Comodo could be quite formidable

“As companies continue to zero in on the silver bullet of “protection” without considering the redundancy and impotence of their security layers, the result is a porous security posture with limited capabilities.” ~Comodo

I by no means am an expert, my skill level is pretty minor, Ive just had some practice over the years refusing to accept defeat and cleaning instead of nuking.
It all started a while back, with an obsolete video divers from necessity, it turned into a keylogger, had a pile of graphical glitches affecting comodo, pornhub, website logins.
Running a full battery of hardware diagnostics ram, vram, hdd ram, l1/l2/l3 cpu cache, video card etc showed all was good.
Then google started flagging me for suspicious network activity.
There was some issues with memu (android emulator) leaking and corrupting filzilla sftp transfers, but i moved over to nox.
There was a worm that kept coming back in memu, infected nox
occasionally the sound driver wouldn’t boot properly on a cold boot.
sometimes laptop would run hot, fan going nuts, but nothing, and i mean nothing in task manager/cpu use cpu time/io etc would explain this
Then origin started acting strangely.

Putting it all together i was getting more and more sure something was there.
Not that i wasn’t checking things over time, but then the gloves really came off.

All running processes signed, clean by comodo, clean by virus total nothing suspicious cpu time/io/page faults and so on, i just didn’t go into handles and threads, never really having needed to before

All startup entries signed, clean by comodo, clean by virus total (precept for a couple of codecs in klite pack, but was expected long term issue, klite been using since forever its fine)
short of whois, no suspicious network activity
sigverif - nothing
comodo can - nothing
cce deep scan - nothing
gmer - nothing
avast deep scan - nothing
malware bytes - nothing
hyjack this - nothing
no bsods
pretty sure even thew combofix etc at it
all the bootcd virus scanners i could get to work - nothing
no comodo hips alerts etc
windows services cut to the bone, only what i need and still be secure - no improvement
auto runs minimum nessary
all the service center crud, and (official and legit of course) driver detection and diagnostic crud removed - random inexplicable laptop running hot and fans going nuts, fixed.

All files “safe” with comodo upload verify thingy but it was very hard to tell because of the flickering, ECEPT one suspicious powershell script in the comodo temp directory which would error out
not upload or verify (more on that later)

All on the surface absolutely clean, i decided to attack the problem from a network security perspective.
groans sooooooo many problems, where to begin!

To add almost every specific rule, comodo needs to understand, windows random ports, 49152 - 655135 and tack that in [windows random]

First thing i tried to do was stop the vpn from leaking and block everything but dns, 22, 80, 443 and icmp eco reply, no need for arp locally a static ip, open vpn cant be static, but it figures itself out without broadcasts

After i got the basic setup done i take a look at the logs
i see “windows operating system” connecting to china, Moscow, Netherlands, Moldova, and a ton of countries i had never even heard of
Most of the rubbish was only when open vpn was connected, yes safe, clean, vt and comodo verified, wtf!
Turns because the openvpn out of date , updated
there was vasts bursts of suspicious ips yet not a peep from hips about this because its exe “safe” when it was in fact compleatley compromised from a wide variety of sources

just because you think its safe does not mean i want all defenses lowered there must be some sane rules
just because the code is signed, legitimate, secure, and safe, does not mean i want it connecting to the internet!
just because i see what its up to doesn’t mean don’t want to on occasion selectively approve or deny various changes because sometimes good things are mixed with bad things.
just because the code is signed. legitimate, secure, do-sent mean its not downright malicious as various implementations of drm have been etc

nuking off openvpn and then putting on a fresh install from openvpn.net, everything was still “windows operating system” in comodo logs
fortunately there is somewhat of a workaround being application rules show up correctly to the correct application, in the logs but it dosent cover everything.
for example port 1900 (among others) is being absolutely smashed on outbound tcp constantly (denied), even though i disable on interface and service, SOMETHING is still being annoying so yes its a place to hide from the logs

I was pretty intrigued about what were the pre defined rules rules for windows, and while yes usage cases could be a complex beast i was expecting some selective and targeted and intelligent rules to learn from… what did i find? allow all!

so i guess the “new network detected” and clicking on “i am in a public place” thinking that will tighten things up and harden the firewall, is just there to look sexy huh?
let alone asking the user some questions, like do you use file sharing, detecting if the local private ip is 10, or 192.168 and setting some rules

still a pretty horrible back door for everything not explicitly denied with application and global rules to silently leak out onto the internet due to open vpn showing as window os
the only way to fix?

