Serious Discussion Comodo Internet Security 2025 was obliterated by an exploit!

Andy Ful

Andy Ful

From Hard_Configurator Tools
Verified
Honorary Member
Top Poster
Developer
Well-known
Dec 23, 2014
8,471
Although Comodo can be bypassed in targeted attacks even with auto-containment set to block, it is still an efficient additional protection against commodity malware that can affect home users. Similar issues (DLL hijacking) can be found for example in Avast's CyberCapture, some Microsoft ASR rules, and other 0-day malware protections focused on EXE files and monitoring child processes.
Anyway, the users should remember that:
  • auto-containment cannot solve all protection problems,
  • running malware with high privileges can destroy AV protection.
 
Last edited:
  • Like
  • +Reputation
Reactions: simmerskool, Behold Eck, ErzCrz and 2 others
vitao

vitao

Level 1
Thread author
Mar 12, 2024
32
Andy Ful said:
Although Comodo can be bypassed in targeted attacks even with auto-containment set to block, it is still an efficient additional protection against commodity malware that can affect home users. Similar issues (DLL hijacking) can be found for example in Avast's CyberCapture, some Microsoft ASR rules, and other 0-day malware protections focused on EXE files and monitoring child processes.
Anyway, the users should remember that:
  • auto-containment cannot solve all protection problems,
  • running malware with high privileges can destroy AV protection.
Click to expand...
so what would be your suggestions for a better protection, independent of the av someone installs?
 
  • Like
Reactions: Andy Ful and Gandalf_The_Grey
Andy Ful

Andy Ful

From Hard_Configurator Tools
Verified
Honorary Member
Top Poster
Developer
Well-known
Dec 23, 2014
8,471
vitao said:
so what would be your suggestions for a better protection, independent of the av someone installs?
Click to expand...

"A better protection" can be understood in many ways. People have different preferences about usability and protection levels. Different safeguards are needed for children than for adults. Different protection can be managed by the "home administrator" rather than by the average user. A happy clicker needs more protection than a cautious user.
The user can consider (among others):
  • doing daily work on the Standard User Account (SUA) and avoiding process elevation from SUA,
  • using Windows 11 (vulnerable driver protection independent of other Core isolation settings),
  • tweaking slightly the AV and web browser features but without losing much of usability (this can vary among users),
  • hardening the document viewer/editor.
Of course, some safe habits are welcome too. Furthermore, learning how to avoid malware is much more effective than complicating protection.
Security-oriented users can apply additional security layers if needed.
The danger comes from believing that the protection applied can protect us against risky or stupid actions. Such a belief usually leads to overkill, so users tend to bypass the "perfect" security in the worst moments.
 
Last edited:
  • Like
  • +Reputation
Reactions: gonza, brambedkar59, micasayyo and 4 others
L

Loyisa

Level 1
Aug 8, 2024
17
Andy Ful said:
"A better protection" can be understood in many ways. People have different preferences about usability and protection levels. Different safeguards are needed for children than for adults. Different protection can be managed by the "home administrator" rather than by the average user. A happy clicker needs more protection than a cautious user.
The user can consider (among others):
  • doing daily work on the Standard User Account (SUA) and avoiding process elevation from SUA,
  • using Windows 11 (vulnerable driver protection independent of other Core isolation settings),
  • tweaking slightly the AV and web browser features but without losing much of usability (this can vary among users),
  • hardening the document viewer/editor.
Of course, some safe habits are welcome too. Furthermore, learning how to avoid malware is much more effective than complicating protection.
Security-oriented users can apply additional security layers if needed.
The danger comes from believing that the protection applied can protect us against risky or stupid actions. Such a belief usually leads to overkill, so users tend to bypass the "perfect" security in the worst moments.
Click to expand...
Introducing Comodo Sandbox Escape with Ransomware...
comodooaaa.gif
 
  • Like
Reactions: brambedkar59, harlan4096, roger_m and 1 other person
vitao

vitao

Level 1
Thread author
Mar 12, 2024
32
another update: Xcitium EDR Client Security was OBLITERATED too...

the full video will be published and the link will be here soon...
 
Andy Ful

Andy Ful

From Hard_Configurator Tools
Verified
Honorary Member
Top Poster
Developer
Well-known
Dec 23, 2014
8,471
Loyisa said:
Just thinking, if someone actually exploited this vulnerability to drop ransomware using DLL hijacking...
Click to expand...
Does the simplified attack work?

archive with payloads ----> archive unpacked ---> the benign application executed as Administrator ---> DLL hijacking .....

