By Staff What is really going on in the Comodo threads?

In your opinion, what is the main cause of the issues in Comodo threads?

  • Strong personalities – some members can’t let things go.

  • Product history – Comodo has a long, controversial reputation that always reignites old debates.

  • Poor wording / labels – terms like fanboy, hater, or dismissive comments that trigger arguments.

  • Over-reporting – members report posts just because they disagree, not because rules were broken.

  • Moderation approach – staff may intervene too much or too little, creating frustration.

  • Other (please explain in a reply).


Respectfully responding to Divergent’s concerns:

You've raised important points about the risks of unpatched CVEs and the limitations of relying too heavily on sandboxing. I’d like to offer a different perspective on Comodo’s approach, especially in the context of real-world threat models.

🔐 Defense in Depth vs. Practical Containment

Comodo’s containment model isn’t about trusting a single layer—it’s built around a default-deny strategy that has proven highly effective against non-targeted attacks. The sandbox is just one part of a broader system that includes script analysis, file reputation, and behavior blocking. This layered approach has consistently stopped threats that bypass traditional AVs.

🕵️‍♂️ Obscurity vs. Attacker Economics

While CVEs are public and monitored, most attackers prioritize high-yield targets. Comodo’s lower market share makes it less attractive for mass exploitation. That’s not “security through obscurity”—it’s understanding attacker behavior. Most malware is designed to bypass mainstream AVs, not niche setups like Comodo’s.

🏙️ Vendor Responsibility and Context

Yes, vendors should patch vulnerabilities. But Comodo’s architecture means some CVEs may pose less practical risk due to containment. That doesn’t excuse delays, but it does offer context. The goal should be continuous improvement, not blanket dismissal.

🧠 User Choice and Risk Tolerance

Labeling Comodo users as “complacent” overlooks the fact that many are power users who understand the trade-offs. They choose Comodo because its model aligns with their security philosophy. Informed practicality is not passivity.

In short, your critique is grounded in best practices, but it may underestimate the effectiveness of Comodo’s unconventional strategy in real-world scenarios. Let’s keep pushing for higher standards—while also recognizing that innovation doesn’t always follow the expected path.

Defense in Depth vs. a Compromised Foundation

You're correct that Comodo's model is a layered approach. However, the principle of "defense in depth" applies to the entire system, not just the sandbox. The critical CVEs we are discussing are "internal flaws in the security product's own trusted components", like the update mechanism.

A compromised updater with "SYSTEM privileges" (like CVE-2025-7096) renders every other "layer" irrelevant. That's not defense in depth, it's a compromised foundation.

Attacker Economics

Opportunity vs. Popularity


This view of "attacker economics" is dangerously outdated. While the development of complex, "zero-day" malware is targeted, the exploitation of known, high-severity CVEs is often "automated and opportunistic".

Scanners are constantly searching for "any" unpatched system vulnerable to a known RCE. To an automated scanner, a vulnerable Comodo installation isn't a "niche target", it's simply a target. The cost to exploit is low, and the potential reward (SYSTEM access) is high, regardless of market share.

Vendor Responsibility is Not Contextual for Critical Flaws

The "context" you're offering is that the vendor believes their containment model justifies an absent patch for a critical vulnerability. This is a fundamentally flawed approach to risk management. The industry standard is to "patch critical vulnerabilities, period". Using one feature (the sandbox) as a reason "not" to fix a flaw in another critical component (the updater) is a dangerous precedent that no security professional should endorse.

Informed Choice Requires Acknowledging the Full Risk

"Informed practicality" is exactly what this discussion is about. A user can only be truly "informed" if the risks are presented clearly. Downplaying a critical RCE in a trusted update process as a "trade-off" is misleading. The real trade-off here isn't one feature versus another, it's accepting a vendor's poor security posture versus choosing one that adheres to basic standards of accountability.

In short, while Comodo's containment model is powerful in theory, it cannot be used as a shield to excuse fundamental failures in vendor responsibility and basic security hygiene.
 
