What is really going on in the Comodo threads? (poll by Staff)

In your opinion, what is the main cause of the issues in Comodo threads?

  • Strong personalities – some members can’t let things go.

  • Product history – Comodo has a long, controversial reputation that always reignites old debates.

  • Poor wording / labels – terms like fanboy, hater, or dismissive comments that trigger arguments.

  • Over-reporting – members report posts just because they disagree, not because rules were broken.

  • Moderation approach – staff may intervene too much or too little, creating frustration.

  • Other (please explain in a reply).


The issue we've been discussing isn't about the strength of the dungeon or the height of the walls. It's about the gatekeepers knowingly ignoring a report that the main city gate has a broken lock. That's what an unpatched, documented CVE represents.

Yes, however, almost all newcomers (including the possible attackers) are not aware of this.

Your 'New York' full of cameras might seem chaotic, but at least its security team is actively trying to fix its broken cameras. The 'walled city' only feels safe. That feeling is a false one if the most fundamental entry point is known to be compromised and the guards are ignoring the warnings.

No. It would not be safe if the attackers were aware of the city's weaknesses. But, they are not. Almost all of them end up in a dungeon.

A strong dungeon is useless if an attacker can just walk through the unlocked front gate.

No. Almost all of them try to force the front gate, which cannot be forced. They are mainly unaware of the hidden unlocked gate.

You could be right about CIS security only in highly targeted attacks. The attackers would gather the essential information about where the city is located and find the hidden, unlocked gates. After this, it could be easier to attack the city compared to New York. However, New York is a more attractive target for many more attackers, and some of them can also break its security.
If you do not believe it, look at the breach statistics for enterprises.
 
Your statement about other AV having dangerous security flaws is so weak, it sounds like a Comodo commercial.

On the contrary. Next-gen security has a serious flaw in the poor detection of new malware families, especially FUDs.

Comodo users do not need CIS updates nor new releases, never change a running system, if it ain’t broke don’t fix it, so practical.

Of course, they need all of this, but less frequently than in the case of other AVs. With no releases, updates, or fixes, CIS would not work on new Windows versions. The critical flaws related to containment require fixing because most malware is contained. Otherwise, there would be no happy Comodo users.
 
Defense in depth and the fallacy of security through obscurity.

On the Sandbox


Relying solely on the sandbox as a failsafe is a fragile strategy. While sandboxing is an excellent security layer, the core principle of "defense in depth" dictates that we should never depend on a single control to be perfect. Advanced attackers specifically target sandboxes to find escapes. The professional approach is to patch the underlying vulnerability and have the sandbox as a backup, not to use the sandbox as an excuse to neglect the patch. One is a layered defense, the other is a single point of failure.

On Obscurity

The claim that these vulnerabilities are "under the radar" is demonstrably false. As this very discussion on a global forum shows, these CVEs are public knowledge. Security researchers and threat actors alike monitor public disclosures. To assume a documented vulnerability is unknown is to fundamentally misunderstand the modern threat landscape.

Let's be clear about the contrast in behavior here.

Reputable security vendors, as a rule, adhere to a strict policy of patching documented CVEs in a timely manner. This is the established standard.

A vendor that suggests users are safe despite these unpatched vulnerabilities is a significant outlier and is acting in direct opposition to security best practices.
 
I would use the CIS. ☝️ :D
Get ready to love Comodo even more! 🥰😊... The buzz on the street in Comodo town suggests... The highly expected Comodo 2026 will introduce a revolutionary feature called "Infinity" (inspired by the "Infinity Stones")—that will snap away all those pesky "Infected Comments" about Comodo on forums and similar platforms! 😘😂😊
 
  • Immoral fanatical promotion
  • Unethical bugs
  • Super Duper Dangerous Vulnerabilities (Oh My!)

but...



Cucumbers and Rain

🥒💦
 
Yes, CIS 2026, the CVE will be fixed, and half a dozen bugs will be resolved, and no one will even remember these conversations. 😂
 
When online gets too dangerous and insecure for users, the government can always turn off the electricity across the entire nation.
 
On the Sandbox

Relying solely on the sandbox as a failsafe is a fragile strategy. While sandboxing is an excellent security layer, the core principle of "defense in depth" dictates that we should never depend on a single control to be perfect. Advanced attackers specifically target sandboxes to find escapes. The professional approach is to patch the underlying vulnerability and have the sandbox as a backup, not to use the sandbox as an excuse to neglect the patch. One is a layered defense, the other is a single point of failure.
(y)

On Obscurity

The claim that these vulnerabilities are "under the radar" is demonstrably false. As this very discussion on a global forum shows, these CVEs are public knowledge. Security researchers and threat actors alike monitor public disclosures. To assume a documented vulnerability is unknown is to fundamentally misunderstand the modern threat landscape.

True in highly targeted attacks.
Otherwise, not true, because Comodo is unexpected (it is rarely used).

Let's be clear about the contrast in behavior here.

Reputable security vendors, as a rule, adhere to a strict policy of patching documented CVEs in a timely manner. This is the established standard.

Yes. The established standards apparently apply to standard cities such as New York, but not to Comodo city.


A vendor that suggests users are safe despite these unpatched vulnerabilities is a significant outlier and is acting in direct opposition to security best practices.

Yes, it is ... and still CIS can compete with top AVs against non-targeted attacks. You can call it Ninja-AV.(y)
The attackers are so focused on bypassing next-gen AV features, that they fail on much simpler (but inconvenient) security layers implemented in Comodo.
If next-gen features in popular AVs also include the Comodo approach, then Comodo would be the worst AV.
 
A mix of logical observations and rhetorical tactics that avoid the main point. You are dancing around the subject of vendor accountability by repeatedly shifting the focus of the argument.

Whataboutism

You claim Comodo's flaws are "not important" because alternative AVs have "even more dangerous security flaws". This is a logical fallacy. Another product's weakness doesn't excuse the vulnerability in the product being discussed. The goal of a security forum should be to hold all vendors to a high standard, not to accept one's flaws because others might be worse.

User Complacency as "Practicality"

You frame Comodo users as "practical" for sticking with a product that "works well," even if the company doesn't follow "standard norms". This argument ignores the fact that a product with an unpatched, documented vulnerability isn't truly "working well." It has a known defect, and ignoring it isn't practical, it's just accepting unnecessary risk.

Shifting the Topic

In your "walled city" analogy, you change the subject from vendor accountability (failing to patch a CVE) to the effectiveness of security models (Default-Deny vs. Detection). While the analogy itself is logical in describing a security model, it's a diversion tactic. It completely ignores my core point that a vendor's failure to patch a known flaw is a sign of poor security posture, regardless of the model they use.

You're making logical points about user behavior and security models, but you're using them to dodge the central question of whether it's acceptable for a security vendor to knowingly ignore documented vulnerabilities.
 
🏰 The Citadel of Comodo: A Legendary Tale of Cybersecurity

In a forgotten corner of cyberspace stood a walled city called ComodoLand. Its walls were so tall that birds got dizzy trying to fly over them, and its dungeon was so deep that even the boldest malware regretted being born.

👨‍🔧 Andy Ful, the chief architect, spent his days reinforcing the dungeon with configurations so complex, even he forgot how to get out. Whenever someone asked about a vulnerability, Andy replied, “Strong dungeon, happy heart!”

🕵️ Divergente, the forum philosopher, wasn’t convinced. “What good is a dungeon if the front gate is wide open and the guards are playing chess?” he’d say, drawing analogies between New York, broken cameras, and invisible cities. His specialty: turning any CVE into an existential metaphor.

🎭 Tridente, the group’s poet, didn’t get involved in technical debates. He simply observed the chaos and dropped lines like, “Comodo threads never lack poetry.” No one knew if he was for or against anything, but everyone gave him a thumbs-up.

One day, a new antivirus called “Infinity” appeared, promising to erase all negative comments with a snap of its fingers. Rashmi introduced it like it was an Infinity Stone, and everyone in ComodoLand got excited… until Andy Ful asked, “But does it have a sandbox?”

And so, amid analogies, dungeons, poetry, and unpatched CVEs, the Comodo threads kept growing—like an epic novel nobody asked for, but everyone secretly enjoys reading.
 
🎭 Scene: The Council of ComodoLand

The three sages gather in the Tower of Security to discuss the fate of ComodoLand.

Andy Ful (adjusting his cloak made of configurations):“The dungeon is reinforced with 37 layers of defense! If malware manages to get in, it deserves a trophy.”

Divergent (holding a coffee mug, eyes full of philosophy):“Andy, what’s the point of a dungeon if the front gate has a welcome sign and the guards are playing chess? It’s like putting cameras all over New York without lenses.”

Trident (reading from a scroll):“In the city of Comodo, where CVEs bloom like daisies, poetry is stronger than any patch.”

Andy Ful (frowning):“Most attackers don’t even know there’s a back gate! They end up in the dungeon before they can say ‘payload.’”

Divergent (raising an eyebrow):“That sounds like relying on attackers being clueless. What if one reads the ComodoLand manual? Boom—free entry.”

Trident (gazing at the sky):“And so, in the dance between patch and containment, users ask: is this security or just theater?”

Andy Ful (sighing):“Trident, can you speak without rhyming for five minutes?”

Trident (smiling):“Only if the dungeon stops being a metaphor.”

Divergent (standing up):“Well, I’m off to New York. At least there, CVEs have expiration dates.”

Andy Ful (shouting as Divergent walks away):“But they don’t have Hard_Configurator!”

“This dialogue is created with affection and humor, with no intention of mocking anyone, but rather to celebrate the unique personalities of the thread’s participants.”
 
I liked @Halp2001's jokes; however, they overcomplicate Comodo security.
The core of it is pretty simple: "Allowlisting + Script Analysis" supported by Auto-containment. It is well preconfigured by Comodo. Most users do not need to tweak it. It is used as a replacement for the next-gen features used in popular AVs. Currently, it is as effective as next-gen features, at least for non-targeted attacks.

I think that we could talk over and over about why it was effective for the last 10 years, and will probably still be effective with some modifications for another 10 years. But I am currently exhausted after three long Comodo threads. So, anyone interested in Comodo matters must ask someone else.

As a supplement to my posts:
The security standards for popular AVs only partially apply to Comodo because it uses very different security layers, and attackers do not bother to create Comodo-specific malware. For similar reasons, almost all bacteria that kill humans are ineffective against crocodiles.

Could Comodo be stronger if it followed the standards? Yes, it could.
Could Comodo be stronger if it included more next-gen features? Yes, it could. Xcitium is a good example.
Could popular AVs be stronger if they included Comodo-specific features? Yes, they could. (y)

What do I miss in CIS?
 
Thank you, Andy Ful, for your thoughtful and generous contributions. Your insights have consistently brought clarity and depth to complex security discussions, and your analogies—like the crocodile metaphor—make technical concepts accessible and memorable. It’s clear you’ve poured years of dedication into helping others understand Comodo’s unique approach, and many of us have learned a great deal thanks to your efforts.

Even if the threads have been exhausting, your voice remains one of the most respected and valuable in the community. Please know that your work is appreciated, and your perspective continues to inspire meaningful dialogue. If and when you feel ready, we’d be truly grateful to hear more from you—your experience and reasoning are irreplaceable.

Thanks again for everything you’ve shared. You’ve made a lasting impact. (y)
 
@Andy Ful

I believe we've reached an impasse, as the conversation continues to move away from the core technical issues. The debate is no longer about analogies, but about the following established facts.

There are critical, unpatched CVEs in this version of the software.

These vulnerabilities, such as CVE-2025-7096, specifically affect the update mechanism and allow for remote code execution with SYSTEM privileges.

A flaw of this nature bypasses containment features, as it compromises a trusted channel into the operating system.

The vendor has reportedly been unresponsive to these disclosures.

These are the fundamental points. Until they can be addressed directly, any discussion about user habits or other products is a deflection. I've made my position on this risk clear, and I see no value in continuing this back-and-forth.
 
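As an added illustration (not code from Comodo, Xcitium or any poster in this thread) of the model Andy Ful describes above ("Allowlisting + Script Analysis" backed by auto-containment) and of Divergent's point that a flaw in the trusted update channel sits outside that model: a toy default-deny launch policy in Python. The signer names, paths, hashes, the keyed MAC standing in for a vendor code signature, and the suspicious command-line markers are all constructed assumptions for the example, not Comodo's real rules or any real CVE detail.

```python
# Added illustration, not Comodo's code: a toy default-deny launch policy
# (allowlist + script analysis + containment) and a model of why a flaw in a
# trusted updater is outside what that policy can see. Every name, path, key
# and marker below is constructed for the example.
import hashlib
import hmac
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Set, Tuple

TRUSTED_SIGNERS: Set[str] = {"Example Vendor Ltd", "Example OS Corp"}   # hypothetical
KNOWN_GOOD_SHA256: Set[str] = set()                                      # filled by demo()
SCRIPT_INTERPRETERS = {"powershell.exe", "wscript.exe", "cscript.exe", "mshta.exe"}
# Command-line markers a script analyser might flag (illustrative, far from complete)
SUSPICIOUS = [r"-e(ncodedcommand|nc)?\s", r"DownloadString",
              r"\biex\b|Invoke-Expression", r"FromBase64String"]


@dataclass
class Launch:
    image: str              # full path of the executable being started
    content: bytes          # its bytes (hashed against the allowlist)
    signer: Optional[str]   # Authenticode-style signer name, None if unsigned
    signature_valid: bool   # whether that signature actually verifies
    command_line: str = ""


def basename(path: str) -> str:
    return path.replace("\\", "/").rsplit("/", 1)[-1].lower()


def analyze_script(command_line: str) -> List[str]:
    """Return the suspicious markers present in an interpreter's command line."""
    return [p for p in SUSPICIOUS if re.search(p, command_line, re.IGNORECASE)]


def decide(ev: Launch) -> Tuple[str, str]:
    """Default deny: RUN only what is explicitly trusted, CONTAIN everything else."""
    if hashlib.sha256(ev.content).hexdigest() in KNOWN_GOOD_SHA256:
        return "RUN", "hash on allowlist"
    if ev.signer in TRUSTED_SIGNERS and ev.signature_valid:
        # A trusted interpreter is still judged on what it is asked to run.
        if basename(ev.image) in SCRIPT_INTERPRETERS:
            hits = analyze_script(ev.command_line)
            if hits:
                return "CONTAIN", "trusted interpreter, suspicious script: " + ", ".join(hits)
        return "RUN", "trusted signer " + ev.signer
    return "CONTAIN", "unknown or unsigned file"


# --- the trusted-channel point ------------------------------------------------
# decide() only sees process launches. Code that an already-trusted SYSTEM
# process fetches and runs inside itself is never submitted to it, so the only
# control left is whatever checking the updater does on its own input.
VENDOR_KEY = b"constructed-demo-key"  # stand-in for the vendor's signing key;
                                      # real updaters use asymmetric signatures


def sign_package(payload: bytes) -> bytes:
    return hmac.new(VENDOR_KEY, payload, "sha256").digest()


def updater_install(payload: bytes, tag: bytes, verify: bool) -> str:
    """Model of an updater running as SYSTEM; returns what ends up executing."""
    if verify and not hmac.compare_digest(sign_package(payload), tag):
        return "rejected: bad signature"
    return "executed as SYSTEM: " + payload.decode()


def demo() -> Dict[str, str]:
    ps = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
    updater_bin = b"MZ constructed updater bytes"
    KNOWN_GOOD_SHA256.add(hashlib.sha256(updater_bin).hexdigest())
    r: Dict[str, str] = {}
    # Unknown download: default deny puts it in the container
    r["unknown_exe"] = decide(Launch(r"C:\Users\u\Downloads\invoice.exe", b"MZ unknown", None, False))[0]
    # Trusted interpreter with a plain script: allowed
    r["interp_benign"] = decide(Launch(ps, b"MZ ps", "Example OS Corp", True,
                                       "powershell.exe -File backup.ps1"))[0]
    # Same interpreter, encoded command: script analysis sends it to containment
    r["interp_suspicious"] = decide(Launch(ps, b"MZ ps", "Example OS Corp", True,
                                           "powershell.exe -nop -w hidden -enc SQBFAFgA"))[0]
    # The vendor's own updater is on the allowlist and runs unrestricted
    r["updater"] = decide(Launch(r"C:\Program Files\Vendor\updater.exe", updater_bin,
                                 "Example Vendor Ltd", True))[0]
    genuine, tampered = b"component v2", b"attacker payload"
    # Updater that skips verification: tampered package runs as SYSTEM, unseen by decide()
    r["update_unverified"] = updater_install(tampered, sign_package(genuine), verify=False)
    # Updater that verifies: the same package is rejected before anything executes
    r["update_verified"] = updater_install(tampered, sign_package(genuine), verify=True)
    r["update_genuine"] = updater_install(genuine, sign_package(genuine), verify=True)
    return r


if __name__ == "__main__":
    for case, outcome in demo().items():
        print(f"{case:20} -> {outcome}")
```

The first four cases are the containment layer doing its job: the unknown download and the encoded PowerShell command are contained, the plain script and the vendor's own updater run. The last three are the point of contention: once the updater is trusted, whatever it installs without checking executes as SYSTEM and the launch policy never gets a vote, which is why the fix belongs in the updater (verify before executing) rather than in the container.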
Respectfully responding to Divergent’s concerns:

You've raised important points about the risks of unpatched CVEs and the limitations of relying too heavily on sandboxing. I’d like to offer a different perspective on Comodo’s approach, especially in the context of real-world threat models.

🔐 Defense in Depth vs. Practical Containment Comodo’s containment model isn’t about trusting a single layer—it’s built around a default-deny strategy that has proven highly effective against non-targeted attacks. The sandbox is just one part of a broader system that includes script analysis, file reputation, and behavior blocking. This layered approach has consistently stopped threats that bypass traditional AVs.

🕵️‍♂️ Obscurity vs. Attacker Economics While CVEs are public and monitored, most attackers prioritize high-yield targets. Comodo’s lower market share makes it less attractive for mass exploitation. That’s not “security through obscurity”—it’s understanding attacker behavior. Most malware is designed to bypass mainstream AVs, not niche setups like Comodo’s.

🏙️ Vendor Responsibility and Context Yes, vendors should patch vulnerabilities. But Comodo’s architecture means some CVEs may pose less practical risk due to containment. That doesn’t excuse delays, but it does offer context. The goal should be continuous improvement, not blanket dismissal.

🧠 User Choice and Risk Tolerance Labeling Comodo users as “complacent” overlooks the fact that many are power users who understand the trade-offs. They choose Comodo because its model aligns with their security philosophy. Informed practicality is not passivity.

In short, your critique is grounded in best practices, but it may underestimate the effectiveness of Comodo’s unconventional strategy in real-world scenarios. Let’s keep pushing for higher standards—while also recognizing that innovation doesn’t always follow the expected path.