App Review Comodo Internet Security vs targeted ransomware attack.

It is advised to take all reviews with a grain of salt. In extreme cases some reviews use dramatization for entertainment purposes.
Content created by: me

Andy Ful (thread author)


The most interesting part starts after 10 minutes and 40 seconds.
The attack vector is specific to the machines with Comodo. Although the techniques used here are well known, the attacker must avoid many popular LOLBins that the Comodo Script Analysis covers. Such highly targeted attacks mainly affect businesses.
The part related to the delivery method (ClickFix, phishing, SEO poisoning, network shares, etc.) was skipped to keep the video shorter.
Even if Comodo has the ability to block hijacked DLLs, why use the performance-taxing Comodo auto-containment when the job could be carried out by the lightweight SAC/WDAC?
Comodo Firewall (Auto-containment set to Block) can be compared to SAC/WDAC. However, I am not sure if the second is lighter.
 
The most interesting part starts after 10 minutes and 40 seconds.
The attack vector is specific to the machines with Comodo. Although the techniques used here are well known, the attacker must avoid many popular LOLBins that the Comodo Script Analysis covers. Such highly targeted attacks mainly affect businesses.
The part related to the delivery method (ClickFix, phishing, SEO poisoning, network shares, etc.) was skipped to keep the video shorter.

There are much more basic methods to prevent this type of attack from happening to anyone with built-in Windows native security - and it sure ain't using SAC or WDAC. With those protections, the vector (the pathway of the malicious code "onto the system") is not relevant one bit. One exception is kernel exploits, in which case every single bet is off.
 
It is; I even notice MD uses less RAM while SAC is On compared to being Off; could not find an explanation.

Installed Comodo one time; even without auto-containment enabled, it made my PC crawl.
Crawling with excitement and glee, maybe according to @rashmi 😅 Just kidding, rashmi :)

But, this tells me all I need to know, especially in how little I do and don't do on my laptops.
The attack vector is specific to the machines with Comodo. Such highly targeted attacks mainly affect businesses.
 
Even Bitdefender in its worst performance did not give me such slowness.

That is why I much appreciate personal feedback and real-life experience more than Gemini and ChatGPT; you could not find such experiences in their answers.
I agree, but they both have their pluses and minuses :) But user experiences can have unknown variables; that's why it's nice to also confirm things on our end when we're truly interested. One may get multiple McAfee pop-ups, while others don't. As for me, I'll leave it here, so I don't help to derail this thread :)
 
I don't understand. But of course, as you know I am a complete novice.

That being said, if I were Comodo, and Comodo was still my passion, and if I also had expendable resources, I would come to my senses and rescue my project.

Knowing I still had a large fanbase, even if it was lagging, also a fanbase that was on the fence, plus others who were no longer fans but could be impressed if I really put forth the effort to win them back.

Then with all that said I would take all the compromising factors, faults, defects, problems, and complaints, and compile them into a fix list to make my product top tier, and current.
 
I don't understand. But of course, as you know I am a complete novice.

Most people who do not use Comodo do not understand either. :)
However, I have a strong feeling that those who use it can do it for a good reason. Of course, their good reason may not be so good for others.
 
Why should we ask? People should be allowed to do what they want, if they do not hurt others. :)
It was a rhetorical question.
 
Before making this video, I analyzed several attacks with DLL hijacking in the wild. Almost all of them also used scripts and LOLBins in the infection chain covered by Comodo's Script Analysis or Auto-containment. So, if the attacker does not know that defenders use Comodo, their attacks mainly fail, even if such attacks can be effective against popular AVs.
However, the attack presented in the video was easily detected by Microsoft Defender (I did not submit the DLL to analysis).

Event[1]:
Time Created : 22/02/2026 09:16:42
ProviderName : Microsoft-Windows-Windows Defender
Id : 1116
Message : Microsoft Defender Antivirus has detected malware or other potentially unwanted software.
For more information please see the following:
Trojan:Win32/Bearfoos.B!ml threat description - Microsoft Security Intelligence
Name: Trojan:Win32/Bearfoos.B!ml
ID: 2147731849
Severity: Severe
Category: Trojan
Path: file:_E:\H_C\DLL\ComodoBypassAAABBB\version.dll
Detection Origin: Local machine
Detection Type: FastPath
Detection Source: System
User: NT AUTHORITY\SYSTEM
Process Name: Unknown
Security intelligence Version: AV: 1.445.181.0, AS: 1.445.181.0, NIS: 1.445.181.0
Engine Version: AM: 1.1.26010.1, NIS: 1.1.26010.1

That is why the attackers avoid this method in the wild. They use other attack vectors optimized to bypass popular AVs.
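As an added defensive example (not from the thread, Comodo or Microsoft), a small Python triage over Defender detection records like the one above: it parses the Key : Value layout, strips Defender's file:_ prefix, and flags a watch-listed DLL name (version.dll here) detected outside its legitimate system directories, which is the DLL-hijacking pattern the post describes. The sample records, the one-entry watchlist and the trusted-directory set are constructed assumptions.

```python
import re
from pathlib import PureWindowsPath

# Constructed sample records, modelled on the Defender event 1116 posted above
# (only the fields the triage needs are kept; all but the first record are made up).
SAMPLE_EVENTS = [
    "Id : 1116\nMessage : Microsoft Defender Antivirus has detected malware or other potentially unwanted software.\n"
    "Name: Trojan:Win32/Bearfoos.B!ml\nSeverity: Severe\n"
    "Path: file:_E:\\H_C\\DLL\\ComodoBypassAAABBB\\version.dll\nDetection Type: FastPath",
    # same DLL name in its legitimate system location: not a hijack candidate
    "Id : 1116\nName: Trojan:Win32/Example!ml\nSeverity: Severe\n"
    "Path: file:_C:\\Windows\\System32\\version.dll",
    # a different event id (1117, action taken) with an EXE: ignored by the triage
    "Id : 1117\nName: Trojan:Win32/Example!ml\nSeverity: Severe\n"
    "Path: file:_C:\\Users\\demo\\Downloads\\setup.exe",
]

# DLL names that programs load by name and attackers plant beside the EXE.
# version.dll is the one shown in the thread; this watchlist is an assumed starting point.
HIJACK_PRONE_DLLS = {"version.dll"}

# Where those DLLs legitimately live (assumed default Windows install paths).
TRUSTED_DIRS = {r"c:\windows\system32", r"c:\windows\syswow64"}

FIELD = re.compile(r"^(?P<key>[A-Za-z ]+?)\s*:\s*(?P<value>.*)$", re.MULTILINE)

def parse_event(text: str) -> dict:
    """Turn the 'Key : Value' lines of one Defender event into a dict, stripping 'file:_' from Path."""
    fields = {m["key"].strip().lower(): m["value"].strip() for m in FIELD.finditer(text)}
    path = fields.get("path", "")
    if path.startswith("file:_"):
        path = path[len("file:_"):]
    return {"id": fields.get("id"), "name": fields.get("name"), "path": path}

def is_hijack_candidate(path: str) -> bool:
    """A watch-listed DLL name sitting outside the directories it legitimately lives in."""
    p = PureWindowsPath(path)
    return p.name.lower() in HIJACK_PRONE_DLLS and str(p.parent).lower() not in TRUSTED_DIRS

def triage(events: list[str]) -> list[tuple[str, str]]:
    """Return (threat name, path) for detection events (Id 1116) whose path looks like a planted DLL."""
    hits = []
    for raw in events:
        ev = parse_event(raw)
        if ev["id"] == "1116" and is_hijack_candidate(ev["path"]):
            hits.append((ev["name"], ev["path"]))
    return hits

if __name__ == "__main__":
    print(triage(SAMPLE_EVENTS))
```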