Serious Discussion Three Unpatched Vulnerabilities Plague Comodo. Documented Online.

Would you use vulnerable and outdated software, when alternatives exist?

  • Yes

  • No


Results are only viewable after voting.
Status
Not open for further replies.
No, I'm not ignoring the recently uncovered issues and other users don't either. But that's the thing: I started to have doubts about security, but I've been using Comodo for decades and have never had malware, cyberattacks, or anything else. And that's an honest statement. I'm not stupid and use software that I can't trust.

And look there: CVEs reported for CIS 2025 - 12.3.4.8162

by nik.luckin:

Therefore my question (see above):

So the protection must be good?😟 or 👍
I don't want to become a victim of cybercriminals.
I know that topic, and they are literally ignoring the severity of this CVE.
 
I was really considering switching, and the recent posts here have reinforced my doubts somewhat (but then some things were revised again), but my experience with Comodo contradicts this.

Most of the criticism of Comodo follows from its different security design, as compared to other popular AVs.
It’s like criticizing a crocodile for having barely changed at all, while dinosaurs evolved into birds.:)
However, crocodiles are still among the most dangerous and successful creatures.
 
Last edited:
Lmao I actually wanted to type a lot of things about this "argument", especially the statistics and mathematics one. But I decided it's not worth it at all. Why? It's like saying "I smoke cigarettes all day but I ain't dying". It's more or less "the world is flat, you can't prove otherwise" or "I'm driving a car and I'm still alive so car accidents aren't real". The simple answer for all of this BS: Survivorship bias - Wikipedia
Moral question: is there anybody who does "Hey I hacked your machine and I got your bank account. You are my victim"? The "I'm not a programmer" + "I haven't been attacked while using " + <insert your favorite product here> is pretty much BS:
- 1. You are not being attacked.
- 2. You don't know you are being attacked.
=> The question is a misdirection to the point of a completely different topic. It's a worthless question.
 
Most of the criticism of Comodo follows from its different security design, as compared to other popular AVs.
It’s like criticizing a crocodile for having barely changed at all, while dinosaurs evolved into birds.:)
However, crocodiles are still among the most dangerous and successful creatures.

"Different security design"? As I pointed out, the so-called automation sandbox injects Comodo's DLL and does function hooking. All other vendors do that. The only difference here is Comodo hasn't maintained their products while other vendors keep updating new technologies.
Unless you meant a "protection from cyber threats" doesn't verify a simple SSL/TLS cert or manifest file to prevent a spoofing attack or path traversal in 2025, then yeah, you win.
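The post above names three checks an update client must make: verify the TLS certificate of the server it fetches from, authenticate the manifest it downloads, and refuse manifest entries whose paths escape the install directory. The following is an added illustration of what those checks look like on the defending side; it is not Comodo's, Xcitium's, or the poster's code. The manifest format, the file names, the install root and the payload bytes are constructed for this example, and the HMAC "vendor key" is a standard-library stand-in for the asymmetric signature a real updater would verify with a pinned public key.

```python
import hashlib
import hmac
import json
import ssl
from pathlib import Path, PurePosixPath, PureWindowsPath

# Constructed stand-in for the vendor's manifest-signing secret (assumption:
# a real updater verifies a public-key signature instead of a shared HMAC key).
VENDOR_KEY = b"constructed-example-key"
# Constructed install root; nothing is written to disk in this example.
INSTALL_ROOT = Path("/tmp/example-av")


def tls_context() -> ssl.SSLContext:
    """Context the updater must use for every fetch: CA verification and
    hostname checking on, so a spoofed update server is rejected."""
    ctx = ssl.create_default_context()
    ctx.check_hostname = True
    ctx.verify_mode = ssl.CERT_REQUIRED
    return ctx


def manifest_accepted(raw: bytes, tag: str) -> bool:
    """True only if the tag authenticates the exact manifest bytes received."""
    expected = hmac.new(VENDOR_KEY, raw, hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected, tag)


def safe_destination(install_root: Path, name: str) -> Path:
    """Map a manifest entry onto install_root; refuse anything that could
    escape it (absolute paths, drive letters, '..') in either path flavour."""
    for flavour in (PurePosixPath, PureWindowsPath):
        p = flavour(name)
        if p.is_absolute() or p.anchor or ".." in p.parts:
            raise ValueError(f"rejected path: {name!r}")
    root = install_root.resolve()
    dest = (root / name).resolve()
    if root not in dest.parents:  # second line of defence after resolving
        raise ValueError(f"rejected path: {name!r}")
    return dest


def is_safe_name(install_root: Path, name: str) -> bool:
    """Boolean wrapper around safe_destination for callers that just need a verdict."""
    try:
        safe_destination(install_root, name)
        return True
    except ValueError:
        return False


def plan_update(install_root: Path, raw_manifest: bytes, tag: str, payloads: dict) -> list:
    """Return (destination, content) pairs; any failed check aborts the whole update."""
    if not manifest_accepted(raw_manifest, tag):
        raise ValueError("manifest authentication failed")
    manifest = json.loads(raw_manifest)
    plan = []
    for entry in manifest["files"]:
        dest = safe_destination(install_root, entry["name"])
        content = payloads[entry["name"]]
        digest = hashlib.sha256(content).hexdigest()
        if not hmac.compare_digest(digest, entry["sha256"]):
            raise ValueError(f"hash mismatch for {entry['name']!r}")
        plan.append((dest, content))
    return plan


# --- constructed sample data, standing in for what a vendor build step emits ---
PAYLOADS = {
    "bin/scanner.dll": b"constructed payload A",
    "../../Windows/System32/planted.dll": b"constructed payload B",
}


def _sign(file_names):
    """Build a manifest for the given entries and authenticate it (vendor side)."""
    files = [{"name": n, "sha256": hashlib.sha256(PAYLOADS[n]).hexdigest()} for n in file_names]
    raw = json.dumps({"files": files}).encode()
    return raw, hmac.new(VENDOR_KEY, raw, hashlib.sha256).hexdigest()


GOOD_MANIFEST, GOOD_TAG = _sign(["bin/scanner.dll"])
TRAVERSAL_MANIFEST, TRAVERSAL_TAG = _sign(["bin/scanner.dll", "../../Windows/System32/planted.dll"])

if __name__ == "__main__":
    for dest, _ in plan_update(INSTALL_ROOT, GOOD_MANIFEST, GOOD_TAG, PAYLOADS):
        print("would write", dest)
    for label, raw, tag in (("tampered", GOOD_MANIFEST + b" ", GOOD_TAG),
                            ("traversal", TRAVERSAL_MANIFEST, TRAVERSAL_TAG)):
        try:
            plan_update(INSTALL_ROOT, raw, tag, PAYLOADS)
        except ValueError as err:
            print(label, "rejected:", err)
```

The traversal case is deliberately given a valid tag: a correctly signed manifest must still not be allowed to write outside the install root, which is why the path check is independent of the authenticity check rather than skipped once the signature passes.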
 
The only difference here is Comodo hasn't maintained their products while other vendors keep updating new technologies.

AV vendors did not resign from using local sandboxes because of weaker protection, but due to users' inconvenience when using such sandboxes.
So yes, Comodo cannot be a popular AV and cannot be recommended to most users. However, it does not mean that it is not highly effective and that people who use it are wrong.

Unless you meant a "protection from cyber threats" doesn't verify a simple SSL/TLS cert or manifest file to prevent a spoofing attack or path traversal in 2025, then yeah, you win.

OK. You, me, and some others proved that Comodo is a crocodile Achilles. :)
 
Most of the criticism of Comodo follows from its different security design, as compared to other popular AVs.
It’s like criticizing a crocodile for having barely changed at all, while dinosaurs evolved into birds.:)
However, crocodiles are still among the most dangerous and successful creatures.
Comodo also evolved... It evolved into a dragon—the rare updates are digital goats to keep the fire-breathing beast friendly for happy riders! 😊

Dragons are the most notorious creatures for their ferocious nature—documented by the Game of Thrones Research Center. 😊
 

dmknght

Lmao I actually wanted to type a lot of things about this "argument", especially the statistics and mathematics one. But I decided it's not worth it at all. Why? It's like saying "I smoke cigarettes all day but I ain't dying". It's more or less "the world is flat, you can't prove otherwise" or "I'm driving a car and I'm still alive so car accidents aren't real". The simple answer for all of this BS: Survivorship bias - Wikipedia
Moral question: is there anybody who does "Hey I hacked your machine and I got your bank account. You are my victim"? The "I'm not a programmer" + "I haven't been attacked while using " + <insert your favorite product here> is pretty much BS:
- 1. You are not being attacked.
- 2. You don't know you are being attacked.
=> The question is a misdirection to the point of a completely different topic. It's a worthless question.
So my post is relevant. What's your problem? In your eyes, I use vulnerable and outdated software, even though alternatives exist. For that reason alone, I can't take your post seriously.
Your post is LoL for me, because:
- And I dealt with a lot of sensitive data and data exchange (including my own). I never received any complaints.
- Comodo ran as a security program on all computers and laptops in my PC life
- Windows was the OS on all of them, in almost all its versions
- I never had viruses, ransomware, Trojans, or anything else on any of them
- Even in my early years, Comodo's inadequacies were pointed out (so nothing new)
- Comodo was recommended to me back then by an IT specialist (I've written about this before) who was responsible for security at one of the largest companies in my country, where he still is today

A security program is like a protective vest or a firewall. Over all these decades, I should have been caught off guard by Comodo's vulnerability at some point. I wasn't. Now we're on the topic. If I had been recommended CyberGhost back then (it's been around for a long time too) and had had this experience with it, I would write the same thing.

If a protective wall has been able to protect a city from an attack until now, why should it be torn down? But maybe I'm too uninteresting for hackers. That could be the case, and that's fine, too.

So I can't make any sense of your post at all. My bank account remained untouched, all my PCs and laptops, and there were quite a few of them by now, with all versions of Windows, remained protected. What more could I want, and why do you think I now have doubts about Comodo's protective effectiveness?

I only wrote that I'm not a programmer because I can't come up with any evidence or possibilities of where Comodo has its weaknesses, as some here can, and especially because they never appeared on my devices. And I was looking, believe me, for Comodo users whose bank accounts were emptied, whose identities were stolen, who were blackmailed with ransomware, whose computers were misused for criminal purposes – I couldn't find any. Not even in the Comodo forum, where that would be the first port of call to show how someone got into serious trouble despite using Comodo. All the nice comparisons don't help me. My comparison is simply my experience.

I can't prove that a doctor made a wrong diagnosis just because I know what my blood pressure should be. I don't understand why you didn't understand that.

Again, I'm really not trying to defend Comodo; quite the opposite, and I've read better responses to my post than yours. I considered Norton 360, but I feel a bit like J. Bond, who was always happy with his Beretta.

Again, I'm not defending Comodo. On the contrary, I'm looking for security, which is my priority, and @cruelsister was and is more convincing in this regard and was able to reduce my doubts considerably.

I also have a comparison:

If I, as a police officer, wear a body armor and have never been injured in my 25 years of service, then I don't care at all if people say:

Maybe you were never shot at

Maybe you didn't even notice you were hit

Maybe you were just lucky so far

There are much better body armor now

Sure, the weapons are also getting "better" and can penetrate the body armor.

Three times, Comodo warned me to stop working because another computer was trying to tamper with my computer, and Comodo stopped my internet connection and told me to delete the remote software (in essence). That was just a short time ago. I know where it came from in one attempt, but not in the others. I was hit, but the body armor protected me. Not invented by me.

Thanks for the answers.

It's not my fault that I've been spared so far.
 
Last edited:
I think you missed his point. I believe what he meant was "if a public POC is available then it's extremely dangerous". And yeah, my full POC is there with full read access :D Talk about POC, I found it funny because the "security news" BS used AI to parse and generate articles. Most of the articles missed a lot of information or even gave wrong info. There's only the Security Insider website that contacted me and asked me nicely for more details before releasing their article.
Either way, Comodo actually sold (sells) certificates and their products just ignored the validation check?? That's just insane lol.
Yeap, COMODO's malware business model is certificates, but alas, guess whose certificates are the most compromised ones that are used by signed malware?

Yeap COMODO.

Trusting COMODO to keep you safe is like trusting a home alarm system that uses Wi-Fi as their method of communication between stations/sensors. Sure it will alarm and deter a 15 yo kid who broke in to get your PlayStation 5 but it won't deter or protect you against any real threat.


Now I wonder how broken their business solution really is, what's it called, XynatolXenophile?
 
Last edited:
It would be ironic if Xcitium patched some vulnerabilities while Comodo is still remaining untouched.
They have to, have you seen the prices they charge? No MSP in their right mind would go for Xcitium if it wasn’t getting any updates.

The fun fact is, if Xcitium is getting updates then there are components that need updating. Twice a week.

Comodo is untouched because Comodo is an abandoned project in deep maintenance mode.
 
They have to, have you seen the prices they charge? No MSP in their right mind would go for Xcitium if it wasn’t getting any updates.

The fun fact is, if Xcitium is getting updates then there are components that need updating. Twice a week.

Comodo is untouched because Comodo is an abandoned project in deep maintenance mode.

I would assume so, but we don't really know whether they really did it, nor whether they completely fixed all of the issues (they might have fixed some of the easiest bugs). A real test would be great.
 
Who actually uses Xcitium anyway? Besides security forums and the odd home user with a seat I haven't found anyone who cares about it or uses it.

Why would you go for this over CrowdStrike? I don't see any business case for MSPs unless they are basically giving away seats and licenses to use Comodo.
 
Yeap, COMODO's malware business model is certificates, but alas, guess whose certificates are the most compromised ones that are used by signed malware?
As of 2025, there is no evidence to suggest that certificates from Sectigo (formerly Comodo) are currently the "most compromised" and used by signed malware. The claim is based on outdated information from a 2019 report, which is no longer relevant to the present situation.

Microsoft’s Trusted Signing is emerging as a new major source of abused certs in malware signing (especially for those who want “trusted CA” certificates but easier/faster/shorter lived). It’s reasonable to suspect that its share of abused certificates is rising quickly.

For TLS / HTTPS certificate misuse or misissuance, CAs like Entrust also appear in recent issues, but those are somewhat different categories of “abuse.”
 
I have a question that's meant honestly and has nothing to do with fanboying or anything else.

First of all: I've had serious doubts because of the recently discovered security vulnerabilities and the discussions about them, not here, but in the Comodo forum. I was about to leave Comodo after decades. My question will be difficult to answer, not because it's too specific or technically difficult (I wouldn't be able to do that due to a lack of knowledge, as I'm not a programmer), but because no one can look at my configurations and immediately tell me for this or that reason or because of that. My question, as I said, has nothing to do with Comodo itself; I could certainly ask a similar question about other programs.

Why, in all the decades I've been using Comodo, haven't I been harmed even once by a cyberattack:
Identity, bank account, ransomware, or anything else.

I can already offer one or two answers based on what I've read here:
- Comodo is too insignificant for cybercriminals, so it's not worth attacking.
- The user base is too small and also too insignificant.
- Attempting a break-in would be too complex, or the hurdles are too high at Comodo.

There have been security concerns and vulnerabilities at Comodo for some time, and these have been discussed.

I was really considering switching, and the recent posts here have reinforced my doubts somewhat (but then some things were revised again), but my experience with Comodo contradicts this.
If you are a regular citizen who is not on the radar of cyber attackers, or you don't go to bad places and download cracked software, the.
As of 2025, there is no evidence to suggest that certificates from Sectigo (formerly Comodo) are currently the "most compromised" and used by signed malware. The claim is based on outdated information from a 2019 report, which is no longer relevant to the present situation.

Microsoft’s Trusted Signing is emerging as a new major source of abused certs in malware signing (especially for those who want “trusted CA” certificates but easier/faster/shorter lived). It’s reasonable to suspect that its share of abused certificates is rising quickly.

For TLS / HTTPS certificate misuse or misissuance, CAs like Entrust also appear in recent issues, but those are somewhat different categories of “abuse.”
I stand corrected. Thank you.
 
The fun fact is, if Xcitium is getting updates then there are components that need updating. Twice a week.

Comodo is untouched because Comodo is an abandoned project in deep maintenance mode.

Comodo as an "abandoned project" is a probable hypothesis rather than a fact.
There are several objective reasons not to recommend Comodo to most users, so it is not necessary to use a questionable one.

Comodo projects are now taken by Xcitium. Many CIS features are identical to those in Xcitium EDR. We cannot exclude the possibility that the vendor will add some Xcitium features to CIS in the future (although the opposite is possible as well).
The CIS platform is still being updated (very slowly), the malware database is updated constantly (with a few-day delay), and some important vulnerabilities are being fixed (the last one this year).

It is not ideal that the vendor did not fix some Comodo weaknesses. But no one presented any evidence that they were/are/will be actively used in the wild against home users. It is also not ideal that new brands of FUDs are poorly detected by top AVs (at home and in Enterprises), while most of them die in Comodo's auto-containment. Some home users still use CIS or CF (usually tweaked) for some reasons. If CIS/CF is usable for them, there are no objective reasons to skip CIS/CF for another AV. Also, there are no objective reasons to skip the top home AV for CIS/CF.

My conclusion.
In our imperfect world, users who like security based on auto-containment can use CIS (slightly tweaked) instead of any top AV. The useful tweaks are related to scripting and blocking Internet connections in the sandbox.
Comodo Firewall can perform nicely with Microsoft Defender.
For users who did not use Comodo, other AVs are more recommended due to possible usability issues.
Users in Enterprises should use Xcitium or another EDR instead of Comodo.
 
Last edited:
This guy must be a troll. You are literally arguing with dmknght because he found this CVE; instead of saying thanks, you are saying "I'm a hardcore Comodo fan and you must be punished." I think nobody should be a fan of Comodo, because you are literally damaging Comodo instead of helping to improve Xcitium or Comodo.
 
You are literally arguing with dmknght because he found this CVE
Who is arguing with dmknght due to him finding a Comodo CVE?

you are saying "I'm a hardcore Comodo fan and you must be punished"
Who said that? And where did they say it?

I think nobody should be a fan of Comodo, because you are literally damaging Comodo instead of helping to improve Xcitium or Comodo.
The problem is not the fanbois and fangirlz. The problem is the software publisher itself. More specifically, it is

Comodo and Xcitium:
  • Have no dedicated developer team; Comodo companies use a pool of developers and subcontractors
  • The companies are notorious for fixing software for only a few years, then the software goes into maintenance
  • Reporting bugs and security problems has less than 50% chance of ever being fixed
  • Comodo is no longer being developed (it should be stated that this can change at some point in the future, however unlikely)
 
Last edited by a moderator:
Lmao I actually wanted to type a lot of things about this "argument", especially the statistics and mathematics one. But I decided it's not worth it at all. Why? It's like saying "I smoke cigarettes all day but I ain't dying". It's more or less "the world is flat, you can't prove otherwise" or "I'm driving a car and I'm still alive so car accidents aren't real". The simple answer for all of this BS: Survivorship bias - Wikipedia
Moral question: is there anybody who does "Hey I hacked your machine and I got your bank account. You are my victim"? The "I'm not a programmer" + "I haven't been attacked while using " + <insert your favorite product here> is pretty much BS:
- 1. You are not being attacked.
- 2. You don't know you are being attacked.
=> The question is a misdirection to the point of a completely different topic. It's a worthless question.
A software publisher has no moral or ethical obligations. The software EULA states "Offered 'AS IS.' The user assumes any and all risk of using this software."

Comodo software is abandonware (or more accurately, so infrequently developed as to realistically be considered such). Melih does not care about Comodo software. Melih does not care about criticisms and complaints.

Of course, people can criticize and complain as they wish, but doing so will never bring any positive change to Comodo (or Xcitium).

If one looks at the Comodo/Xcitium history, this is not difficult to understand.

I think all the disagreements and fighting about Comodo and/or Xcitium are 100% wasted time and effort.
 
Last edited by a moderator: