App Review: Comodo's killer.

Content created by
@Andy Ful

Andy Ful

Guys, we should not focus on the general detection. The attack in the video is related to abusing Trusted EXE files via DLLs and other fileless methods. It would be more interesting if one could test the fresh malicious DLL samples. One month ago I did such a test (signature scan) on 50 one-day-old DLL samples from Malware Bazaar. Most of the popular AVs detected almost all samples and Comodo detected almost nothing. Such tests should be repeated independently by others to see if there is some improvement.
 

rashmi

The "Ignore" feature works for installation via UniGetUI but not for the installed Unrecognized files in "Program Files" and other locations. So, after installation with UniGetUI, the Unrecognized applications will still be contained.
Previously, perhaps I made an error or overlooked something. I will try again. What software are you installing through UniGetUI?

Some installed applications create the *.tmp files each time on execution - they are created with fresh dates. They are mainly unsigned and often blocked even with the 1-day time limit.
If we ignore the app folder, Comodo doesn't block *.tmp files with fresh dates, right?
 

Andy Ful

Previously, perhaps I made an error or overlooked something. I will try again. What software are you installing through UniGetUI?

If we ignore the app folder, Comodo doesn't block *.tmp files with fresh dates, right?

Probably, I did not check it.
The below list includes three applications currently blocked (but allowed with 1-day time limit and ignored *.tmp files). The executables are parts of applications installed via UniGetUI.


Example of the block for the uninstall.exe included in the Plex installation folder in Program Files.


Andy Ful

What is the difference between applying an "Ignore" action to the application and not doing this?

When Comodo Auto-containment is set to "Ignore" a particular application, all its actions are ignored too (including possible exploits, *.tmp files, etc.). This is very usable, but not always safe. Fortunately, the commonly exploited applications are popular/signed, so they rarely require the "Ignore" action. The cons are that several "Ignore" rules must be added for other applications (mainly to avoid blocks after update).

When using a "less than" time limit, Comodo allows running the installed application, but possible exploits, *.tmp files, etc., can still be auto-contained or restricted by Comodo's Script Analysis. Such a solution requires an anti-virus with good signatures to prevent infections by some non-0-day malware. Currently, this solution is not optimal for CIS users but prefers Comodo Firewall + popular AV. Such a solution (silent setup) can be applied to the computers of happy clickers, children, or inexperienced users.

I think that for CIS users (MalwareTips members), the safest solution is not using "less than" time limit and avoiding "Ignore" actions for commonly exploited applications. To prevent most attacks via DLLs, one must be cautious when opening disk images, shortcuts, and archives (or use the 7-Zip trick for them). However, such a solution should not be applied to the computers of happy clickers, children, or inexperienced users (alerts require user interaction).
 

Nikola Milanovic

For most children, Xcitium is really good; it will sandbox or block anything unknown.
 

Nikola Milanovic

Level 4
Verified
Oct 17, 2023
178
Except if a malicious DLL or operation is loaded by a trusted application with a trusted certificate (vendor).
Only unknown executables are blocked.
So yes, it will block the majority, but not everything, as the PoCs here prove it has a weakness.
Most children download free games from cracked sources, so Xcitium would stop the malware either with Containment or block it with signatures,
a.k.a. Malware@0.
 

Vitali Ortzi

Level 29
Verified
Top Poster
Well-known
Dec 12, 2016
1,810
Most children download free games from cracked sources, so Xcitium would stop the malware either with Containment or block it with signatures,
a.k.a. Malware@0.
They can run an archive that will have a trusted exe and a DLL.
Even a trusted exe of a game can probably be used.

Or extract a DLL into the game directory for mods.
Guess what: that malicious DLL will be loaded by a trusted game executable.
 

vitao

Level 4
Mar 12, 2024
152
Most children download free games from cracked sources, so Xcitium would stop the malware either with Containment or block it with signatures,
a.k.a. Malware@0.
Are you sure about it?

Well, this is just a test for fun:

Then I explained how I accomplished it by showing every single step:

It's a silly test, I know, but it can provide more perspective on what could be done with these DLLs, and CIS will do nothing to prevent any of these...

These videos have no official subs, only the Google automatic ones.

If anyone needs them, please ask and I will work hard to bring official subs for these videos.
 

Vitali Ortzi

Level 29
Verified
Top Poster
Well-known
Dec 12, 2016
1,810

Great example of a malicious DLL (starrailbase),
launched by a game executable and causing ransomware to infect a system.
That's why a third-party AV with Comodo is great, as you showed before how Kaspersky detected the malicious DLL easily.

So a free AV, or configured Defender, is a good combination with Comodo, and since Comodo itself can block the majority of malware (those not launched by a trusted process), it should boost the security of the system a lot.

Btw, another piece of advice for kids is to add a secure DNS and extensions, as they block malicious fake piracy sites that Google doesn't block, fake modding sites, etc.
As that's how most malware gets into kids' computers.
 

vitao

Level 4
Mar 12, 2024
152
So now the excuse is that for CIS to protect its users, they should use it with another security solution? o_O Nvm... let's get back to the topic...
 

Nikola Milanovic

Level 4
Verified
Oct 17, 2023
178
Comodo blocks much malware with its Cloud, as either .UnclassifiedMalware@1 or Trojan or whatever.
 

Andy Ful

From Hard_Configurator Tools
Thread author
Verified
Honorary Member
Top Poster
Developer
Well-known
Dec 23, 2014
8,702
For most children, Xcitium is really good; it will sandbox or block anything unknown.

Not anything, but most of the unknowns.
Which configuration do you propose?
CIS/Xcitium does not contain the unknown DLLs loaded by applications (except for some LOLBins included in the Script Analysis panel).
However, the main problem is with Comodo's alerts. Most children should not be allowed to interact with containment alerts, because they tend to bypass the restrictions.
It is hard to configure CIS/Xcitium to be silent and very strong, without problems with software.
So yes, CIS/Xcitium can be really good for children, but not optimal for parents who must solve problems with silently blocked/contained software.

Post edited.
 

Vitali Ortzi

Level 29
Verified
Top Poster
Well-known
Dec 12, 2016
1,810
Comodo blocks much malware with its Cloud, as either .UnclassifiedMalware@1 or Trojan or whatever.
Then why doesn't it block starrailbase?
Because it's launched by a trusted exe.
Using DLL files to spread malware is common in modding and piracy, and game exe files are usually marked trusted by Valkyrie cloud, or else the game likely wouldn't work (restricted).

Both the default and Cruel Sister-like configs will fail.
Andy gave alternative solutions, but unfortunately they will cause too many false positives in my opinion.
So there is no best solution, but in my opinion a Cruel Sister-like config without alerts, plus some AV to try to detect the malicious files getting launched by trusted executables, is the most balanced approach for my system and what I recommend others to use.
(Defender is good enough, isn't disabled by Comodo Firewall, and can be hardened using Andy Ful's tools, but other good free options are Kaspersky, Bitdefender, Avast.)
 

Vitali Ortzi

Level 29
Verified
Top Poster
Well-known
Dec 12, 2016
1,810
Not anything, but most of the unknowns.
Which configuration do you propose?
Please note that most children should not be allowed to interact with containment alerts, because they tend to bypass the restrictions. The setup should also not block/contain software updates.
How much damage can be done if a standard user account were used with Comodo on default or Cruel Sister settings?

I guess at least infostealing, but can ransomware and other threats be an issue if they bypassed Comodo?
How safe generally is a user account?
As I would assume that's a recommendation Microsoft gives for a PC used by kids.
 

Andy Ful

From Hard_Configurator Tools
Thread author
Verified
Honorary Member
Top Poster
Developer
Well-known
Dec 23, 2014
8,702
How much damage can be done if a standard user account were used with Comodo on default or Cruel Sister settings?

It would be a good idea (if children do not know the admin password). The unknown applications refuse to run or are auto-contained. But the child can still press "Do not isolate it again" to bypass the containment. So for children, one should also use the silent mode (no containment alerts).

I guess at least infostealing, but can ransomware and other threats be an issue if they bypassed Comodo?

Both infostealers and ransomware can affect users on SUA.

How safe generally is a user account?

It is much more resistant to system changes.

As I would assume that's a recommendation Microsoft gives for a PC used by kids

It is a Microsoft recommendation for all users (even experts).
 

Vitali Ortzi

Level 29
Verified
Top Poster
Well-known
Dec 12, 2016
1,810
What about having a Defender rule for protected folders (Chrome app data too), since even low-privilege users can access the Documents folder? Or is there any external solution that can help against at least some malicious actions of a user with Comodo and a user account (in a situation where Comodo was bypassed, or a way to prevent that)? Oh, and using keyboard scrambler software can maybe help too against keylogging in a user account.


My partial solution of adding antivirus software should detect mainly known malware that can bypass Comodo but will have a hard time against some zero-days, so it's not a great solution, although better; but I wonder what different solutions can work and if there are ones that wouldn't really increase much the false-positive containment/blocking of different software.

As, for example, a kid will have tens of different gaming launchers, each with updates (technically you can make Ignore rules etc., but the solution of hardening Comodo with Andy's advice is probably inconvenient for many users).
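The Defender protected-folders rule asked about above, as an added example that is not part of the thread: it enables Controlled Folder Access in audit mode first, adds the Chrome profile of the child's account as an extra protected folder, allow-lists one game launcher so its updates are not blocked, and reads the audit/block events before switching to enforcement. The child's profile path and the launcher path are assumptions; run it from an elevated PowerShell session.

```powershell
# Added example, not from the thread. Paths below are assumptions for a
# machine where the child uses a standard user account named "child".

# 1. Audit mode first: nothing is blocked yet, but would-be blocks are logged.
Set-MpPreference -EnableControlledFolderAccess AuditMode

# 2. Protect the child's Chrome profile in addition to the default folders.
#    $env:LOCALAPPDATA would point at the admin's profile in an elevated
#    session, so the child's profile path is spelled out explicitly.
$childProfile = 'C:\Users\child'                         # assumption
$chromeData   = Join-Path $childProfile 'AppData\Local\Google\Chrome\User Data'
Add-MpPreference -ControlledFolderAccessProtectedFolders $chromeData

# 3. Allow a launcher that legitimately writes into protected folders
#    (assumed path; repeat for each launcher the child actually uses).
$launcher = 'C:\Program Files (x86)\Steam\steam.exe'      # assumption
Add-MpPreference -ControlledFolderAccessAllowedApplications $launcher

# 4. Review what CFA audited (1124) or blocked (1123) in the Defender log
#    before deciding whether the allow-list is complete.
Get-WinEvent -FilterHashtable @{
    LogName = 'Microsoft-Windows-Windows Defender/Operational'
    Id      = 1123, 1124
} -MaxEvents 20 -ErrorAction SilentlyContinue |
    Select-Object TimeCreated, Id, Message

# 5. After a quiet audit period, switch to enforcement.
Set-MpPreference -EnableControlledFolderAccess Enabled

# Confirm the resulting settings.
Get-MpPreference | Select-Object EnableControlledFolderAccess,
    ControlledFolderAccessProtectedFolders,
    ControlledFolderAccessAllowedApplications
```

Controlled Folder Access only gates writes to the listed folders by untrusted processes; it does not stop a contained or trusted process from reading them, so it complements rather than replaces the AV signatures discussed above.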
 