It is possible as a ClickFix attack (method used recently in the wild). Such an attack is very simple (no exploit) and should not trigger containment. Furthermore, a similar method can be dangerous also for other AVs.(y)
 
Last edited:
  • Like
Reactions: Vitali Ortzi
L

Loyisa

Level 1
Aug 8, 2024
17
Andy Ful said:
Does the simplified attack work?

archive with payloads ----> archive unpacked ---> the benign application executed as Administrator ---> DLL hijacking .....

It is possible as a ClickFix attack (method used recently in the wild). Such an attack is very simple (no exploit) and should not trigger containment. Furthermore, a similar method can be dangerous also for other AVs.(y)
Click to expand...
Yes! In fact, LummaStealer(in the wild too) also does this
QQ20241030-210423.png

Setup.exe - a trusted file with a valid digital signature
SdAppServices_x64.dll – Malicious DLL, Shellcode Loader
lmemets, yajfl - encrypted Shellcode
 
  • Like
Reactions: Andy Ful
Andy Ful

Andy Ful

From Hard_Configurator Tools
Verified
Honorary Member
Top Poster
Developer
Well-known
Dec 23, 2014
8,471
Loyisa said:
Yes! In fact, LummaStealer(in the wild too) also does this
View attachment 286040
Setup.exe - a trusted file with a valid digital signature
SdAppServices_x64.dll – Malicious DLL, Shellcode Loader
lmemets, yajfl - encrypted Shellcode
Click to expand...

I had in mind if you tried to kill Comodo in that way instead of bypassing the sandbox.:)(y)
I assume that the benign application in your test does not ask for elevation so you used bypass to to elevate in the sandbox and create the service. Next, the service could run DLL hijacking with high privileges. I think that the same can be done without the containment bypass just by running the benign application with admin rights (via "Run as administrator") to apply DLL hijacking and run TDSSKiller. But I am not sure if anyone tried this against Comodo.
 
Last edited:
  • Like
Reactions: Loyisa and Vitali Ortzi
vitao

vitao

Level 1
Thread author
Mar 12, 2024
32
i saw some lumma being blocked by cis in some tests of mine. do you guys have any sample or any file of your own so i can test it against cis?

btw xcitium banned me from their forum and removed all topics about cis/xcitium exploit. :(
 
  • Wow
Reactions: Jonny Quest
rashmi

rashmi

Level 11
Jan 15, 2024
538
vitao said:
i saw some lumma being blocked by cis in some tests of mine. do you guys have any sample or any file of your own so i can test it against cis?

btw xcitium banned me from their forum and removed all topics about cis/xcitium exploit. :(
Click to expand...
Can you test the POCs in Comodo Virtual Desktop?
 
bazang

bazang

Level 6
Jul 3, 2024
270
Vitali Ortzi said:
They falsely market it
Click to expand...
Comodo does not market CIS\CFW. Please do not provide a link to a URL because that is not marketing.

Vitali Ortzi said:
They avoid fixing issues
Click to expand...
Because the software has $0 revenue and therefore nobody in their right mind would ever spend a lot on fixing issues. CIS\CFW is in perpetual maintenance or out-of-date. And that is fine because it generates $0 revenue. There are no dedicated Comodo staff to support, bug fix, or further develop it. Melih gets his programmers to look at it once every three or four years. This is fine.

It is freeware. You accept what Comodo gives you and if you cannot, Melih wants you to go use something else. He is so happy to see you go use something else. He does not want you using his product.
 

Similar threads

vitao
    • Like
    • Applause
    • +Reputation
Comodo Internet Security Exploit has been updated and is now even more complicated + Explanations by the dev
Replies
13
Views
494
Comodo
Andy Ful
Andy Ful
vitao
    • Like
    • Wow
Kaspersky Antivirus PROTECTED Comodo from an EXPLOIT!
Replies
9
Views
557
Comodo
Andy Ful
Andy Ful
rashmi
    • Like
New Update New Version 12.3.3.8152 Available for Comodo Internet Security 2025
Replies
4
Views
285
Comodo
cartaphilus
cartaphilus

About us

  • MalwareTips is a community-driven platform providing the latest information and resources on malware and cyber threats. Our team of experienced professionals and passionate volunteers work to keep the internet safe and secure. We provide accurate, up-to-date information and strive to build a strong and supportive community dedicated to cybersecurity.

Quick Navigation

Forum Rules Warning System Welcome Guide Two-factor Authentication

User Menu

Login

Follow us

Follow us on Facebook or Twitter to know first about the latest cybersecurity incidents and malware threats.

Top