App Review The Comodo's challenge.

It is advised to take all reviews with a grain of salt. In extreme cases some reviews use dramatization for entertainment purposes.
Content created by
Andy Ful
rashmi

rashmi

Level 12
Jan 15, 2024
551
Andy Ful said:
I disabled HIPS not to make the attack easier, but because it is a pretty popular practice when the Auto-Containment is set to Untrusted. As we can see, there can be some cons of that.
Click to expand...
Thank you for the test. Please don't take it the wrong way, but "popular practice" is not a test of Comodo, especially for a bypass test. The vendor's configuration should be tested for such tests, in which case proactive comes with HIPS enabled. But the test was informative and showed, as you mentioned, that there can be some cons to the popular practice.
 
  • Like
Reactions: simmerskool and oldschool
Andy Ful

Andy Ful

From Hard_Configurator Tools
Thread author
Verified
Honorary Member
Top Poster
Developer
Well-known
Dec 23, 2014
8,510
rashmi said:
Please don't take it the wrong way, but "popular practice" is not a test of Comodo, especially for a bypass test.
Click to expand...

The video is not a test about the overall protection of Comodo AV, because the method used in the video is not a full attack.
In my opinion, it can be a part of the full attack. How strong can be Comodo against the full attacks can depend on Comodo's settings and the details of the attacks.
 
Last edited:
  • Like
  • +Reputation
  • Applause
Reactions: vtqhtr413, wat0114, Shadowra and 7 others
Nikola Milanovic

Nikola Milanovic

Level 3
Oct 17, 2023
100
This test is not fair because he disabled everything in Xcitium as ozer metins says if he wouldnt disable everything in Xcitium Xcitium would have protected the system with Auto-Containment and HIPS and the attack would be prevented
 
  • HaHa
Reactions: kylprq
Shadowra

Shadowra

Level 36
Verified
Top Poster
Content Creator
Malware Tester
Well-known
Sep 2, 2021
2,586
Nikola Milanovic said:
This test is not fair because he disabled everything in Xcitium as ozer metins says if he wouldnt disable everything in Xcitium Xcitium would have protected the system with Auto-Containment and HIPS and the attack would be prevented
Click to expand...

As I said to you in mp, you must not have watched the video because you can see the auto-sandbox being triggered when the program is run.
As explained, he used a script with LOLBins that cut Comodo's services.
And yes, it's dramatic, and for me it could be a security problem.

It's true that Comodo is efficient, but it's not as perfect as its competitors.
 
  • Like
  • +Reputation
Reactions: Sandbox Breaker, brambedkar59, Sunshine-boy and 7 others
wat0114

wat0114

Level 13
Verified
Top Poster
Well-known
Apr 5, 2021
620
The one problem with enabling the HIPS and blocking by default every conceivable LOLBin imaginable, then having to create individual rules to allow trusted programs to use the required LOLBins, is that it is time-consuming, tedious work and the end user will have to have rather intimate knowledge of what they're doing, otherwise they will either allow something too permissively, cripple their system by being too restrictive, or a combination of both. I'm pretty sure this is one reason why Cruelsister does not enable HIPS in her Comodo setup.

There is also the bug (does it still exist in the latest release??) where all the HIPS rules disappear without warning.
 
Last edited:
  • Like
  • Applause
Reactions: kylprq, brambedkar59, Decopi and 8 others
Andy Ful

Andy Ful

From Hard_Configurator Tools
Thread author
Verified
Honorary Member
Top Poster
Developer
Well-known
Dec 23, 2014
8,510
Shadowra said:
It's true that Comodo is efficient, but it's not as perfect as its competitors.
Click to expand...

It is not perfect but in my opinion, it can still be a decent protection. I would not choose an average competitor to show the attack method.
Before making a video, I thought that with strict Auto-Containment and Proactive configuration one could safely skip HIPS. But as @ozer.metin (Comodo staff) mentioned, HIPS can be an essential part of Comodo's protection. I am not sure if HIPS can close all variants of the attack, but most of them can be prevented for sure.
 
