploit? Im no having any luck (and im trying)
Click to expand...
Why not try a pure HIPS test with the different settings, "safe mode" to "paranoid mode" to see if there are any alerts to block the exploit?

Regards Eck:)
 
  • Like
Reactions: simmerskool

Similar threads

vitao
    • Like
    • Applause
    • +Reputation
Comodo Internet Security Exploit has been updated and is now even more complicated + Explanations by the dev
Replies
13
Views
498
Comodo
Andy Ful
Andy Ful
vitao
    • Like
    • Wow
Kaspersky Antivirus PROTECTED Comodo from an EXPLOIT!
Replies
9
Views
558
Comodo
Andy Ful
Andy Ful
rashmi
    • Like
New Update New Version 12.3.3.8152 Available for Comodo Internet Security 2025
Replies
4
Views
287
Comodo
cartaphilus
cartaphilus

About us

  • MalwareTips is a community-driven platform providing the latest information and resources on malware and cyber threats. Our team of experienced professionals and passionate volunteers work to keep the internet safe and secure. We provide accurate, up-to-date information and strive to build a strong and supportive community dedicated to cybersecurity.

Quick Navigation

Forum Rules Warning System Welcome Guide Two-factor Authentication

User Menu

Login

Follow us

Follow us on Facebook or Twitter to know first about the latest cybersecurity incidents and malware threats.

Top