Thank you, Divergent, for your detailed and passionate response. Your concern for responsible security practices and vendor accountability is clear, and your effort to highlight the risks of unpatched CVEs—especially those affecting trusted components like the updater—is appreciated. These are serious issues that deserve thoughtful discussion.

That said, I’d like to offer a final perspective to balance the conversation.

🔧 On the “Compromised Foundation” Argument

You’re absolutely right that a vulnerability in a trusted component like the updater (e.g., CVE-2025-7096) is critical. However, Comodo’s containment model is designed to mitigate damage even in worst-case scenarios. While no security model is perfect, containment adds a unique layer of resilience that many traditional AVs lack. It’s not a substitute for patching—but it’s not irrelevant either.

⚙️ On Automated Exploitation and Market Share

You mention that automated scanners don’t care about market share, and that’s true in theory. But in practice, exploitation still depends on exposure. Comodo’s user base is relatively small and often configured by advanced users with hardened setups. That doesn’t make it immune, but it does reduce the likelihood of successful opportunistic attacks. Risk is never zero—but it’s not binary either.

📉 On Vendor Responsibility and Risk Management

I agree that vendors should patch critical vulnerabilities. But risk management is about prioritization, context, and mitigation. Comodo’s architecture—while unconventional—does offer compensating controls. That doesn’t excuse delays, but it does mean the conversation isn’t as black-and-white as “patch or perish.”

🧠 On Informed Choice and Transparency

You argue that users can only make informed choices if all risks are clearly presented. I fully support that. But I also believe many Comodo users are well aware of the trade-offs and choose the product because its model aligns with their threat profile. It’s not about ignoring risk—it’s about managing it differently.

In closing, I appreciate your commitment to high standards and your willingness to challenge assumptions. That’s what makes this community valuable. While we may differ in how we assess Comodo’s approach, I believe both perspectives contribute to a more informed and balanced understanding.

Thanks again for the thoughtful exchange.
 
Thank you for the polite summary. However, I must firmly disagree with the premise that this is a matter of "balanced perspectives."

This isn't a philosophical debate, it's a technical risk assessment. Risk management isn't about balancing a known, critical flaw against a mitigating feature. It's about "eliminating the critical flaw."

A feature like containment is a compensating control for "unknown" threats, not an excuse to ignore a severe, documented vulnerability in a core, trusted function.

Let's use one final analogy. You own a skyscraper with a state-of-the-art fire suppression system. That's your containment. The fire department has informed you that the building's main electrical wiring has a documented flaw that causes it to spontaneously combust.

A responsible owner fixes the faulty wiring. They do not say, "The fire suppression system will probably handle it," or "Arsonists don't usually target buildings on this street."

The existence of an unpatched, critical RCE in a trusted updater is the faulty wiring. It is an objective, unacceptable failure of security fundamentals. There is no "context" or "perspective" that makes this acceptable.

Thank you for the discussion.
 
Thank you, Divergent, for your detailed and passionate response. Your concern for responsible security practices and vendor accountability is clear, and your effort to highlight the risks of unpatched CVEs—especially those affecting trusted components like the updater—is appreciated. These are serious issues that deserve thoughtful discussion.

That said, I’d like to offer a final perspective to balance the conversation.

🧱 On the “Compromised Foundation” Argument

You're absolutely right that a vulnerability in a trusted component like the updater (e.g., CVE-2025-7096) is critical. However, Comodo’s containment model is designed to mitigate damage even in worst-case scenarios. While no security model is perfect, containment adds a unique layer of resilience that many traditional AVs lack. It’s not a substitute for patching—but it’s not irrelevant either.

🔄 On Automated Exploitation and Market Share

You mention that automated scanners don’t care about market share, and that’s true in theory. But in practice, exploitation still depends on exposure. Comodo’s user base is relatively small and often configured by advanced users with hardened setups. That doesn’t make it immune, but it does reduce the likelihood of successful opportunistic attacks. Risk is never zero—but it’s not binary either.

📉 On Vendor Responsibility and Risk Management

I agree that vendors should patch critical vulnerabilities. But risk management is about prioritization, context, and mitigation. Comodo’s architecture—while unconventional—does offer compensating controls. That doesn’t excuse delays, but it does mean the conversation isn’t as black-and-white as “patch or perish.”

🧠 On Informed Choice and Transparency

You argue that users can only make informed choices if all risks are clearly presented. I fully support that. But I also believe many Comodo users are well aware of the trade-offs and choose the product because its model aligns with their threat profile. It’s not about ignoring risk—it’s about managing it differently.

In closing, I appreciate your commitment to high standards and your willingness to challenge assumptions. That’s what makes this community valuable. While we may differ in how we assess Comodo’s approach, I believe both perspectives contribute to a more informed and balanced understanding.

With this response, I’ll be stepping away from this topic with you—always with respect and gratitude for the dialogue.
 
I'll accept that as your final word on the topic.

This has never been a debate between two valid perspectives on risk management. It has been a discussion about an objective security failure versus a series of justifications for it.

The fundamental, unaddressed facts remain.

The software has a critical, unpatched RCE.

It affects a trusted component with SYSTEM privileges.

It bypasses the very containment model offered as a defense.

A compensating control for unknown threats cannot excuse a vendor's failure to patch a critical, known vulnerability. That is the beginning and the end of the issue.

I appreciate the exchange as well.
 
A compensating control for unknown threats cannot excuse a vendor's failure to patch a critical, known vulnerability. That is the beginning and the end of the issue.

I regret that you did not read my post from over two weeks ago. This could save us much time. Be safe:

 

You've tagged a post that perfectly illustrates the dangerous flaw in this entire line of reasoning.

The argument that 13 vulnerabilities last year went unexploited "that they know of" is not a defense, it's an admission of survivorship bias. It's the security equivalent of saying, "I drove home with faulty brakes yesterday and didn't crash, so they're probably fine for the foreseeable future."

Professional security is the practice of eliminating known, critical risks, not banking on the hope that attackers will continue to overlook them.

The situation today is objectively worse. We are discussing critical, publicly-known RCEs in a trusted update mechanism. To suggest that we should all just "get lucky" again is a complete abandonment of security principles. Luck is not a strategy.
 
@Divergent,

You are turning in a circle. You have taken the discussion back to the post:


You can continue (if you want) by reading my posts again. I have nothing better to add.

Edit.
Maybe Comodo users can explain their choice better. However, I would suggest not being a do-gooder for them.(y)
 
Summary of this thread... In a world full of Batmans flaunting fancy toys, Comodo is like Superman with Kryptonite and new CVE weaknesses—still proving it's the ultimate superhero with natural unbeatable powers of containment! Just stick with your red-caped superhero, Comodo! 😊
 
To summarize the core security issue for anyone following this discussion:

The Facts

The current version of Comodo Internet Security has several documented, unpatched CVEs, including critical ones like CVE-2025-7096.

The Risk

These specific vulnerabilities allow for Remote Code Execution with the highest possible (SYSTEM) privileges.

The Vector

The attack vector is the software's own trusted update process, which means that containment features like the sandbox are bypassed by design.

The Principle

The industry best practice is that a known, critical vulnerability in a security product's trusted core must be patched. Relying on market share or other features as a reason to ignore the flaw is not a recognized security strategy.

I hope this provides a clear, fact-based conclusion for anyone assessing the risks involved. Thank you.
 
Summary of this thread... In a world full of Batmans flaunting fancy toys, Comodo is like Superman with Kryptonite and new CVE weaknesses—still proving it's the ultimate superhero with natural unbeatable powers of containment! Just stick with your red-caped superhero, Comodo! 😊
:ROFLMAO: I don't understand why there is so much drama surrounding Comodo. Most people don't use CIS, they only use third-party CF + AV. The firewall and containment are essential for protection, nothing more. To tell the truth, even CF updates are of little importance. ☺️
 
Grab some 🍿 and watch the drama. I've never seen so much discussion over such irrelevant software that hardly anyone uses.

With the amount of time people have wasted and spent arguing we could have probably designed, developed and launched a brand new HIPS 💾.

And posting A.I. generated slop as a response is a waste of everyone's time.
 
:ROFLMAO: I don't understand why there is so much drama surrounding Comodo. Most people don't use CIS, they only use third-party CF + AV. The firewall and containment are essential for protection, nothing more. To tell the truth, even CF updates are of little importance. ☺️
Cheers to the one and only truth! 🍻... The firewall and containment are the real Comodo heroes, not the drama queens of updates! 😊
 
The Bridge of the U.S.S. Integrity

Red alert sirens are blaring softly. CAPTAIN DIVERGENT is calmly sipping a coffee-like beverage. ENGINEER ANDY FUL frantically adjusts a console.

Captain Divergent

"Engineer, status report on that hull fracture listed in this week's Starfleet security bulletin."

Engineer Andy

"The fracture is stable, Captain! Our containment field is state-of-the-art. If anything gets through, it'll be instantly trapped in a temporal loop in the cargo bay! Besides, the Ferengi ships have even bigger fractures!"

(A transmission comes in from the observation deck.)

Ensign Rashmi (over intercom)


"Captain, some of the civilian crew see this differently. They say the U.S.S. Integrity is like a Kryptonian—even with a small piece of Kryptonite nearby, its natural, unbeatable powers of containment make it the ultimate superhero!"

Captain Divergent

"Ensign, remind the civilians that Kryptonite doesn't just weaken a Kryptonian, it neutralizes all their other powers. That hull fracture is our Kryptonite. It makes our 'unbeatable' containment field irrelevant."

Science Officer Trident

(Looking up from a glowing blue tricorder)

"A crack upon the vessel's hide,
Invites the void to come inside.
A field of force, a noble thing,
But what of flaws the builders bring?"

(A junior technician from engineering chimes in.)

Technician Piquiteco: (over intercom)

"Respectfully, Captain, most of the crew just relies on the containment field and the forward shields. The system that delivers the weekly patches... it's of little importance."

Captain Divergent

(Leans into his comms panel, his voice firm)

"Technician, that system is the single most trusted channel on this ship. The CVE we're discussing allows an enemy to hijack it. That's not a hull fracture, that's letting them beam their own sabotage crew directly into Engineering."

Engineer Andy

"But Captain, we haven't exploded yet! The ship works well! And no one is designing 'Integrity-specific' torpedoes!"

Captain Divergent

(Points to the main viewscreen, which shows a small, non-threatening probe approaching)

"They don't have to. That's a standard Class-1 survey probe. It's not a threat... unless it happens to bump into our known hull fracture and causes a catastrophic decompression."

Engineer Andy: "...I'll get right on that patch, Captain."

-Crafted with respect for the passionate minds on this thread.
 
Grab some 🍿 and watch the drama.
It's like this everywhere on the internet.

I've never seen so much discussion over such irrelevant software that hardly anyone uses.
Historically, hundreds of millions of people have downloaded Comodo.

Today, there's probably 1+ million Comodo users globally - that don't care about any online security forum discussions, debates, outrage, drama, flame wars, gaslighting, trolling, etc.

:ROFLMAO: I don't understand why there is so much drama surrounding Comodo.
There has been Comodo drama since its birthday - Day 1.

Melih and Comodo live rent free in a lot of people's minds.
 
...but how could those 1,000,001
Although your question was directed at @bazang, Comodo collects telemetry like many other products do. They estimate how many CIS installations there are worldwide using their product. Is this true? Yes, even if you don't believe it, it's quite possible that Comodo has over 1 million global users. It may seem like little to some and a lot to others, but it is an estimate.
 
...but how could those 1,000,001 run it successfully without watching and discussing @cruelsister CF setup video(s) :unsure:
  • No CruelTV channel subscription
  • Read the manual
  • Smart, figured it out for themselves
  • Just lucky
  • Turned off all the settings
  • Don't know there's a problem
  • Don't care there's a problem
  • Comodo just works for them
  • Too busy watching porn to notice anything else
  • Comodo Jedi Knights
  • :alien: