Comodo bypassed AGAIN!

I’ve uploaded the rogue malware for those who want to test it, particularly Egeman and his team haha.

In “Clean PC Mode”, you get no alerts when you run this program. In “Safe Mode” or “Paranoid Mode”, you get 2 alerts about registry modification, and even if you block it, the rogue program keeps running.

I am very surprised that this has bypassed Comodo so easily.

Please check this thread for the original poster:
http://www.wilderssecurity.com/showthread.php?p=1512424#post1512424

Anyone who can confirm that Comodo is bypassed by this rogue malware too?

Edit:
Live malware removed.
!Please do not post live malware on the forums!

Someone is working overtime to bust Comodo’s ■■■ :stuck_out_tongue:

Am still rebuilding my Linux machine - I’ll certainly have a go at this later this evening :slight_smile:

Nothing is being bypassed here… Maybe while testing, people should at least try to know what they are doing… It is not even sophisticated malware. Just a simple application…

[attachment deleted by admin]

Oh dear, perhaps it’s because I ran the test within Sandboxie? Sorry if this turns out to be a false alarm, but I don’t get any of those alerts that you are getting Egeman.

EDIT: Egeman by the way, if you blocked all those alerts, the program doesn’t run? What I had to do to get Comodo to block the program from running after execution was to set Image execution on Aggressive. Even then, I didn’t get an initial execution alert.

I couldn’t confirm the block action with CIS, as the program was stopped when I told it to block. Same with OA++ and OPPro. None of the AVs from these three found anything.

Mbam finds two items, a-squared didn’t find anything. That’s as far as I got. It doesn’t seem to do very much, as Egemen pointed out.

Avira AntiVir detects it. So you got an initial execution alert?

Funny,
I can only block the thing from running if I set image execution control to aggressive :-\ :-\ :-\

Might be because you’re running Shadow Defender to run it haha.

You just want me to run this without any virtual environment. What difference does it make with Shadow Defender?

I’m not too sure mate. But how come Egeman is getting the initial execution alert, and successfully blocking it, all presumably with default configuration?

Because you assume the default configuration is just about turning some settings on or off. It does not work that way. Computer Security Policy differs… Switch to proactive security mode if you would like to see more alerts, or even the COMODO Firewall Security configuration.

This type of software must be detected by AV software as rogue software. And HIPS by default can protect against harmful actions if AV misses it. D+ does its job as expected.

I am in proactive mode.

Same here.

Hello.
Live malware should not be posted on a public forum 88)

Lazy mods ;D taking more than 4 hours to remove the link haha

This is CIS installed on a clean machine, not a VM and all I changed was the setting to proactive security:

I allowed it to go so far before blocking it, picture 4

[attachment deleted by admin]

Which proactive mode should I use for everyday use? ???
The one which says Proactive Security Updated-Updated,
or the one which just says Proactive Security? ???

It is confusing and I think it should be changed. The default is simply ‘Proactive Security’. If you make a change it becomes ‘Proactive Security Updated’ etc, etc.

Ohh, so when I switch to the default proactive mode, I get an execution alert :-TU. But what setting could have caused the execution alert not to come in my changed settings?

And then they think they are being helpful by creating topics with sensationalist titles, lol.

I agree.

After an install or re-install I always ramp up the settings a bit, but then I have no idea if I am still in “Proactive Security” since the information presented is not clear!