Comodo could be quite formidable.

vitim · February 24, 2019, 7:02pm

ifurn0 post:19:

if you are so certain your secure PROVE IT.

go ahead and do what i did, set up rules for dns, arp, dhcp, 80, 443
then go add new rule c:*.* any any any any ask
then check every ip here
https://www.ultratools.com/tools/ipWhoisLookup
then set each rule.

then tell me that all your applications are connecting to all the ips they should be and there is nothing supicious i might believe you.
i found about 100 suspicious outbound including 6 outbound for comodo before i gave up in despair.

far be it, for me to then to come back and create a decent list of features to implement that will make everyone’s lives vastly easier to actually configure it, rather then being fundamentally useless all the while having bouts of medical issues, whats your excuse?

sure i could devolve into insults but this is just a waste of time

even after adding the proactive security etc there are problems
laptop running hot but it is hot today.
svhost once again legit, cpu spiking. (a new flavor, will dig)
a text file, modifying a registry key which is downright sacrilege

default deny is only going to work after a vast amount of unnecessary manual work whitelisting rather than sorting it all out with a few clicks and mouse hovers.

but hey go right ahead keep things as they are… and wonder why comodo has a entire thread begging for help being more popular.

did a lot of refining on this one, still needs work but its a start
https://forums.comodo.com/wishlist-cis/comodo-is-insecure-but-it-could-be-quite-formidable-t123837.0.html

I do better.

I install CIS, configure it to always block unknow activities and do all i want online. Im safe clicking everywhere, doing anything on my computer… so. yeah… CIS makes my computer safe…

i agree that we have some things that should be better handled, have better aproachs, better responses from melih and/or comodo devs… but its a free product that do what it promises: it protects my computer.

If you want to mess everything than cry on a forum because you saw something suspicious thant its not an cis problem, its an ego problem and it all lies on yourself…

ifurn0 · February 25, 2019, 3:29am

exactly what i did, short of the enabling proactive there should be a ? on that
yet safe applications got compromised

this is not checking your ip connections and PROVING IT. Which is exactly what you say you do just at a deeper lever.

fanboys crying they are safe without technical specifics. roles eyes Why should i believe you? How do i even know you have the remotest clue of what you are talking about?

sure these download sites are dodgy:

https://www.java.com/en/

and so on, yet the damage was done and i was looking at what appears to be some form of remote code execution.

Weather proactive improves things, We will see. hopefully i can find a suitable replacement to sift though the mess of ips to draw conclusions. I don’t see the point putting in weeks of work typing out all ip again before i format just for bragging rights on a forum.

they could put a ? there to refresh our memory when doing the intal setup and go oh yeah that one is more aggressive filtering enable.

the only “dodgy” files i have put on my laptop, are video and music, yet in all my years i have never heard of any exploit for playing one, short of requiring a malicious codec which i know better than to install. Everything else is either big! or opensource.

picking apart svchost.exe from its threads looks like its a windows update there is only 2 needed being the latest quarterly and ie, im deciding between force installing it, or watching cpu time, its racked up 20 hours cpu time already, at 13% (lol again!) cpu plausible.

As far as i see it, its all about containment, sure containment is nice the more the merrier heck id be using qubes if i had the hardware and didn’t need opengl to de-stress but containment only goes so far. it dont stop code from running inside it, an permission control alerts from legitimate application? Mabe just mabe that’s how i got into this mess.

One could argue the driver on the network card will block the attacks im talking about, low hanging fruit sure, but then pattern based recognition vs code obfuscation and over 1m new virus samples a day its a mugs game and will not replace a good solid ip whitelist.

Half the features i requested would take less than a day to implement there is no reason at all not to implement them, some might be a bit expensive but its wandering into enterprise clients territrory if they are not implemented already will i pay for it? sure why not. A good product sells itself, and the ui is the single greatest peace of marketing comodo has

Yet you cant even copy an ip, and if you paste an ip, prospective enterprise clients would instantly recognize the security implications of this and move on to the next product. let alone be impressed by what they see.

You asked how would i attack comodo? Id treat it like any other corrupted or broken anti virus / its broken uninstaller that i have encounterd before, and nail its registry load points, there has always been 1 that you can disable that protects the rest, for this exact reason.

devilbat66 · February 25, 2019, 3:38am

The alleged problem OP is complaining about is already covered by CIS, as the above video shows (Trusted RAT Malware is blocked by HIPS at 4:46).