well new rule c:*.* ask for all OUCH constant bing! bing! bing! bing! continuously 2 weeks later… bing! bing! bing! ffs…
for 1, adding a directory inst even in the menu!

ok so lets start with the notifications:
steam.exe wants to connect to the internet, ip 162.254.195.45 port 80

right, so:
can you drag and highlight the ip? no
can you double click on the ip to select the octet? no
can you triple click on the ip to select the whole ip? no
can you mouse over whois? no
can you right-click on ip and check ip reputation databases? no
can you right click on ip and telnet on port 80 and send a http get to see the code? no
can you right click on ip and allow this connection (remember to factor in windows random ports!)
can you right click on ip and deny this connection? no
can you right click on ip / executable and show filtered logs (for only that app / ip)
can you right click on application and send to virus total? no
can you right click on application and send hash to cloud and get hips baseline, ip/port requirements? (even crowdsourced because of games etc)
can you right click on application and sandbox it? no
can you right click on application and send to various online sandboxes for 3rd party validation? no
can you right click on application and temporally monitor it at various levels of aggressive debugging and logging? no
can you right click on application and get detailed sandbox reports with various cloud based statistics and a malicious confidence score? no

can you right click on application and tell comodo to “advanced learn” i wish!
and i don’t mean scan hard drive, i found “■■■■■.exe” lets alow it! like the last time i ever let comodo learn

i mean, learn and set specific rules!
ok sure, set up a warning box to yell at me, hey stupid if this is an online game/torrent client/web browser/chat app where you will encounter an unlimited number of ips, and so make an unlimited number of rules, which will degrade performance until computer crashes.
give the user 3 options
1 modify learning, so they can for example ignore ips and focus on ports change default learning period etc and add learned ip into specific network zones / port sets as an option
2 learn more, goes off to a help me documentation page explain ips ports etc
3 cancel

also to be able to step back and forward though alert bubbles and pause on specific bubble if you don’t catch them in time

then we have actually adding a rule

in the drop down box for allow, deny, etc have disable so that we can use this for testing and saving of headaches for later
and yes once again, add folder
one does wonder about the timeout of state-full rules considering comodos love of trying to force allow all down your throat and as a finishing touch one may want to configure that

Because CDN’s love spamming you with huge amounts of ips its not hard to imagine a hacker simply going, well ill just sign up for said CDN and then attack you, its not exactly ev-ssl verification to get an account so no, you dont want to allow entire ip ranges, because not all gateway ips are used for all customers but using comodo for this drives you to despair!

far be it, for techs to slap on comodo on as a diagnostic layer with rolling custom rules and then see what pops up, and then are happy to leave it on there for their clients knowing it wont be in their face over everything or allowing everything and being pretty useless overall since your already forking sysinternals you may as well seamlinessly integrate it because comodo self protection module blocks allot

the patterns are easy enough to spot in big data, security vs privacy sure, opt in, clear privacy policy, proper anonymization example submissions, authentication when pushing rules dialed up to stupid levels of paranoia, and knowing what applications to ignore ips from. you already have this for enterprise, and im happy to pay for it as a consumer.

just blind dumb heavy duty manual labor to do anything useful because after all comodos policy of creating trust online is to trust comodo, to allow everything and its only real layer of defense is hips which don’t remind to come back on and gets compleatley nuterd, by file upload validation which do not account for vulnerabilities in said “safe” application

so after wading though the endless muck and spending months on what should of taken a day at most:
slapping down the global rules fixed the strange flickering on pornhub

a while after laying down rules thick and fast, my firewalls repeatedly got smashed by an entire botnet on port 23725 trying to reconnect haven’t found much specific on that one unfortunately

tinkering around with mass effect Andromeda (been playing though the series as de-stress from all this ip hurt) resulted in a clean install of catalyst control center and nvidia drivers resulted in the strange flickering of comodo to go, and, the sound card to fix up, and of course on reboot for open vpn to suddenly forget its login and password. its still connecting to a university ip it shouldn’t be, but ive gotten unhappy* off at its cdn ip abuse and constantly pegging ip connection requests at me, so for now, im updating manually and dealing with it later

java updater connecting to a bunch of unusual ips again i got the crud with it and just blocked it

comodo connecting to a bunch of strange ips
8.248.1.254
107.17.102.175
205.185.216.10
205.185.216.42
8.247.211.254
67.27.150.126

one would think that comodo being an root CA and a core part of our security would understand chain of trust and deliver its updates from a comodo ip! or are you saying that a root ca cant secure a server?

