https://cybersecuritynews.com/hackers-weaponized-2500-security-tools/

Just found this in a news update. Is this something which will be considered in the new update for CIS 2026? Just wanted to make sure protections are in place to handle new threats such as these. Thank you for any input.

This is where the chain of preventative measures begins. Users are increasingly required to be proactive and cautious. It seems that simply installing a top-ranked security program is no longer sufficient. I hope that Comodo’s protection strategy can also ward off such threats in conjunction with user behavior online. @cruelsister also explicitly emphasizes that cybercriminals are successful when users allow intrusion attempts. The simplest example (although now very sophisticated) is phishing emails. Consider whether the demands made in the email are feasible. It’s a chain of measures that a user must take, such as activating tamper protection in Windows.

Edit: I’m probably oversimplifying the protective measures as a layperson. Perhaps deeper interventions in the system are necessary in the hope that everything still works.

1 Like

When a user downloads and executes an unknown file, the executable will be contained by CIS, which should stop the infection process in its tracks.

The chain of infection requires luring a user (relatively easy) to run an executable. With default Windows settings the file will be run with administrator settings, which allows full access to the OS and allows the payload to be delivered. In this case, allowing for a driver to get installed.

With CIS containment, unknowns are not able to run with administrator rights and are not able to install a driver. The infection gets stopped in its tracks, keeping it from doing the scary stuff the article talks about.

1 Like

That’s in theory.
Because here on the forum there’s already malware that bypasses the sandbox containment.
There’s even a video on YouTube.
And COMODO itself said they are working to fix this flaw, but that was over a year ago.

Which flaw are you referencing? I know they did the elevated privileges fix in the last update, but maybe you're referencing a different one than the one that was fixed?

I’ve seen these bypass videos, including the more recent one. In each case, an unknown executable had to be downloaded or copied onto the system to be executed at some point in the chain, and at that point the executable would be stopped from infecting the system no matter what part in the chain it gets executed. Something has to start that chain reaction. I haven’t seen a real world example where it has successfully bypassed without users disabling security elements. I don’t know enough about the measures or avenues used in these tests, though a lot of them seem to copy or extract the files with the security elements disabled.

The discussion about this and the video links are on the XCitium forum; it hasn’t been resolved yet.

So you're referencing the old Vitaotec aka Loisant video from March 2025, which was then apparently fixed with Xcitium. I’ve scrolled through the surrounding months of Xcitium update release notes, but other than a duplicate file fix in these release notes, I don’t see any other possible related fixes. He also hasn’t tested CIS again since then, but it was down to an Xcitium-only feature of untrusted DLLs for safe programs that is disabled by default because of the false positives.

In that user’s test, the malicious DLL is already on the computer before CIS was activated, but maybe @C.O.M.O.D.O_RT can check with the team to see if it was in the pipeline for the upcoming version, if it’s still a bug with CIS. Most importantly, it has to get on your system in the first place. He claims Windows Defender detects it, so you could always just run CFW with it; it just depends on what setup you want to use.

I looked at the three videos Vitaotek made. In the last one he tested with CIS. That test looks solid, and the system with CIS did get breached.

That would only be the case if D+ was set to Training Mode. A user bypass is easily made by convincing a user to download an archive to a system, e.g. by posting an archive which promises a c_rack for an expensive, well known paid program. The user will unpack the archive and start the executable.

There was one strange thing happening during that test. The malicious dll would only get detected when running a manual scan but did not get picked up by the on access scanner. It puzzles me and I have no explanation for this behavior. I would expect the on access scanner to also detect it.

1 Like

Thanks for the info. I’ll have to look at it again when I get a minute and I don’t have the expertise on the methods. It is odd that the detection only happened during a scan which had me thinking it was a dll of a trusted executable but perhaps I’m wrong. I do think if it was introduced to the system after protection enabled that it would have been blocked. I’ll have to research what tweaks can be made to protect against this.

Hello, the test was done again recently, this test was done in a LIVE stream to avoid any doubts, and once again, after 1 year, COMODO is still being affected by this sandbox flaw.

Video link: Comodo Internet Security 2025 does not contain RANSOMWARE (bypass, infection and lost of files) | Page 13 | MalwareTips Forums

I look forward to watching the video. He tests just the Firewall not full CIS in this video but will be interesting to watch.

1 Like

I looked at the video and indeed CIS is still being affected.

In the final words he states it won’t stop him from using Comodo Internet Security because it has always served him well (I am paraphrasing). For those who want to hear him in his own words: https://youtu.be/al8CYChHMpM?t=6147. That makes him a friend who will speak the truth when really required.

2 Likes

Great, I liked the comment. But remember, there’s a flaw. If the Comodo team fixes this problem, then it will become an impenetrable sandbox again, but until then, the flaw remains, and it hasn’t been fixed for years.

Finally had a chance to watch through it. Just some notes I made:

  • Using Firewall only, HIPS disabled, Cloud Lookup disabled initially until the containment alert popped up and then re-enabled.
  • Disabled Windows Defender fully but that’s all fine. Also disabled UAC.
  • Using 7zip, but you don’t need 7z with Windows 11, it handles all types. 7Zip excluded from containment to work. 7Zip run as Administrator.
  • StarRail is a GitHub game file. What is StarRail.exe?
  • DLL detected by Xcitium on VT, both in the test on VT from 11 months ago and the current one from 4 days ago.
  • DLL rated as malware on comodo verdict.valkyrie
  • Another example of DLL hijacking.

Part of me initially thought it related to the .7z extension, as Antivirus only unpacks .exe & .jar by default.

Kept removing it from the file rating list and then clicked block, but I don’t understand why it wasn’t contained when it ran again, though it might have been the cloud verdict for the executable. Odd that cloud didn’t pick up the DLL as malware given that there’s a signature for it. Certainly a flaw with this DLL hijacking where they disabled that protection feature for FPs. I wonder if there’s a workaround, but I’m rusty with HIPS rules.
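As an added example that is not part of this thread, of Comodo's software or of the tester's files: the pattern the notes above describe (a program loading a DLL that is not validly signed from a directory a standard user can write to, rather than from the Windows system directories) is something a defender can look for in image-load telemetry independently of any one product. The script below runs that check over constructed Sysmon Event ID 7 (Image loaded) style records; the `Key=Value;Key=Value` record layout, the directory lists, the process and DLL names are all assumptions made for the example, not data from the thread.

```python
"""Flag DLL loads that match the 'trusted program loads untrusted DLL' pattern.

Added example: operates on constructed records shaped after Sysmon Event ID 7
fields (Image, ImageLoaded, Signed, SignatureStatus). Nothing here is real
telemetry or real product logic.
"""
from dataclasses import dataclass
from pathlib import PureWindowsPath
from typing import List, Optional, Tuple

# Directories where the OS keeps its own DLLs; loads from here are out of scope
# for this heuristic (assumed list, not exhaustive).
SYSTEM_DLL_DIRS = (r"C:\Windows\System32", r"C:\Windows\SysWOW64", r"C:\Windows\WinSxS")

# Locations a standard user can normally write to (assumed list, not exhaustive).
USER_WRITABLE_DIRS = (r"C:\Users", r"C:\Temp", r"C:\ProgramData")


@dataclass(frozen=True)
class ImageLoad:
    process: str           # Sysmon "Image": the executable doing the load
    image_loaded: str      # Sysmon "ImageLoaded": path of the DLL
    signed: bool           # Sysmon "Signed"
    signature_status: str  # Sysmon "SignatureStatus", e.g. Valid / Unavailable


def parse_record(line: str) -> ImageLoad:
    """Parse one constructed 'Key=Value;Key=Value' record into an ImageLoad."""
    fields = dict(part.split("=", 1) for part in line.strip().split(";"))
    return ImageLoad(
        process=fields["Image"],
        image_loaded=fields["ImageLoaded"],
        signed=fields["Signed"].strip().lower() == "true",
        signature_status=fields["SignatureStatus"].strip(),
    )


def _under(path: str, roots) -> bool:
    """True if path lies below any of the given root directories (case-insensitive)."""
    p = PureWindowsPath(path)
    return any(PureWindowsPath(root) in p.parents for root in roots)


def classify(event: ImageLoad) -> Optional[str]:
    """Return a severity label for a suspicious DLL load, or None if uninteresting."""
    dll = PureWindowsPath(event.image_loaded)
    if dll.suffix.lower() != ".dll":
        return None
    if _under(event.image_loaded, SYSTEM_DLL_DIRS):
        return None  # OS-owned location: not a sideload candidate here
    if event.signed and event.signature_status.lower() == "valid":
        return None  # validly signed DLL: low interest for this check
    same_dir = dll.parent == PureWindowsPath(event.process).parent
    writable = _under(event.image_loaded, USER_WRITABLE_DIRS)
    if same_dir and writable:
        return "high: unsigned DLL beside the executable in a user-writable directory"
    if writable:
        return "medium: unsigned DLL loaded from a user-writable directory"
    return "low: unsigned DLL loaded from outside the system directories"


def scan_image_loads(lines: List[str]) -> List[Tuple[str, str, str]]:
    """Run classify() over every record and collect (process, dll, label) findings."""
    findings = []
    for line in lines:
        event = parse_record(line)
        label = classify(event)
        if label is not None:
            findings.append((event.process, event.image_loaded, label))
    return findings


# Constructed sample records (not real telemetry); names are illustrative only.
SAMPLE_LOG = [
    r"Image=C:\Users\alice\Downloads\StarRail\StarRail.exe;ImageLoaded=C:\Users\alice\Downloads\StarRail\helper.dll;Signed=false;SignatureStatus=Unavailable",
    r"Image=C:\Users\alice\Downloads\StarRail\StarRail.exe;ImageLoaded=C:\Windows\System32\kernel32.dll;Signed=true;SignatureStatus=Valid",
    r"Image=C:\Program Files\7-Zip\7zFM.exe;ImageLoaded=C:\Program Files\7-Zip\7z.dll;Signed=true;SignatureStatus=Valid",
    r"Image=C:\Program Files\Example\app.exe;ImageLoaded=C:\ProgramData\Example\plugin.dll;Signed=false;SignatureStatus=Unavailable",
]

if __name__ == "__main__":
    for process, dll, label in scan_image_loads(SAMPLE_LOG):
        print(f"{label}\n  process: {process}\n  dll:     {dll}")
```

On the sample input only the two unsigned loads are reported: the DLL sitting next to the downloaded executable scores high, and the unsigned plugin loaded from ProgramData by a program installed elsewhere scores medium; the signed system and vendor DLLs are skipped. In a real deployment the two directory lists would be generated from the host rather than typed in, and the record parser replaced by whatever exports the Sysmon events.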

Hello guys. I'm VitãoTub.

If you guys need some more testing, just say what should be tested, like configurations, etc.

As explained on the live, I can't share the files as Loyisa didn't allow me to do so. I'm trying to contact her (or him) but with no luck. If anyone has her contact, please provide it, or show her the video/live or this topic.

1 Like