Comodo is a giant PITA. It can and will catch and show your entire chain of execution and a great deal of your file I/O. If you drop and run, it will show where you drop, what you run, and what you run runs. Yeah, it's that bad.
There is a magical place that for some reason Comodo likes to ignore. The Recycle Bin. You know, that folder of stuff users have deleted? Stuff that probably has no business executing at all, let alone dropping and running other code? Yeah – they like to ignore initial execution out of that bad boy.
So, if Comodo is being a pain (i.e., working as intended), try throwing your binaries into C:\$Recycle.Bin (Win Vista/7/8) or C:\RECYCLER (XP). You don’t even have to throw it into any of the actual user’s recycle bin folders (the ones with the ginormously long SIDs as folder names), just in the root of the recycle bin itself is fine.
Please note that this is only a partial defeat. It may let you get away with initial execution, but other things you do once running could still get caught. Comodo is annoying like that. Test, test, retest, and may the force be with you.
Mind linking the source of this quote? Although this statement is false because the sandbox has a rule that blocks execution of executables that are located in the “suspicious locations” file group which contains the recycle bin path.
The CIA does not need a flaw to monitor the world; 88)
Sorry for the joke!
The sandbox blocks “recyclebin”, but the folder is in the exceptions of the antivirus and depending on the execution mode of the malicious file can perform part of the tasks for which it was assigned >:-D
The AV exclusion of the recycle bin is just that, an exclusion to prevent the AV from scanning and thus detecting files in the recycle bin. If said files attempt to get executed, then depending on how CIS is configured, you will get a HIPS alert warning for execution, or the sandbox automatically blocks the execution due to the mentioned sandbox rule.
To finish that quote:
lots of them haven’t upgraded to 6.X. Kind of a shame, cuz this is a hole you could drive a very large wheeled freight carrying vehicle through. However, if you’re lucky enough to be going against a target running 6.X, have fun!
Sounds like both documents about comodo are talking about version 6 which means none of that is relevant for version 10.
Excluded recycle bin from AV scanning is not a big deal since we have default sandbox rule to block any execution from this location.
Although, I’ve requested removing it from exclusions back in 2013 with CIS version 7.0 alpha (Bugzilla=694). It was the time ZeroAccess rootkit placing its files in the recycle bin.
Comodo, as you may know, is a colossal pain in the posterior. It literally catches everything until you tell it not to, including standard windows services (say what?!?).
…at least, that’s what happens on Comodo 5.X. In 6.X, Comodo apparently decided that catching things that were part of windows was a Bad Thing™. Their “fix” was… kinda lame
Anything running as SYSTEM is automatically legit under 6.X. ANYTHING. Let that sink in. Got a kernel level exploit? Good, because you can drop the kitchen sink and the contents of your garage and as long as you continue to run as SYSTEM you are golden. Yeah.
Needless to say, Comodo 6.X doesn’t catch nearly as much stuff. Comodo’s user base, paranoid bastards that they are, has apparently caught wind of this and lots of them haven’t upgraded to 6.X. Kind of a shame, cuz this is a hole you could drive a very large wheeled freight carrying vehicle through. However, if you’re lucky enough to be going against a target running 6.X, have fun!
!ot! As a CCAV user, could someone advise which product (CCAV or CIS) offers the best security? I’m thinking CIS as it includes a firewall or is Windows firewall up to the job? Btw, running Windows 10.