App Review Comodo's killer.

Content created by
@Andy Ful
OK. The off-topic discussion about the general Comodo recommendations and opinions is now closed. ⛔
I commented on @vitao's post because of my video. Anyone can post comments about Comodo and "moving on ..." to the threads he has opened if necessary. (y)
 
DecimaTech explained the Comodo/UAC flaw, which is well-known to Comodo staff. If you think other AV vendors are eager to patch all known flaws, you will be disappointed. :confused:
Furthermore, despite this incompatibility, you can hardly find a stronger solution than @cruelsister settings + safe mode HIPS + some hardening via Script Analysis (of course there can be some with similar strength).

Comodo has some important advantages for non-enterprise users:
  1. It is rarely a target of criminals.
  2. It uses auto-containment and most solutions do not.
If you see malware attacking your personal computer, it will not be a sandbox bypass, except when you are a celebrity, dissident, or VIP. If something might pass by your Comodo protection, it would be via DLL hijacking or a similar fileless (non-EXE) technique. Even then, you will have a fair chance to stop the attack flow, because many attacks starting from fileless vectors still use standard methods at the later infection stages. So in the end, the final payload can be contained anyway.

As an example, one could take the @Loyisa exploit. From points 1-2 it follows that you can hardly see such an exploit on your computer, but rather a modified version where the auto-containment bypass via creating a service is replaced by a UAC bypass unrelated to sandbox escape. Such a UAC bypass can be mainly contained with no escape. In the case when the file with the UAC bypass is not contained and tries to run an EXE payload, the payload can be auto-contained into a full-strength sandbox (the payload will start with Administrator privileges before containment = no sandbox escape).:)(y)

Of course, there is still some possibility that malware can compromise your protection (via purely non-EXE attack or by using some unrestricted LOLBin), but such malware is very rare and other solutions can hardly do better. Anyway, there is nothing wrong with trying.
I am afraid that after moving on, most people will replace strong protection + known but rarely exploited feature, with not-so-strong protection + unknown by the user (but known by attackers) more frequently exploited features.
I understand what you're saying, but I can not agree. For this lack of interest in solving this exploitation, now CIS has a "friend": CIS trusts a ransomware so it can run and do whatever it wants. The video is online. I'll bring a topic about it.

So even if Comodo is small and doesn't get much attention, the lack of updates and bugfixes just shows how they just don't give a damn about their userbase. And this is the case with Xcitium too, as the PoC bypasses it too (the new one too), and Xcitium is a paid product for enterprises and it has a goddamn EDR... or am I going too far?
 
Hi @Andy Ful, please, once again, and with all due respect, allow me to disagree with your last post.

Comodo is abandonware; it has not had any real update/upgrade for years, it is full of dangerous unfixed bugs, most of its features are garbage, and several times "Containment" has already been proven bypassable. Therefore, in this context, as a matter of principle, no software in this condition should be used. Period!

The problem is the IMMORALITY and IRRESPONSIBILITY, both, of Comodo (which continues to promote its software as "the most complete solution for cyber security"), as well as of its fanatics, who lie, omit and manipulate information, creating a false myth that has lasted for years.

In addition, Comodo is not able to detect viruses/malware, so at best it can only be classified as a “blocker”. However, with the lack of updates + no bug fixes, nowadays not even the blocker function is reliable! Also, it's worth mentioning the fact that 99% of users are NOT suitable to use blockers as security systems. And if it is a matter of “blocking” stuff, then it would be enough to harden Windows. Finally, there is also no logical reason to use a blocker, when there are countless excellent free alternatives on the market, real antivirus/antimalware, modern and well maintained.

In this pathetic context, continuing to promote Comodo, besides being immoral and irresponsible, is like promoting the unplugging of a computer from the internet or electricity, as the most “infallible complete cyber security system”... RIDICULOUS! Every time a problem is reported with Comodo, what is always proposed is a patch/hack where more and more stuff is blocked. And considering that the current blocker function (Containment) already triggers hundreds of false blockings (safe files blocked), the only thing they will achieve by hardening/patching/hacking Comodo more and more is that its security will be analogous to unplugging a computer from the internet/electricity (Comodo will totally kill user usability). Comodo has been dangerous for years, and now they are turning it into a totally unusable software.

As I mentioned, 99.99% of users are not prepared to use any kind of blocker as security software. And by hardening/patching/hacking Comodo (instead of fixing or improving Comodo), the only thing they will achieve is that 99.999999% of users will NOT be able to use Comodo.

And the fact that Comodo is useful for 0.000001% of users does not justify the immorality and irresponsibility of Comodo fanatics, who continue to promote Comodo as an alternative for everyone.
And here I have to disagree with you.

I hate the fact that Melih doesn't care about his userbase. I hate the fact that CIS has had no real update since 2020 (2025 has a new GUI, an ugly one if I may). But I can not agree about the protection thing. In fact, maybe it's the reason they "don't care" too much, as CIS containment is the best prevention solution out there.

Sure. CIS has many problems, many incompatibilities, many bugs, many exploits can bypass it, but even with all that, it's a strong solution for prevention. But it's not suitable for everyone. That I agree...
 
You're either gonna fall in love with Melih or fall in love with the fact that you can't beat him. 😊 "D" knows what I'm talking about! 😉
? No feelings about him or anything else. Just commenting on things that are happening these days :) In fact, maybe he will fall in love with me if that thing continues... In fact he is here looking closely... right, Cruel? :p
 
Here I see some sarcasm, or some kind of "I have the truth in me and everyone else is wrong, and if someone disagrees they can go out of my beloved topic",

Sorry, it seemed a little sick, but it's not the goal nor the point. I don't know how to express this kind of "idea" in languages other than mine, so if this feels strange, please ignore, or try to understand without rocks in hand... :)

No sarcasm. I closed the interesting (but off-topic) discussion in this thread, but someone can have another opinion and may want to share it with you.
Guys please, talk about general Comodo problems in another thread.
If you want I can ask the MT staff to move the interesting (but off-topic here) posts to one of your threads, where they can be non-off-topic and welcome.(y)
Any posts about killing Comodo, Comodo bypasses, escaping from the sandbox, UAC incompatibilities, etc. are welcome here. :)
 
That was not my point, but I understand and I agree with you. And sorry if I brought any kind of off-topic to this topic and if I, in some way, contributed to it. Not my intention. Let's focus on the first post of yours here.
 
Hello,

Thanks Andy for this video on Comodo. As I already reported in another post, there have already been "issues" on Comodo, with Shaolan who also reported a bug and obviously he was banned, in short... To this day we have no means of protection against this kind (PoC? if I'm not mistaken), and for the challenge of Comodo and other editors elsewhere, what would you recommend as protection software? I admit that I like Comodo for its lightness (the full installation consumes very little RAM compared to competitors) and its ease of use (compared to old versions of Comodo, I mean). Because in firewalls, apart from ZoneAlarm and WFC, there is not much accessible to the general public apart from paid software. Huorong, which seems to be the closest to Comodo in terms of features, is not very conclusive in light of the tests. What do you think? THANKS.
 
If you use Comodo in a non-enterprise environment, you can still use it. Please note:
https://malwaretips.com/threads/comodos-killer.133558/post-1107412
 
Can you provide me this file? :D I would like to do some testing and some videos

I do not share this one. The video is already available, so Comodo users and staff are informed.
In the attack, the shortcut does not use scripting (Comodo would alert/contain the attack via Script Analysis). This method is not commonly known (can be dangerous).
I don't want to make any more fuss than necessary.:)(y)

Here is the attack flow:
Malicious ISO download (contains a shortcut and some hidden files) ----> shortcut to TDSS Killer executed by the user -----> shortcut runs TDSS Killer with CmdLine to kill Comodo ----> No UAC alert because LUA is disabled ----> TDSS Killer installs the driver and restarts Windows ----> the driver kills Comodo

The attack is successful because it uses only Trusted resources.
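The two conditions the attack flow above depends on (no UAC prompt, and a kernel driver installed as a trusted service) can be checked from the defender's side. This is an added example, not code from the thread or from Comodo; it assumes the standard UAC policy registry key and Service Control Manager event 7045 in the System log, and the $Days lookback is a hypothetical default.

```powershell
# Added example (not from the thread): audit the UAC settings that decide whether
# a trusted, signed tool started from a shortcut can load a driver with no prompt.
# Assumes the standard policy key; missing values fall back to Windows defaults.
function Get-UacPosture {
    $key = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
    $p = Get-ItemProperty -Path $key
    $enableLua   = if ($null -ne $p.EnableLUA) { [int]$p.EnableLUA } else { 1 }
    $adminPrompt = if ($null -ne $p.ConsentPromptBehaviorAdmin) { [int]$p.ConsentPromptBehaviorAdmin } else { 5 }
    # EnableLUA=0 turns UAC off; ConsentPromptBehaviorAdmin=0 elevates admins silently.
    # Either one is the "No UAC alert because LUA is disabled" step in the attack flow.
    $silent = ($enableLua -eq 0) -or ($adminPrompt -eq 0)
    [pscustomobject]@{
        EnableLUA                  = $enableLua
        ConsentPromptBehaviorAdmin = $adminPrompt
        SilentElevation            = $silent
        Finding = if ($silent) { 'UAC will not prompt: a trusted tool can install a driver unattended.' }
                  else         { 'UAC prompts for elevation: the driver install step shows a consent dialog.' }
    }
}

# Pull one "Name: value" line out of an event message (multi-line match, CRLF-safe).
function Get-EventField([string]$Message, [string]$Name) {
    if ($Message -match "(?m)^$Name\s*:\s*(.+?)\s*$") { $Matches[1] } else { $null }
}

# Event 7045 is written whenever a service is created; only kernel-mode drivers can
# stop a security product from ring 0, so those are the entries worth reviewing.
function Get-RecentDriverServices {
    param([int]$Days = 7)   # hypothetical default lookback
    $filter = @{ LogName = 'System'; Id = 7045; StartTime = (Get-Date).AddDays(-$Days) }
    Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue |
        Where-Object { $_.Message -match 'kernel mode driver' } |
        ForEach-Object {
            [pscustomobject]@{
                Time    = $_.TimeCreated
                Service = Get-EventField $_.Message 'Service Name'
                Binary  = Get-EventField $_.Message 'Service File Name'
            }
        }
}

Get-UacPosture
Get-RecentDriverServices -Days 30 | Format-Table -AutoSize
```

A driver whose binary sits on a removable or freshly mounted volume, paired with SilentElevation set to True, is the combination the thread's flow relies on and is worth an alert in its own right.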
 
I'm considering starting a thread discussing Comodo's containment policies, balancing usability and security.

The impact of the policies is something I have yet to investigate. For tests, can you and @vitao run the POCs against these containment policies?

In Proactive Configuration, remove the last or All Applications - Unrecognized policy from Auto-Containment. Place the three policies in the same order at the bottom in Auto-Containment.

Action - Run Virtually, File Group - All Applications, File Origin - Removable Media, File Rating - Trusted, File Age - Less than 1 hour
Action - Run Virtually, File Group - All Applications, File Origin - Internet, File Rating - Trusted, File Age - Less than 1 hour
Action - Run Virtually, File Group - All Applications, File Rating - Unrecognized, File Age - Less than 1 hour