Comodo Internet Security 7 (REVIEW)

Product name
Comodo Internet Security 7
Pros
  • Nice and Easy Interface
  • Low RAM Usage
  • Light on System
  • Good Web Blocking
  • Good Zero Day Protection
CONS
  • Not the Hottest Detection Rate on 118 Files
BOTTOM LINE
According to my testing, Comodo has done a very good job. I like the new interface, especially since I changed it to the “Modern Theme.” It seemed to protect me very well. The only thing I would like them to improve is the detection rate. I recommend Comodo to users who want to be protected and want a FREE security suite.
illumination

I can understand what you are saying, but couldn't a user just as easily allow a newly downloaded file on CIS by either allowing it or disabling CIS to allow it to execute? For example, you just downloaded this new exciting file and CIS blocks it, so you think this is a false alert since CIS has blocked harmless files before, and you decide to allow it anyway.

Since most CIS users are supposedly advanced users, they should also know how to utilize UAC properly.

I have had novice customers that would disable their security software to allow a file that kept getting blocked or quarantined, thinking it was a false alert because previous harmless files were blocked in the past. Some social engineering infected sites will even instruct users on how to disable their security software for a successful infection. For example: "In order to run this program you must right click on your antivirus software icon in your taskbar and select exit or shutdown". I wonder how many users get fooled by this?

Thanks. :D

I just cleaned a system a couple weeks ago, that had CIS, and this exact problem, their teenager was on it, and downloading things, and clicking allow on all alerts, system was so badly corrupted from all this, took hours to straighten out..
 

Littlebits

Retired Staff
May 3, 2011
3,893
I just cleaned a system a couple weeks ago, that had CIS, and this exact problem, their teenager was on it, and downloading things, and clicking allow on all alerts, system was so badly corrupted from all this, took hours to straighten out..

Which proves my point, CIS doesn't offer any better protection than what UAC can offer to users since malicious processes can be allowed by the user's own ignorance. If users don't know how to utilize UAC then they won't know how to use CIS properly either. Of course it is much easier to learn how to utilize UAC than trying to learn how to use and configure CIS properly.

Thanks. :D
 

Cats-4_Owners-2

Level 39
Verified
Honorary Member
Top Poster
Well-known
Dec 4, 2013
2,800
So, in response to cruel sister's comments,
"After all the files were run I rebooted, thus flushing the sandbox. The system was analyzed. No System Changes on reboot.",
and in the words of the film version of Mary Shelley's :rolleyes: creature: :eek: "Mmm!...sandbox GOOOOD!!" :cool:
 
nissimezra

Level 25
Verified
Apr 3, 2014
1,460
Which proves my point, CIS doesn't offer any better protection than what UAC can offer to users since malicious processes can be allowed by the user's own ignorance. If users don't know how to utilize UAC then they won't know how to use CIS properly either. Of course it is much easier to learn how to utilize UAC than trying to learn how to use and configure CIS properly.

Thanks. :D
Sorry to disappoint you, but UAC can be bypassed.
I was browsing a well-known news site; by just clicking a link, UAC and MSE were disabled and I had a fake antivirus running on my system, even in safe mode. I couldn't do anything; system restore from a boot CD worked for me.
So UAC is not a shield and can be bypassed.

Since that day I never used it; it's just annoying, and when you need it, it can be easily bypassed by viruses.

regards
 

VladDracul

Level 7
Verified
Well-known
Sep 28, 2011
326
Sorry to disappoint you, but UAC can be bypassed.
I was browsing a well-known news site; by just clicking a link, UAC and MSE were disabled and I had a fake antivirus running on my system
So...UAC WAS disabled...??or not...??
 

VladDracul

Level 7
Verified
Well-known
Sep 28, 2011
326
I would like to know the answer for this, if UAC really can be bypassed. If UAC can be bypassed, then use other measures.
Be cool, I see you are using Privatefirewall like myself. We are covered, even IF UAC can be bypassed... although I really and highly doubt it. :D
 

Littlebits

Retired Staff
May 3, 2011
3,893
Sorry to disappoint you, but UAC can be bypassed.
I was browsing a well-known news site; by just clicking a link, UAC and MSE were disabled and I had a fake antivirus running on my system, even in safe mode. I couldn't do anything; system restore from a boot CD worked for me.
So UAC is not a shield and can be bypassed.

Since that day I never used it; it's just annoying, and when you need it, it can be easily bypassed by viruses.

regards

Do you mean really bypassed or did you approve something on UAC prompt and get infected?
As you may not know, I have been looking for just one single malware sample that can bypass UAC since the release of Windows Vista and nobody can provide that one single sample. I have posted requests on just about all of the malware sample sites and still nothing. UAC requires a system reboot in order to get disabled, so it had to be manually disabled by you or another user on that system. So I simply don't believe UAC was enabled to begin with, or you approved something that was malicious that disabled it; either way it was not a bypass. You had to manually download an infected file or script and manually run it in order for any of this to happen. Pay better attention to what you download and where you get it from. Malware just doesn't magically download itself and then execute itself; even vulnerabilities require user action to be successful.

The only other way that I know that UAC can be disabled is using a boot device which still requires system reboot to be effective.

Enjoy!! :D
 

Ink

Administrator
Verified
Jan 8, 2011
22,490
Sorry to disappoint you, but UAC can be bypassed.
I was browsing a well-known news site; by just clicking a link, UAC and MSE were disabled and I had a fake antivirus running on my system, even in safe mode. I couldn't do anything; system restore from a boot CD worked for me.
So UAC is not a shield and can be bypassed.

Since that day I never used it; it's just annoying, and when you need it, it can be easily bypassed by viruses.

regards

There are many other factors you haven't accounted for, so unless you have proof or a working demo with a sample, I call BS. :)
 

nissimezra

Level 25
Verified
Apr 3, 2014
1,460
Do you mean really bypassed or did you approve something on UAC prompt and get infected?
As you may not know, I have been looking for just one single malware sample that can bypass UAC since the release of Windows Vista and nobody can provide that one single sample. I have posted requests on just about all of the malware sample sites and still nothing. UAC requires a system reboot in order to get disabled, so it had to be manually disabled by you or another user on that system. So I simply don't believe UAC was enabled to begin with, or you approved something that was malicious that disabled it; either way it was not a bypass. You had to manually download an infected file or script and manually run it in order for any of this to happen. Pay better attention to what you download and where you get it from. Malware just doesn't magically download itself and then execute itself; even vulnerabilities require user action to be successful.

The only other way that I know that UAC can be disabled is using a boot device which still requires system reboot to be effective.

Enjoy!! :D
One thing that I hate doing is lying.

I was on this well-known news site. I did nothing but press a link to watch a video article about speed cameras. UAC was enabled at the default setting; since I bought the PC I never disabled it. I pressed the link and I had a fake AV running on my system, even in safe mode. MSE was gone.
OS: Win 7 Home Premium. I never used any other protection and never played with viruses or cracks. I didn't even have uTorrent installed. I used it at the time for photo editing and web.

I'm not an average user and I do have a lot of experience; I don't download things without verifying.
I worked 9 months in IT; I held 150 PCs.

And yes, that's what happened; I'm just sharing it.

One thing I didn't mention: my system was not up to date, since I don't like automatic updates running on my system. I update the system once a month or so.

Regards
 
cruelsister

Level 43
Verified
Honorary Member
Top Poster
Content Creator
Well-known
Apr 13, 2013
3,224
LB- Here is a file that you requested:

http://www.adrive.com/public/kM2xQf/Server.7z

Password is infected

Please note that I grabbed this file from the malware pack kindly supplied today by friend Yigido here:

http://malwaretips.com/threads/2014-04-13-20.25413/#post-183484

This is something that has been around for quite a while. It's a Backdoor that when running the parent file (server.exe) will spawn a payload daughter as well as a few registry entries, one of which will start the daughter (trojan.exe) on reboot. It will connect to Control over the Internet to send/receive data. For this particular trojan Command is located in Baghdad, Iraq (specifically IP 37.236.31.34).

I tested this file in 2 scenarios- One was a Win7 in a VM, the other was Win8.1 non-virtualized. In both cases:

1). Security Center Enabled
2). Windows Defender Enabled
3). Windows Firewall Enabled
4). UAC set to Maximum (Always Notify)

When these settings were made Windows was rebooted. Upon startup UAC was verified to be operational by running Malwarebytes and Killswitch (UAC notifies for each).

In both the Win7 and Win8.1 systems when the malware sample was run there were NO UAC alerts; there was also no Firewall alert when the daughter connected to Iraq.

On reboot trojan.exe was resident in memory and it had established an outbound connection to Command in Iraq.

I also ran this trojan on a system protected by Comodo Firewall. Even at the default Partially Limited setting the malware was contained in the sandbox and the autostart registry entries were suppressed, with no resultant system infection occurring.
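
A defender-side check for the two things this test turns on, the effective UAC level and the autostart entries a sample leaves behind, as an added PowerShell example that is not part of the original post. It reads the standard UAC policy values and the Run keys and reports each autostart binary's Authenticode status; the output property names are this example's own.

```powershell
# Added example (not from the thread): report UAC policy and Run-key autostarts.
$policyKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
$policy    = Get-ItemProperty -Path $policyKey

# ConsentPromptBehaviorAdmin: prompt behaviour for administrators.
$promptText = switch ("$($policy.ConsentPromptBehaviorAdmin)") {
    '0'     { 'Elevate without prompting' }
    '1'     { 'Prompt for credentials on the secure desktop' }
    '2'     { 'Prompt for consent on the secure desktop (Always Notify)' }
    '3'     { 'Prompt for credentials' }
    '4'     { 'Prompt for consent' }
    '5'     { 'Prompt for consent for non-Windows binaries (default)' }
    default { 'Unknown or not set' }
}

[pscustomobject]@{
    UacEnabled    = ($policy.EnableLUA -eq 1)   # a change here only applies after reboot
    AdminPrompt   = $promptText
    SecureDesktop = ($policy.PromptOnSecureDesktop -eq 1)
} | Format-List

# Autostart locations of the kind described in the post (entry that starts a binary on reboot).
$runKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run'   # writable without elevation
)

$entries = foreach ($key in $runKeys) {
    if (-not (Test-Path -Path $key)) { continue }
    $regKey = Get-Item -Path $key
    foreach ($name in $regKey.GetValueNames()) {
        $command = [string]$regKey.GetValue($name)

        # Extract the executable path: a quoted path first, otherwise the text
        # up to the first ".exe", otherwise the first whitespace-separated token.
        if ($command -match '^\s*"([^"]+)"') {
            $exe = $Matches[1]
        } elseif ($command -match '^\s*(.+?\.exe)(\s|$)') {
            $exe = $Matches[1]
        } else {
            $exe = ($command.Trim() -split '\s+')[0]
        }

        # Signature status of the binary the entry points at.
        $signature = if ($exe -and (Test-Path -LiteralPath $exe -PathType Leaf)) {
            (Get-AuthenticodeSignature -LiteralPath $exe).Status
        } else {
            'FileNotFound'
        }

        [pscustomobject]@{
            Key       = $key
            Name      = $name
            Command   = $command
            Signature = $signature
        }
    }
}

# List unsigned, invalid or missing binaries ahead of validly signed ones.
$entries | Sort-Object { $_.Signature -eq 'Valid' } | Format-Table -AutoSize -Wrap
```

Comparing the output before and after a test run in a VM shows any new autostart entry. Entries under the HKCU Run key can be created without elevation, so no UAC prompt accompanies them.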
 

Littlebits

Retired Staff
May 3, 2011
3,893
LB- Here is a file that you requested:

http://www.adrive.com/public/kM2xQf/Server.7z

Password is infected

Please note that I grabbed this file from the malware pack kindly supplied today by friend Yigido here:

http://malwaretips.com/threads/2014-04-13-20.25413/#post-183484

This is something that has been around for quite a while. It's a Backdoor that when running the parent file (server.exe) will spawn a payload daughter as well as a few registry entries, one of which will start the daughter (trojan.exe) on reboot. It will connect to Control over the Internet to send/receive data. For this particular trojan Command is located in Baghdad, Iraq (specifically IP 37.236.31.34).

I tested this file in 2 scenarios- One was a Win7 in a VM, the other was Win8.1 non-virtualized. In both cases:

1). Security Center Enabled
2). Windows Defender Enabled
3). Windows Firewall Enabled
4). UAC set to Maximum (Always Notify)

When these settings were made Windows was rebooted. Upon startup UAC was verified to be operational by running Malwarebytes and Killswitch (UAC notifies for each).

In both the Win7 and Win8.1 systems when the malware sample was run there were NO UAC alerts; there was also no Firewall alert when the daughter connected to Iraq.

On reboot trojan.exe was resident in memory and it had established an outbound connection to Command in Iraq.

I also ran this trojan on a system protected by Comodo Firewall. Even at the default Partially Limited setting the malware was contained in the sandbox and the autostart registry entries were suppressed, with no resultant system infection occurring.

Thanks for the sample, however I will have to move to another system to test it; it was blocked by Avast on one system and Windows Defender on my Windows 8.1 laptop. It also doesn't have a digital certificate so I'm pretty sure UAC will detect the main process "Server.exe"; child processes should not be detected because once you allow the main process on UAC all other child processes are allowed. But if the main process "Server.exe" triggers a UAC prompt then it is not a bypass.
UAC never usually detects child processes because it would be extremely annoying to users, just one main process can have over 20 child processes. It is a simple trick some malware writers do to get around UAC but it is not a bypass if the main process triggers UAC prompt. That is why you make sure when you approve a UAC prompt that it is safe because once it is approved then it has permission to do anything it wants to.

I will test this on a newly installed Windows 8.1 system fully updated (not virtualized) and see if it triggers UAC.

Enjoy!! :D
 

Littlebits

Retired Staff
May 3, 2011
3,893
One thing that I hate doing is lying.

I was on this well-known news site. I did nothing but press a link to watch a video article about speed cameras. UAC was enabled at the default setting; since I bought the PC I never disabled it. I pressed the link and I had a fake AV running on my system, even in safe mode. MSE was gone.
OS: Win 7 Home Premium. I never used any other protection and never played with viruses or cracks. I didn't even have uTorrent installed. I used it at the time for photo editing and web.

I'm not an average user and I do have a lot of experience; I don't download things without verifying.
I worked 9 months in IT; I held 150 PCs.

And yes, that's what happened; I'm just sharing it.

One thing I didn't mention: my system was not up to date, since I don't like automatic updates running on my system. I update the system once a month or so.

Regards

I don't want to make any accusations, but your story sounds very suspicious. Which browser were you using and was it updated? Not keeping Windows updated allows security holes for exploits, but I have never heard of one that just automatically infects a user's system without downloading a malicious file. So this malware had some kind of super remote ability to disable UAC without a system reboot and without downloading a single file? You more than likely did download a malicious file when you clicked on the link to play the video, executed it to play the video and ignored the UAC prompt thinking it was just a video. Without any proof, nobody is going to believe this.

Enjoy!! :D
 

nissimezra

Level 25
Verified
Apr 3, 2014
1,460
I don't want to make any accusations, but your story sounds very suspicious. Which browser were you using and was it updated? Not keeping Windows updated allows security holes for exploits, but I have never heard of one that just automatically infects a user's system without downloading a malicious file. So this malware had some kind of super remote ability to disable UAC without a system reboot and without downloading a single file? You more than likely did download a malicious file when you clicked on the link to play the video, executed it to play the video and ignored the UAC prompt thinking it was just a video. Without any proof, nobody is going to believe this.

Enjoy!! :D
IE 8

I've never seen anything like this either.

Well, believe it or not, up to you, that's what happened. Maybe I wouldn't believe it either, but that's what happened on my PC.

My system is never up to date, on any PC; only MSE. Since that day I never used UAC (around 2 years) and never got infected on any of my family's PCs (well, maybe once).
http://nakedsecurity.sophos.com/2009/11/03/windows-7-vulnerable-8-10-viruses/
Regards
 
Nico@FMA

Level 27
Verified
May 11, 2013
1,687
I don't want to make any accusations, but your story sounds very suspicious. Which browser were you using and was it updated? Not keeping Windows updated allows security holes for exploits, but I have never heard of one that just automatically infects a user's system without downloading a malicious file. So this malware had some kind of super remote ability to disable UAC without a system reboot and without downloading a single file? You more than likely did download a malicious file when you clicked on the link to play the video, executed it to play the video and ignored the UAC prompt thinking it was just a video. Without any proof, nobody is going to believe this.

Enjoy!! :D

To add to your story, UAC CANNOT be turned off by today's malware, as Windows sees this as a critical process and they are by default read/write & execute protected; the Windows internal policy setting will avoid UAC being turned off by a malware code & request.
Check in your policy settings and you will see that UAC priv is not granted to all users. Specifically, the program installer as hypothetical user cannot trigger UAC settings.
So direct infections are virtually impossible.
However there are some rootkits and trojan droppers that can inject harmful code into the UAC dependencies' system files, which will force the PC to reboot, and then UAC can be shut down while your action center reports that everything is running fine.
So the story is not entirely BS, as indirect infections CAN shut down UAC.

In regards to CIS being able to do all the things it does, that is great; however, you already know what I think about CIS. Besides that, I do not need a program that does something worse than Windows already does it...lmao.
The review did give CIS a positive vibe, but for me to get HYPER I would like to see CIS perform and do its stuff as, for example, KIS, NIS, N32, just to name a few. Since this is not the case and probably never will be, I strongly suggest the so-called C-fanboys and technically advanced users who are running CIS to try something real, go wild, go mad, try something like? ANY other internet security suite; it certainly will save you time.
Normally you are tweaking CIS every day at least twice; you will notice that this problem does not occur with any other program :) lmao.
So it saves time, trouble and it gives you a TRUE feeling of protection and security.
O boy... ZIP IT NVT (yes sir lmao...) I was about to say something bad...

Just kidding

Nice review.
 
Littlebits

Retired Staff
May 3, 2011
3,893
IE 8

I've never seen anything like this either.

Well, believe it or not, up to you, that's what happened. Maybe I wouldn't believe it either, but that's what happened on my PC.

My system is never up to date, on any PC; only MSE. Since that day I never used UAC (around 2 years) and never got infected on any of my family's PCs (well, maybe once).
http://nakedsecurity.sophos.com/2009/11/03/windows-7-vulnerable-8-10-viruses/
Regards

So you want to blame UAC for not protecting you when you failed to keep Windows updated? You were using out-dated version of Internet Explorer and since you don't have Windows Updates on automatic MSE was probably not updated either. What did you expect to happen? CIS would not have protected you either because it can not block exploits in Windows OS kernel, only Windows Updates can.

Keeping Windows up to date is most important thing you should do for security, no AV or any other type of security software products can protect you from Windows vulnerabilities. There is a reason Microsoft puts so much work into Windows Updates, new vulnerabilities are found all the time. Your story sounds much more believable now since you admit that you were running everything out-dated, probably flash player and Java as well. If you leave your doors open then the flies will come in, that is your fault.

That link you posted means nothing now; do you realize how many vulnerability patches have been applied since Nov. 2009?

Keep Windows and your software updated if you don't want this to happen again. Move to a more secure browser like Firefox or Google Chrome and add security extensions. You can create a thread with your config here and members will help you.

Enjoy!! :D
 

nissimezra

Level 25
Verified
Apr 3, 2014
1,460
Your PC is a ticking time-bomb, not surprised you were infected. :rolleyes: What did you expect, an AV to save you..
Why?
I have no problem getting infected; it will take 20 minutes to recover my system. I always have an image ready. I have 2 partitions, one for the OS and one for data, and I have a scheduled backup on a network PC that backs up my data partition to another PC.
95% of the time the only partition that gets infected is the OS, so any virus is welcome.

Why bother with UAC and automatic updates?

In the last five years on 10 family computers I had around 2 infections, one mentioned here and the other one 5 months ago; I'm not sure it was an infection but let's assume so.
Is it really worth all the bugging?
 