Which Elements of Comodo do You Use?

Discussion in 'Comodo' started by AtlBo, Nov 6, 2017.


Elements of Comodo that You Use

Poll closed Dec 6, 2017.
  1. Firewall: 43 vote(s)
  2. HIPS: 16 vote(s)
  3. Auto-Contain: 37 vote(s)
  4. Heuristic Command-line Monitoring: 24 vote(s)
  5. Cloud Lookup: 27 vote(s)
  6. Viruscope: 29 vote(s)
  7. Shortened (Edited) Trusted Vendors List: 11 vote(s)
  8. Detect PUP Software (setting in File Rating Settings): 20 vote(s)
  9. Desktop Widget: 10 vote(s)
  10. Killstart: 12 vote(s)
Multiple votes are allowed.
  1. Opcode

    Opcode Level 18
    Content Creator

    Aug 17, 2017
    Windows 10
    @Sunshine-boy It is because of x64 limitations for kernel-mode interception and ethical requirements. If an AV vendor patches the kernel and it all goes pear-shaped, that is on them - they lose customers because of crashes and maybe even have to spend trouble dealing with lawsuits if the data loss was really bad.

    Some vendors use the hypervisor for isolation, like Comodo (for their sandbox). When utilising the hypervisor you can add support for kernel-mode patching without getting into trouble with PatchGuard - hooking techniques such as MSR (Model Specific Registers) or EPT (Extended Page Table) patching.

    Intel have Extended Page Table (EPT) and AMD have Rapid Virtualization Indexing (RVI). You can block kernel-mode operations on 64-bit systems using the above mentioned techniques through virtualisation - you could even use the techniques to actually monitor how PatchGuard itself works - but it is a bit overkill and can be extraordinarily unpredictable in terms of stability in new and creative ways unless the developer doing this line of work has experience.
    AtlBo and Sunshine-boy like this.
  2. Sunshine-boy

    Sunshine-boy Level 22

    Apr 1, 2017
    Windows 10
    Where can I enable it?! Does a Core i3 CPU support this, or does it need a Core i5+ CPU?
    So AV vendors don't patch the bug because they want to make more money?! Or they don't want to *** with customers? :D Am I right?
    AtlBo likes this.
  3. AtlBo

    AtlBo Level 22

    Dec 29, 2014
    Qihoo 360
    Well, it's only delete. I was running in a standard account, so I wonder what else someone could so easily put in malware in a standard account.

    Thing is, with UAC on the highest setting "Always Notify", I get a password dialog when trying to delete a folder protected by "File Locker". I think it uses UAC this way, or maybe it's just because of the limited account, idk. Anyway, I mean the file was just gone, period. With File Locker, I was getting the UAC alert and then, when I approved that, I would get another UAC-looking message box saying I don't have "permission rights to delete this file". That was File Locker using UAC, I assume.

    @Opcode all you have said is validated with this, although I believed you already. Sometimes, I get the dreary feeling that even the best at Microsoft don't know what to do with the ever morphing blob they have created. Kernel security is right at the core of the problem. I mean, it seems like they are saying to each other, "How far do we have to go changing the kernel for Windows to be securable", but then they end up with tons of compromises because of what's there already and from before...idk...
    Opcode and Sunshine-boy like this.
  4. Opcode

    Opcode Level 18
    Content Creator

    Aug 17, 2017
    Windows 10
    #144 Opcode, Nov 27, 2017
    Last edited: Nov 27, 2017
    You don't do anything regarding it. You can enable hypervisor technology, which is built into the processor hardware, via the BIOS if it is supported. For example, I have an AMD system and via the BIOS I can enable/disable AMD SVM, which is virtualisation technology that was developed by AMD and is supported by my processor. Virtual Machines will also rely on this technology for virtualisation of an OS environment from the ISO image.

    AV vendors don't patch it because it isn't actually a bug. They can't entirely stop attacks from kernel-mode, because kernel-mode is where the OS actually executes from. They can rely on documented kernel-mode callbacks on 64-bit systems to replicate protection mechanisms they may have previously accomplished through kernel-mode patching for older OS versions on 32-bit, but going further than this is just asking for trouble IMO - both genuine and rogue kernel-mode device drivers can bypass these callbacks if the developers know how. Hypervisor virtualisation is typically used for safe browsers (e.g. Kaspersky use it for theirs, which is related to online banking protection) and sandboxing nowadays (e.g. Comodo use it for their sandbox to isolate sandboxed programs from the Host environment, similar to a Virtual Machine isolating an entire OS environment from the main Host environment).

    No matter what happens, if you allow malware to be run with administrator rights and install a kernel-mode device driver, it is game over. At that point you should just format and re-install Windows unless you can reverse engineer the payload entirely to determine everything that had happened for reversing, or had a good and well-stored backup to revert back with. You can use an on-demand scanner or anti-rootkit tools and such to identify malware on the system/malicious actions such as hooks and clean them, but how do you know you'll actually be clean after doing all of this? You'll never know for sure unless you know exactly what the infection did on the system - this is general and not exclusive to just allowing rogue drivers to be installed though.
    AtlBo and Sunshine-boy like this.
  5. Sunshine-boy

    Sunshine-boy Level 22

    Apr 1, 2017
    Windows 10
    Thank you for the information! You are very helpful :D
    AtlBo and Opcode like this.
  6. klaken

    klaken Level 2

    Oct 11, 2014
    Windows 7
    I have a sandbox to see the unknown applications (the last few times I have a year with secure applications). It also gives me an extra layer.

    Comodo's antivirus is used in the sandbox to help identify malware in the sandbox.

    Much malware has not run in the sandbox, so it has not made a program (absolutely nothing); for me it is very suspicious and I use VirusTotal...

    Each one is protected as he/she wants. I prefer that the unrecognized applications stop me.

    As mentioned before, nothing is 100% safe and even a BB can be violated XD
    AtlBo likes this.
  7. shmu26

    shmu26 Level 53

    Jul 3, 2015
    ReHIPS notifies about file modifications only in expert mode. Otherwise, it goes by path.
    AtlBo and Sunshine-boy like this.