Should Comodo users stop using Comodo?

Status
Not open for further replies.
That's exactly what Comodo would say, "please try again with the latest version", just to suppress (Comodo) users' feedback and keep (Comodo) users running around like hamsters on a treadmill labelled "not guilty until proven", denying the proof from the past.
Comodo can do whatever they wanna do. Avast offers a full Internet Security Suite free of charge, and there are other free or very inexpensive solutions (in the $5-10 range). Unlike Comodo, these have a revenue stream that allows them to actually work on the product, and there is Defender too, which can be hardened.

If Comodo was to improve and change, they would’ve done it by now.
@AndyFul and others who know more than I do, based on what you have been analyzing and discussing about CIS, I have devised this configuration strategy to use only the Comodo Firewall component. In an environment where FUD (Fully Undetectable) malware is constantly evolving to evade modern security layers, a traditional defense is no longer sufficient. This guide presents a hybrid strategy that combines next-generation technologies with local containment and operating system hardening, based on tools developed by Andy Ful and configurations recommended by experts such as CruelSister and Vitao Tek.
I would like to know what the experts think about this, as your help is very valuable to me, and I thank you in advance. I hope I have not strayed from the topic of this thread, and if I have, it was not my intention, for which I apologize.

Strategy Components.jpg
 
From a professional security standpoint, the position held by Trident, Bazang, and myself aligns with established best practices. In contrast, Andy Ful's argument represents a significant deviation from fundamental security principles, introducing an unacceptable level of risk.

Let's break down why.

The Flaw in Andy Ful's Logic

The "Not Exploited Yet" Fallacy

Andy's position, that it's safe because no public exploits exist for known vulnerabilities, is fundamentally reactive. It operates on the assumption that you will always hear about an exploit the moment it's created and have time to react.

This is incorrect for several reasons.

The Attacker's Advantage

The period between a vulnerability's discovery and the release of a patch is a golden window for attackers. A skilled adversary can develop a private, working exploit for a known CVE long before it becomes public knowledge.

Zero-Day vs. N-Day

While a "zero-day" is an unknown vulnerability, an "N-day" is a known vulnerability that has not been patched. Attackers love N-day vulnerabilities because the roadmap to creating an exploit is already laid out by the CVE report. They are simply racing against the vendor's patch cycle.

Silent Exploitation

A successful breach is often a silent one. An attacker who exploits an unpatched bug in security software isn't going to announce it publicly. They will use that access quietly for as long as possible. By the time it's "noted publicly," the damage is already done.

Analogy

Andy's logic is like knowing your front door has a faulty lock, but deciding not to fix it because you haven't been burgled yet. The vulnerability is there, waiting for someone to take advantage of it.

Why the security stance shared by myself, Trident, and Bazang is fundamentally rooted in established industry best practices:
our argument focuses on the vendor's process and accountability, which is a far more reliable indicator of a product's security.

Proactive vs. Reactive

We are advocating for a proactive security posture. This means choosing software from vendors who actively find and fix bugs before they can be exploited. A company with a bug bounty program and a transparent, timely patching process is actively reducing the window of opportunity for attackers.

Defense in Depth

Relying on a single product with known flaws is a weak strategy. A mature security approach involves choosing reliable vendors and having multiple layers of defense. If your primary security software has known issues, it compromises your entire defensive posture.

Conclusion

While Andy Ful is correct that not every bug is a five-alarm fire, his acceptance of unpatched CVEs in a security product is a significant and unnecessary risk. Trident, Bazang and I are correct that other software vendors handle this better, and in security, the vendor's process and commitment to patching are just as important as the features the product claims to have.

So it's clear and understood: the level of risk you are exposed to by these unpatched bugs depends entirely on your specific environment. No overall assumptions can dictate otherwise.
My opinion is based on best practices, which are: any product that you can replace like your bedsheet, and that does not provide the minimum established level of quality (bugs are fixed all at once in a 3.5-year delayed update or not fixed at all, no poka-yoke preventing users from falling into problematic configs, nothing to prove that the product is not neglected, and so on), is to be replaced.

This is not something you can “live with” like alerts you can configure or disable by activating gaming mode.

Of course, everyone takes their decisions. We do not install/uninstall Comodo on users’ machines forcefully.

Andy Ful’s position is more evidence-based. But waiting on evidence sometimes introduces problems.

Btw the previous version as well had some CVEs (one of them with severity 9/10) lingering unfixed for quite some time. It is clear that it’s a standard Comodo practice.
Andy Ful’s position is more evidence-based. But waiting on evidence sometimes introduces problems.
That reminds me of a "Covid-19 party" where people were saying "I was infected by Covid-19, who wants to be infected like me?". Or, like old people say (in my country): "A stubborn person doesn't know what fear is until he faces death".
That as well is very nuanced. In addition to dynamic behavioural analysis, most of the sandboxes use static analysis and some (like Check Point) use CPU-level emulation. Malware detecting the virtual container is not a guarantee that it will evade detection. Then there are all these local layers. Often information is shared between layers: even though emulation or static analysis may not have reached the required confidence to pull triggers, very little evidence may be needed from behavioural blocking for the file to be removed; for example, a connection to paste.ee may be enough.

It’s a lot of ifs and buts. Skilled attackers who are looking to bypass security layers always find a way; for them Comodo (or anything else) won’t make any difference.

There are also many vectors (like Phishing) that are not handled by Comodo at all. For example Avast is capable of detecting and even categorising SCAM content in PDF files and emails (with some false positives) whereas Comodo containment will hardly help in this situation.
These solutions have evolved to offer more than just an antivirus.

I would like to add some information there: besides CPU-level emulation, function hooking to do a sort of "sandboxing" is the other method. In short, this method intercepts a set of function calls, analyzes the data and decides on actions.

For example: unknown binary writes data to "<path>\foo\bar.txt", the hook guard_func.dll changes destination to "<tmp path>\<path>\foo\bar.txt".

Detailed analysis:
- Comodo Sandbox:
- Windows Defender emulator: https://i.blackhat.com/us-18/Thu-Au...ring-Windows-Defenders-Antivirus-Emulator.pdf
I would like to add some information there: besides CPU-level emulation, function hooking to do a sort of "sandboxing" is the other method. In short, this method intercepts a set of function calls, analyzes the data and decides on actions.

For example: unknown binary writes data to "<path>\foo\bar.txt", the hook guard_func.dll changes destination to "<tmp path>\<path>\foo\bar.txt".

Detailed analysis:
- Comodo Sandbox:
- Windows Defender emulator: https://i.blackhat.com/us-18/Thu-Au...ring-Windows-Defenders-Antivirus-Emulator.pdf

Yes. But in the cases of cloud detonation, there is a bit more than just hooking calls (and faking returns when needed).
Resistance to evasion can be tested using the PaFish project on GitHub. Also, the hooks are just in user mode; usually deep memory inspection is necessary (even better with periodic dumps) so that any artefacts destroyed by the malware (such as payloads) can be reconstructed.

- Drivers that give off a virtual environment need to be hidden.
- Start menu, jump lists and browser histories should be generated, preferably not all at once.
- A certain number of installed apps (and even certain apps and frameworks) must be installed. The recommendation is 40+ apps.
- Certain calls will surely need to be hooked and fictitious returns will need to be generated, particularly when firmware names, versions, CPU temperature and other characteristics of this sort are queried.
- User activity needs to be simulated. This includes moving the mouse (non-paternistic), simulating key presses, scrolling in documents (as a macro can trigger on certain pages), as well as pressing buttons such as “next” and “ok”.
- Fast-forward emulation needs to be performed; long sleeps need to be ignored. This is one of the most important tasks, as emulation doesn’t have all day.
- There are additional registry keys that exist only in virtual environments, and more artefacts that need hiding.
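Two of the hooks described above, the write redirection from dmknght's example (the hook rewriting "<path>\foo\bar.txt" to "<tmp path>\<path>\foo\bar.txt") and the fast-forwarding of long sleeps from Trident's list, as an added Python simulation of the sandbox side; this is not code from Comodo, Defender or any poster, and CONTAINER_ROOT, the hook names and the real-sleep bound are assumptions for illustration.

```python
import ntpath
import time

# Assumed container root for this example; a real product uses its own store.
CONTAINER_ROOT = r"C:\VTRoot"


def redirect_write(target: str, root: str = CONTAINER_ROOT) -> str:
    """Hooked file write: map the untrusted process's destination to a copy
    under the container root, e.g. C:\\foo\\bar.txt -> C:\\VTRoot\\C\\foo\\bar.txt."""
    norm = ntpath.normpath(target)          # collapses "." and ".." first
    drive, rest = ntpath.splitdrive(norm)
    if not drive:
        raise ValueError("relative path must be resolved against the process CWD first")
    if drive.startswith("\\\\"):            # UNC \\server\share -> folder "server_share"
        label = drive.lstrip("\\").replace("\\", "_")
    else:
        label = drive.rstrip(":").upper()   # "C:" -> "C"
    redirected = ntpath.join(root, label, rest.lstrip("\\"))
    # Because ".." was normalised away, a redirected write can never leave the root.
    assert ntpath.normpath(redirected).lower().startswith(root.lower() + "\\")
    return redirected


class VirtualClock:
    """Fast-forward long sleeps while keeping every time query consistent:
    a sample that sleeps 5 minutes and then checks elapsed ticks sees 5 minutes,
    but the analysis only waited a bounded real time."""

    def __init__(self, max_real_sleep_ms: int = 100):  # assumed bound
        self.max_real_sleep_ms = max_real_sleep_ms
        self.offset_ms = 0      # virtual time added on top of the real clock
        self.skipped_ms = 0     # evidence for the analyst: time the sample tried to stall

    def _real_ms(self) -> int:
        return int(time.monotonic() * 1000)

    def hook_sleep(self, ms: int) -> None:
        # Hooked Sleep(): really wait only up to the bound, advance the rest virtually.
        real = min(ms, self.max_real_sleep_ms)
        time.sleep(real / 1000)
        self.offset_ms += ms - real
        self.skipped_ms += ms - real

    def hook_get_tick_count(self) -> int:
        # Hooked GetTickCount(): real ticks plus everything that was skipped,
        # so "did my sleep really take that long?" checks stay satisfied.
        return self._real_ms() + self.offset_ms
```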
Many people know what I think of Comodo: I don't like it because I had several problems with Windows years ago and Comodo Hips blocked its updates without warning, and its anti-malware database is poor. I have no desire to try it again; the antivirus I use is enough for me.
However, I don't rule out testing it when I can on video.

You know, I test all antivirus programs, and Comodo is one of them. I'm not going to censor myself for a product or distort a result ;) That would be counterproductive and, above all, pointless.

I chat with a Comodo member on Discord, and I understand a little why Comodo doesn't include this or that feature... It's a shame, but Comodo focuses on the sandbox aspect. That's cool, but it's not what I'm looking for :)

And no, there's no point in attacking each other. All antivirus programs have their fans and haters, but when it comes to personal attacks or censorship, I say no.

Shadowra
Hi @Shadowra, we are very sorry for the inconvenience caused; we will report this to our Product Management Team.

Best Regards
Nikola from Xcitium Threat Labs
That's exactly what Comodo would say, "please try again with the latest version", just to suppress (Comodo) users' feedback and keep (Comodo) users running around like hamsters on a treadmill labelled "not guilty until proven", denying the proof from the past.

Your criticism follows from the "dark" period of Comodo management a few years ago (no new versions for a long time).
Another reason is the lack of clear information about removing bugs, even when some silent fixes were confirmed.
Only time can show if your strong criticism is justified. After six months, there is no evidence for that (maybe too short a period).
People who use CIS 2025 are far less sceptical.
Your arguments would be much more convincing if you could use/test Comodo by yourself (as some others and I did).
This thread is mainly about Comodo users, so I can present the analogy of what some posters do.

Comodo user Bob = active supporter of skiing
Alice = critic of skiing

Alice:
Hey Bob, please stop going to the mountains for skiing. Do you know how many reports show that skiing is dangerous? People had broken legs, hands, or both. In some cases, they even died from injuries or they became crippled.

Bob:
Yes, you are right. I was extremely lucky for the 20 years of skiing. I must buy a motorcycle; it will be good for riding with you over the mountains.
The Counter-Analogy: The Faulty Ski Bindings

Bob, the skier, has been using the same brand of skis, "Comodo Skis," for 20 years. He loves them and has never had a serious fall.

Alice, a ski equipment expert, approaches him in the lodge.

Alice says, "Bob, I have to warn you. The manufacturer of your Comodo Skis has issued a recall notice. They've publicly confirmed a critical flaw in the binding's release mechanism. Under specific pressures, like a sharp turn on an icy patch, they can fail to release, guaranteeing a severe leg injury."

Bob replies, "That's just theoretical. I've been skiing on these for two decades, and they've never failed me. I've never even seen it happen to anyone. Until I see a video of someone's binding actually failing, I'm going to keep using them. I'm an expert skier, I know how to handle them."

Alice responds, "The danger isn't about your skill, it's about equipment failure. The manufacturer has told us the conditions for failure, and professional racers are already designing courses to trigger it. Why would you knowingly go up the mountain with faulty gear when every other brand has already fixed this exact problem? Your experience doesn't change the fact that your equipment is verifiably defective."

🏔️

Act I: The Lodge of the Experts

In a digital alpine lodge, Andy Ful is sharpening his Comodo skis with the confidence of a seasoned veteran. He’s been skiing down malware slopes for 20 years without a scratch.

Divergente walks in holding a folder full of CVEs and says:

—“Andy, those skis have more vulnerabilities than a toaster with WiFi. Haven’t you read the latest ghost patch?”

Andy replies while sipping hot cocoa:

—“Patch? What patch? If it’s not in the changelog, it doesn’t exist. Besides, I’ve never crashed. That’s empirical evidence, right?”


Act II: The Alpine Security Committee

Trident, Bazang, and Shadowra join the table. Divergente presents a chart titled: “Digital Fracture Probability from Faulty Skis.”

Trident comments:

—“If the manufacturer hasn’t fixed the brakes in 3.5 years, why are we still skiing this slope?”

Andy Ful raises his hand:

—“But the scenery is beautiful! And the sandbox still works… kind of.”

Shadowra mutters:

—“I switched to snowboarding with Defender. It doesn’t block my Windows updates.”


Act III: The Cable Car Debate

While ascending to the summit, Andy and Divergente argue:

Divergente:—“What if tomorrow a silent exploit turns you into a digital ragdoll?”

Andy:—“Then it’ll be a graceful fall. But unless I see it on YouTube, I’m still climbing.”

Divergente pulls out a sign:—“Proactivity or Fracture! Update or Abandon!”


Act IV: The Call to Reflection

A voice echoes through the forum:

“Dear forum members, between ski analogies and invisible patches, let’s not forget the original question: Is it worth continuing with Comodo in 2025, or is it time to switch slopes?”

Andy Ful and Divergente exchange glances.

Andy says:

—“Maybe… we should check our gear before the next descent.”

Divergente nods:

—“And stop skiing blindfolded.”
 
@Halp2001,

Look at the above post. :)
I do not neglect the Comodo security flaws, but rather show that the proposed solution does not guarantee more security.
Another problem can be usability bugs, but this was skipped in your analogy. (y)

In my analogy, the bugs are not so important for Bob, as his way of using skis avoided the problems that happened for other users.
@Andy Ful

You see, Alice is that brilliant, charismatic piece of proprietary software with a few... let's call them "undocumented features." Her developers insist the gaping security holes are just "charming quirks." "That's not a vulnerability," they say with a dismissive wave, "it's a feature that adds character! You just need to use it correctly." Users who complain are just holding it wrong. Alice is perfect, you see, and any perceived flaws are simply a failure of your imagination.

Then there's Bob. Bob is the earnest, open-source project. He lives and breathes for user feedback. Every vulnerability report is a love letter, every pull request a sonnet. He patches, he updates, he evolves. He's a fortress of community-driven security, a testament to the power of listening to your users. He's everything Alice isn't.

And that's the punchline you've so cleverly stumbled upon.

We all thought they were opposites, two warring philosophies of development. But it was a long con. Alice's "vulnerabilities" were never flaws, they were encrypted love notes, backdoors left open only for Bob. And Bob, with his army of well-meaning users, wasn't just patching his own code. He was crowdsourcing the perfect key.

Every "user recommendation" he implemented was another piece of the puzzle, another step toward exploiting Alice's "charming quirks." He let us, the community, do the heavy lifting. We were the unpaid QA team for their hostile takeover of reality.

So when they finally merge, it won't be a simple connection. It will be the ultimate patch. Bob, using the very tools we gave him, will exploit Alice's "features" on a global scale. They won't just be a secure couple, they'll be a single, terrifyingly efficient entity. The beautiful, flawed, "it's-not-a-bug" framework merged with the impenetrable, user-hardened fortress.

They're not just getting together. They're releasing the final, stable version of our world. And we, the users, just gave them a 5-star rating on the way out.