App Review Comodo's killer.

Content created by
@Andy Ful

Vitali Ortzi
> So are you ready to switch to Xcitium Client Security 13?

If I were a business, probably not fully.
As a consumer it's too expensive for single licenses and is niche, as it has too many false positives for many users, but some can actually use it, like my mom, who doesn't install software frequently (using Cruelsister's Comodo settings and a configured Defender there).

For myself, only as a layer, since there is wild malware with DLL hijacking that can bypass it,
like the ransomware shown on this forum.

VirusScope is too weak, even the Xcitium version, looking at lab tests, so you have to use it at default deny, and even then it's not good enough for enterprises, as there are possible bypasses that targeted malware can use, and maybe some wild malware may have some bypass that will work on Xcitium too.
 

Nikola Milanovic
> If I were a business, probably not fully.
> As a consumer it's too expensive for single licenses and is niche, as it has too many false positives for many users, but some can actually use it, like my mom, who doesn't install software frequently (using Cruelsister's Comodo settings and a configured Defender there).
>
> For myself, only as a layer, since there is wild malware with DLL hijacking that can bypass it,
> like the ransomware shown on this forum.

I already have machines with Xcitium Client Security and everything is fine.
 

rashmi
> The 7zFM is already included there via the rule *\7z*.exe. However, I want to fully virtualize only one archiver application set as the default archiver to open archives and disk images.
> I do not know, maybe it is possible to fully virtualize all archivers included in the File Archiver group and set one of them as the default archiver. Then, the Windows built-in archiver will be the only possibility to pack/open archives and disk images without containment.

With the "all applications" policy, Comodo will run files present in the file groups as fully virtual. For example, I had to add AntDM.exe for Ant Download Manager in the "file downloaders" group; otherwise, Comodo couldn't detect the file origin for the files downloaded. The file details showed the file origin as "unknown" for the downloaded files.

> Did you export the test Comodo settings?

I had a 1-day limit for unrecognized apps, a file origin for removable media/internet, and a whitelist policy for WinRAR. I was just using File Explorer when I got a Comodo Firewall message; it crashed. Everything was fine except the test policies vanished and the unrecognized apps policy was back to default.
 

Andy Ful (thread author)
> @Andy Ful Is it possible for you to test CyberLock? How would their AI/Whitelist Cloud rate or analyze your signed POC?

I do not plan to test CyberLock.
In my POCs, I used only benign and trusted applications/LOLBins. So, AI/Whitelist Cloud will rate them as benign and trusted. I am not sure about TDSSKiller, but you can check it.
 

Andy Ful (thread author)
> With the "all applications" policy, Comodo will run files present in the file groups as fully virtual. For example, I had to add AntDM.exe for Ant Download Manager in the "file downloaders" group; otherwise, Comodo couldn't detect the file origin for the files downloaded. The file details showed the file origin as "unknown" for the downloaded files.

I am not sure how the above is related to containing 7zFM?
By "fully virtualize" 7zFM I meant that all files contained in the disk image or archive will be virtualized (not only the "All Applications" group).
For example, when opening a picture embedded in an ISO file or ZIP archive, the application that opens pictures will be auto-contained too.
When you open a document with a macro that creates/drops/runs payloads, Word and all payloads will be auto-contained (also those Trusted by Comodo).
The copy of the file is auto-contained.
The unpacked content is auto-contained.
 

Andy Ful (thread author)
I realized the advantage of using the less-than-1-day time limit + UniGetUI installer/updater.
First it is necessary to install UniGetUI from the Microsoft Store. Next we should add the "Ignore" actions to avoid Comodo's blocks.

[Screenshot: the Comodo containment "Ignore" rules described below]

The TmpFiles is the containment group for ignored file extensions. I added only the *.tmp file extension to this group.
With these settings, both the application installations/updates via UniGetUI and the execution of those applications are not blocked by Comodo. This follows from:
  1. The installed UniGetUI preserves the original file creation time (always beyond the 1-day limit).
  2. Most applications installed via UniGetUI also preserve the original creation time (always beyond the 1-day limit).
  3. UniGetUI executes the application installers in two folders (see the screenshot above) that are "Ignored", so Comodo does not contain the installation.
  4. If the application uses *.tmp executables (which have a fresh creation time), they are also "Ignored".
 

vitao
> Comodo/Xcitium has improved its signatures, you can ask @vitao

No, they didn't. As far as I can tell, they improved only for a couple of days when someone from Comodo was signing files from MalwareBazaar, but after a few days all was back to normal, as CIS continued to be the worst at detecting malware in manual scans. But it continues to be the best when prevention is the goal.
 

Nikola Milanovic
> No, they didn't. As far as I can tell, they improved only for a couple of days when someone from Comodo was signing files from MalwareBazaar, but after a few days all was back to normal, as CIS continued to be the worst at detecting malware in manual scans. But it continues to be the best when prevention is the goal.

The guy is still feeding the malware database.
 

rashmi
> I realized the advantage of using the less-than-1-day time limit + UniGetUI installer/updater.
> First it is necessary to install UniGetUI from the Microsoft Store. Next we should add the "Ignore" actions to avoid Comodo's blocks.
>
> The TmpFiles is the containment group for ignored file extensions. I added only the *.tmp file extension to this group.
> With these settings, both the application installations/updates via UniGetUI and the execution of those applications are not blocked by Comodo. This follows from:
>   1. The installed UniGetUI preserves the original file creation time (always beyond the 1-day limit).
>   2. Most applications installed via UniGetUI also preserve the original creation time (always beyond the 1-day limit).
>   3. UniGetUI executes the application installers in two folders (see the screenshot above) that are "Ignored", so Comodo does not contain the installation.
>   4. If the application uses *.tmp executables (which have a fresh creation time), they are also "Ignored".

For UniGetUI installer/updater users, simply adding "ignore" rules for the WindowsApps and UniGetUI folders should work with the default containment rules. A *.tmp file rule set to "ignore" in containment might also not be necessary.
 
  • Like
Reactions: simmerskool

Andy Ful (thread author)
> For UniGetUI installer/updater users, simply adding "ignore" rules for the WindowsApps and UniGetUI folders should work with the default containment rules. A *.tmp file rule set to "ignore" in containment might also not be necessary.

The "Ignore" feature works for installation via UniGetUI but not for the installed Unrecognized files in "Program Files" and other locations. So, after installation with UniGetUI, the Unrecognized applications will still be contained. When using the 1-day time limit, those Unrecognized applications will mostly be allowed, because most installations preserve the original file creation time (created by the vendor). Of course, another solution would be adding the application folders to the "Ignored" folders.
Some installed applications create *.tmp files on each execution; these are created with fresh dates. They are mainly unsigned and often blocked even with the 1-day time limit, except when using an "Ignore" rule for *.tmp. One could add the folder %LocalAppdata%\temp to the "Ignored" folders, but this would be unsafe.
 
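As an added example (not code from the thread, from Comodo/Xcitium or from UniGetUI), the following PowerShell audit supports the reasoning in the two posts above about the less-than-1-day time limit. It lists the executables under a set of install folders whose CreationTime falls inside the window (the files an Unrecognized-file rule keyed to creation time would still contain), records whether each is Authenticode-signed, and demonstrates on a constructed sample why "the copy of the file" is treated as fresh: a plain file copy gets a new CreationTime while its LastWriteTime is preserved. The folder list, the 24-hour window and the extension set are assumptions; Comodo's own rule evaluation is not reproduced.

```powershell
# Added example, not from the thread: audit binaries that a "created less
# than N hours ago" rule would catch, and show that copying resets CreationTime.
# Assumptions: the folder list, the 24-hour window and the extension set.

function Get-FreshExecutables {
    param(
        [Parameter(Mandatory)] [string[]] $Path,
        [int] $MaxAgeHours = 24,                           # assumed window (Andy's "1-day limit")
        [string[]] $Extension = @('.exe', '.dll', '.tmp')  # .tmp: the per-run helpers discussed above
    )
    $cutoff = (Get-Date).AddHours(-$MaxAgeHours)
    Get-ChildItem -Path $Path -Recurse -File -ErrorAction SilentlyContinue |
        Where-Object { $Extension -contains $_.Extension.ToLower() } |
        Where-Object { $_.CreationTime -gt $cutoff } |
        ForEach-Object {
            $sig = Get-AuthenticodeSignature -FilePath $_.FullName
            [pscustomobject]@{
                Path          = $_.FullName
                CreationTime  = $_.CreationTime
                LastWriteTime = $_.LastWriteTime
                Signature     = $sig.Status   # NotSigned + fresh = the combination most likely contained
            }
        }
}

# Constructed demonstration: a file backdated 30 days, then copied.
# The copy's CreationTime is "now" even though its LastWriteTime is kept,
# which is why a copied file falls back inside the time window.
function Test-CopyResetsCreationTime {
    $dir = Join-Path $env:TEMP ("ctime-demo-" + [guid]::NewGuid())
    New-Item -ItemType Directory -Path $dir | Out-Null
    try {
        $orig = Join-Path $dir 'vendor.exe'
        Set-Content -Path $orig -Value 'placeholder'      # constructed sample, not a real binary
        (Get-Item $orig).CreationTime = (Get-Date).AddDays(-30)

        $copy = Join-Path $dir 'copied.exe'
        Copy-Item -Path $orig -Destination $copy

        $c = Get-Item $copy
        [pscustomobject]@{
            OriginalCreated = (Get-Item $orig).CreationTime
            CopyCreated     = $c.CreationTime
            CopyLastWrite   = $c.LastWriteTime
            CopyIsFresh     = $c.CreationTime -gt (Get-Date).AddHours(-24)   # expected: True
        }
    } finally {
        Remove-Item -Path $dir -Recurse -Force
    }
}

# Usage: what a 1-day rule would still catch in the usual install locations.
Get-FreshExecutables -Path "$env:ProgramFiles", "${env:ProgramFiles(x86)}", "$env:LOCALAPPDATA\Programs" |
    Format-Table -AutoSize
Test-CopyResetsCreationTime
```

Run it right after a UniGetUI install or update: binaries that show up in the first table are the ones the time limit alone will not let through, and the Signature column separates vendor-signed files (candidates for a targeted "Ignore" on their own folder, as Andy suggests) from unsigned *.tmp helpers, for which the thread's advice is an extension rule rather than ignoring %LocalAppdata%\temp wholesale.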
