App Review Malware Obfuscation- Part 2

It is advised to take all reviews with a grain of salt. In extreme cases some reviews use dramatization for entertainment purposes.
Content created by
cruelsister

 
The video is a demonstration of Comodo's capabilities to prevent many evasive malware samples that can sometimes bypass popular AVs.
This follows from its different approach to fighting malware.
However, Comodo does not have some features that are included in Xcitium, for good reasons.

It would be interesting to test the malware that is the reason for the extended Xcitium protection. (y)
Comodo may fail on some malware that is prevented/detected by popular AVs, which can follow from its different approach to fighting malware.
 
Bear malware prowls with sneaky flair,

Comodo's containment is always there.

In cybersecurity, the battle's clear,

Only Comodo fights off every fear.

Now MalwareTips users... don't you dare, 😛

Comodo keeps you safe from all malware! 😊
That's true; no one on MT is using or paying for AV after the invention of Comodo :rolleyes:
 
The logic of sandboxing (containment) over outright blocking is rooted in Business Continuity and Threat Intelligence. While blocking an "Unknown" file is more restrictive, it frequently results in false positives that halt legitimate work. Containment allows a file to execute in a virtualized state where it can be observed and verdicted without risking the host system, effectively eliminating the "patient zero" problem while maintaining productivity.
 
I don't understand why you would sandbox something which is not trusted in the first place? Would blocking it be more rational?

This has been well explained by @Divergent for the business environment.
However, there can be fewer arguments for that in the home environment, especially in the @cruelsister settings.
That is why CIS default settings are different (time criterion for sandboxed files, etc.).
Generally, CF is good for home administrators as the second protection layer besides standard AV (like Microsoft Defender).
 
One con of Comodo auto-containment can be user interaction.
A typical home user runs applications and can sometimes see the containment alert followed by a non-functional application. Many malware samples can pretend to be harmless applications, so there is a danger that the user will run the file again, but not contained.
To protect average users, one should set Comodo to do the job silently. This can be a good solution for static computer setups.
In @cruelsister settings, using the silent CF can be inconvenient for some users, mainly due to software autoupdates. This problem can be solved by using signed software.
 
I don't understand why you would sandbox something which is not trusted in the first place? Would blocking it be more rational?
Containment helps advanced users; these users evaluate and run files outside of it. Containment is not for average users; they don't examine or understand how it works. I used the "block" option for years on our kids' systems. I also used it on my system occasionally. It caused no issues. Block can prevent some threats (acting as anti-exe or pre-execution) that other containment levels may miss, as happened in a MalwareTips proof of concept, if I recall correctly.
 
Containment helps advanced users; these users evaluate and run files outside of it. Containment is not for average users; they don't examine or understand how it works. I used the "block" option for years on our kids' systems. I also used it on my system occasionally. It caused no issues. Block can prevent some threats (acting as anti-exe or pre-execution) that other containment levels may miss, as happened in a MalwareTips proof of concept, if I recall correctly.
But alerting for every single exe running is annoying (no allow rules as with default-deny app control); some exe names will change with updates, firing more alerts.

Comodo may be a good FW for the average user, no more.
 
But alerting for every single exe running is annoying (no allow rules as with default-deny app control); some exe names will change with updates, firing more alerts.

CF uses file lookup in the cloud (although not as good as SmartScreen), so many executables are automatically flagged as trusted. Many applications can be whitelisted by adding the signer to the Trusted Vendor List. That list already contains many popular vendors. You can also choose to skip auto-containment for files older than a few hours or days (three days is recommended in CIS). There is no big difference compared to other default-deny solutions.
However, many file types cannot be selectively allowed/blocked as is possible in SRP, so some LOLBins have to be restricted. This makes the management more complex.
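The trust sources named in this post and the "block" option discussed earlier combine into a precedence order, and one of them (file age) is weaker than the other two. The following is an added toy model written for this thread, not Comodo, Xcitium or Microsoft code, and it does not reproduce any product's real logic. The trusted-vendor list, the LOLBin list, the signer and the cloud-reputation inputs are constructed stand-ins; only the age check reads a real file, so the timestomping demonstration at the end is concrete.

```python
"""Toy model of a default-deny / auto-containment decision.

Added illustration for this thread: NOT Comodo, Xcitium or Microsoft code and
not a reproduction of any product's real logic. Signer and cloud reputation are
constructed stand-in inputs; only the file-age check reads a real file.
"""
import os
import tempfile
import time
from dataclasses import dataclass
from enum import Enum
from typing import Optional

# "Skip auto-containment for files older than three days" (the CIS-recommended
# value from the thread), modelled here as a plain mtime comparison (assumption).
AGE_THRESHOLD_SECONDS = 3 * 24 * 3600

# Constructed stand-in for a Trusted Vendor List; signer names are illustrative.
TRUSTED_VENDORS = {"Microsoft Corporation", "Mozilla Corporation"}

# Constructed LOLBin list. These are signed OS binaries, so an "unknown file"
# policy never fires for them; the thread notes they must be restricted separately.
RESTRICTED_LOLBINS = {"mshta.exe", "wscript.exe", "cscript.exe", "regsvr32.exe"}


class Verdict(Enum):
    ALLOW = "allow"
    CONTAIN = "contain"   # run virtualised, observe, verdict later
    BLOCK = "block"       # pre-execution deny (the "block" option discussed above)


@dataclass
class FileFacts:
    path: str
    signer: Optional[str]           # assumed output of a signature check; None = unsigned/invalid
    cloud_reputation: str           # assumed cloud verdict: "trusted", "malicious" or "unknown"
    parent_contained: bool = False  # spawned by an already-contained process


def file_age_seconds(path: str, now: Optional[float] = None) -> float:
    """Age derived from the file's own modification time: the forgeable signal."""
    now = time.time() if now is None else now
    return now - os.stat(path).st_mtime


def decide(f: FileFacts, unknown_action: Verdict = Verdict.CONTAIN,
           now: Optional[float] = None) -> Verdict:
    """Order matters: hard denies first, then LOLBin restriction, then trust sources."""
    if f.parent_contained:
        return Verdict.CONTAIN            # children of a contained process stay contained
    if f.cloud_reputation == "malicious":
        return Verdict.BLOCK
    name = os.path.basename(f.path).lower()
    if name in RESTRICTED_LOLBINS:
        return unknown_action             # signed, but deliberately treated like an unknown file
    if f.signer in TRUSTED_VENDORS:
        return Verdict.ALLOW              # Trusted Vendor List match
    if f.cloud_reputation == "trusted":
        return Verdict.ALLOW              # cloud lookup match
    if file_age_seconds(f.path, now) > AGE_THRESHOLD_SECONDS:
        return Verdict.ALLOW              # age criterion: the weakest of the three
    return unknown_action


def timestomp_demo() -> tuple:
    """Unsigned, unknown file: the fresh copy is contained; after its mtime is
    back-dated by ten days the age criterion lets it run unconfined."""
    fd, path = tempfile.mkstemp(suffix=".exe")
    os.close(fd)
    try:
        facts = FileFacts(path=path, signer=None, cloud_reputation="unknown")
        now = time.time()
        before = decide(facts, now=now)
        back_dated = now - 10 * 24 * 3600
        os.utime(path, (back_dated, back_dated))   # timestomp: only needs write access to the file
        after = decide(facts, now=now)
        return before, after
    finally:
        os.remove(path)


if __name__ == "__main__":
    print("fresh / back-dated:", [v.value for v in timestomp_demo()])
    print("mshta.exe with a trusted signer:",
          decide(FileFacts("C:/Windows/System32/mshta.exe", "Microsoft Corporation", "trusted")).value)
```

The model assumes the age test reads the file's own timestamp; a product that instead keys on its own first-seen record (the time it first noticed the hash on that machine) is not fooled by `os.utime`, so check which one a given product actually uses before relying on the age criterion. Passing `unknown_action=Verdict.BLOCK` turns the same policy into the pre-execution "block" mode discussed earlier, which is why the two behave identically for everything except files that land in the "unknown" bucket.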
 
There is no big difference compared to other default-deny solutions.
However, many file types cannot be selectively allowed/blocked as is possible in SRP, so some LOLBins have to be restricted. This makes the management more complex.
It's more like WDAC/SAC but with virtualization-based containment, and less robust cloud lookup (a much smaller user base compared to MD, K, or even B).
 
It's more like WDAC/SAC but with virtualization-based containment, and less robust cloud lookup (a much smaller user base compared to MD, K, or even B).

Comodo cannot be easily classified. There are some similarities to WDAC/SAC and some to MD ASR rule "Block executable files from running unless they meet a prevalence, age, or trusted list criterion". There are also some important differences.