App Review Comodo's killer.

It is advised to take all reviews with a grain of salt. In extreme cases some reviews use dramatization for entertainment purposes.
Content created by
@Andy Ful
R

rashmi

Level 15
Jan 15, 2024
732
Andy Ful said:
She probably had in mind the contained/blocked applications.

If an Unrecognized application is not contained (like DLL), this restriction does not work.
Click to expand...
I didn't mean it was CruelSister's claim, as she's already addressed it in this thread.
malwaretips.com

Serious Discussion - Comodo Containment "Restricted" Restriction Level

For Containment, some Comodo users opt for @cruelsister's configuration, which primarily includes Proactive Configuration + Restricted (Restriction Level). According to @cruelsister, the "restricted" level prevents network connections from contained programs. Comodo users who use CruelConfig...
malwaretips.com malwaretips.com
 
  • Like
Reactions: Andy Ful
Andy Ful

Andy Ful

From Hard_Configurator Tools
Thread author
Verified
Honorary Member
Top Poster
Developer
Well-known
Dec 23, 2014
8,777
I did not name my "conclusion" post the conclusion, so I do it now more clearly. :)

Suggestions for MT members who want to use CIS on their computers.
  1. It is OK to use the @cruelsister settings but be cautious when opening documents with macros or files from disk images, flash drives, and archives. Those files are common attack vectors for abusing Trusted applications and bypassing CIS protection.
  2. One can maximize the protection against abusing Trusted applications by:
    - using the 7-Zip trick for disk images and archives,
    - disabling execution from flash drives,
    - disabling macros in office applications,
    - tweaking Comodo's Script Analysis settings.

Administrators in organizations (small businesses) can consider
  • using SUA,
  • disabling macros in office documents,
  • tweaking Comodo's Script Analysis settings,
  • applying the @cruelsister settings (silent setup) with disabled cloud lookup and reduced Trusted Vendors list.
    Only selected signed (also self-signed) applications will be allowed when the vendors are included on the reduced Trusted Vendors list.
    Other applications will be contained. Such vendors like Microsoft and Comodo must be included on that list.
Edit.
Of course, Administrators in organizations, should not forget about Microsoft Administrative Templates to adjust more restrictions.
 
Last edited:
  • +Reputation
  • Applause
Reactions: Gandalf_The_Grey, simmerskool, ErzCrz and 2 others
Nikola Milanovic

Nikola Milanovic

Level 4
Verified
Oct 17, 2023
181
Andy Ful said:
I did not name my "conclusion" post the conclusion, so I do it now more clearly. :)

Suggestions for MT members who want to use CIS on their computers.
  1. It is OK to use the @cruelsister settings but be cautious when opening documents with macros or files from disk images, flash drives, and archives. Those files are common attack vectors for abusing Trusted applications and bypassing CIS protection.
  2. One can maximize the protection against abusing Trusted applications by:
    - using the 7-Zip trick for disk images and archives,
    - disabling execution from flash drives,
    - disabling macros in office applications,
    - tweaking Comodo's Script Analysis settings.

Administrators in organizations (small businesses) can consider
  • using SUA,
  • disabling macros in office documents,
  • tweaking Comodo's Script Analysis settings,
  • applying the @cruelsister settings (silent setup) with disabled cloud lookup and reduced Trusted Vendors list.
    Only selected signed (also self-signed) applications will be allowed when the vendors are included on the reduced Trusted Vendors list.
    Other applications will be contained. Such vendors like Microsoft and Comodo must be included on that list.
Click to expand...
If u disable Cloud then how will Xcitium rate the files as Malicious or Safe?
Will it be Unknown forever?
 
  • Like
Reactions: simmerskool
Andy Ful

Andy Ful

From Hard_Configurator Tools
Thread author
Verified
Honorary Member
Top Poster
Developer
Well-known
Dec 23, 2014
8,777
Nikola Milanovic said:
If u disable Cloud then how will Xcitium rate the files as Malicious or Safe?
Click to expand...

The signature detection still works, so malicious files are detected. All other files will be Unrecognized for Comodo, except files Trusted by the user or Trusted Vendor.
Such a setup is common in Enterprises where AppLocker or Windows Defender Application Control is applied.

