Malware bypasses Defence+ easily without alerts

So you believe that Clipper and winprefs were able to run without an alert? By the way, winprefs is run from the temp folder when test14 and winpre are executed, and all the files are detected. You may want to check your temp files for confirmation, though, and if it runs without any alert, isn't it a bypass then?

Yeah, true, the file deletevolume hides the partition from Windows Explorer, but did you get any alert when it did that?

Here is the leaktest that does the same; Comodo is not able to prevent that.

The idea with using the sandbox is that you shouldn’t get any alerts for actions. Either the file is allowed to perform an action or it’s blocked. There is no user interaction.

In the sandbox, files are allowed to be dropped to certain folders. I would only consider it a bypass if changes were made to the system or the files were still running after a restart.

Can someone please correct me if I’m wrong.

I tested this "leaktest" myself. All my partitions except C: were gone without a single move from CIS (I use Panda Cloud AV and it detected the malware). Very nasty program to accidentally pop into!

Comodo successfully blocked/sandboxed all 4 malwares you sent me.

No harm has been done here: Windows XP SP3.

Quite many of these new D+/Sandbox problems seem to happen only in Win 7 64-bit.

It's important whether "Enable enhanced protection mode" is enabled or not under x64.

Yes, I'm aware that the AV should never be the first line of defense, but if you actually read my post I said that Comodo is always working to improve ALL aspects of CIS. I don't know where you thought I said the AV is the most important. Since they do have an AV component, they might as well make it as good as they can. The point of the AV detecting stuff is to remove it because it is malicious. If the user downloads a file and it is known to be bad, it should be removed; if it's unknown, the sandbox will isolate it.

Yes, I know this; I never said they weren't working on the cloud. All I said was that they are improving everything, including the AV.

No matter what people say, no security suite will be 100%, so it's good when people find holes so Comodo can fix them.

On my machine this advanced security made no difference; only "detect installers" helped, but deletevolume did bypass D+ without any action from CIS (the D+ part).

No, that's not the cause of the problem; you should read the link below for a better understanding of this problem.

I don't know why the above link was moved to the help section. That is a CRITICAL bug, not someone who doesn't understand how to use/configure D+.

We have confirmation of them working on the Cloud AV, but no confirmation of the fixes we are mentioning.
There are no fixes for many bypasses. This should be the priority, instead of working on the Cloud AV.

But well, it's not my responsibility, because COMODO is not my company.

I'm just saying...

Agree. Some x64 systems (mine included) seem to be totally unprotected at times by D+ and the sandbox?

I didn't see any problems. Everything is sandboxed and protected. Unless, of course, what you think you are reporting and the links you submitted are different.

You can upload the samples you tested and let me test.

Yes, sure, why not; I will PM you the download link.

Same here.

This should be a priority.

Did anyone check? Since the file also creates a startup entry from the temp folder, try restarting your system and see if there is a startup entry or not.
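As an added example, not part of the original thread and not Comodo's code, here is the check the post above asks for, which is also the bypass criterion an earlier post proposed (changes that survive a restart). It runs from an elevated PowerShell prompt after the reboot, lists the standard Run/RunOnce keys and Startup folders, and flags any autorun command whose path points into a temp directory. The registry paths and folder names are the documented Windows ones; the temp-path patterns are my assumption about where a dropped file would sit.

```powershell
# Added example: post-reboot persistence check for a sample that drops itself into
# %TEMP% and adds an autorun entry. Not from the original forum post.

# Standard autorun registry keys; the Wow6432Node key is the 32-bit view on x64 Windows,
# where most of the reports in this thread come from.
$runKeys = @(
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKLM:\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run'
)

# Assumed locations a dropped file would be launched from (regex, case-insensitive).
$tempPatterns = @(
    [regex]::Escape($env:TEMP),
    [regex]::Escape((Join-Path $env:LOCALAPPDATA 'Temp')),
    [regex]::Escape((Join-Path $env:windir 'Temp')),
    '%TEMP%',
    '%TMP%'
)

# Metadata properties Get-ItemProperty adds to every result; these are not Run values.
$psMeta = @('PSPath', 'PSParentPath', 'PSChildName', 'PSDrive', 'PSProvider')

function Get-AutorunEntries {
    foreach ($key in $runKeys) {
        if (-not (Test-Path $key)) { continue }
        $props = Get-ItemProperty -Path $key
        foreach ($p in $props.PSObject.Properties) {
            if ($psMeta -contains $p.Name) { continue }
            $cmd = [string]$p.Value
            $fromTemp = $false
            foreach ($pat in $tempPatterns) {
                if ($cmd -imatch $pat) { $fromTemp = $true; break }
            }
            New-Object PSObject -Property @{
                Key      = $key
                Name     = $p.Name
                Command  = $cmd
                FromTemp = $fromTemp   # $true is the "startup entry from temp folder" case
            }
        }
    }
}

Write-Host '--- Registry autorun entries (FromTemp = True is the suspicious case) ---'
Get-AutorunEntries | Sort-Object FromTemp -Descending | Format-Table FromTemp, Name, Command -AutoSize

Write-Host '--- Startup folder contents (per-user and all-users) ---'
$startupDirs = @(
    [Environment]::GetFolderPath('Startup'),
    [Environment]::GetFolderPath('CommonStartup')
)
Get-ChildItem -Path $startupDirs -Force -ErrorAction SilentlyContinue |
    Select-Object FullName, LastWriteTime

Write-Host '--- Executable content still present in %TEMP% after the reboot ---'
Get-ChildItem -Path $env:TEMP -Include *.exe, *.dll, *.bat, *.vbs -Recurse -Force -ErrorAction SilentlyContinue |
    Select-Object FullName, Length, LastWriteTime
```

If an entry shows FromTemp = True, or the dropped executable is still in %TEMP% and listed in a Startup folder after the reboot, the sample has persisted on the real system rather than only inside the sandbox, which is the distinction the thread is arguing about. Scheduled tasks and services are other autorun locations not covered here; Sysinternals Autoruns enumerates those as well.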

I am trying to make a video of it as soon as possible to show how it bypasses security on Windows x64 on a real computer, not VMware.
I now think that Windows XP is more secure than Windows 7, because I tested it on Windows XP (VMware) and it all got sandboxed, but the files still got copied to the temp folder and the startup entry was also created and still existed after a reboot.

Are you saying that the trick of unticking “detect installers” works for you too?

It has helped so far to get D+ back in line again, but this deletevolumes could do whatever it wanted freely. All my AV programs were disabled.

Would you please state clearly what the real issues are in your case?
1. D+ is not functioning properly on your Win7 x64 computer (hence many malwares can infect your PC but not another PC with a normally functioning D+).
2. D+ is functioning properly but the malware samples are still able to bypass D+ and infect your PC.
3. Both.

I find people mixing up the discussion here.

For case 1, tests should be done mainly on D+ on Win7 x64 PCs (not on the malware samples) to improve the stability of D+ for Win7 x64. It will prove nothing to try out the samples on a PC with a normally functioning D+.

For case 2, tests should be done on the specific malware samples to investigate how they bypass D+.

For case 3, I suggest splitting this into two posts, one for case 1 and one for case 2, so that efforts can be spent in the right directions.

In my case it must be 1. All executables, including malware, are treated as safe and not restricted. And I saw at least one was treated like an installer, maybe all.