Cruelsister is well known here at Comodo forums. She is a former Malware coder and conducted several tests against Comodo, failing to bypass its protection layers. Including with Safe/Trusted files.

So we can choose whether to believe in Cruelsister and NSA (True security professionals) OR in someone who thinks Comodo developers have time to read through huge walls of text…

vitim · February 25, 2019, 3:56am

i guesss this guy is that fat one who left comodo years ago complaining about everything… do you guys remember this episode?

maybe its the same fat kid… or someone related to him…

devilbat66 · February 25, 2019, 4:39am

All of this burping “I can bypass Comodo Virtualization”, OK. Let’s be generous and assume he can. What he don’t get is: He can’t bypass Access Restrictions (Untrusted Level) + Virtualization. He will be unable to damage real System if the alleged Payload don’t have the privileges for that… This is called common sense.

As for Trusted files supposedly doing harm, Cruelsister and NSA already covered the issue. I’d rather believe in true experts, than in someone without common sense for reporting problems in a Forum, resorting to giant Walls of Text…

Regarding “IP whitelisting” this guy probably don’t know that most IP adresses are Dynamic IP’s, also most Companies rely on 3rd Parties for storing/delivering Content (Updates, Telemetry, etc)… He is scared just because legitimate Programs can connect to some random IP’s belonging to legitimate 3rd Party CDNs…

About his “laptop getting hot” (;D ;D ;D): Now Comodo software is responsible for his own faulty Hardware problems? LOL

I bet his System was not even Restarted after enabling Proactive Security configuration… 88)

Dennis2 · February 25, 2019, 8:18am

Yes there maybe a few fanboys, but most are users trying to help others with their extensive knowledge.

At the moment all I see is a member filling his posts with bumf, expecting us to read this to find something that may be there.

If you want anyone to read your posts please provide short precise information of any problems.

Dennis

ubuysa · February 25, 2019, 9:23am

I’ve scanned the main parts of your essays here (TL:DR) and what leapt out at me was this…

...Ive just had some practice over the years refusing to accept defeat and cleaning instead of nuking...

Does that mean that you have not done a clean reinstall of Windows and drivers, followed immediately by CIS in Proactive Security mode? If you’ve not done that then I most strongly recommend that you do.

If you install CIS on an already compromised system such that CIS thinks that everything running is safe (when it’s not) then of course CIS is going to allow malware to execute. It sound very much as though it’s not CIS that’s the security risk, it’s the way in which you have implemented it (ie. on an already infected system).

liosant · February 25, 2019, 12:48pm

It is trying to say that processes like svchost, when it is not in the default configuration, can allow external connections as demonstrated here (an error of my svchost configuration).

ifurn0 · February 25, 2019, 4:42pm

Comodo is usually the first thing i install. Its been a very long time since ive had issues, or installed cracks, or my very first use of comodo not sure which wins.
Other peoples computers though…

I have been slowly pruning and working on featrue request thread, making hundreds of edits and spending massive amounts of time on it, while fighting though todays migraine from yesterdays bouts of dazed and confused. im trying, i should be doing much more digging than replying on forums.

Ill hardware stress tests passed.

With a bit more clear head, thinking of recent technical posts and being reminded of the original tldr
made me think, no they went side steeping the majority of comodos defaces by using nox/memu being using obsolete buggy, leaky and modified android/virtual-box to directly attack comodo and applications somehow

I now know comodo is also virtualized at a deeper layer has withstood over 4 years and over 10.000 hours of essentially nested virtualization abuse.
Without any issue outside of the emulator running. Even when they were it was pretty minor.
As astounding as that seems it really depends on how regularly low level comodo components are updated.
Still comdo corruption was inevitable and it seems to explain so so so so many strange little memory issues i noticed.

Dynamic ips on cdn’s across their entire enormous sets of ranges?
Nah, At lest not for cloudflare, akamai, and while not a cdn google or amazon either.
Single ips an sets of ranges within their main allocate ranges.

