Comodo Bypass by CMD file

App Review - The Comodo’s challenge. | MalwareTips Forums

In this conversation, a user manages to stop Comodo services using a CMD shortcut. as he describes in conversation.

He said he is willing to help Comodo if they want to fix the problem.

Regarding mentioned video. Here HIPS module not only deny any malicious cmd execution but also protects CIS internal processes, keys, files etc. So here the analyst disabled it first using admin rights. After that point, none of the sensitive processes, keys, files are protected. I think “disable CF” script also writes to registry to stop cmdvirth.exe thats why he required a restart at that point. So basically he is also stopping containment too.

So if HIPS was not disabled by admin at first place, this case wont happen anyway. Even if that state if an Unknown application launching CMD, CIS would contain it whereas the user is launching it themselves.
So Its not a programmatic attack but user himself, on the computer is turning things off.


True if the user would not disable Xcitium Xcitium would have prevented the attack with HIPS and Auto-Containment


App Review - Comodo’s challenge part 2. | MalwareTips Forums

The user tested again with HIPS enabled, and the result was the same. Deactivation of Comodo services.

Nothing is 100%, there is always a fine line of burdening users. Usability vs Security is a constant battle. We have always been trying to make sure we provide the best security for the usability. We can add many theoritical scenerios that are not a current threat in the wild that might negatively affect usability. However we are always looking for new ways to improve the security without affecting the user experience. We very much appreciate the good work Andy has done and we welcome and encourage more of these kind of POCs so that we can all improve as a community!


@Melih Would it be possible for someone from the team to contact Andy? He was available to send the POC so that, if possible, the weakness could be corrected.

Can you please read my previous post. I think we posted at similar times and you might have missed it.