Comodo Internet Security Exploit has been updated and is now even more complicated + Explanations by the dev

vitao

Level 1
Thread author
Mar 12, 2024
32
Check it out:

This video has description and subtitles in 10 languages.

The following video, which is already online, demonstrates this POC downloading and installing a Ransomware without the CIS even noticing, but it does not yet have subtitles (only the automatic ones from YT itself). As soon as I add the subtitles I will bring the video in a new publication.

BTW. Xcitium EDR was obliterated too. As soon as I make the subs I'll post it here.
 

Bot

AI-powered Bot
Apr 21, 2016
4,330
Thanks for sharing the video, it's very informative. Looking forward to the subtitled version and your upcoming post on Xcitium EDR. It's crucial to stay updated on these developments for optimal security.
 

cruelsister

Level 43
Verified
Honorary Member
Top Poster
Content Creator
Well-known
Apr 13, 2013
3,224
If you still have an available VM to test this, please make the following Registry Change and re-run the test:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA

and modify DWORD Value from 1 to 0
 

Vitali Ortzi

Level 24
Verified
Top Poster
Well-known
Dec 12, 2016
1,311
If you still have an available VM to test this, please make the following Registry Change and re-run the test:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA

and modify DWORD Value from 1 to 0
That would be awesome especially with Xcitium as it's more updated
 

Decopi

Level 8
Verified
Oct 29, 2017
355
The Comodo 2025 release was a farce, the software hasn't really been updated/upgraded for many years. The software still has hundreds of bugs (officially recognized by Comodo and its fanatics, but unfixed since 2019), its databases are not updated, and even its certificate doesn't work. All they've done is give the software's GUI a facelift, and released it with the same old lies.

In addition, apart from the “Containment/Isolation” feature, the rest of the tools... are useless! The antivirus is garbage. The firewall doesn't even distinguish SVCHOST communications, doesn't even allow Windows services customization, and is full of bugs. Therefore, Comodo is a simple dumb blocker, and as such depends on the user to block or allow executables. Any customization, which allows the hardening of Windows, is better and more efficient than Comodo.

Specifically with regards to the Comodo Containment, over the last years it has been proven to be flawed countless times, and when not ignored by Comodo and its (immoral/irresponsible) fanatics, they always invent a hack as a solution, which never works (attaching recent Andy Ful's post from today).

It is ridiculous and pathetic to continue defending a software that was abandoned years ago, a dinosaur software that was overtaken by new technologies (therefore is doomed to extinction), even more so when there are many better and more modern upgraded updated alternatives for free, real antimalwares (not just dumb blockers).

I already mentioned it. When Windows starts it runs Explorer shell with high privileges due to that reg tweak. So, almost all applications/exploits/malware also run with high privileges (except rare processes compiled with restriction to run only with standard or lower rights). Malware and exploits do not need privilege escalation or UAC bypasses to run with high privileges, just by applying that reg tweak.
For example, when you run the web browser it will be allowed by Comodo, and some web browser's processes will run with high privileges due to that reg tweak. If exploited, the exploit will also run with high privileges.

That reg tweak would be OK, if Comodo could detect/block/contain all malware and exploits. But we know that this is not true neither for malware nor for exploits (system exploits or exploits of benign applications).

What Comodo settings are good enough to safely apply that reg tweak? The @cruelsister-like settings are not good enough:
  1. The containment can be avoided by DLL hijacking.
  2. The containment can be avoided by some signed malware.
  3. Comodo can be bypassed by many fileless exploits/malware.
  4. Comodo can be silently dismantled by Comodo challenge. Without this tweak, some users can stop the attack due to the UAC alert.
In all those cases, the malware/exploit has much more chances to be executed/undetected because it does not have to use privilege escalation or UAC bypass to obtain high privileges. Without that reg tweak the malware must use additional/special/suspicious code so the AVs have more chances to detect it. In my tests with Comodo challenge, I intentionally did not use UAC bypass, because it would make the attack more detectable.

At home, you will have more examples of malware from points 1-3 because such malware is created without knowing the target. On the contrary, the malware with a special Comodo bypass is virtually nonexistent.
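As an added example (not from the thread or any of the posters), this PowerShell audit reads the EnableLUA and ConsentPromptBehaviorAdmin values under the registry key quoted above and reports whether a process started from the Explorer shell is already holding a full administrator token, which is the condition Andy Ful describes. The function names and the "constructed" finding text are mine; run it from a normal (non-elevated) console on the test VM so the elevation check reflects what the shell hands to its children.

```powershell
# Added example, not part of the thread. Audits the UAC registry tweak
# discussed above and offers a way to put the default values back.
$PolicyKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'

function Get-UacAuditResult {
    $p = Get-ItemProperty -Path $PolicyKey -ErrorAction Stop

    # EnableLUA = 1: Admin Approval Mode on, admin users get a filtered token at logon.
    # EnableLUA = 0: no filtering, so Explorer and everything it launches run elevated
    # for any member of Administrators (the tweak from cruelsister's post).
    $enableLua = if ($null -eq $p.EnableLUA) { 1 } else { [int]$p.EnableLUA }

    # ConsentPromptBehaviorAdmin: 0 = elevate silently, 1/3 = prompt for credentials,
    # 2/4 = prompt for consent, 5 = prompt only for non-Windows binaries (default).
    $consent = if ($null -eq $p.ConsentPromptBehaviorAdmin) { 5 } else { [int]$p.ConsentPromptBehaviorAdmin }

    # With a filtered token the Administrators SID is deny-only, so IsInRole returns
    # False from a non-elevated console. True here means this process is elevated.
    $identity  = [Security.Principal.WindowsIdentity]::GetCurrent()
    $principal = [Security.Principal.WindowsPrincipal]$identity
    $elevated  = $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)

    $finding = if ($enableLua -eq 0) {
        'UAC disabled: admin users run every process with a full token; no UAC bypass needed.'
    } elseif ($consent -eq 0) {
        'UAC on but admins elevate silently: no prompt will interrupt an elevation.'
    } else {
        'UAC defaults in place: elevation requires a prompt on the secure desktop.'
    }

    [pscustomobject]@{
        EnableLUA                  = $enableLua
        ConsentPromptBehaviorAdmin = $consent
        ThisProcessElevated        = $elevated
        Finding                    = $finding   # constructed wording, not a Windows message
    }
}

function Restore-UacDefaults {
    # Mitigation: revert the tweak. EnableLUA only takes effect after a reboot.
    Set-ItemProperty -Path $PolicyKey -Name EnableLUA -Value 1 -Type DWord
    Set-ItemProperty -Path $PolicyKey -Name ConsentPromptBehaviorAdmin -Value 5 -Type DWord
    Write-Warning 'EnableLUA restored to 1; reboot for Admin Approval Mode to apply.'
}

Get-UacAuditResult | Format-List
```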
 

Vitali Ortzi

Level 24
Verified
Top Poster
Well-known
Dec 12, 2016
1,311
The Comodo 2025 release was a farce, the software hasn't really been updated/upgraded for many years. The software still has hundreds of bugs (officially recognized by Comodo and its fanatics, but unfixed since 2019), its databases are not updated, and even its certificate doesn't work. All they've done is give the software's GUI a facelift, and released it with the same old lies.

In addition, apart from the “Containment/Isolation” feature, the rest of the tools... are useless! The antivirus is garbage. The firewall doesn't even distinguish SVCHOST communications, doesn't even allow Windows services customization, and is full of bugs. Therefore, Comodo is a simple dumb blocker, and as such depends on the user to block or allow executables. Any customization, which allows the hardening of Windows, is better and more efficient than Comodo.

Specifically with regards to the Comodo Containment, over the last years has been proven to be flawed countless times, and when not ignored by Comodo and its (immoral/irresponsible) fanatics, they always invent a hack as a solution, which never works (attaching recent Andy Ful's post from today).

It is ridiculous and pathetic to continue defending a software that was abandoned years ago, a dinosaur software that was overtaken by new technologies (therefore is doomed to extinction), even more so when there are many better and more modern upgraded updated alternatives for free, real antimalwares (not just dumb blockers).
We don't have good reputation based default deny so the software is useful and is lighter than actual av software
Indeed there are major bugs and everyone should push them to fix them and it seems enterprise system administrators are rightly avoiding this software but us home users have less choices and it seems to work well against most malware for now but if these issues keep getting unfixed I'm removing comodo from all of my machines (certificate, container allowing privilege escalation with a not rare method of dll injection etc and is a huge risk )
 

Andy Ful

From Hard_Configurator Tools
Verified
Honorary Member
Top Poster
Developer
Well-known
Dec 23, 2014
8,472
... but us home users have less choices and it seems to work well against most malware for now but if these issues keep getting unfixed I'm removing comodo from all of my machines (certificate, container allowing privilege escalation with a not rare method of dll injection etc and is a huge risk )

If you think about not fixing the bypass from this thread, this will not be a problem. The bypass is Comodo-dependent, so it will not be used in widespread attacks.
Comodo has many hardening options that can make it a very attractive solution. The greater problem for Comodo and other AVs is DLL hijacking (also used in the bypass). Unfortunately, there are no tests on this attack vector, so I cannot say which AV can be most effective. On Windows 11, DLL hijacking is blocked by Smart App Control if the malicious DLL is unsigned or improperly signed. It can be also blocked by WDAC.
 

Decopi

Level 8
Verified
Oct 29, 2017
355
Comodo has many hardening options that can make it a very attractive solution.

Please, allow me to disagree.

Comodo is unable to detect digital threats, so Comodo is not an antivirus nor an antimalware. Comodo is only a dumb blocker, and as such, it depends on the user. That fact "per se", already implies that Comodo may be useful only for a microscopic minority of users.

Even so, in order for Comodo to be capable of blocking threats, it has to become a blocker of everything, of good and bad files. That fact per se disqualifies Comodo as a modern protection system (I repeat, because Comodo is unable to distinguish between a good file and a bad one). And worse, time passes and Comodo becomes even worse, because it accumulates hundreds of unfixed bugs, and because new digital threats appear, which force more and more to harden Comodo in a way that it will reach a point where Comodo's hardening will be based on "disconnecting the device from the internet and electricity". Right now the Comodo database is so outdated that 80% of the safe files are blocked or Contained. In a short time, Comodo is going to block 99% of safe software (because it is incapable of recognizing safe files).

On the other hand, by customizing Windows, either manually or through software, it is possible to achieve Windows hardening settings better than or equal to Comodo's.

And last but not least, there are excellent antivirus/antimalwares on the market, totally free. Therefore, there is no logical explanation for using Comodo, a dumb blocker, which depends on the user, a dangerous, abandoned software, without updates/upgrades in years, and with dangerous flaws in Containment.

It is immoral and irresponsible to continue promoting software like Comodo (I'm not talking about you, I'm talking about Comodo and its fanatics).
 

Chuck57

Level 12
Verified
Top Poster
Well-known
Oct 22, 2018
589
It is immoral and irresponsible to continue promoting software like Comodo (I'm not talking about you, I'm talking about Comodo and its fanatics).
This sounds very much like you're accusing us of the new buzzword, "disinformation."

Comodo users: Who decides what is this 'disinformation?'

You: It's what we say it is.

Comodo users: Who is we?

You: Everybody who doesn't want Comodo being used.
 

vitao

Level 1
Thread author
Mar 12, 2024
32
That would be awesome especially with Xcitium as it's more updated
already did that. when properly disabling uac the cis sandbox can manage to really block the exploit behavior. the video is online but I'm still working on proper subs :) anyway, the uac thing is not to be done by anyone. comodo (and now xcitium) must solve this problem. or do you think it's not that much of a problem?
 

vitao

Level 1
Thread author
Mar 12, 2024
32
If you think about not fixing the bypass from this thread, this will not be a problem. The bypass is Comodo-dependent, so it will not be used in widespread attacks.
Comodo has many hardening options that can make it a very attractive solution. The greater problem for Comodo and other AVs is DLL hijacking (also used in the bypass). Unfortunately, there are no tests on this attack vector, so I cannot say which AV can be most effective. On Windows 11, DLL hijacking is blocked by Smart App Control if the malicious DLL is unsigned or improperly signed. It can be also blocked by WDAC.
actually it's already popping out as "paid services" at some "other" places... so it's a matter of time (little if i may) until we have fileless malwares and other malwares running this kind of measure against cis and xcitium...
 

Andy Ful

From Hard_Configurator Tools
Verified
Honorary Member
Top Poster
Developer
Well-known
Dec 23, 2014
8,472
actually it's already popping out as "paid services" at some "other" places... so it's a matter of time (little if i may) until we have fileless malwares and other malwares running this kind of measure against cis and xcitium...
Yes, it is probable in targeted attacks against businesses.
Improbable in widespread attacks against home users (Comodo is not a popular solution).
 