I currently have separate Eazy Fix screenshots for Comodo and AndyFul's Tools. Andy's Tools are excellent, and I might consider making a permanent switch from Comodo to H_C Tools.@rashmi Why don't you play Superman?Or maybe you want to tone it down like 0Pathy. Like, you activate ARP blocking, block PowerShell to prevent attackers from delivering Metasploit payloads, another thing would be to monitor that folder ../../../ProgramData/Microsoft/Windows/Start Menu/Programs/Startup/ maybe you have another card up your sleeve?
Three Unpatched Vulnerabilities Plague Comodo. Documented Online.
- Thread starter Trident
- Start date
- Status
@Trident How awful of Comodo. It's been a month since this was posted on 7 July 2025. That was the most terrible thing to read: "Comodo has not responded to attempts to disclose vulnerabilities." Was Comodo not going to pay the reward for the discovery, or is it just sloppy?
Comodo is not running any bug bounty programmes so neither it will fix the vulnerability, nor it will reward the person who discovered it.
Yes, that's sad, but since it's a free product, it's likely to stay that way. Fortunately, there are many good alternative security products out there.
@Trident Although it is rare for ordinary people to use Comodo nowadays, it is more of a product for geeks. However, if there is anyone using CIS/CF who is unaware of CVE, I feel sorry for them if this vulnerability is exploited, because it has now become public knowledge.
Is Eazy Fix, which you mentioned, a snapshot program? Similar to RBX? Or did I misunderstand?
I'm going to say this comodo got so bad with development even languy99 gave up on it that speaks volumes. The windows xp days was comodo's time to shine and bring the company up but comodo has been walking in "dirty underwear" ever since and has not "changed" quality wise.
I didn't get you.
I prefer Comodo with minimal tweaks. Configuring Comodo is troublesome; for example, enabling scripts makes it kinda impossible to whitelist some files. I can strengthen Comodo with some advanced configurations, but the proactive configuration and some tweaks are sufficient for my usage. Anyway, I'm enjoying H_C Tools and may permanently switch to them.@rashmi Why don't you play Superman?
Yes, Eazy Fix, a snapshot program similar to RollBackRx.
Team AVeraGe strikes again!
The Comodo policy clearly states, "Comodo and the community have a no-underwear policy!" 
Such attacks often do not use the PATH environment variable. They can usually trick users into downloading a benign, vulnerable portable application with a weaponized DLL (side loading) or by adding a weaponized DLL with a file name of a system DLL (search order hijacking). The attack happens in the
Last edited:
So search order hijacking depends on have their malicious DLL in the PATH var ? So I made every PATH dir non-writable. Or did I mis-understood what search order hijacking means ?
Last edited:
In programming as you know, there is this concept of breaking down code to small chunks. For various reasons, nobody wants one long pile of spaghetti code.
The code is broken down across many executables and modules.
For the software to know which module it has to load from where, the following is possible:
- You can write hardcoded paths set in stone. It can be written in the registry, in various files like ini, in the executable logics. This is HIGHLY undesirable for various reasons.
- Potentially, I can write the installdir and various other directories needed for functionality, then construct the paths in real time.
The other way to do it, is to just specify the name of the module that needs to be loaded. Windows will then go around looking for module with this name in this order:
- The Application's Directory: The folder where the application's executable (.exe) is located. This is the primary location attackers target
- The System Directory: C:\Windows\System32
- The 16-bit System Directory: C:\Windows\System (mainly for legacy reasons)
- The Windows Directory: C:\Windows
- Directories in the PATH Environment Variable: The folders listed in the system's PATH variable, searched in order.
- The Current Directory: The directory from which the application was launched.
So let's say that my portable application TudaPlayer has TudaPlayer.exe and ccCodecSupport.dll.
TudaPlayer is a very popular and widespread app that I've signed submitted to AV vendors as well. Most of these vendors now trust TudaPlayer, potentially excluding it from behavioural monitoring as well (some AVs do not monitor trusted and prevalent apps).
When I've been writing TudaPlayer, I couldn't have placed hardcoded variables/constants with the module paths - it is a portable app, I don't know where you will download and extract it.
Attacker replaces ccCodecSupport.dll with a fake copy that performs malicious actions. These actions are now hidden behind my trusted app and potentially, the AV has a blind spot.
There is very little you can do to prevent this. To make things more exciting, attacker can create subdirectories, something like "Resources" and place a few fictional files, along with the real DLL. Attackers can load the real DLL through instructions in the malicious one. In this case, the player will function.
Assuming that ccCodecSupport.dll is not signed, SAC could block its loading.
Last edited:
@Trident
You can make sure that the app directory is not writable by users group, only by administrators group. So the adversary cannot overwrite ccCodecSupport.dll. But maybe portable apps are meant to be deployable by end users who are not admins. I never quite get the advantages of portable apps. Sorry but I am an IT N**i
Last edited:
It can be anything, it can be a fictional software installer as well. Attacker is not gonna try to modify installed apps. They will target apps that the user is attempting to install now. Cracked and hacked applications on not so trusted websites would be the golden mine.
The attacker will exploit the trust in the installer (which has been ran times and times again) and will perform whatever they wanna perform on the side. Making application directories not writeable is not a good idea.
What will happen when there is an update and the updater wants to modify files in this directory?
System hardening is a good idea when it remains that — hardening. When it turns to system breaking, this is not what you want.
However, behavioural blocking and anomaly detection can detect DLL sideloading. Potentially, the malicious DLL could be identified by anti-malware.
Behavioural blocking can create reports both locally and on the cloud, of what the application is normally trying to load (metadata of the modules and so on). The malicious DLL likely won’t match that and becomes anomalous.
Last edited:
Enjoy the uncut scenes from Game of Thrones... Parkinsond Targaryen's fearless dragon, Progon... Pracarys...
!
Never watched GOT so don’t really understand any of thatEnjoy the uncut scenes from Game of Thrones... Parkinsond Targaryen's fearless dragon, Progon... Pracarys...
"Dracarys" is a High Valyrian word meaning "dragonfire," used by Daenerys Targaryen in the series Game of Thrones to command her dragons to breathe fire.Never watched GOT so don’t really understand any of that
- Status
You may also like...
-
Windows Active Directory Vulnerability Allows Attackers to Execute Malicious Code- Started by Brownie2019
- Replies: 1
-
Critical Windows Admin Center Vulnerability Allows Privilege Escalation- Started by Parkinsond
- Replies: 4
-
AVideo Platform Vulnerability Allows Hackers to Hijack Streams via Zero-Click Command Injection
- Started by Brownie2019
- Replies: 1
-
TeamViewer DEX Vulnerabilities Let Attackers Trigger DoS Attack and Expose Sensitive Data
- Started by Brownie2019
- Replies: 1
