In my post, I meant I watched the tests, and this is what I understood or took. As for @Trident, I didn't reply to his point because I understood it. And from memory, I knew it was by design and not a bypass, which I mentioned in the topic, and the developer confirming it cleared it for me. For me, I'm okay with this issue, and if I were using Comodo, I would continue using it with HIPS disabled. Others would have their own take on this issue, and I understand and respect that too.
Good to know.Yes, such a combo can prevent all variants of the attack. But this combo would be unnecessary at home and hardly useful in businesses.
I can test Kaspersky. But, please ask first the MT staff if more tests can bring some benefit to our community.
My intention was not testing several AVs, but show on the example, that AV kernel drivers can be attacked from Userland without much effort and without using vulnerable drivers or abusing PPL.
Comodo trusts or allows the attack file. Is it also present in the File List - Non-executables?Normally, the Safe Mode + default Internet Security configuration should work well (although it is disabled by default). In my case, Comodo crashed in much more restricted configuration. If I correctly remember It was Proactive configuration with settings similar to @cruelsister + maxed Script Analysis. I noticed that this setup is unusable (blocked many things), so I tried to restore the default settings of Script Analysis. In this moment Comodo showed errors, the system behaved strangely, and I could not fix it.
The best way to install Comodo is to configure it after installation, i.e., don't restart the system. If you want to use a different configuration than the installation default, activating it should be the first step, otherwise your desired configuration won't have your custom settings. After configuring the settings, run the Rating Scan and take action on unrecognized files and malicious (if any). Restart the system. I never had problems using Comodo this way. You can tame Comodo or minimize alerts by adding signed vendors (not verified by Comodo) or excluding/ignoring your unsigned apps, etc.A few years ago when I used Comodo with the much more restrictive HIPS "Paranoid mode", the only way I could manage to make this mode usable without crippling Windows was to immediately put it in "Learning mode", then reboot several times, log out and back in, do most of the basic stuff I would normally do on a daily basis such as open the web browser, email client, any office apps, and most of the basic Windows actions such as open Explorer, check updates, settings, etc...This way rules would be automatically created on the fly.
It's not ideal, of course, but there was no other way otherwise it would bork Windows because the HIPS would block something critical that Windows needs to function properly. it seems the same issue, maybe to a lesser extent but an issue nonetheless, occurs with HIPS in Proactive mode. Obviously Learning mode must be done on a known, clean system, and the user must take care not to incur infection while doing so
EDIT
Perhaps Comodo devs could consider baking into the product, a minimum set of rules that allows Windows to function at a basic level whenever the user wants enable HIPS in any mode.
Thanks a lot Andy for your thorough testing!
In Script Analysis, one can add the missing ones.
Thanks. Didn't know the settings I pointed existed in the beta. Didn't try it yet. I am wondering if the "enhanced protection" was still available, would that change something. They removed it after 5.8 if I remember correctly since it interfered with Win 10 x64, probably because of the PatchGuard or other stuff introduced in Win 10. In fact, v3 had the strongest HIPS back in the days, but the pop-ups were way too many, and it was unusable