whitelisted a few hundred ip for comodo before i gave up and blocked the rest

now when the computer boots its a case of:
does openvpn work? or does it get stuck with openvpngui not knowing the password for openvpn service
do the the rulesets in comodo apply properly (they wont show up inside comodo anymore been to corrupted/hacked)
does the keyboard work properly? (this is not a hardware issue but affects d key and sometimes other keys as well)
usually one of the above will stuff up so its cold boot after cold boot at this point to get it working and a whole can i really be stuffed knowing full well im gonna have to nuke all eventually and fresh install and repeat the process because i cant backup the ip rules as they are

and for god sake give us a permanent opt out button for yahoo, this is not the 90’s i am not using Netscape navigator because that was the last time it was any good!
your really “creating trust onlne” by being associated with and endorsing, record breaking database breaces, and chat apps where you couldn’t be online for 10 seconds before you get an endless horde of chatbots asking for your credit card for “age verification” and so on… sure, i REALLY want to use yahoo.

when comodo detects corruption and forcibly does a clean install, export all the rules!

At the end of the day, the security model is fundamentally flawed. It takes only one vulnerable yet “safe” application to be exploited by an open network socket, and a average user with no cloud based hips baseline or ip (CDN) confidence rating, to interpret the alert and warn them not to click allow. that’s if even hips bothers asking, is highly likely going to go, well that’s legit, allow on hips, then comdos defenses start to crumble, that’s even if it asks for access rather than sit in memory and spam away.

Are you using the latest version of CIS 11 (11.0.0.6744)?

Are you using Proactive Security Configuration? Also, have you tried to manually set Access Restrictions for the Containment (Partially Limited, Limited, etc)? Or, if you configure Containment to “Block” all “Unknowns”, is the problem solved?

You should report your findings in the Bug Reports section. If it’s indeed a bypass or not, developers will be able to tell (and fix).

the problem really isnt unknown threats, the problem is known safe verified and clean files being exploited in memory including comodo itself
and clearly comodo has little or no defenses against “safe” files being exploited
it didnt start out as a vulnerability report for comodo, but it most definatley is now because they did incorrect handling of strings, malicious code will be executed when comodo looks at a file
file name “i am malicious code” will be executed when read
file name ‘i am malicious code’ will not be executed when read (at least not by this method)

you can see a string being escaped and code being broken, here (no mount and blade is not malicious)

https://i.postimg.cc/d31Z1vtf/wtf8.png

or paste the ip 2.1.1.2 into any ip input box in programming terms . means join things together, aka concatenate

its just the tip of the iceberg of so many fundamental problems with comodo and there is just to much detail for me to have the remotest idea how to clean it all up and make it look pretty, the developers are just going to have to read it, because clearly comodo cannot be trusted as it is, it will not stop a determined hacker with nsa tools from showing off (saw him move from origin, to cpu spiking origin web browser plugin, to mass effect Andromeda etc, to trusted installer, then back to cmdagent)
ive never had to dig this deep before, so while ive known about the tools im using for a very long time, i just dont have the requisite experience, and very limited in time and sanity considering the unnecessary nightmare comodo is making it to implement a mildly secure baseline i really! dont want to have to go back though the mass of ips and firewall logs its a daunting nightmare im wating on developers to read the post, update comodo, implement the changes, and make life VASTLY easier to implement network security and eventually export and format

i dont have containment policy, i may need an update

i was at first fully up to date and using cis 11.0.0.6728 but then comodo was connecting outbound to a pile of suspicious ips before and i white listed a few hundred comodo and from memory ackami ip before i just gave up in despair and blocked the rest ill be doing manual updates for a while

but i will update now see if it improves things, i had to hard reset the router it finally died and i was well aware that’s where the hackers persistence was hiding, not much i could do about it, isp junk all consumer grade routers are exploitable im saving up for a secure one

computer also locked up compleatley installing mount and blade game so i had to reboot

we will see if the hacker comes back to show off, so after keeping it alive for over a month with a half dead battery cmdagent using 13% is now gone again, will see when it comes back.
now its humming along at 0% - 2%

my icedragon custom profile finally died cries that was about a weeks work testing and fine tuning about:config firefox update nuked it, perhaps i can rebuild it from the file location? where is it hiding?