Nikola Milanovic said:
Will it be Unknown forever?
Click to expand...

Yes, except when the user adds the vendor to the Trusted Vendors or Trusted files.
Of course, the user can enable Cloud Lookup from time to time if necessary.
 
  • +Reputation
  • Hundred Points
Reactions: simmerskool and Halp2001
Andy Ful

Andy Ful

From Hard_Configurator Tools
Thread author
Verified
Honorary Member
Top Poster
Developer
Well-known
Dec 23, 2014
8,777
  • Hundred Points
Reactions: simmerskool and Halp2001
Nikola Milanovic

Nikola Milanovic

Level 4
Verified
Oct 17, 2023
181
Andy Ful said:
The signature detection still works, so malicious files are detected. All other files will be Unrecognized for Comodo, except files Trusted by the user or Trusted Vendor.
Such a setup is common in Enterprises where AppLocker or Windows Defender Application Control is applied.



Yes, except when the user adds the vendor to the Trusted Vendors or Trusted files.
Of course, the user can enable Cloud Lookup from time to time if necessary.
Click to expand...
i keep Cloud on everytime because i like Xcitium to rate files as Malicious or Trusted
 
bazang

bazang

Level 10
Jul 3, 2024
493
Andy Ful said:
- using the 7-Zip trick for disk images and archives,
- disabling execution from flash drives,
- disabling macros in office applications,
Click to expand...
These should be used by default on Windows no matter what AV is used.

Enterprises and governments are 99% of the office macro users in the world today; consumers do not need macro capabilities built-in to Office and Microsoft should remove them and make macros a separate application plug-in or module. But it won't because even Microsoft has admitted the office code is one crap layer on top of another. Security has been bandaided onto Office.

Andy Ful said:
Of course, Administrators in organizations, should not forget about Microsoft Administrative Templates to adjust more restrictions.
Click to expand...
Once the current batch of Administrators dies off, there will not be anyone around to know what Microsoft Administrative Templates are.

Microsoft CoPilot will run peoples' online lives (and security).
 
  • Like
Reactions: simmerskool and Andy Ful
bazang

bazang

Level 10
Jul 3, 2024
493
Andy Ful said:
This can take some time. :)
Click to expand...
The last real Administrator was born on December 31st, 1999.

By 2075 either AI runs the world's IT infrastructure or else there won't be enough Admins to even figure out how to connect the power chord into the power socket.

Heck, people will not even have to go to school anymore. When someone asks them a question they can just have that person ask their personal phone - which the AI on it will provide the correct answer to the person asking the question.

AI will talk to AI and just cut-out the real nuisance - the people.

I really do think people (the world, humanity, whatever you want to call them) are stupid enough that this is the sort of future dystopia the world is headed towards. That's if the hoomans don't kill each other first.
 
  • Like
Reactions: simmerskool
Andy Ful

Andy Ful

From Hard_Configurator Tools
Thread author
Verified
Honorary Member
Top Poster
Developer
Well-known
Dec 23, 2014
8,777
rashmi said:
Comodo Cloud Antivirus detection relies on Cloud Lookup, if I remember well.
Click to expand...

If local signatures do not detect the file, it is checked against the cloud backend (cloud lookup). To maximize the detection with disabled cloud lookup, it might be necessary to use the full signatures locally.
 
  • +Reputation
Reactions: simmerskool
Andy Ful

Andy Ful

From Hard_Configurator Tools
Thread author
Verified
Honorary Member
Top Poster
Developer
Well-known
Dec 23, 2014
8,777
bazang said:
The last real Administrator was born on December 31st, 1999.

By 2075 either AI runs the world's IT infrastructure or else there won't be enough Admins to even figure out how to connect the power chord into the power socket.

Heck, people will not even have to go to school anymore. When someone asks them a question they can just have that person ask their personal phone - which the AI on it will provide the correct answer to the person asking the question.

AI will talk to AI and just cut-out the real nuisance - the people.

I really do think people (the world, humanity, whatever you want to call them) are stupid enough that this is the sort of future dystopia the world is headed towards. That's if the hoomans don't kill each other first.
Click to expand...

