App Review: The Comodo's challenge.

Content created by
Andy Ful

rashmi
I disabled HIPS not to make the attack easier, but because it is a pretty popular practice when the Auto-Containment is set to Untrusted. As we can see, there can be some cons of that.
Thank you for the test. Please don't take it the wrong way, but "popular practice" is not a test of Comodo, especially for a bypass test. The vendor's configuration should be tested for such tests, in which case proactive comes with HIPS enabled. But the test was informative and showed, as you mentioned, that there can be some cons to the popular practice.
 

Andy Ful (Thread author)
Please don't take it the wrong way, but "popular practice" is not a test of Comodo, especially for a bypass test.

The video is not a test of the overall protection of Comodo AV, because the method used in the video is not a full attack.
In my opinion, it can be a part of a full attack. How strong Comodo can be against full attacks can depend on Comodo's settings and the details of the attacks.
This test is not fair because he disabled everything in Xcitium, as ozer metin says. If he hadn't disabled everything in Xcitium, Xcitium would have protected the system with Auto-Containment and HIPS, and the attack would have been prevented.

Shadowra
This test is not fair because he disabled everything in Xcitium, as ozer metin says. If he hadn't disabled everything in Xcitium, Xcitium would have protected the system with Auto-Containment and HIPS, and the attack would have been prevented.

As I said to you in mp, you must not have watched the video because you can see the auto-sandbox being triggered when the program is run.
As explained, he used a script with LOLBins that cut Comodo's services.
And yes, it's dramatic, and for me it could be a security problem.

It's true that Comodo is efficient, but it's not as perfect as its competitors.
 

wat0114
The one problem with enabling the HIPS and blocking by default every conceivable LOLBin imaginable, then having to create individual rules to allow trusted programs to use the required LOLBins, is that it is time-consuming, tedious work and the end user will have to have rather intimate knowledge of what they're doing, otherwise they will either allow something too permissively, cripple their system by being too restrictive, or a combination of both. I'm pretty sure this is one reason why Cruelsister does not enable HIPS in her Comodo setup.

There is also the bug (does it still exist in the latest release??) where all the HIPS rules disappear without warning.
 
Last edited:

Andy Ful (Thread author)
It's true that Comodo is efficient, but it's not as perfect as its competitors.

It is not perfect, but in my opinion it can still be decent protection. I would not choose an average competitor to show the attack method.
Before making a video, I thought that with strict Auto-Containment and Proactive configuration one could safely skip HIPS. But as @ozer.metin (Comodo staff) mentioned, HIPS can be an essential part of Comodo's protection. I am not sure if HIPS can close all variants of the attack, but most of them can be prevented for sure.
 

Andy Ful (Thread author)
The one problem with enabling the HIPS and blocking by default every conceivable LOLBin imaginable, then having to create individual rules to allow trusted programs to use the required LOLBins, is that it is time-consuming, tedious work and the end user will have to have rather intimate knowledge of what they're doing, otherwise they will either allow something too permissively, cripple their system by being too restrictive, or a combination of both. I'm pretty sure this is one reason why Cruelsister does not enable HIPS in her Comodo setup.

I am not sure if @cruelsister intended to tweak Comodo against all highly targeted attacks. Furthermore, her settings were created several years ago and can still prevent almost all attacks (I tried several times). Even if someone can use my method as a part of the infection chain, it will probably be a targeted attack.
 

rashmi
Overall, not an issue, at least for home users (my opinion). I suggest keeping HIPS disabled for not-knowledgeable users and setting containment to block instead for users who don't use containment, suspend alerts, or use silent mode. Containment set to block would prevent such attacks, correct, @Andy Ful?
 

Decopi
There is also the bug (does it still exist in the latest release??) where all the HIPS rules disappear without warning.

Exactly!... and this is just one bug from a long list of hundreds of old unfixed bugs, all very well-known bugs, repeatedly reported by users, and always ignored and minimized by Comodo's staff and fanatics.
The ridiculous mantra is always the same: "Comodo works perfectly for me".
In real life, if users are infected or have serious problems due to Comodo's bugs, they are blocked/deleted from Comodo's forum.
Comodo's fiasco is not so big as to affect thousands of users, just because only a few fanatics use Comodo's products.
 

Decopi
They will be very sad watching these videos. All 5 of them.

COGNITIVE DISSONANCE: Inside the mind of these few 5 fanatics, even when Comodo is full of bugs, even when Comodo's Containment can be bypassed, even when etc etc etc... in their masochist mind it is always a "user fault", never a Comodo fault.
The situation is so bizarre that all the time Comodo's staff needs to invent subjective definitions about "what Comodo's protection is" (as a diversion, in order to hide bugs and other dangerous issues).
 

Andy Ful (Thread author)
In the second part of Comodo's challenge, I tried Proactive Configuration + HIPS + max settings for Script Analysis, but Comodo crashed. So, one must be careful with HIPS.
The less problematic but still very strong config is similar to @cruelsister's settings.
 
