Serious Discussion Comodo Internet Security 2025 was obliterated by an exploit!

Andy Ful

From Hard_Configurator Tools
Verified
Honorary Member
Top Poster
Developer
Well-known
Dec 23, 2014
8,513
Although Comodo can be bypassed in targeted attacks even with auto-containment set to block, it is still an efficient additional protection against commodity malware that can affect home users. Similar issues (DLL hijacking) can be found for example in Avast's CyberCapture, some Microsoft ASR rules, and other 0-day malware protections focused on EXE files and monitoring child processes.
Anyway, users should remember that:
  • auto-containment cannot solve all protection problems,
  • running malware with high privileges can destroy AV protection.
 

vitao

Level 2
Thread author
Mar 12, 2024
64
Although Comodo can be bypassed in targeted attacks even with auto-containment set to block, it is still an efficient additional protection against commodity malware that can affect home users. Similar issues (DLL hijacking) can be found for example in Avast's CyberCapture, some Microsoft ASR rules, and other 0-day malware protections focused on EXE files and monitoring child processes.
Anyway, users should remember that:
  • auto-containment cannot solve all protection problems,
  • running malware with high privileges can destroy AV protection.
So what would be your suggestions for "a better protection", independent of the AV someone installs?
 

Andy Ful

From Hard_Configurator Tools
Verified
Honorary Member
Top Poster
Developer
Well-known
Dec 23, 2014
8,513
So what would be your suggestions for "a better protection", independent of the AV someone installs?

"A better protection" can be understood in many ways. People have different preferences about usability and protection levels. Different safeguards are needed for children than for adults. Different protection can be managed by the "home administrator" rather than by the average user. A happy clicker needs more protection than a cautious user.
The user can consider (among others):
  • doing daily work on the Standard User Account (SUA) and avoiding process elevation from SUA,
  • using Windows 11 (vulnerable driver protection independent of other Core isolation settings),
  • tweaking slightly the AV and web browser features but without losing much of usability (this can vary among users),
  • hardening the document viewer/editor.
Of course, some safe habits are welcome too. Furthermore, learning how to avoid malware is much more effective than complicating protection.
Security-oriented users can apply additional security layers if needed.
The danger comes from believing that the protection applied can protect us against risky or stupid actions. Such a belief usually leads to overkill, so users tend to bypass the "perfect" security in the worst moments.
 
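The first two items on Andy Ful's list (daily work from a Standard User Account, and Windows 11 with its vulnerable driver blocklist) can be checked on the machine in question. The script below is an added example, not code from this thread or from Hard_Configurator; it assumes Windows PowerShell 5.1 or later, and the registry location of the blocklist switch and the build numbers in the comments are my recollection of Microsoft's documentation, so verify them against it before relying on the output.

```powershell
# Added example (not from this thread or from Hard_Configurator): audit two of the
# hardening points discussed above. Assumes Windows PowerShell 5.1+ on Windows 10/11.

function Get-AccountPosture {
    $id = [Security.Principal.WindowsIdentity]::GetCurrent()
    $principal = New-Object Security.Principal.WindowsPrincipal($id)
    # True only when this process already runs with a full administrator token.
    $elevated = $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)
    # Direct membership of the local Administrators group, compared by SID so that
    # Microsoft-account users are matched correctly; nested group membership is not resolved.
    $isAdminAccount = [bool](Get-LocalGroupMember -Group 'Administrators' -ErrorAction SilentlyContinue |
        Where-Object { $_.SID.Value -eq $id.User.Value })
    [pscustomobject]@{
        User           = $id.Name
        ElevatedNow    = $elevated
        AdminAccount   = $isAdminAccount
        Recommendation = if ($isAdminAccount) { 'Do daily work from a Standard User Account (SUA)' } else { 'OK: standard user' }
    }
}

function Get-DriverBlocklistPosture {
    $os    = Get-CimInstance -ClassName Win32_OperatingSystem
    $build = [int]$os.BuildNumber
    # Assumed location of the "Microsoft Vulnerable Driver Blocklist" switch (per Microsoft docs as I recall them).
    $key   = 'HKLM:\SYSTEM\CurrentControlSet\Control\CI\Config'
    $item  = Get-ItemProperty -Path $key -Name VulnerableDriverBlocklistEnable -ErrorAction SilentlyContinue
    $value = if ($item) { $item.VulnerableDriverBlocklistEnable } else { $null }
    [pscustomobject]@{
        Windows        = $os.Caption
        Build          = $build
        IsWindows11    = ($build -ge 22000)          # 22000 = first Windows 11 build (assumption)
        BlocklistValue = if ($null -eq $value) { '(not set: OS default applies)' } else { $value }
        Note           = if ($build -ge 22621) { 'Windows 11 22H2+ enables the blocklist by default (assumption)' }
                         else { 'Older build: blocklist depends on Core isolation / memory integrity settings' }
    }
}

Get-AccountPosture | Format-List
Get-DriverBlocklistPosture | Format-List
```

Run it from a normal (non-elevated) console; "ElevatedNow = False" together with "AdminAccount = True" is exactly the split-token situation in which a "Run as administrator" prompt is one click away, which is what the SUA advice is meant to remove.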

Loyisa

Level 1
Aug 8, 2024
17
"A better protection" can be understood in many ways. People have different preferences about usability and protection levels. Different safeguards are needed for children than for adults. Different protection can be managed by the "home administrator" rather than by the average user. A happy clicker needs more protection than a cautious user.
The user can consider (among others):
  • doing daily work on the Standard User Account (SUA) and avoiding process elevation from SUA,
  • using Windows 11 (vulnerable driver protection independent of other Core isolation settings),
  • tweaking slightly the AV and web browser features but without losing much of usability (this can vary among users),
  • hardening the document viewer/editor.
Of course, some safe habits are welcome too. Furthermore, learning how to avoid malware is much more effective than complicating protection.
Security-oriented users can apply additional security layers if needed.
The danger comes from believing that the protection applied can protect us against risky or stupid actions. Such a belief usually leads to overkill, so users tend to bypass the "perfect" security in the worst moments.
Introducing Comodo Sandbox Escape with Ransomware...
[animated GIF attachment: comodooaaa.gif]
 

vitao

Level 2
Thread author
Mar 12, 2024
64
another update: Xcitium EDR Client Security was OBLITERATED too...

the full video will be published and the link will be here soon...
 

vitao

Level 2
Thread author
Mar 12, 2024
64
btw... a video showcasing the exploit downloading and running the Ransomware and CIS ignoring it:

Edit: I'm still going to work on subtitles for this video. Try the YT automatic subs for the moment...

added 10 subtitles..
 

Andy Ful

From Hard_Configurator Tools
Verified
Honorary Member
Top Poster
Developer
Well-known
Dec 23, 2014
8,513
Just thinking, if someone actually exploited this vulnerability to drop ransomware using DLL hijacking...
Does the simplified attack work?

archive with payloads ----> archive unpacked ---> the benign application executed as Administrator ---> DLL hijacking .....

It is possible as a ClickFix attack (method used recently in the wild). Such an attack is very simple (no exploit) and should not trigger containment. Furthermore, a similar method can be dangerous also for other AVs.
 

Loyisa

Level 1
Aug 8, 2024
17
Does the simplified attack work?

archive with payloads ----> archive unpacked ---> the benign application executed as Administrator ---> DLL hijacking .....

It is possible as a ClickFix attack (method used recently in the wild). Such an attack is very simple (no exploit) and should not trigger containment. Furthermore, a similar method can be dangerous also for other AVs.
Yes! In fact, LummaStealer (in the wild too) also does this
[image attachment: QQ20241030-210423.png]

Setup.exe - a trusted file with a valid digital signature
SdAppServices_x64.dll - malicious DLL, shellcode loader
lmemets, yajfl - encrypted shellcode
 
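The chain Andy Ful sketches (archive unpacked, signed benign EXE run, DLL hijacked) and the LummaStealer layout Loyisa lists (signed Setup.exe, a foreign DLL beside it, extensionless encrypted blobs) leave the same footprint on disk before anything is executed. The script below is an added example, not code from this thread, from Loyisa's analysis or from any vendor; it inspects an already-unpacked folder and reports signed executables that have an unsigned or differently-signed DLL next to them, plus extensionless files with near-random content. It assumes Windows PowerShell 5.1 or later, and the entropy and size thresholds are my own choices.

```powershell
# Added example (not from this thread): triage an unpacked archive for the
# "signed host EXE + sideloaded DLL + encrypted blob" layout described above.
# Assumes Windows PowerShell 5.1+; $Path is the folder to inspect.
param(
    [Parameter(Mandatory = $true)]
    [string]$Path
)

function Get-FileEntropy {
    # Shannon entropy in bits per byte over the first 1 MB of the file.
    param([string]$File)
    $stream = [System.IO.File]::OpenRead($File)
    try {
        $buffer = New-Object byte[] (1MB)
        $n = $stream.Read($buffer, 0, $buffer.Length)
    } finally { $stream.Dispose() }
    if ($n -eq 0) { return 0.0 }
    $counts = New-Object int[] 256
    for ($i = 0; $i -lt $n; $i++) { $counts[$buffer[$i]]++ }
    $entropy = 0.0
    foreach ($c in $counts) {
        if ($c -eq 0) { continue }
        $p = $c / $n
        $entropy -= $p * [Math]::Log($p, 2)
    }
    return [Math]::Round($entropy, 2)
}

function Get-SideloadCandidate {
    param([string]$Directory)
    $dirs = @(Get-Item -Path $Directory) +
            @(Get-ChildItem -Path $Directory -Recurse -Directory -ErrorAction SilentlyContinue)
    foreach ($dir in $dirs) {
        $exes = @(Get-ChildItem -Path $dir.FullName -Filter *.exe -File -ErrorAction SilentlyContinue)
        $dlls = @(Get-ChildItem -Path $dir.FullName -Filter *.dll -File -ErrorAction SilentlyContinue)
        foreach ($exe in $exes) {
            $exeSig = Get-AuthenticodeSignature -FilePath $exe.FullName
            # Only a validly signed host is interesting: that is what lets the chain look trusted.
            if ($exeSig.Status -ne 'Valid') { continue }
            foreach ($dll in $dlls) {
                $dllSig = Get-AuthenticodeSignature -FilePath $dll.FullName
                # A DLL signed by the same publisher as the EXE is the normal shipping case.
                $sameSigner = ($dllSig.Status -eq 'Valid') -and
                              ($dllSig.SignerCertificate.Thumbprint -eq $exeSig.SignerCertificate.Thumbprint)
                if ($sameSigner) { continue }
                [pscustomobject]@{
                    Finding   = 'Signed EXE with unsigned or foreign-signed DLL beside it'
                    Directory = $dir.FullName
                    File      = $dll.Name
                    Detail    = "host=$($exe.Name); host signer=$($exeSig.SignerCertificate.Subject); dll status=$($dllSig.Status)"
                }
            }
        }
        # Extensionless files whose bytes look random (entropy near 8 bits/byte): thresholds are assumptions.
        $blobs = Get-ChildItem -Path $dir.FullName -File -ErrorAction SilentlyContinue |
                 Where-Object { $_.Extension -eq '' -and $_.Length -gt 4KB }
        foreach ($blob in $blobs) {
            $e = Get-FileEntropy -File $blob.FullName
            if ($e -ge 7.5) {
                [pscustomobject]@{
                    Finding   = 'Extensionless high-entropy blob (possible encrypted payload)'
                    Directory = $dir.FullName
                    File      = $blob.Name
                    Detail    = "entropy=$e bits/byte; size=$($blob.Length)"
                }
            }
        }
    }
}

Get-SideloadCandidate -Directory $Path | Format-Table -AutoSize -Wrap
```

A hit from either rule is not proof of malice (installers legitimately ship third-party DLLs and packed resources), but the combination of a valid-signed EXE, a DLL with a different or missing signature, and opaque extensionless blobs in one folder is the layout the thread describes, and it is visible before anyone clicks "Run as administrator", which is the point at which containment and AV hooks stop helping.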

Andy Ful

From Hard_Configurator Tools
Verified
Honorary Member
Top Poster
Developer
Well-known
Dec 23, 2014
8,513
Yes! In fact, LummaStealer (in the wild too) also does this
[image attachment]
Setup.exe - a trusted file with a valid digital signature
SdAppServices_x64.dll - malicious DLL, shellcode loader
lmemets, yajfl - encrypted shellcode

I had in mind if you tried to kill Comodo in that way instead of bypassing the sandbox. :)
I assume that the benign application in your test does not ask for elevation, so you used the bypass to elevate in the sandbox and create the service. Next, the service could run DLL hijacking with high privileges. I think that the same can be done without the containment bypass just by running the benign application with admin rights (via "Run as administrator") to apply DLL hijacking and run TDSSKiller. But I am not sure if anyone tried this against Comodo.
 

vitao

Level 2
Thread author
Mar 12, 2024
64
I saw some Lumma being blocked by CIS in some tests of mine. Do you guys have any sample or any file of your own so I can test it against CIS?

BTW Xcitium banned me from their forum and removed all topics about the CIS/Xcitium exploit. :(
 

rashmi

Level 12
Jan 15, 2024
553
I saw some Lumma being blocked by CIS in some tests of mine. Do you guys have any sample or any file of your own so I can test it against CIS?

BTW Xcitium banned me from their forum and removed all topics about the CIS/Xcitium exploit. :(
Can you test the POCs in Comodo Virtual Desktop?
 

rashmi

Level 12
Jan 15, 2024
553
Did you mean Virtual Kiosk? If so, there is no need. VK uses the same sandbox structure, so the PoC will bypass it.
I vaguely remember that virtual desktop or shopping protection came with added security measures. Regardless, I doubt it will affect the outcome of the test.
 

bazang

Level 7
Jul 3, 2024
306
They falsely market it
Comodo does not market CIS\CFW. Please do not provide a link to a URL because that is not marketing.

They avoid fixing issues
Because the software has $0 revenue and therefore nobody in their right mind would ever spend a lot on fixing issues. CIS\CFW is in perpetual maintenance or out-of-date. And that is fine because it generates $0 revenue. There are no dedicated Comodo staff to support, bug fix, or further develop it. Melih gets his programmers to look at it once every three or four years. This is fine.

It is freeware. You accept what Comodo gives you and if you cannot, Melih wants you to go use something else. He is so happy to see you go use something else. He does not want you using his product.
 
