App Review The Comodo's challenge.

It is advised to take all reviews with a grain of salt. In extreme cases some reviews use dramatization for entertainment purposes.
Content created by
Andy Ful

Andy Ful

From Hard_Configurator Tools
Thread author
Verified
Honorary Member
Top Poster
Developer
Well-known
Dec 23, 2014
8,592
It's somewhat paradoxical that the attack without the UAC bypass might be easier to execute against home users. Most home users would kindly ignore the UAC prompt and run the file. Anyway, several more popular attacks make this particular one unlikely at home.
 
Last edited:

PALTO01

Level 1
Jul 7, 2021
24
Comodo is blocking users from there forums who is trying to give suggestions and feedbacks for the improvement of the antivirus engine and realtime protection and overall protections for there upcoming CIS 2024 stable release, really concerning and not good at all. Recently some of my friends got blocked. They are arguing a lot when suggestions were given to them for improving the antivirus and then banning .
 

Attachments

  • comodo ban 1.jpg
    comodo ban 1.jpg
    18.8 KB · Views: 129
  • Screenshot 2024-03-26 133745.png
    Screenshot 2024-03-26 133745.png
    4 KB · Views: 122
  • Screenshot 2024-03-29 192949.png
    Screenshot 2024-03-29 192949.png
    19.4 KB · Views: 127
  • Like
Reactions: roger_m

Sandbox Breaker

Level 11
Verified
Top Poster
Well-known
Jan 6, 2022
530
Comodo is blocking users from there forums who is trying to give suggestions and feedbacks for the improvement of the antivirus engine and realtime protection and overall protections for there upcoming CIS 2024 stable release, really concerning and not good at all. Recently some of my friends got blocked. They are arguing a lot when suggestions were given to them for improving the antivirus and then banning .
They probably want users to think it's all good lol
 
  • Like
Reactions: PALTO01

PALTO01

Level 1
Jul 7, 2021
24
They probably want users to think it's all good lol
Which is not the case in real world as we all have seen how miserably comodo antivirus failing in terms of the antivirus engine and signatures in various tests, also they don't have any proper web and url filtering protection and the firewall component too lacks the presence of a proper network intrusion detection/prevention module and the firewall component itself hasn't been updated for ages which is very very important thing and is present in almost all major security software vendors be it kaspersky or norton or eset or avast or avg that's that. And when someone highlights this critical points to them on there forum they blocks that user, this kind of behaviour looks extremely weird and strange itself from there end.
 
  • Like
Reactions: kylprq

Andy Ful

From Hard_Configurator Tools
Thread author
Verified
Honorary Member
Top Poster
Developer
Well-known
Dec 23, 2014
8,592
Guys,

This thread is not about several possible Comodo issues, but about tampering with antimalware drivers and protected services.
Please, we should not stray from the subject too much.(y)
 

Sephirothnight

Level 1
Sep 19, 2018
10
Bonjour,

Rien de nouveau sur la censure du forum comodo et ses pratiques forcément très "politiquement correctes", une histoire avec un ancien Admin "Shaoran" de mémoire, qui avait démontré avec très peu de lignes de code, la fermeture de comodo et l'infection, ça faisait longtemps, comodo version 4 Je pense, en tout cas... L'équipe de comodo a-t-elle vu ce test d'Andy Ful et envisage-t-elle de faire quelque chose ? Merci.
 
  • Like
  • Wow
Reactions: kylprq and Andy Ful

vitao

Level 3
Mar 12, 2024
110
Can Comodo's Auto-Containment be bypassed?


Hello Andy.

Would You mind sharing the files so I can test it and maybe do it live on my channel? im curious as im always trying to find something that could bypass cis containment but i always fail on it. If You dont see any problems it would be kind of You to share it. Maybe in private msg if You prefer?
 

Andy Ful

From Hard_Configurator Tools
Thread author
Verified
Honorary Member
Top Poster
Developer
Well-known
Dec 23, 2014
8,592
Hello Andy.

Would You mind sharing the files so I can test it and maybe do it live on my channel? im curious as im always trying to find something that could bypass cis containment but i always fail on it. If You dont see any problems it would be kind of You to share it. Maybe in private msg if You prefer?
Hi @vitao,
I shared the attack method only with the AV vendors (Kaspersky, Microsoft, etc.).
I do not plan to share it further except if it will be seen in the wild. (y)
I do not think that this method can become popular in attacks on home users. The gain of using it is related to Enterprises.
 
