App Review Comodo's killer.

Content created by
@Andy Ful
Hello everyone! I would like someone who is more expert than me on the subject to test Comodo Firewall by activating "HIPS" and selecting the option "Do not show popup alerts / Block requests" and, in the Sandbox module, "Do NOT show privilege escalation alerts / Block", to know if this would increase protection against unknown malware, POCs, etc. Thanks and best regards :)
Pretty sure it allows it even with HIPS because it's trusted, but you can probably write rules to use HIPS to monitor at least some actions in trusted executables to prevent a DLL hijacking, or at least give an alert about that action.



Btw, it having a flaw doesn't mean I don't recommend and use it on every PC I own and my family's PCs.
It's excellent at blocking a lot of threats AV software has a hard time dealing with, and cruelsister countless times showed how different APT threats got restricted with her config, and even the CIA, according to Vault 7, had a hard time with Comodo when it was far more aggressive, even blocking system processes they dropped payloads into.


What changed is Comodo is trying to balance security and usability, and making Comodo great against certain methods has a usability cost of false positives.
 
Last edited:
Hello everyone! I would like someone who is more expert than me on the subject to test Comodo Firewall by activating "HIPS" and selecting the option "Do not show popup alerts / Block requests" and, in the Sandbox module, "Do NOT show privilege escalation alerts / Block", to know if this would increase protection against unknown malware, POCs, etc. Thanks and best regards :)
Comodo's protection is ineffective against malware exploiting programs or services in Comodo trust or whitelist databases, a vulnerability for Comodo users.
 
Comodo's protection is ineffective against malware exploiting programs or services in Comodo trust or whitelist databases, a vulnerability for Comodo users.
Wasn't the case in Comodo 5.0, at least according to the CIA, but over time Comodo has decided, for the better, to increase usability, even having trusted vendors in recent years, and this is the cost.
If I went back to old Comodo it would have been too unusable because of false positives, possible BSODs, etc.
So Comodo has to find some solution that isn't too aggressive, but should give recommendations to enterprises and advanced users on how to work around this issue in the meantime, even if it's aggressive.
 
Comodo's protection is ineffective against malware exploiting programs or services in Comodo trust or whitelist databases, a vulnerability for Comodo users.
But its containment technology itself is great, although not perfect (check the Project Zero research to see its issues, which were fixed but probably just partially, and generally how it works).

It was able to block a ton of APT threats and is remarkable.


Some benefits are that their solution has much lower performance usage than hypervisors or VMs.
 
  • Like
Reactions: simmerskool
Comodo's protection is ineffective against malware exploiting programs or services in Comodo trust or whitelist databases, a vulnerability for Comodo users.
Script analysis reduces the tricks that can be used, but some, like DLL hijacking, are still an issue till they come up with some solution, and I'm sure they eventually will.
 
I think cruelsister's settings are not too bad on usability, as you can install a fair amount of popular games and popular piracy with not too many false positives, although some here and there.
CruelSister's settings do not affect Comodo's usability or security. Her settings only restrict certain actions for contained programs, providing optional protection. However, they do not enhance Comodo's core protection outside the containment or address any vulnerabilities in Comodo. The claim that her settings block connections from unrecognized programs is also incorrect.
 
  • +Reputation
Reactions: Vitali Ortzi
CruelSister's settings do not affect Comodo's usability or security. Her settings only restrict certain actions for contained programs, providing optional protection. However, they do not enhance Comodo's core protection outside the containment or address any vulnerabilities in Comodo. The claim that her settings block connections from unrecognized programs is also incorrect.
It seems to have blocked connections in her videos. In what cases wouldn't it block the command and control connection of unrecognized software?
 
The claim that her settings block connections from unrecognized programs is also incorrect.

She probably had the contained/blocked applications in mind.



If an Unrecognized application is not contained (like a DLL), this restriction does not work.
 
Last edited:
She probably had in mind the contained/blocked applications.

If an Unrecognized application is not contained (like a DLL), this restriction does not work.
I didn't mean it was CruelSister's claim, as she's already addressed it in this thread.
 
  • Like
Reactions: Andy Ful
I did not name my "conclusion" post the conclusion, so I do it now more clearly. :)

Suggestions for MT members who want to use CIS on their computers.
  1. It is OK to use the @cruelsister settings but be cautious when opening documents with macros or files from disk images, flash drives, and archives. Those files are common attack vectors for abusing Trusted applications and bypassing CIS protection.
  2. One can maximize the protection against abusing Trusted applications by:
    - using the 7-Zip trick for disk images and archives,
    - disabling execution from flash drives,
    - disabling macros in office applications,
    - tweaking Comodo's Script Analysis settings.

Administrators in organizations (small businesses) can consider
  • using SUA,
  • disabling macros in office documents,
  • tweaking Comodo's Script Analysis settings,
  • applying the @cruelsister settings (silent setup) with disabled cloud lookup and reduced Trusted Vendors list.
    Only selected signed (also self-signed) applications will be allowed when the vendors are included on the reduced Trusted Vendors list.
    Other applications will be contained. Such vendors like Microsoft and Comodo must be included on that list.
Edit.
Of course, Administrators in organizations should not forget about Microsoft Administrative Templates to adjust more restrictions.
 
Last edited:
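As an added example (not code from the thread, from @Andy Ful, or from Comodo/Xcitium), this PowerShell audit checks the Office macro policies behind point 2 and the administrator list above, the ones that close the "documents with macros" path to abusing Trusted applications. The registry paths and value names are assumed from the Office Administrative Templates (HKCU policy hive, Office version 16.0); verify them against the ADMX version you deploy before relying on the -Remediate switch.

```powershell
# Added example: audit (and optionally enforce) the Office macro policies
# recommended in the post above. Paths/value names are assumed to match the
# Office ADMX templates for version 16.0; adjust $OfficeVersion if needed.
function Test-OfficeMacroPolicy {
    param(
        [string[]] $Apps = @('Word', 'Excel', 'PowerPoint'),
        [string]   $OfficeVersion = '16.0',   # assumption: Office 2016+/365
        [switch]   $Remediate                 # set the recommended values
    )

    # Meaning of VBAWarnings per the "VBA Macro Notification Settings" policy
    $vbaMeaning = @{
        1 = 'Enable all macros (unsafe)'
        2 = 'Disable all with notification'
        3 = 'Disable all except digitally signed macros'
        4 = 'Disable all without notification'
    }

    foreach ($app in $Apps) {
        $key = "HKCU:\Software\Policies\Microsoft\Office\$OfficeVersion\$app\Security"

        if ($Remediate) {
            # Create the policy key if absent, then apply the hardened values:
            # block all macros, and block macros in files marked as from the Internet.
            New-Item -Path $key -Force | Out-Null
            Set-ItemProperty -Path $key -Name VBAWarnings -Type DWord -Value 4
            Set-ItemProperty -Path $key -Name blockcontentexecutionfrominternet -Type DWord -Value 1
        }

        $props = Get-ItemProperty -Path $key -ErrorAction SilentlyContinue
        $vba   = $props.VBAWarnings
        $motw  = $props.blockcontentexecutionfrominternet

        # "Hardened" means macros are blocked (or signed-only) AND Internet
        # (Mark-of-the-Web) macros are blocked; a missing value is not hardened.
        [pscustomobject]@{
            App                   = $app
            VBAWarnings           = if ($null -ne $vba) { $vbaMeaning[[int]$vba] } else { 'Not set (user default applies)' }
            InternetMacrosBlocked = ($motw -eq 1)
            Hardened              = (($vba -in 3, 4) -and ($motw -eq 1))
        }
    }
}

# Audit only; add -Remediate to enforce the recommended values for the current user.
Test-OfficeMacroPolicy | Format-Table -AutoSize
```

Policies written under HKCU only bind the current user; for the domain-wide deployment the post has in mind, set the same values through Group Policy using the Administrative Templates it mentions.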
I did not name my "conclusion" post the conclusion, so I do it now more clearly. :)

Suggestions for MT members who want to use CIS on their computers.
  1. It is OK to use the @cruelsister settings but be cautious when opening documents with macros or files from disk images, flash drives, and archives. Those files are common attack vectors for abusing Trusted applications and bypassing CIS protection.
  2. One can maximize the protection against abusing Trusted applications by:
    - using the 7-Zip trick for disk images and archives,
    - disabling execution from flash drives,
    - disabling macros in office applications,
    - tweaking Comodo's Script Analysis settings.

Administrators in organizations (small businesses) can consider
  • using SUA,
  • disabling macros in office documents,
  • tweaking Comodo's Script Analysis settings,
  • applying the @cruelsister settings (silent setup) with disabled cloud lookup and reduced Trusted Vendors list.
    Only selected signed (also self-signed) applications will be allowed when the vendors are included on the reduced Trusted Vendors list.
    Other applications will be contained. Such vendors like Microsoft and Comodo must be included on that list.
If you disable Cloud, then how will Xcitium rate the files as Malicious or Safe?
Will it be Unknown forever?
 
  • Like
Reactions: simmerskool