  • Like
  • +Reputation
Reactions: brambedkar59, Zartarra, simmerskool and 6 others
Andy Ful

Andy Ful

From Hard_Configurator Tools
Thread author
Verified
Honorary Member
Top Poster
Developer
Well-known
Dec 23, 2014
8,510
wat0114 said:
The one problem with enabling the HIPS and blocking by default every conceivable LOLBin imaginable, then having to create individual rules to allow trusted programs to use the required LOLBins, is that it is time-consuming, tedious work and the end user will have to have rather intimate knowledge of what they're doing, otherwise they will either allow something too permissively, cripple their system by being too restrictive, or a combination of both. I'm pretty sure sure this is one reason why Cruelsister does not enable HIPS in her Comodo setup.
Click to expand...

I am not sure if @cruelsister intended to tweak Comodo against all highly targeted attacks. Furthermore, her settings were created several years ago and still could prevent almost all attacks (I tried several times). Even if someone can use my method as a part of the infection chain, it will be probably a targeted attack.
 
  • Like
  • +Reputation
Reactions: brambedkar59, roger_m, simmerskool and 4 others
rashmi

rashmi

Level 12
Jan 15, 2024
551
Overall, not an issue, at least for home users (my opinion). I suggest keeping HIPS disabled for not-knowledgeable users and setting containment to block instead for users who don't use containment, suspend alerts, or use silent mode. Containment set to block would prevent such attacks, correct, @Andy Ful?
 
  • Like
Reactions: simmerskool and Andy Ful
D

Decopi

Level 8
Verified
Oct 29, 2017
361
wat0114 said:
There is also the bug (does it still exist in the latest release??) where all the HIPS rules disappear without warning.
Click to expand...

Exactly!... and this is just one bug from a long list of hundreds of old unfixed bugs, all very well known bugs, repeatedly reported by users, and always ignored and minimized by Comodo' staff and fanatics.
The ridiculous Mantra is always the same: "Comodo works perfectly for me".
In real life, if users are infected or have serious problems due to Comodo' bugs, they are blocked/deleted from Comodo's forum.
Comodo's fiasco is not so big affecting thousands of users, just because only few fanatics use Comodo's products.
 
  • Like
  • +Reputation
Reactions: Virtuoso, wat0114, oldschool and 1 other person
D

Decopi

Level 8
Verified
Oct 29, 2017
361
Trident said:
They will be very sad watching these videos. All 5 of them.
Click to expand...

COGNITIVE DISSONANCE: Inside the mind of these few 5 fanatics, even when Comodo is full of bugs, even when Comodo' Containment can be bypassed, even when etc etc etc... in their masochist mind always is an "user fault", never a Comodo' fault.
The situation is so bizarre, that all the time Comodo's staff needs to invent subjective definitions about "what Comodo' protection is" (as a diversion, in order to hide bugs and other dangerous issues).
 
  • +Reputation
  • Like
  • HaHa
Reactions: roger_m, Virtuoso, vaccineboy and 1 other person
Andy Ful

Andy Ful

From Hard_Configurator Tools
Thread author
Verified
Honorary Member
Top Poster
Developer
Well-known
Dec 23, 2014
8,510
In the second part of Comodo's challenge, I tried Proactive Configuration + HIPS + max settings for Script Analysis, but Comodo crashed. So, one must be careful with HIPS.
The less problematic but still very strong config is similar to @cruelsister settings.
 
  • Like
  • +Reputation
  • Applause
Reactions: kylprq, brambedkar59, vtqhtr413 and 6 others

Similar threads

Andy Ful
    • Like
    • +Reputation
    • Applause
App Review Comodo's killer.
Replies
38
Views
1,387
Video Reviews - Security and Privacy
Andy Ful
Andy Ful
Andy Ful
    • +Reputation
    • Like
    • Thanks
App Review Comodo's challenge part 2.
Replies
54
Views
4,760
Video Reviews - Security and Privacy
Andy Ful
Andy Ful
L
    • Like
App Review Windows Defender Controlled Folders bypassed by ransomware
Replies
1
Views
357
Video Reviews - Security and Privacy
oldschool
oldschool

About us

  • MalwareTips is a community-driven platform providing the latest information and resources on malware and cyber threats. Our team of experienced professionals and passionate volunteers work to keep the internet safe and secure. We provide accurate, up-to-date information and strive to build a strong and supportive community dedicated to cybersecurity.

Quick Navigation

Forum Rules Warning System Welcome Guide Two-factor Authentication

User Menu

Login

Follow us

Follow us on Facebook or Twitter to know first about the latest cybersecurity incidents and malware threats.

Top