At first i got confused and thought you meant cdn leasing ip ranges from other companies would explain what i saw.
well …maybe? bgp routing table propagation aside, wouldn’t that come with heavy geographical restrictions because of asn, state etc?
im pretty murky on that let alone how up to

but then also coding that as a place to look for updates? unlikely.

thought of a new sane way to filter ip after sleep ill take a look
no longer focused on outside of process, instead of damage im doing to others with said compromised process.

DecimaTech · February 25, 2019, 5:46pm

For the suspicious IPs that you found comodo connecting to, comodo does have cdn.download.comodo.com which uses cloudflare. Also cmdagnet performs OCSPchecks for applications that are digitally signed when they are executed.

For UI corruption it sounds like you have a dual/hybrid graphics setup which means you need to go into your graphics settings and set cis.exe to use one of them, you might need to do this with other applications if you notice such graphic corruption. Here is a link to this issue.

Metheni · February 28, 2019, 4:10pm

Hi ifurn0,

I’m trying to follow all your problems and suggestions. I really appreciate your great effort and I can understand your intention to help Comodo to improve.
Let me say this, Comodo will never allow malicious application to enter in to your system when it is on default settings.

You stated in your post that :

“It all started a while back, with an obsolete video divers from necessity, it turned into a keylogger, had a pile of graphical glitches affecting comodo, pornhub, website logins.”

If I’m not wrong, you might have changed Comodo settings or disabled CIS when this happened.

If you feel that Comodo failed to block malicious application, then please post it here with the details of files you suspect.

Btw: I have notified all your suggestions listed here to the right person.
https://forums.comodo.com/wishlist-cis/comodo-could-be-quite-formidable-t123837.0.html;msg885542#msg885542

Thanks,

ifurn0 · March 1, 2019, 8:07am

Thanks, its greatly appreciated
I could not help myself but obsess over that feature list. Instead off running more tests.
Sorry about that, i want them really badly!

I am continuing to investigate, and try and find more specifics.
That i can directly point my finger at isolate and investigate further.
If i get stuck ill ask for help ty, its just better to learn the hard way. Learn more, remember more.
I need to be careful about my stress levels
This may cause more inflammation
So i may end up just formatting out of frustration

At this point i need to clarify and confirm:

My head is real atm fuzzy sorry bear with me, trying to find the right way to ask.
Comodo does have a deeper secondary virtualization layer as part of itself protection module kind of like how Denuvo - Wikipedia protects itself?
Or is that just the sandbox for unsigned applications and wont affect known, signed executables unless told to do so?
Did i cause nested virtualization by not putting android emulator inside comodo sandbox for that reason?

Recent updates and comodo hardening have muddied the waters
Thought up a solution for pasting ip will post when head clear.

It has been a gradual process over many months and i have been quite sick.
During install you might be right, it could of been incorrect assumptions about hips permissions at the time i cant remember.
bad win update Intel video driver push, tried clean install both, no win Intel was incompatible, tried install NVIDIA , dependency hell.

what would you like to do about this thread its quite a mess!
let it die? go and edit main chunk? remove it?

a short overview, any if interested.
I didn’t isolate the apparent keylogger only notice change in porn-hub flickering mini snapshots after applying firewall rules, its not back with none.
Nvidia clean install fixed comodo graphics glitches, and possibly login portal (latter less common) but openvpn suddenly forgot my password.
Removing dell diagnostic/updater junk fixed strange cpu apparent 100% use not showing up in various taskmangers. according to it, tests were not being run.
Latest nvidia fixed log-file accessing registry but took some painful hips registry allows to remove.
router had to be hard reset, isp re-flashed, it died compleatley. Mitm suspected.
misinterpreted various comodo bugs, now updated.
enormous amount of anti virus, and hardware checks, were done prior to initial post, looked good that way.
pile of other to strange and intermittent to mention, but simply something not quite right in memory.
risks were taken, mistakes were made, hardening overlooked, hips and installs were rare, im clearly out of practice.

It will take time for problems to bubble up to the surface

Post hardened comodo settings.
Keyboard, sound, not fixed.
Svhost update, 23:35:00 [at] 13% cpu, so if [at]100% over 2 hours, new record but plausible.
Strange on its reboot didn’t watch full automatic shutdown just came back to open web browser, then did full restart.
No deep memory errors yet, now know how to look up whats in said memory address.
trusted installer occasional recent activity but looks legit.
The other strange flavors but one consistent minor graphical glitch not apparent yet.
openvpn appears to be remembering its other, internal password for gui to its service internal login on boot. for now.

working on wireshark lan atm, will capture vpn next filter and find all suspicious ip on safe again.
and go from there.