and for god sake give us a permanent opt out button for yahoo, this is not the 90’s i am not using Netscape navigator because that was the last time it was any good!
your really “creating trust onlne” by being associated with and endorsing, record breaking database hacks, and chat apps where you couldn’t be online for 10 seconds before you get an endless horde of chatbots asking for your credit card for “age verification” and so on… sure, i REALLY want to use yahoo.

and if you really want people to pay for things, then well, paypal, bitcoin, anything but raw cc info because after all, you cant even get strings right.

Try adding those supposed vulnerable applications into Embedded Code Detection list, also enabling the other processes in this list (Warning: Might cause issues).

You can apply Acces Restrictions in Contaiment rules. Untrusted level is the restriction level with highest security. You can also change the “Run Virtually” for all Unknowns rule to “Block” by editing it.

Regarding NSA, they mentioned in a report (made public by Wikileaks) that Comodo is hard to bypass.

well the update (via website) deleted all network zones, firewall rules, portlets, rule-sets, everything. comodo didnt even have the courtesy to export it, just nuke everything because they know better by alowing everything, exposing everything, and not even trying to defend it.

its taking everything i got not to say what i want to comodo about this and get banned from the forums as much as they deserve it

i cant exactly contain nvidia, intel, soundcard, openvpn, java updater mabe the rest of the list just got blown away

i need to walk this off, and calm down. thanks for trying to help though this one is definatley not on you.

ok so the rules are all still there, firewall log is filling up again, i just cant see them, or modify them wonderfull

https://i.postimg.cc/FHRJy8wv/wtf9.png

that black box on the battery is the only remainder of the original blacking out, not comodo, but still there
the sandbox with unknown threats is secure id agree, i did read for their eyes only its the whole reaason why i actually trusted comodo and got into this mess in the first place
but there is a big difference between breaching 10k lines of carefully audited Assembly to escape the virtualization stack, and attacking comodo itself outside of it, from a known “safe” application. mabe im just chasing ghosts around my computer and seeing more things than i should in the numbers, but, the more i look and deeper i dig the stranger it gets.

ok yeah rules are gone, ice dragon profile has been overwritten with a new default, yet still complains the profile is corrupted, all plugins /settings everything removes so there goes all the umatrix profiles sigh for god sake you just cant win.

and comdo didnt even last 10 seconds before stopping to respond.

https://i.postimg.cc/xjBzv6nN/wtf-10.png

If you use Default settings (Internet Security configuration) it’s easy to terminate or mess with Comodo’s processes using safe applications.
That’s why I asked if you using Proactive Security configuration or not.

If you claim you can bypass Comodo’s Fully Virtualized level (which I doubt BTW), try configuring Access Restriction for Containment (Untrusted level) and problem solved. Even NSA struggles to bypass Comodo’s protection layers, so here we have a higher probability of you misunderstanding how Comodo works or misconfiguring some of CIS components.

Posting all this here will accomplish nothing, Comodo developers don’t have time to crawl through huge walls of text and images and try to understand it. Please report your findings in the Bug Reporting section following appropriate format. Thank you.

EDIT: As the Wikileaks NSA report on Comodo said: "Comodo, as you may know, is a colossal pain in the posterior. It literally catches everything until you tell it not to, including standard windows services " (NSA basically said that Comodo intercepts even legitimate processes) I am more inclined to believe in them than in a report from a random Forum user which pressed “ALLOW” on a HIPS alert for “Mount&Blade.exe” (As per your CIS logs), and is claiming a “bypass using legitimate processes”, said user which also regarded himself to “not be an expert”.

