Comodo CIS)Dead?????? Who knows more ???

Discussion in 'other anti-virus software' started by doolhof, Oct 8, 2021.

  1. GrDukeMalden

    GrDukeMalden Registered Member

    Joined:
    Jun 16, 2016
    Posts:
    491
    Location:
    VPN city
    YES! Digital signatures aren't enough to go on! You need to consider other things too. I said this elsewhere in this thread, but several years ago, VeriSign got hacked and there was malware going around with valid and verified digital signatures from VeriSign. And Comodo allowed all of them, because VeriSign was in their whitelist.

    By the way, I actually uninstalled Chrome and I just use MS Edge (Chromium). It's still a wiretap, but Microsoft is already collecting my data, so it's one less wiretap.
     
  2. cruelsister

    cruelsister Registered Member

    Joined:
    Nov 6, 2007
    Posts:
    1,649
    Location:
    Paris
    You make an excellent point! Although the overwhelming number of malware are unsigned, there have been an increasing number of malicious files that are signed with certificates that have not yet been revoked.

    For this post I ran a little test with CF. I found malware (a coinminer, a RedLine Stealer, a Tesla, and a ransomware file). They had certificates from Sony, HDD Verbatim, Cisco, and cars.com (the cars.com cert just showed up the other day). All had single countersignatures from either Symantec or Sectigo RSA. Some will have a "Certificate cannot be verified" note in spite of the countersig.

    On run, CF detected and deleted the Sony file via VirusScope, and all the others were shunted off into containment to die.
     
  3. DavidXanatos

    DavidXanatos Developer

    Joined:
    Sep 6, 2006
    Posts:
    2,334
    Location:
    Viena
    So it seems it would be a reasonable approach to trust only MSFT sigs out of the box, as we don't want to brick Windows LOL, and for all other files, be they signed or unsigned, ask the user to authorize their execution outside a sandbox. Perhaps with the option, for signed binaries, to whitelist the used certificate instead of only the file hash.
     
  4. cruelsister

    cruelsister Registered Member

    Joined:
    Nov 6, 2007
    Posts:
    1,649
    Location:
    Paris
    I don't quite understand the response, but for the files I cited above all were contained silently without user input with the exception of the ransomware where a very obvious Red Warning box appeared prior to the file being contained with Containment being the default action. Although a choice would appear giving the ability to Trust the file, doing so is equivalent to overriding a Norton AV Detection and proceeding anyway or forgetting to run a file in SBIE.
     
    Last edited: Feb 13, 2023
  5. Brummelchen

    Brummelchen Registered Member

    Joined:
    Jan 3, 2009
    Posts:
    5,931
    I don't trust Comodo signatures, nor NortonLifeLock/Symantec ones, as they were abused. At last Comodo software has abandoned itself, for a reason - pointless, useless, intrusive, dangerous.
     
  6. GrDukeMalden

    GrDukeMalden Registered Member

    Joined:
    Jun 16, 2016
    Posts:
    491
    Location:
    VPN city
    Okay good to know.
     
  7. GrDukeMalden

    GrDukeMalden Registered Member

    Joined:
    Jun 16, 2016
    Posts:
    491
    Location:
    VPN city
    You could do it like SecureAge does it. Make a static whitelist of everything on the system at first install and then have a database of signatures with thumbprints to be auto-allowed. But maybe also factor VirusTotal ratings or something into the mix as well. But any clean VirusTotal ratings should only be considered clean after at least one day of being known to VT.
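An added example (my own, not Comodo's, SecureAge's or any vendor's code) of the allow-list rule that DavidXanatos's post above ("trust only MSFT sigs out of the box, whitelist the certificate instead of the file hash") and this one ("a database of signatures with thumbprints to be auto-allowed") both describe. It does three things the "is it signed?" check from earlier in the thread does not: re-walks the chain with online revocation checking, requires a countersignature, and trusts a leaf certificate only by pinned thumbprint rather than by whichever CA countersigned it. The pin lists and the `-TrustMicrosoft` root check are assumptions you fill from your own store; a VirusTotal first-seen age check is out of scope because it needs a network lookup.

```powershell
function Test-AllowedSignature {
    param(
        [Parameter(Mandatory)] [string] $Path,
        # SHA-1 thumbprints of *leaf* (signer) certificates you have pinned yourself.
        # Pinning the leaf, not the CA, is the point: a chain that ends at
        # Symantec or Sectigo proves nothing about the publisher.
        [string[]] $AllowedThumbprints = @(),
        # Thumbprints of the Microsoft roots taken from your own store, e.g.
        #   Get-ChildItem Cert:\LocalMachine\Root | Where-Object Subject -like '*Microsoft Root*'
        # Only consulted when -TrustMicrosoft is given.
        [string[]] $MicrosoftRootThumbprints = @(),
        [switch]   $TrustMicrosoft
    )

    function New-Verdict([bool] $Allowed, [string] $Reason) {
        [pscustomobject]@{ Path = $Path; Allowed = $Allowed; Reason = $Reason }
    }

    $sig = Get-AuthenticodeSignature -FilePath $Path
    if ($sig.Status -ne 'Valid') { return (New-Verdict $false "Authenticode status: $($sig.Status)") }
    $cert = $sig.SignerCertificate

    # Re-walk the chain with online revocation checking on every element.
    # 'Valid' from Get-AuthenticodeSignature does not promise that a CRL/OCSP
    # lookup happened, and a cert that is abused but not yet revoked still passes
    # either way; this at least catches the ones that have been revoked.
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    $chain.ChainPolicy.RevocationMode    = [System.Security.Cryptography.X509Certificates.X509RevocationMode]::Online
    $chain.ChainPolicy.RevocationFlag    = [System.Security.Cryptography.X509Certificates.X509RevocationFlag]::EntireChain
    $chain.ChainPolicy.VerificationFlags = [System.Security.Cryptography.X509Certificates.X509VerificationFlags]::NoFlag
    try {
        if (-not $chain.Build($cert)) {
            # With NoFlag, an unreachable CRL/OCSP responder also fails Build(),
            # which is what we want: "could not check" must not become "allowed".
            $why = ($chain.ChainStatus | ForEach-Object { "$($_.Status)" }) -join ', '
            return (New-Verdict $false "Chain failed: $why")
        }
        $root        = $chain.ChainElements[$chain.ChainElements.Count - 1].Certificate
        $rootThumb   = $root.Thumbprint.ToUpperInvariant()
        $rootSubject = $root.Subject
    } finally { $chain.Dispose() }

    # The countersignature (timestamp) is what lets a signature outlive its
    # certificate; a valid signature without one is not auto-allowed here.
    if (-not $sig.TimeStamperCertificate) {
        return (New-Verdict $false 'Valid but not countersigned; not auto-allowed')
    }

    $thumb = $cert.Thumbprint.ToUpperInvariant()
    $pins  = $AllowedThumbprints | ForEach-Object { ($_ -replace '[\s:]', '').ToUpperInvariant() }
    if ($thumb -in $pins) { return (New-Verdict $true "Pinned signer $thumb ($($cert.Subject))") }

    if ($TrustMicrosoft -and
        $cert.Subject -match '(^|, )O=Microsoft Corporation(,|$)' -and
        $rootThumb -in ($MicrosoftRootThumbprints | ForEach-Object { ($_ -replace '[\s:]', '').ToUpperInvariant() })) {
        return (New-Verdict $true "Microsoft-signed, chains to pinned Microsoft root $rootThumb")
    }

    # Signed, timestamped and verifiable, but by nobody we pinned: this is the
    # RedLine/coinminer case from the thread. Leave it to containment or the user.
    return (New-Verdict $false "Valid signature from un-pinned signer: $($cert.Subject); root: $rootSubject")
}

# Usage (constructed pin list; replace with thumbprints you verified yourself):
# $pins = @('0123456789ABCDEF0123456789ABCDEF01234567')
# Get-ChildItem "$env:TEMP" -Recurse -Include *.exe,*.dll -File |
#     ForEach-Object { Test-AllowedSignature $_.FullName -AllowedThumbprints $pins } |
#     Format-Table Allowed, Reason, Path -AutoSize
```

Note that Microsoft rotates its leaf signing certificates often, which is why the example trusts Microsoft by subject plus a pinned root rather than by leaf thumbprint; every other publisher is pinned at the leaf, so a stolen or fraudulently issued certificate in the same CA's hierarchy gets no free pass.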
     
  8. Infected

    Infected Registered Member

    Joined:
    Feb 9, 2015
    Posts:
    1,138
    Yeah, this guy hates Comodo. Even said that he made a script that would unhook in Comodo's sandbox lol, not realizing that if you have Comodo set to restricted or untrusted, Comodo runs on the kernel level, which nothing could basically unhook...
     
  9. DavidXanatos

    DavidXanatos Developer

    Joined:
    Sep 6, 2006
    Posts:
    2,334
    Location:
    Viena
    You cannot hook anything in the Windows kernel since the introduction of PatchGuard by MSFT; drivers must use callback mechanisms offered by the kernel, and these mechanisms are available for file access, registry access, a subset of object handles, ... And as I wrote already, I'm perfectly aware that Comodo uses these facilities: "last time I checked (2021) Comodo was using a mini-filter driver, registry callbacks and ObCallbacks". And guess what, this is not enough! The Windows kernel does _not_ offer an ObCallback for "ALPC Ports", so what does Comodo do to isolate those? Only user mode hooks, which can be unhooked easily.
    Without a filter on ALPC Port connections any application with elevated privileges can mess with the system.

    Look, it's understandable why Comodo did not properly isolate their sandbox, because it's hard, but they could have prevented programs starting within their sandbox from running with administrative or system tokens.
    Yes, of course this would break the ability to run installers and the like in their sandbox, not cool, not cool at all... but it would be safe.
     
    Last edited: Feb 14, 2023
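An added example (my own, not Comodo's or Sandboxie's code) of the mitigation the post above proposes: a launcher that refuses to start a child while the launching token is elevated or high/system integrity, and otherwise starts it under a SAFER "Basic User" token via `runas /trustlevel:0x20000`, which marks the Administrators group deny-only and raises no UAC prompt. It reads the integrity label from `whoami /groups` because `WindowsIdentity` does not expose the mandatory label; the function names are mine.

```powershell
function Get-TokenIntegrityLevel {
    # Mandatory label SIDs are S-1-16-<RID>: 4096 Low, 8192 Medium, 12288 High, 16384 System.
    $label = whoami /groups /fo csv | ConvertFrom-Csv |
        Where-Object { $_.SID -like 'S-1-16-*' } | Select-Object -First 1
    if (-not $label) { return 'Unknown' }
    $rid = [int]($label.SID -replace '^S-1-16-', '')
    switch ($rid) {
        4096    { 'Low' }
        8192    { 'Medium' }
        12288   { 'High' }
        16384   { 'System' }
        default { "RID $rid" }
    }
}

function Test-TokenElevated {
    # True only for an elevated token; a UAC-filtered admin session reports False
    # because its Administrators SID is deny-only.
    $id = [Security.Principal.WindowsIdentity]::GetCurrent()
    $principal = New-Object Security.Principal.WindowsPrincipal($id)
    return $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)
}

function Start-ContainedProcess {
    param([Parameter(Mandatory)] [string] $CommandLine)

    $level = Get-TokenIntegrityLevel
    if ((Test-TokenElevated) -or $level -in @('High', 'System')) {
        # The child would inherit this token. Fail closed instead of starting it.
        throw "Refusing to launch '$CommandLine': launcher token is $level/elevated."
    }

    # 0x20000 is the SAFER 'Basic User' level (see: runas /showtrustlevels).
    # The child gets a restricted token: Administrators deny-only, admin
    # privileges removed. No password prompt, unlike runas /user.
    & runas.exe /trustlevel:0x20000 $CommandLine
}

# Usage from a normal (medium integrity) PowerShell:
#   Start-ContainedProcess 'C:\Downloads\installer.exe'
# From an elevated PowerShell the same call throws instead of launching.
```

As the post says, this breaks installers that genuinely need admin rights; that is the trade-off being argued, not a defect of the check. The restricted token is a SAFER construct, not a sandbox: it lowers what the child can do, it does not filter what the child can talk to over ALPC.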
  10. cruelsister

    cruelsister Registered Member

    Joined:
    Nov 6, 2007
    Posts:
    1,649
    Location:
    Paris
    As a developer of one product it is rather unseemly to discuss perceived deficiencies in another.
    There are settings that do just that if one so chooses.
     
  11. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    17,559
    Location:
    The Netherlands
    To clarify, we should not forget that Sandboxie isn't an AV, so if it would allow malware to run unsandboxed, it's the job of the AV to stop this. My idea about simply looking at digital signatures was because I believe most tools like OSArmor and SpyShelter make use of the Trusted Vendors method to decide whether they should auto-allow certain apps' behavior.

    It's weird that they have made it difficult to find the full installer for CIS, I don't like this at all. I do have an old version of Comodo Cloud AV (with sandbox) but I don't know if it will run on Win 10.
     
  12. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    17,559
    Location:
    The Netherlands
    OK thanks, I sometimes go to YouTube to search for 80's and 90's pop and rap music. Also make sure to check out Higher Love from Steve Winwood, I totally forgot about this song. But anyway, what about my other question about the RATs? Do they try to evade the firewall or not?

    I haven't got a problem with this, as long as it's based on facts. I don't think David Xanatos has got any bad intentions, but I'm not sure if what he says about Comodo is entirely true, I can't imagine them making such a design blunder, but who knows.
     
  13. GrDukeMalden

    GrDukeMalden Registered Member

    Joined:
    Jun 16, 2016
    Posts:
    491
    Location:
    VPN city
    Yes! Comodo had an issue with that sometimes. After I did a Windows update on my old laptop with Comodo IS installed, the system bricked.

    I got a black screen of death after login and I couldn't use the machine at all anymore. I tried to boot into safe mode, but that version of Windows 8.1 didn't let me do that without msconfig, which I couldn't use because the screen after login was black.

    My usage of Comodo over the years has given me a lot of performance problems. And as I said before, Comodo/Xcitium's support over their forums is useless for any kind of performance issue with Windows itself. They lead you in circles and make you repeat yourself over and over.

    I'll wait until the next version of Comodo comes out before I fiddle with it again.
     
  14. B-boy/StyLe/

    B-boy/StyLe/ Registered Member

    Joined:
    Sep 19, 2012
    Posts:
    519
    Location:
    Bulgaria
  15. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    17,559
    Location:
    The Netherlands
    Interesting, not sure how I feel about the new GUI though, perhaps it's skinnable? And I hate those dumb and pointless HIPS alerts about ''openhosts.bat is trying to access notepad.exe in memory.'' How on earth are we supposed to know if this is normal behavior or not? I mean this kind of stuff is way too common.
     
  16. B-boy/StyLe/

    B-boy/StyLe/ Registered Member

    Joined:
    Sep 19, 2012
    Posts:
    519
    Location:
    Bulgaria
    The HIPS has always operated like that. Nothing new here. You can always check the filepath of the file or even check other parameters before taking the decision to allow or to block. Or simply skip the HIPS and use only the Containment. :)
     
  17. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    17,559
    Location:
    The Netherlands
    Yes I know, and that's why it gets on my nerves. The HIPS shouldn't be asking these dumb questions about explorer.exe and whatnot, it should be more fine-tuned. Of course it's probably possible to disable this stuff, that's what I've done in SpyShelter. And I already use Sandboxie, so I never really needed Comodo's containment feature. It's the HIPS that interested me, but I decided to go with SpyShelter, which is probably a bit less advanced.
     
  18. Nastrahl

    Nastrahl Registered Member

    Joined:
    Feb 8, 2017
    Posts:
    11
    Location:
    Paris
    That’s the sole purpose of an HIPS… to tune it yourself, else there’s no point.
     
    Last edited: Mar 4, 2023
  19. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    17,559
    Location:
    The Netherlands
    Yes of course, but I would advise HIPS developers to leave certain behaviors unchecked, so that you won't bombard users with all of these alerts. For people who might think it's useful to be alerted about stuff like ''process memory reading'', which is actually triggered by just about ALL apps, they can always turn this protection on, that's my point.
     
  20. wat0114

    wat0114 Registered Member

    Joined:
    Aug 5, 2012
    Posts:
    4,066
    Location:
    Canada
    If Path and Wildcards are allowed in the HIPS, a lot of these endless alerts can be resolved with, for example:

    Allow to access memory=

    C:\Program Files\*
    C:\Program Files (x86)\*
    C:\Windows\System32\*
    C:\Windows\SysWOW64\*

    Just a simple example. Of course any kind of Path rule for a trusted executable could be created for this type of rule, and obviously you have to be careful not to over-allow paths that are commonly targeted by malware, such as in Temp and userspace areas.
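An added example (my own, not the rule engine of Comodo, SpyShelter or OSArmor) that models the "Allow to access memory" path rules from the post above together with the two checks a practitioner wants around them: normalise the path before matching, so `..` cannot make a file under a user profile look like it lives under Program Files, and let deny rules for user-writable locations override the broad allow wildcards. The allow list is the one from the post; the deny list is an assumption for illustration (the `Tasks` and `Temp` directories under `C:\Windows` are writable by ordinary users, so they sit inside the allowed trees).

```powershell
# Allow list exactly as posted.
$AllowMemoryAccess = @(
    'C:\Program Files\*'
    'C:\Program Files (x86)\*'
    'C:\Windows\System32\*'
    'C:\Windows\SysWOW64\*'
)

# User-writable trees that the wildcards above would otherwise cover.
# Illustrative; extend from your own ACL survey.
$DenyMemoryAccess = @(
    'C:\Users\*'
    'C:\Windows\Temp\*'
    'C:\Windows\Tasks\*'
    'C:\Windows\System32\Tasks\*'
)

function Resolve-RulePath {
    param([Parameter(Mandatory)] [string] $Path)
    # Collapses '.', '..', doubled separators and forward slashes without
    # touching the filesystem, so it also works for files that do not exist yet.
    # It does NOT expand 8.3 short names or follow junctions; those need a
    # separate check before the rule match.
    return ([System.IO.Path]::GetFullPath($Path)).TrimEnd('\')
}

function Test-MemoryAccessAllowed {
    param([Parameter(Mandatory)] [string] $RequestorPath)
    $p = Resolve-RulePath $RequestorPath

    # Deny rules win. -like is case-insensitive, matching Windows path semantics.
    foreach ($rule in $DenyMemoryAccess) {
        if ($p -like $rule) { return [pscustomobject]@{ Path = $p; Allowed = $false; Rule = $rule } }
    }
    foreach ($rule in $AllowMemoryAccess) {
        if ($p -like $rule) { return [pscustomobject]@{ Path = $p; Allowed = $true; Rule = $rule } }
    }
    # No rule: this is where the HIPS would raise its alert.
    return [pscustomobject]@{ Path = $p; Allowed = $false; Rule = '(no rule: ask the user)' }
}

# Constructed sample requests (not real detections):
@(
    'C:\Program Files\Mozilla Firefox\firefox.exe'            # allowed
    'C:\Windows\System32\notepad.exe'                          # allowed
    'C:\Windows\System32\Tasks\update.exe'                     # denied: user-writable subtree
    'C:\Program Files\..\Users\bob\AppData\Local\Temp\x.exe'   # denied once normalised
    'D:\Tools\procexp.exe'                                     # no rule
) | ForEach-Object { Test-MemoryAccessAllowed $_ } | Format-Table Allowed, Rule, Path -AutoSize
```

Without `Resolve-RulePath`, the fourth sample matches `C:\Program Files\*` verbatim and would be auto-allowed; that is the over-allow the post warns about, just reached through path syntax rather than through a careless rule.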
     
  21. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    17,559
    Location:
    The Netherlands
    I'm not sure if this is possible in Comodo and SpyShelter, to simply mark certain folders as trusted. Also, I assume this wouldn't help to stop alerts when you are installing apps. But to clarify, my point is that there are certain things that are pretty much pointless to monitor, since there is no way to know whether it's normal behavior or not. So that's why I simply turn them off.
     
  22. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    17,559
    Location:
    The Netherlands
    BTW, speaking of Comodo's virtualization methods, it's described over here. I do wonder if this will break most apps from being able to run or install correctly, and I don't know if it's any more or less secure than Sandboxie's containment technology. I assume they work about the same, but Comodo has actually patented this ''Kernel API Virtualization'' stuff, so you would think it's unique to them?

    https://techtalk.comodo.com/2020/08/17/comodos-patented-kernel-api-virtualization-under-the-hood/
     