Citizen_K · March 2, 2019, 6:55pm

Svchost.exe is not used by CIS. Any activity of svchost.exe is called by another program Often it is called by Windows to execute OS related tasks. Sometimes it is called by applications.

I will repeat myself. Your testimonial style of writing does not work. It is needlessly tiring, it is clouding everything: it gets in the way. We are not interested in your journaling your process.

We’re only interested in separate topics with questions, wishes (separated wish topic for each wish), bug reports (separated reports for each suspected bug) if you suspect something is a bug. When it comes to reporting bugs it is a highly structured procedure in which a strict format will have to followed. Only format verified bug reports are guaranteed to be read by Comodo staff. Non verified might draw attention but most likely go to the bin of history.

If you wish to contribute, and I believe you do, you will have to clean up your act. You have to step back from the processes of investigation that you follow and check if hypothesis you are using are explaining what see or not. It is a process of learning to doubt and check.

When it comes to bugs reproduction is key. It means you figure out what a recurring issue is and by following what steps will reproduce the issue without journaling about your ego trials and tribulations. They are like our ■■■■■■ organs; we all have one but it is not something we talk about.

Sometimes you need to take your minds of things and redirect it by doing something else to clear your head. Your mind seems to be making overtime.

ifurn0 · March 3, 2019, 2:49am

i still need to confirm this:
Comodo does have a deeper secondary virtualization layer as part of itself protection module kind of like how Denuvo - Wikipedia protects itself?
Or is that just the sandbox for unsigned applications and wont affect known, signed executable unless told to do so?
Did i cause nested virtualization by not putting android emulator inside comodo sandbox for that reason?

Once i got that figured out:
What would you like to do about this thread?
let it die? go and edit main chunk? remove it?
Not sure i can nuke the whole thread, would like to after confirmation.

I did start on cleaning up the main.
Head just got real hazy real fast.
Then it started to drop down the ranks so i just let it go.

Wire-shark really annoying to whois and filter down taking forever.
I think im just gonna give up on the rest, i need requested features, and wire-shark filter exports.

Edit:
Yes here to help, just messed up in the head atm, they cant fix when they don’t know the cause.
Trying to be better…

Citizen_K · March 3, 2019, 4:06am

CIS does not use virtualization to protect its executables. It uses HIPS techniques like denying memory access to CIS processes by all applications both trusted and untrusted ones.

Running an emulator in a sandbox has the potential to be an interesting experience. It is something to try and see if they work together nicely or they don’t.

clockwork · March 29, 2019, 3:24pm

You waste so much time, for the typing alone. Dont want to know how much time you spend checking ips and so.

If a computer is infected, format and reinstall.

From then on load only known things, allow them to connect outgoing.
I used paranoid mode with comodo. Because it was so easy to use. I made rules for games, and when i started a game, i gave them the needed rights with 2 clicks. Done.

An infected computer is never safe with certainity.

The thing that i wonder about, what elaborated malware you might have that stays undetected for that long, and isnt shown.
But this shows: Antivirus is only good to notify you about a known infection or pattern. They might not save you with detection already, so dont expect them to save you from an existing infection.

Sandboxes are a nice thing, when you decide what can phone running in them.

Conclusion: Start fresh, make needed pre defined rules. Use them. Use paranoid mode.

jay2007tech · April 10, 2019, 6:46am

i got something for you to play with and learn at the same time
its called mj watcher

MJ Registry Watcher is a simple registry, file and directory ■■■■■■/poller, that safeguards the most important startup files, registry keys and values, and other more exotic registry locations commonly attacked by trojans. It has very low resource usage, and is set to poll every 30 seconds by default, although you can adjust this to anywhere between 0 and 9999. A configuration file stores all your settings for future use. MJRW not only polls the system, but it also hooks it, so that most changes to keys, files and directories are reported instantaneously. Key deletions are still caught by the polling loop though, since they cannot be hooked. Exactly which keys and files are protected can be completely configured by the user, although the sets I supply with MJRW will cover most standard PCs.

https://jacobsm.com/mjsoft.htm#rgwtchr

This will help you fine tune on what the system is doing