There is no bypass here. Just another random guy boasting “I can bypass Comodo Virtualization”. There are many of those at Youtube and “security” blogs.

if co

if you think comodo is so secure, then why is it sending outbound tcp requests to the following ips

8.248.1.254
107.17.102.175
205.185.216.10
205.185.216.42
8.247.211.254
67.27.150.126

go do a whois, they certanly are not comodo

and with the hell they put me though to set up ip rules, they can suck it up and read it. comodo asked for help, i gave it, and spent an enormous amount of work and thought into putting it together

can you drag and highlight the ip? no
can you double click on the ip to select the octet? no
can you triple click on the ip to select the whole ip? no
can you mouse over whois? no
can you right-click on ip and check ip reputation databases? no
can you right click on ip and telnet on port 80 and send a http get to see the code? no
can you right click on ip and allow this connection (remember to factor in windows random ports!)
can you right click on ip and deny this connection
can you right click on ip / executable and show filtered logs (for only that app / ip)
can you right click on application and send to virus total?
can you right click on application and sandbox it?
can you right click on application and send to various online sandboxes for 3rd party validation
can you right click on application and temporally monitor it at various levels of aggressive debugging and logging?
can you right click on application and tell it to learn ip and port requirements? no
can you get a detailed sandbox report? no
can crtrl click and slect a bunch of ips and ports and add to network zone / port set? no

and so on, comodo is pretty useless to do anything with and its real hard to NOT understand that.

the main problems with comodo file validation:
just because the code is signed, does not mean its legitimate
just because the code is legitimate, does not mean its secure
just because you think its safe does not mean i want all defenses lowered there must be some sane rules
just because the code is signed, legitimate, secure, and safe, does not mean i want it connecting to the internet!
just because i sandbox it do sent mean i don’t want to take a look under the hood at what its up to
just because i see what its up to doesn’t mean don’t want to on occasion selectively approve or deny various changes because sometimes good things are mixed with bad things.
just because the code is signed. legitimate, secure, do-sent mean its not downright malicious as various implementations of drm have been etc

and i mean how hard is it to understand when a whole pile of applications who have passed all the checks, do not trigger hips, and connecting to a whole bunch of ips they shouldn’t be?
like for example isp users (not servers), university ips, countries ive never heard of, along with the usual malicious favorites, on for example us based applications

your putting nsa on way to high of a pedastool snowden did a number on them and there has been so many of their exploits which are their most precious possessions and most closely guarded secrets have got out into the wild and continue to do so, its horrifying and hilarious and has resulted in things like wannacry shutting down England’s hospitals not to mention those suspicious ips i mentioned well one of them was 11.231.149.27:30005 Whois Lookup Captcha on a server authoritative, (so not chat etc) game were Chinese billionaires were interacting with a sizable amount of active duty and former us military personnel. its really dumb to run servalance from a 11.x ip until i kicked up a stink about it, probably unhappy* em off. and now at last glace its still there just from a server in Moldova most juicy of all its a china based game hosted in the us that got slapped with a national security letter ant they complied with it. i would consider nsa a laughing stock not the pinnacle of security at this point.

i do not have a exploit for a layer1 hypervisor, but there has been a handful of them over recent years, but if i did, the bug i mentioned is exactly where i launch it from, just because comodo is standing on the shoulders of giants and calling them selves secure does not mean their code is remotely secure at all, if i were going to hazard a guess they are using a modified xen.

then we have the whole structure of its interface in the first place, so what, they expect us to manually type out every single ip, into whois, . to then find exploited applications in the first place, then seucre them with a sandbox? what about drivers? if you sand box that you will instantly destroy your os. comodo has gotten to high on its own juices and is arrogantly automatically allowing everything though the firewall not factoring in that the applications may be vulnerable in the first place. then you have to manually re type in every ip because you cant paste them because of said “bug”

after a bit of digging i found the right box, sure that will contain some thigns and help in some ways thanks for that, that said, comodo is a very long way from what i would consider secure, let alone, what i would recoomend to someone else

ill be disabling comodo firewall for now, im not going though that manual ip typing hell again, and putting on zone alarm, because apparently at least that has a decent database of rules for ip / port requirements which is one of the many things comodo needs to fix…

edit:

id say while i struggle with picking things apart after a certain depth i understand much more than you thinkl admittedly i am having a medical issue, causing me to have bouts of dazed and confused in gathering thoughts and connecting dots, but its not messing with my memory, just speed and methodology of approach.

yeah and you think its a GREAT idea for every invalid character on every input to corrupt comodo internals? in mount & blade’s case it was the & yes just the & which is why i recognized it for what it was and allowed, go try any application with any programming character in its name and watch comodo break

’ vs " is code security basics first 10 minutes, and they cant even get that right

https://xenproject.org/ is your precious virtualization, that comodo would be using its the closest to the metal to build code on top of and if that gets exploited? well at minimum 40% of the servers in the world would be vulnerable, amazon had to shut down because of one for a bit so yeah its pretty much the holy grail and deeper than i ever gonna dig, i certainly got errors of things hitting that deep though they went successful.

so yeah i found injection points, no i dont have payloads.

i have enabled proactive security, i just highly doubt its going to change much, more isolation is nice, more aggressive filtering of com interfaces is even better, i still dont see it as a replacement for a good solid ip whitelist the more layers the merrier as far as i am concerned

zone alarm is just… medieval, ill be looking for an alternative
looks like recent activity is working now, on comodo allerts i like it, before nothing was in it, so i didn’t pay it much attention. it will come in handy.

As has previously been stated. If you do believe you are able to bypass Comodo defenses then everyone here would love to hear from you. Please post an example of a bypass that you have carried out in the real world.

i have given examples 3 times, and given a screenshot of code breakage, i will not repeat it again

but i did however notice the edits above, adding nvida to embedded code prevention has resulted in this new alert, which for the life of me i cant understand why hips did not pick up with standard settings once again known “safe” applications… and lack of defenses on them… so yeah id LOVE for comodo to explain why this one wasn’t picked up.

https://i.postimg.cc/XqpyqqZB/wtf11.png

yeah, thats right, a dam text file is trying to modify a registry key.

its not my job to forensically analyses every aspect of comodo’s defences and precicley understand how they are being breached, it still does not mean there isnt one!

mabe its just writing a key to the log, i need to take a closer look at these new tools

cpu time always at 13% cpu use things change over time, its being actively defended the hacker is just showing off with that one

cmdagent using around 13% was a known issue for previous versions of CIS 11. This is fixed in 11.0.0.6744. So I doubt this was your supposed hacker.

so i wasted my time on trying to pick apart comodo because it was not behaving normally if you like i can remove all that from the main post and reduce it by a chunk still alot of things that need fixing

thats 1, there is still nvidia, java updater, ccleaner, open vpn… all connecting to suspicious ips and strange and numerous memory bugs yes did hardware tests,
and yet according to comodo everything was perfectly fine! no alert that would have raised any alarm at all.
taking a look at that log file, there are no registry keys in it
now that the rules are gone, im going to format soon anyway so i allowed one single key to see if it would show up in log, it didnt
searching though procmon only shows comodo executable accessing that file dispite continuous allerts

so yeah, as usual the more i look the stranger things get… and all this has been happening because i took a lazy approach to comodo because i trusted it

just checked no ntfs alternative data streams on file either
but a text file modifying the registry? (without renaming extension to .reg) lol wow! thats a new one alright
i did save the procmon dump

its parent process nvcontainer was writing registry keys, lots of them in procmon, strange ones to, the comodo recent activity only 1 its just 3am… i give up need sleep

If you could clean it up, it would help. Most people are not going to bother reading the security novel that you are writing.

Honestly, I was bored which is the only reason I did.

After it’s cleaned up we can narrow things down even further.

Regarding your comments about how Comodo trusts trusted files etc, this has all been covered so I won’t bother even replying to the comments. I think this is why people are ignoring your comments on it. It’s been covered, and no one has managed to effectively exploit it. It’s all theory and it never seems to work in the real world. Suffice to say Comodo is setup in a way that most exploit points, even when compromised themselves, should not be able to do any damage to this system, other than break the source file.

As to your system, no AV has picked up any malware. This doesn’t mean you don’t have any; it’s just unlikely that you do. But possible nevertheless.

I would be more inclined to think any issues with your system may be due to you messing on with it attempting as you say to repair rather than nuke.

However, yes the log file trying to modify a reg key does seem odd, but maybe someone else here can explain a possible reason for it.

P.s. I appreciate you taking out your time to list points you may think are of an issue.

I think the best way forward is:

a) List suggestions in the suggestions forum here: Comodo Forum

b) List anything you see as a bug in the bug forum here: Comodo Forum

c) Ask for help detecting and removing malware in the AV Forum here Comodo Forum

This is not to be awkward but the relevant people and moderators will use the relevant forums. Posting them elsewhere means the relevant people may not see your thread and thus will not be able to reply to it.

