COMODO Internet Security 8.2.0.4508 is released!


BuketB

Level 1
Apr 6, 2015
12
Hi viktik,

The database is the file list itself.

For your information

Kind Regards
Buket
After Comodo cloud lookup, it says safe files have been moved to the local Comodo certified files database.
There is a file list.
Where is the local Comodo certified files database?




hjlbx

Thread author
Interesting- I thought both of these products had novel protection ideas, but it looked like with the right settings, Comodo was much more solid on protection. So, if I understand correctly, even if Comodo doesn't detect on scan or execution, it would still run sandboxed (on default settings as well). In Webroot, if it doesn't detect, you just have the rollback feature where you have allowed your real system to become infected, keystrokes recorded, etc. and then rely on rollback to undo changes (which doesn't work 100% in informal testing). It would be interesting to compare rollback to viruscope (sort of like rollback?)- which I think would be more apples to apples, but you would have to turn off HIPS and sandbox in Comodo to make this 'even' and just test viruscope (which kind of makes it seem like Comodo provides more security layers even with lower detection). Not sure though, they are both really interesting and I was wondering how they compared, so thanks for the test!

I'm also finding that Comodo is running really well on my PC (8.1). I hope they fixed the RAT bypasses that were posted on YouTube (ex: , but there were others). My only other concern is how the trusted file system could be manipulated in Comodo...could a file be classified as trusted but turn out to be malicious? Maybe by not executing in Comodo's testing environment? Or by infecting a previously trusted file? But, I don't know if this is technically possible/feasible.


From my own testing, I cannot count 100 % on Webroot to protect the system. It has its weaknesses just like any other AV. I've seen malwares disable both UAC and Windows firewall. Plus, rollback didn't reverse a screenlock ransomware. Local, user defined rollback works if you realize that a file is malicious.

Comodo can do a fine job if the correct settings are used - you can always create default-deny. There is one case where Comodo's default-deny will not work - if the malicious file somehow is included in Comodo's Cloud and rated as "Safe."

Now before you get ready to ditch Comodo, this is the same problem faced by Emsisoft, ESET, Kaspersky, etc. So in this regard you will not get any better protection. In fact, Kaspersky is the only internet suite that can offer default-deny - but it can't offer absolute default-deny because Application Control settings are not working correctly on some systems.

If you want absolute default-deny then only an anti-executable such as AppGuard or NVT ERP, or VooDooShield will deliver. The cost for this level of protection is "perceived" inconvenience - with the safest settings ("Lock-Down Mode") executables and scripts introduced to your system will be blocked.

When you suspect you are dealing with dangerous malware, you can always turn on HIPS, then turn it off when you are done. However, I would bet that the infos in the HIPS alerts will mean nothing to you - despite the fact that Comodo's notifications messages are better than most.

The Comodo cloud and trusted files are just like Kaspersky Security Network, Emsisoft Anti-Malware, Webroot Intelligence Network, etc. PUAs\PUPs are bound to be included, but will eventually be rated as "Known_Bad." Kaspersky will, unfortunately, allow adware\riskware to be installed as it includes a lot of it in KSN - at least in its initial introduction and spread in user world.

Your suggested scenario is possible with any of the AVs, but unlikely. That's the weakness of file rating systems. There's always exposure risk.

Nirv5668

Level 2
Verified
Mar 21, 2015
88
Now before you get ready to ditch Comodo

Lol, I actually read that and was thinking...uh-oh :eek:. But your explanation is perfect, thank you:). I actually do have HIPS on in Comodo. So far it has been fine, but maybe I have made the wrong choices (although I hardly ever see it). Sometimes I deal with unknown (to Comodo) executables needing unlimited access, and it seems strange for the program. I am a scientist, so deal with some smaller, specialized, kind of non-professionally coded stuff. Those have been the only slightly unusual situations. But, if I am unsure, I use Sandboxie and Buster Sandbox Analyzer, which gives a breakdown of actions and a risk score (it seems helpful to me), or upload it to malwr.com.

hjlbx

Thread author
Buster Sandbox Analyzer is a nice add-on for SBIE. Useful.

If you installed Comodo on a clean system, there will be some system control panel (.cpl) files that will be "Unrecognized" by Comodo.

HIPS should only alert when new, non-whitelisted and really arcane files are executed; your description confirms this. Comodo is working as described.

You can also pick apart a file by using KillSwitch and the Active process advanced features. If you really dig deep into it, it is thorough - but not too user-friendly without the requisite knowledge. Mutexes, strings, etc... Kinda like a mathematician reading a graduate-level bio text. Nothing registers.

Unfortunately, no risk score. Comodo is purely old-school analysis. The HIPS alert infos are the best - I know that for sure.

malwr.com is good. Saw your post regarding ShellCode in a document. I would bet it should not. Images can be used to obfuscate exploits. I would ditch it. As for a definitive answer... wrong forum. You need to post your query on malc0de or Contagio... or similar sites.

It's all undifferentiated sub-strata to me.

yigido

Thread author
Comodo can do a fine job if the correct settings are used - you can always create default-deny. There is one case where Comodo's default-deny will not work - if the malicious file somehow is included in Comodo's Cloud and rated as "Safe."
This issue is very rare.. Can you show me an example of this? As I said, rare..
But I can show you most of the malwares that Comodo saves us from ;)
By the way, there is an option in Comodo. We have Viruscope. It is not powerful enough but if you disabled this option.
Viruscope analyzes all running processes, even processes which are marked as safe :)
Am I thinking wrong?

hjlbx

Thread author
This issue is very rare.. Can you show me an example of this? As I said, rare..
But I can show you most of the malwares that Comodo saves us from ;)
By the way, there is an option in Comodo. We have Viruscope. It is not powerful enough but if you disabled this option.
Viruscope analyzes all running processes, even processes which are marked as safe :)
Am I thinking wrong?

Hello Yigido,

I don't have a case. I meant it as a "highly unlikely" possibility.

It's a potential problem for all of the vendors that use file rating systems.

* * * * *

With that setting it should be monitoring all processes in active memory.

I responded to some Viruscope alerts on my system. I think Viruscope is similar to Webroot's journaling and rollback feature. Viruscope reversed the malwares on my system... which is what Webroot's rollback does for certain malicious behaviors\actions.

EDIT: I think Comodo Viruscope = Kaspersky System Watcher in most respects.

Webroot can reverse CTB Locker, CryptoWall, TorrentLocker... I wonder if Viruscope can do the same?

We need more technical infos on Viruscope.

Nirv5668

Level 2
Verified
Mar 21, 2015
88
Buster Sandbox Analyzer is a nice add-on for SBIE. Useful.

If you installed Comodo on a clean system, there will be some system control panel (.cpl) files that will be "Unrecognized" by Comodo.

HIPS should only alert when new, non-whitelisted and really arcane files are executed; your description confirms this. Comodo is working as described.

You can also pick apart a file by using KillSwitch and the Active process advanced features. If you really dig deep into it, it is thorough - but not too user-friendly without the requisite knowledge. Mutexes, strings, etc... Kinda like a mathematician reading a graduate-level bio text. Nothing registers.

Unfortunately, no risk score. Comodo is purely old-school analysis. The HIPS alert infos are the best - I know that for sure.

malwr.com is good. Saw your post regarding ShellCode in a document. I would bet it should not. Images can be used to obfuscate exploits. I would ditch it. As for a definitive answer... wrong forum. You need to post your query on malc0de or Contagio... or similar sites.

It's all undifferentiated sub-strata to me.
Yes, I had this experience with KillSwitch! BSA makes it a bit easier. I actually was trying to figure out what to look for in strings...I noticed the same memory strings in every running process about remote access...but was then baffled as to whether this was normal or not. Googled some mutexes; the weird word document had a strange one in an XP virtual machine that was listed as definitely malicious- but from a 2010 trojan. Seemed a bit old for malware...but maybe it sticks around that long. It's all really interesting actually, but a bit blurry without knowing any of the basics at all...Does feel like venturing into another field's graduate textbook!

Thanks for the advice, will try malc0de or Contagio, but will ditch file. Just need to satisfy my curiosity I guess :)

hjlbx

Thread author
Trojan 2010 probably still works because millions of users are at work and play with outdated softs.

If you can immediately identify malicious patterns just upon a quick gander at mutexes, strings and memory allocations, then you are Neo and have no need of AV. The Neo part is a saying from Umbra Polaris... a long-time admin here at MT.

Comodo is the best AV for malware analysis on Windows without using any advanced IT forensics tools... IMHO.

I know next to nothing compared to other MT members.

I learn-as-I-go.

There's no other way...

yigido

Thread author
Hello Yigido,

I don't have a case. I meant it as a "highly unlikely" possibility.

It's a potential problem for all of the vendors that use file rating systems.

* * * * *

With that setting it should be monitoring all processes in active memory.

I responded to some Viruscope alerts on my system. I think Viruscope is similar to Webroot's journaling and rollback feature. Viruscope reversed the malwares on my system... which is what Webroot's rollback does for certain malicious behaviors\actions.

EDIT: I think Comodo Viruscope = Kaspersky System Watcher in most respects.

Webroot can reverse CTB Locker, CryptoWall, TorrentLocker... I wonder if Viruscope can do the same?

We need more technical infos on Viruscope.
I did not see any rollback action after running CTB, Cryptowall etc. All of them ran in the sandbox and after a system restart the PC was always clean.
Cryptolocker cannot beat the sandbox, so I never saw any test which shows Viruscope in detail. :)

hjlbx

Thread author
I did not see any rollback action after running CTB, Cryptowall etc. All of them ran in the sandbox and after a system restart the PC was always clean.
Cryptolocker cannot beat the sandbox, so I never saw any test which shows Viruscope in detail. :)

Viruscope is more closely related to Kaspersky's System Watcher than Webroot's journaling and rollback.

Viruscope does not have all the features of KWS as it is still relatively new; it should improve as new recognizers are developed and released.

Cch123

Level 7
Verified
May 6, 2014
335
Does anyone have any technical information on how enhanced protected mode works? There is very little information on how it works other than stating that CIS will run at the hypervisor level when EPM is activated.

hjlbx

Thread author
Does anyone have any technical information on how enhanced protected mode works? There is very little information on how it works other than stating that CIS will run at the hypervisor level when EPM is activated.

I cannot find any additional infos.

Comodo never releases any white-papers explaining how the different CIS modules work\protect.

Only source of infos I can find is the online Help file.

Nirv5668

Level 2
Verified
Mar 21, 2015
88
Trojan 2010 probably still works because millions of users are at work and play with outdated softs.

If you can immediately identify malicious patterns just upon a quick gander at mutexes, strings and memory allocations, then you are Neo and have no need of AV. The Neo part is a saying from Umbra Polaris... a long-time admin here at MT.

Comodo is the best AV for malware analysis on Windows without using any advanced IT forensics tools... IMHO.

I know next to nothing compared to other MT members.

I learn-as-I-go.

There's no other way...
That makes sense re: old trojan.

Definitely not Neo, I will stick with AV:). But, yes, learning as you go is the only way and tools like Comodo that make things a bit transparent do help with this, I think- if only by giving some data to google and think about. The bright side of being the recipient of some malware etc. has been that it is a really interesting topic to learn more about. I think back and although I am probably a better than average computer user, can use not so friendly scientific software and write some small programs- I really knew nothing about security or computers in general. Now I know a tiny bit more, but it's fun to learn and people here are so helpful!

JakeXPMan

Level 17
Verified
Top Poster
Well-known
Oct 20, 2014
804
Comodo Internet Security 8.2 (Full Specifications)

Version 8.2.0.4508
  • New File Rating list: Possibility to define custom file rating in parallel with Comodo rating
  • New File Rating list: File Details dialog with Comodo information
  • New File Group: Management and Productivity Applications
  • Sandbox: File Age filter in Auto-Sandbox rules
  • Sandbox: Active Processes List task in Tasks pane
  • Sandbox: Option to switch off "Created By" and "Origin" sources tracking (ADS creation omitted)
  • New Alert Sound: New Audio for alerts
  • Managing Viruscope state from main UI and Widget
  • Active Processes List task in Tasks pane
  • Upgrade: New upgrade button option on UI
  • Multi-Language support: Vietnamese language support
  • Multi-Language support: Romanian language support
  • Supported OS: Windows 10 Tech Preview support
  • Improved: Antivirus Engine: RAR 5 archives support
  • Improved: Antivirus Engine: Unicode support to RAR5 module added
  • Improved: Antivirus Engine: Make CIS AV update process lighter on system resources & optimization merging of AV-bases
  • Improved: Antivirus Engine: Support new 7-zip version
  • Several critical bug fixes. Here are a selected few:
  • FIXED: Wrong AV alert appears for sandboxed malware on Modern Theme
  • FIXED: During first update of AV database in Quick Scan, 'COMODO Internet Security has stopped working' message appears
  • FIXED: File is launched out of Sandbox after copy from 'temp' folder to the Desktop
  • FIXED: LNK-file can execute any program with trusted installer's privileges
  • FIXED: Interpreters are not recognized by path

General

Publisher Comodo
Publisher web site http://www.comodo.com
Release Date April 06, 2015
Version 8.2.0.4508
Operating Systems
Windows 8, Windows 2000, Windows 7, Windows 98, Windows Server 2008, Windows Me, Windows Vista, Windows NT, Windows 2003, Windows XP, Windows
Additional Requirements None


I think yigido posted this info already and better, but here's a compact list anyway :)

yigido

Thread author
Hey,@yigido....

Which documentation do you recommend to become Comodo Expert?
There is no such documentation. Use Comodo for a long period and you will see you won't be infected anymore.
There are good videos in our forum. These are posted by @cruelsister . She showed many times how powerful CFW is against malwares.
Create a VM and install CIS or CFW. Then test it in every config and with every tweak. You will find your own config which you will be more comfortable with. It might be annoying the first few times, because Comodo uses a different kind of system called Default Deny.
You will get experience with it and you will feel confident against malwares. Most of the time, you won't need a VM to run malwares in your system. ;)

hjlbx

Thread author
This is what I did to learn Comodo:
  • Clean install Windows OS
  • Clean install Comodo
  • Install Shadow Defender
  • Enter Shadow Mode and play with Comodo configurations and settings.
  • I test malwares against Comodo in Shadow Mode.
  • When I exit Shadow Mode the system reverts to the clean install of Comodo.
The user manual is fine as it gave me a lot of infos to increase my understanding. However, I only learned how Comodo works by playing with it and testing malwares against it.

Comodo is all about managing settings - and understanding how its behavior changes using different settings. I only learned those details by practicing with it - sometimes over and over again until I understood.

@yigido 's suggestion to review Comodo tutorials here on MT is a great idea... they will save you a lot of time and effort.

Comodo package is ideal for studying basic malware behaviors on Windows platform.

Nirv5668

Level 2
Verified
Mar 21, 2015
88
Has anyone had issues with CCE crashing? I was able to run a complete scan when I first installed comodo v8.1 on a new windows 8.1 system. Now, CCE crashes (either the complete or quick scan). I honestly am not sure if this started later with v8.1, or with 8.2 beta, but it is still happening with current 8.2 release. I e-mailed support with logs, they passed it on to developers, but I haven't heard anything. I was searching a bit and don't see any other complaints with this...maybe no one has tried to scan with CCE?

I am slightly concerned b/c I had this exact same problem on a different, infected PC using the standalone CCE, about 4 months ago. Totally different windows 7 PC with different security set-up, so I can't think of any obvious common conflicts. I have been fairly careful and am pretty sure this PC is clean...but for some reason I am having this issue again :( Anyone else?

hjlbx

Thread author
When you say crash do you mean CCE itself crashes or a system crash - i.e. BSOD ?

CCE in my experience is pretty stable - and it hasn't changed very much over time.

Nirv5668

Level 2
Verified
Mar 21, 2015
88
When you say crash do you mean CCE itself crashes or a system crash - i.e. BSOD ?

CCE in my experience is pretty stable - and it hasn't changed very much over time.
No BSOD or system crash, CCE just closes. I checked event viewer after one of the crashes:

Log Name: Application
Source: Application Error
Date: 4/12/2015 4:22:25 PM
Event ID: 1000
Task Category: (100)
Level: Error
Keywords: Classic
User: N/A
Computer: My-pc
Description:
Faulting application name: cce.exe, version: 8.2.0.4508, time stamp: 0x551c2a05
Faulting module name: ntdll.dll, version: 6.3.9600.17668, time stamp: 0x54c850f5
Exception code: 0xc0000005
Fault offset: 0x00000000000912d0
Faulting process id: 0xe64
Faulting application start time: 0x01d0752b377cb095
Faulting application path: C:\Program Files\COMODO\COMODO Internet Security\cce.exe
Faulting module path: C:\Windows\SYSTEM32\ntdll.dll
Report Id: 56b6b25d-e11f-11e4-827a-5c969d957fb2
Faulting package full name:
Faulting package-relative application ID:
Event Xml:
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
<System>
<Provider Name="Application Error" />

Yeah, from everything I read, it seems to be pretty stable for everyone. I am not sure why I am having these issues with it.
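As an added example (not code from this thread or from Comodo), a small Python triage helper for the Event ID 1000 record quoted above: it parses the description text, names the NTSTATUS exception code and decodes the PE link time stamps and the FILETIME start time. The event text is constructed from the fields the poster reported; the NTSTATUS table and the function names are my own.

```python
import re
from datetime import datetime, timezone

# Event ID 1000 description, constructed from the record quoted in the post.
EVENT_TEXT = """\
Faulting application name: cce.exe, version: 8.2.0.4508, time stamp: 0x551c2a05
Faulting module name: ntdll.dll, version: 6.3.9600.17668, time stamp: 0x54c850f5
Exception code: 0xc0000005
Fault offset: 0x00000000000912d0
Faulting process id: 0xe64
Faulting application start time: 0x01d0752b377cb095
Faulting application path: C:\\Program Files\\COMODO\\COMODO Internet Security\\cce.exe
Faulting module path: C:\\Windows\\SYSTEM32\\ntdll.dll
"""

# A few NTSTATUS codes that turn up in Event 1000 records (own, partial table).
NTSTATUS_NAMES = {
    0xC0000005: "STATUS_ACCESS_VIOLATION",
    0xC000001D: "STATUS_ILLEGAL_INSTRUCTION",
    0xC00000FD: "STATUS_STACK_OVERFLOW",
    0xC0000374: "STATUS_HEAP_CORRUPTION",
    0xC0000409: "STATUS_STACK_BUFFER_OVERRUN",
}

NAME_RE = re.compile(
    r"^Faulting (?P<kind>application|module) name: (?P<name>[^,]+), "
    r"version: (?P<ver>[^,]+), time stamp: (?P<ts>0x[0-9a-fA-F]+)$", re.M)
FIELD_RE = re.compile(r"^(?P<key>[^:\n]+): (?P<val>.+)$", re.M)


def pe_timestamp(hex_ts: str) -> str:
    """The 'time stamp' here is the PE header link time: seconds since the Unix epoch."""
    secs = int(hex_ts, 16)
    return datetime.fromtimestamp(secs, tz=timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ")


def filetime_to_iso(hex_ft: str) -> str:
    """'application start time' is a Windows FILETIME: 100-ns ticks since 1601-01-01 UTC."""
    ticks = int(hex_ft, 16)
    secs = (ticks - 116_444_736_000_000_000) // 10_000_000
    return datetime.fromtimestamp(secs, tz=timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ")


def triage_event_1000(text: str) -> dict:
    """Turn the free-text description into the fields an analyst triages on."""
    info = {}
    for m in NAME_RE.finditer(text):
        info[m.group("kind")] = {
            "name": m.group("name").strip(),
            "version": m.group("ver").strip(),
            "linked": pe_timestamp(m.group("ts")),
        }
    fields = {m.group("key"): m.group("val") for m in FIELD_RE.finditer(text)}
    code = int(fields["Exception code"], 16)
    info["exception"] = NTSTATUS_NAMES.get(code, f"unknown 0x{code:08X}")
    info["fault_offset"] = int(fields["Fault offset"], 16)
    info["pid"] = int(fields["Faulting process id"], 16)
    info["started"] = filetime_to_iso(fields["Faulting application start time"])
    info["module_path"] = fields["Faulting module path"]
    # A fault inside a Windows system DLL (ntdll.dll here) usually means the
    # caller passed bad data, so the application's own code is still the
    # first place to look, not the DLL.
    info["fault_in_system_dll"] = info["module_path"].lower().startswith("c:\\windows\\")
    return info
```

For this record it reports STATUS_ACCESS_VIOLATION at offset 0x912d0 in ntdll.dll, a cce.exe build linked on 2015-04-01 UTC, and a process that started about six minutes before the logged crash time.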