App Review Malware bypass Comodo Firewall @ CS settings

It is advised to take all reviews with a grain of salt. In extreme cases some reviews use dramatization for entertainment purposes.
Uhhh wait... Now I'm confused.... Why this video then, and why your setup which no longer includes Comodo?
Because:
1- Comodo has a 10-year-old bug that makes all rules disappear, and when you have spent hours making them it is quite annoying. Of course I could import them again, but the fact that this bug is still present irritates me the most.
2- I use AppGuard, which gives me the same level of protection as Comodo without the hassle of configuring everything and answering alerts.
 
Has anyone pointed this out on the Comodo forums yet or not? If not, I will post this at the forums if that is OK? cruelsister is on the road for some time, so I do not know when she is able to reply back to this thread.

Hi Trickster,
Did you report it?
If you did, could you give us a link?

If you reported it to their forums of course :)

/W
 
Actually, Comodo should be much more careful about the connection of components; for example, even if the program is trusted, a pop-up should be shown about a missing digital signature or other information.

This seems like a very logical solution to this kind of issue. Add a pop-up for unsigned files with a choice that says "unsigned file is whitelisted by cloud lookup, what do you want to do?". User could choose sandbox. Actually, maybe a setting to bypass cloud lookup for unsigned and auto-sandbox them would be a good idea. VERY concerning that this can run uncontained without user knowledge that the file is not signed. More activity from Comodo, OK, but unsigned is unsafe, yes?
 
The problem with this solution is that there are a lot of system files that are unsigned by Microsoft. So the user will get too many prompts.
 
OK, thanks for the information @shmu26. I didn't have that in perspective. I noticed that some apps aren't signed from MS such as Insomnia (anti-sleep app) and I think MouseWithoutBorders. I was a little bit surprised by that.

Stupid question, but shouldn't all MS files be signed? They are a signature provider I believe.
 
I wish I knew the answer to that. You would be surprised how many are not signed, though. For instance, powershell is not signed, and neither is cmd.exe. There are lots and lots of others. I don't quite get it, but that's the weird reality.
 
A working Valkyrie implemented in CFW could help the analyst who made this blunder.

/W
It can also hinder. Valkyrie has a history of labelling legitimate applications as malware and vice versa. Doesn't happen often enough to be much of a problem but it's there. I put more faith in the analyst personally although obviously neither are perfect.
 
Right, and all it takes is for one to get through; no matter your skill level, there is a chance for big problems. I was big into Comodo when they launched in early 2000 (I think). I lost interest in their products, but I keep an ear to the ground on their progress. If they release something impressive I would give it a look, but nothing they have out now interests me.
 
How could you not be impressed by the absolute masterpiece that is CCAV? :rolleyes:
 
Oh don't you worry. You'll be impressed when they release Comodo Cloud Antivirus Complete. CCAV in all its semi-functional glory... with a lifetime GeekBuddy subscription! :eek:
When I first installed Comodo, it failed to turn off Windows firewall, as is well known.
I decided to try the GeekBuddy support.
They told me it's no problem, you can run 2 firewalls at the same time.
That's it, fellas: GeekBuddy support is worth it at any price!
 
"Double the firewall, double the protection!" ;)
 
But on a more serious note, Comodo Firewall has come a long way.
It works well, it can be quickly tweaked to a high level of protection (CS settings, for instance), and even this bypass does not actually do damage. Because at the bottom line, Comodo firewall blocks the payload from connecting out (at CS settings), or prompts the user about a network request (at the default settings of Proactive mode or Firewall mode).
Besides that, most users run a decent AV alongside of CFW, so in real life, the bypass would be nipped in the bud.
 
@Av Gurus @cruelsister and all COMODO Firewall users: I figured out an easy way of preventing these whitelisted malware bypasses. I tested COMODO Firewall with cloud OFF and it was a pain when installing new software (blocking a lot of stuff, not usable).

This is an easy way to prevent these "whitelisted malware on the cloud". Just leave the full cloud functionality on, open regedit and locate the key "ValidateAdminCodeSignatures". Set its value to 1 and reboot. This way, you will be able to install digitally signed software with no troubles, considering cloud is ON. You will block this "whitelisted malware", considering unsigned software won't be allowed to run. If you need to install some safe unsigned software, just set the value to 0, install it and then set it again to 1.
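
An added example (not part of the original post, and not Comodo tooling): a PowerShell script that reads and sets the `ValidateAdminCodeSignatures` value described above and reports the Authenticode status of chosen files. The registry path is the standard UAC policy location, which the post does not spell out, and the installer path at the end is a placeholder.

```powershell
# Added example. Assumptions: the standard UAC policy key below; Windows PowerShell 5.1+.
$PolicyKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
$ValueName = 'ValidateAdminCodeSignatures'

function Get-ElevationSignaturePolicy {
    # Returns the configured DWORD, or 0 when the value is absent (the Windows default).
    $item = Get-ItemProperty -Path $PolicyKey -Name $ValueName -ErrorAction SilentlyContinue
    if ($null -eq $item) { return 0 }
    return [int]$item.$ValueName
}

function Set-ElevationSignaturePolicy {
    # Must be run from an elevated session. 1 = enforce, 0 = do not enforce.
    param([Parameter(Mandatory)][ValidateSet(0, 1)][int]$Value)
    Set-ItemProperty -Path $PolicyKey -Name $ValueName -Value $Value -Type DWord
}

function Get-SignatureReport {
    # One row per file: signature status, where the signature comes from, and the signer.
    param([Parameter(Mandatory)][string[]]$Path)
    foreach ($p in $Path) {
        if (-not (Test-Path -LiteralPath $p -PathType Leaf)) {
            [pscustomobject]@{ Path = $p; Status = 'FileNotFound'; SignatureType = $null; Signer = $null }
            continue
        }
        $sig = Get-AuthenticodeSignature -LiteralPath $p
        [pscustomobject]@{
            Path          = $p
            Status        = $sig.Status          # Valid, NotSigned, HashMismatch, ...
            SignatureType = $sig.SignatureType   # Authenticode (embedded), Catalog, or None
            Signer        = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { $null }
        }
    }
}

"ValidateAdminCodeSignatures = $(Get-ElevationSignaturePolicy)"

# Check files before installing them; the second path is a placeholder.
Get-SignatureReport -Path "$env:SystemRoot\System32\cmd.exe", "$env:TEMP\installer.exe" |
    Format-Table -AutoSize
```

The policy applies to executables that request elevation. `SignatureType` shows whether a valid signature is embedded in the file or comes from a Windows catalog.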