Finally this will reduce the amount of text per each topic which will mean people will quite frankly be more motivated to read it and help you in the first place.

Hope this helps.

To be frank and honest with you. Your style of writing gets in the way of the message you are trying to get across. Nobody in his or her serious mind will read your contribution; I am surprised some members did reply.

It is not only the tone that deters people but also the lack of punctuation: lack of capitals at beginning of sentences and dots at the end of sentences fail to provide structure. Reading is not necessarily a linear process in which one read word for word and line by line but it also contains skimming to get a basic idea of what is being conveyed.

but i did however notice the edits above, adding nvida to embedded code prevention has resulted in this new alert, which for the life of me i cant understand why hips did not pick up with standard settings once again known "safe" applications.... and lack of defenses on them... so yeah id LOVE for comodo to explain why this one wasn't picked up.

https://i.postimg.cc/N2v0PgkQ/wtf11.png

yeah, thats right, a dam text file is trying to modify a registry key.

its not my job to forensically analyses every aspect of comodo’s defences and precicley understand how they are being breached, it still does not mean there isnt one!

mabe its just writing a key to the log, i need to take a closer look at these new tools

One could argue about what settings should be default settings or not but then we’re missing the point that CIS is a very powerful tool that provides a lot for those who seek more in depth and detailed control.

It’s not clear what your concern is. CIS does give you the protection you seek but not at default settings. If your concern is that a safe executable could be hijacked and then forced to execute scripts then you are forgetting that CIS protects executables from being modified by unknown executables in the first place.

You cant even copy an ip!
Or be exploited via a open network socket, and they were, and the firewall allows all for safe instead of whitelisting known good ip, no learning, no bulk rules, no easy config, no further steps and so on.

the topic really has just spiraled out of control, tomorrow after sleep and when my head is more clear ill try and carve up the various chunks and dump in various forums
not really after virus removal, its beyond saving apart from a mild curiosity of learning new tricks
but i do want a substantial list of new features, features that im happy to pay for, features that will actually give me confidence in recommending comodo
an features that will save us all a world of pain.

You are not the only one who has asked for more granular control over the firewall alerts. Interesting suggestions have been made in the past but unfortunately Comodo never made changes to the UI.

So they have a fundamentally flawed security model, and they make it almost impossible figure out you have been exploited, let alone take further steps to mitigate it and try and force you to blindly expose everything.

you after all have to manually type in every single ip, on every alert twice, because you cant even paste an ip at this point, ie paste 2.1.1.2
this is not creating trust online.

well… i have seen almost everything in my life, so… this guy… its just another internet “crier”…

just set cis as proactive, set default deny to all, set all as untrusted so they get terminated and thats all you need to be safe forever…

or keep winning on the forum…

if you are so certain your secure PROVE IT.

go ahead and do what i did, set up rules for dns, arp, dhcp, 80, 443
then go add new rule c:*.* any any any any ask
then check every ip here
https://www.ultratools.com/tools/ipWhoisLookup
then set each rule.

then tell me that all your applications are connecting to all the ips they should be and there is nothing supicious i might believe you.
i found about 100 suspicious outbound including 6 outbound for comodo before i gave up in despair.

far be it, for me to then to come back and create a decent list of features to implement that will make everyone’s lives vastly easier to actually configure it, rather then being fundamentally useless all the while having bouts of medical issues, whats your excuse?

sure i could devolve into insults but this is just a waste of time

even after adding the proactive security etc there are problems
laptop running hot but it is hot today.
svhost once again legit, cpu spiking. (a new flavor, will dig)
a text file, modifying a registry key which is downright sacrilege

default deny is only going to work after a vast amount of unnecessary manual work whitelisting rather than sorting it all out with a few clicks and mouse hovers.

but hey go right ahead keep things as they are… and wonder why comodo has a entire thread begging for help being more popular.

did a lot of refining on this one, still needs work but its a start
https://forums.comodo.com/wishlist-cis/comodo-is-insecure-but-it-could-be-quite-formidable-t123837.0.html

I suggest to stop polarizing and am asking others not to respond. This topic was flawed from its conception.

Your contributions are illegible for reasons already mentioned. The aggressive tone and needless testimonial display of ego gets in the way. When you would break down your concerns on a one by one basis in separate topics and stay on topic without aggressive tone and testifying you will stand a chance of getting responses.