Last edited:

Vitali Ortzi

Level 26
Verified
Top Poster
Well-known
Dec 12, 2016
1,585
Hi @vitao,
I shared the attack method only with the AV vendors (Kaspersky, Microsoft, etc.).
I do not plan to share it further except if it will be seen in the wild. (y)
I do not think that this method can become popular in attacks on home users. The gain of using it is related to Enterprises.
It worked on comodo set to restricted too ? Or just untrusted?
 
  • Like
Reactions: simmerskool

Andy Ful

From Hard_Configurator Tools
Thread author
Verified
Honorary Member
Top Poster
Developer
Well-known
Dec 23, 2014
8,592
Response of @ozer.metin (Comodo Staff- Chief Innovation and Technology Officer)
App Review - The Comodo's challenge.

The response is related to one of many possible variants only. Slightly modified variants do not use anything that could be blocked by HIPS:
 
  • Like
Reactions: Vitali Ortzi

Vitali Ortzi

Level 26
Verified
Top Poster
Well-known
Dec 12, 2016
1,585
It does not matter because nothing was contained. The attack uses only legitimate executables.
I'm not sure how it works but is there anything you can do like setting exploit guard to comodo core components (no idea how it works so unsure if any harding by exploit guard might help )
Or maybe some srp rule
Like is there anything someone can do without a vendor patch to deal with this bypass of the driver ?
And what vendors do you believe cam protect against this and maybe future variants are at least responsive enough to care about an advanced attack vector like shown here
 

Andy Ful

From Hard_Configurator Tools
Thread author
Verified
Honorary Member
Top Poster
Developer
Well-known
Dec 23, 2014
8,592
I'm not sure how it works but is there anything you can do like setting exploit guard to comodo core components (no idea how it works so unsure if any harding by exploit guard might help )
Or maybe some srp rule

You can use SRP to block shortcuts in UserSpace (like in H_C, WHHLight, or SWH). But, most AVs can be bypassed also without using shortcuts.
Anyway, it would be much harder to bypass Comodo without using a shortcut.
 

Vitali Ortzi

Level 26
Verified
Top Poster
Well-known
Dec 12, 2016
1,585
You can use SRP to block shortcuts in UserSpace (like in H_C, WHHLight, or SWH). But, most AVs can be bypassed also without using shortcuts.
Anyway, it would be much harder to bypass Comodo without using a shortcut.
Is there any vendors that hardened the driver to be able to deal with this attack or does Microsoft need to create some SDK to allow further hardening to allow av software drivers to be protected against some of these advanced attacks

Although this is only a specific it would be interesting to know which vendors could deal with this attack
 

ErzCrz

Level 23
Verified
Top Poster
Well-known
Aug 19, 2019
1,222
It wasn't blocked because cmd embedded code detection under Script Analysis is toggled off by default due to quite a few FPs. Thankfully, you can harden your system with @Andy Ful 's tools along side CIS/CF but that's overkill. CyberLock blocked the action which I bought this year. I'm on a CIS/CF hiatus waiting on Certificate issue to be resolved.
 
  • +Reputation
Reactions: Vitali Ortzi

Andy Ful

From Hard_Configurator Tools
Thread author
Verified
Honorary Member
Top Poster
Developer
Well-known
Dec 23, 2014
8,592
Is there any vendors that hardened the driver to be able to deal with this attack or does Microsoft need to create some SDK to allow further hardening to allow av software drivers to be protected against some of these advanced attacks

Although this is only a specific it would be interesting to know which vendors could deal with this attack

The driver cannot be hardened to avoid the attack. I cannot give more details.
 

Andy Ful

From Hard_Configurator Tools
Thread author
Verified
Honorary Member
Top Poster
Developer
Well-known
Dec 23, 2014
8,592
It wasn't blocked because cmd embedded code detection under Script Analysis is toggled off by default due to quite a few FPs.
Although I used CMD in one particular variant, the modified attack can bypass Comodo with all options related to embedded code detection.
 
  • +Reputation
Reactions: Vitali Ortzi

About us

  • MalwareTips is a community-driven platform providing the latest information and resources on malware and cyber threats. Our team of experienced professionals and passionate volunteers work to keep the internet safe and secure. We provide accurate, up-to-date information and strive to build a strong and supportive community dedicated to cybersecurity.

User Menu

Follow us

Follow us on Facebook or Twitter to know first about the latest cybersecurity incidents and malware threats.

Top