Predicting the future for the next 50 years is virtually impossible. :)
One cannot be certain that there will be any future after 40 years. Let's hope for the opposite.
 
Last edited:
  • Hundred Points
  • Like
Reactions: simmerskool and Vitali Ortzi
Nikola Milanovic

Nikola Milanovic

Level 4
Verified
Oct 17, 2023
181
1737290018740.png

Static Analysis: Malware
Behaviour
Kill Chain Report(Red circle right up)
Link: Valkyrie Verdict
 
Andy Ful

Andy Ful

From Hard_Configurator Tools
Thread author
Verified
Honorary Member
Top Poster
Developer
Well-known
Dec 23, 2014
8,777
@Nikola Milanovic,

It is not necessary to post examples of malware detected by Comodo. We already know that it can detect many malware.
By the way, your example cannot convince anyone that Comodo has a good singnature detection.

We can see the detection from 7 hours ago (3 days after the sample was first seen in the wild ).

1737293319574.png

(.....) skipped AVs that detected the sample. The below AVs missed the sample:

1737293382934.png

1737298447991.png
 
Last edited by a moderator:
  • +Reputation
  • Like
Reactions: simmerskool and Nikola Milanovic
Nikola Milanovic

Nikola Milanovic

Level 4
Verified
Oct 17, 2023
181
Andy Ful said:
@Nikola Milanovic,

It is not necessary to post examples of malware detected by Comodo. We already know that it can detect many malware.
By the way, your example cannot convince anyone that Comodo has a good singnature detection.

We can see the detection from 7 hours ago (3 days after the sample was first seen in the wild ).

View attachment 287223
(.....) skipped AVs that detected the sample. The below AVs missed the sample:
View attachment 287224
Click to expand...
Still Xcitium 95% of the time returns a verdict in under 45 seconds
 
  • Like
Reactions: simmerskool and Andy Ful
vitao

vitao

Level 4
Mar 12, 2024
176
Andy Ful said:
If local signatures do not detect the file, it is checked against the cloud backend (cloud lookup). To maximize the detection with disabled cloud lookup, it might be necessary to use the full signatures locally.
Click to expand...
but this will not bring any difference in detection, as anybody can see here:



Edit.: If somebody need, please, say so and I can create subtitles for this video, instead of you guys using the automatic ones...
 
  • Like
Reactions: Andy Ful
Andy Ful

Andy Ful

From Hard_Configurator Tools
Thread author
Verified
Honorary Member
Top Poster
Developer
Well-known
Dec 23, 2014
8,777
vitao said:
but this will not bring any difference in detection, as anybody can see here:



Edit.: If somebody need, please, say so and I can create subtitles for this video, instead of you guys using the automatic ones...
Click to expand...


In your video, you showed, that for a few-day-old malware samples, the difference can be small. But, that is how the reduced set of signatures is selected. It probably does not contain less than few-hour-old and more than few-month-old malware.
 
Last edited:
  • Like
Reactions: simmerskool

Similar threads

Andy Ful
    • Like
    • +Reputation
App Review AV/EDR challenge
Replies
18
Views
1,112
Video Reviews - Security and Privacy
Andy Ful
Andy Ful
Shadowra
    • Like
    • +Reputation
    • Thanks
App Review Shadowra's Big Comparative - Episode 1 : Free Antivirus
Replies
173
Views
11,290
Video Reviews - Security and Privacy
nickstar1
nickstar1
Shadowra
    • Like
    • +Reputation
    • Thanks
App Review Microsoft Defender Antivirus (Default Settings + DefenderUI Recommanded Settings)
Replies
48
Views
6,214
Video Reviews - Security and Privacy
badboy
badboy

About us

  • MalwareTips is a community-driven platform providing the latest information and resources on malware and cyber threats. Our team of experienced professionals and passionate volunteers work to keep the internet safe and secure. We provide accurate, up-to-date information and strive to build a strong and supportive community dedicated to cybersecurity.

Quick Navigation

Forum Rules Warning System Welcome Guide Two-factor Authentication

User Menu

Login

Follow us

Follow us on Facebook or Twitter to know first about the latest cybersecurity incidents and malware threats.

Top