[Merged] Comodo Firewall seems to have let some malware through in this video

Look at 18:00
I say it again: Comodo should warn when an app wants to go into full screen mode!
BTW Comodo did a good job.
2 malware traces, 2 Temp files, 1 txt file, none of which pose any danger.
Only 1 .exe, and it wasn’t active in memory. (By Malwarebytes; other scanners found more ;D)

3 features which would improve CIS in fighting with malware:

1. “Terminate this process” task in D+/FW alerts.
2. Blocking full screen mode for unknown apps.
3. Detecting proxy, hosts (already does?), and other Net settings modifications.

Firewall being tested against malware… next, let’s test how a video converter application protects against malware.
On top of it, even the cloud service was crippled since the internet connection was deactivated. I’d like to see ANY firewall that can stop malware by itself. I mean, what did you expect anyway?

If you wanna test against malware, use the full package, or at least the part of it that was meant to catch them.

I think Comodo did a very good job …

It’s working only with the Firewall, no Internet access and no Antivirus! Vs 40 nasty malware samples! And nothing could compromise the system! :-TU

Yes, there were some dropped malware files, but all of them were isolated and couldn’t do any harm to the system, which is awesome.

If he wants to avoid the proxy changes , he must set his sandbox to Untrusted and try again. :-TU

Sorry to say this, but a Comodo reviewer has done a second test on v5.3 and it isn’t looking too good.
I think there’s a problem with the sandbox setting.

Yes, maybe there’s something not quite right with this latest version of CIS.

To be perfectly honest I wouldn’t know, as I don’t pit Comodo against 50-odd malware samples.
I’m lucky if I come across a dozen.
What I do know is that any malware I do come across is dealt with by Comodo.
The video is very unlike how Comodo should react.
It’s very strange in my opinion.
Perhaps there is a problem with the sandbox that has been overlooked.

We could assume that this particular reviewer has something personal against Comodo, but I think it wouldn’t make much sense.
I’ve sent some ■■■ through YouTube to other reviewers; let’s hope we’ll see other videos soon.

If it’s of any consequence, both of these videos are from the same reviewer.
The other tests I’ve seen have always been positive ones.
I’ve never seen a bad review of Comodo except for these two.
But he does show you his settings prior to the test.

In this case he should press the Block button, not the Sandbox button!

[attachment deleted by admin]

He, and most others, seem to forget the purpose of the sandbox (especially under Partially Limited). It is not meant to stop malware from dropping files onto your computer. This is allowed. Therefore scanning for malicious files on the computer doesn’t correctly test its effectiveness.

What it should be preventing, after a restart, is any malware running on your computer. Thus checking the running processes for malware would be a good test. KillSwitch could be used for this.

Another thing that shouldn’t be allowed to work are rootkits. Thus scanning for hidden files would be a good test. Finding a dropped file that is identified as a rootkit doesn’t mean that the sandbox failed because it likely wasn’t actually acting as a rootkit at the time.

Yes, I agree with you.
That’s exactly what I would have done.
Defence+ stated clearly there was malware activity.
To be honest, unless Comodo fails like this on a wider scale I wouldn’t worry about it.
It’s only one reviewer, and the other tests I’ve seen have been positive ones.

With CIS’ currently reported VB100 Proactive Rate of about 55%, and a Reactive Rate of about 62%, they brought a proverbial knife to a gun fight!

Unfortunately the video begs more questions than it answers. What were the precise strains of malware CIS was requested to mitigate?

You can’t hope their antivirus tool will mitigate all forms of malware and it’s apparent their Defense+ also needs much more maturity before it can effectively compete in the malware arena.

Perhaps the video best serves the theory that best-in-breed is still the answer for layered computer security protection.

This is from a post at the Malwarebytes forum.


Yep, you are right. Those files were in the system, but they had restricted rights, so they couldn’t do any harm. But the proxy settings were changed :slight_smile: And this annoying malware which blocks the desktop. (See my ideas above.)


Yep, there are still many things that Comodo needs to implement. Here are some others:

Add the ability to terminate all sandboxed files with one mouse click (posted here and here). One way of doing this is to put the option on the summary screen (“empty sandbox” button on summary screen). Also, it would be nice if CIS removed all files and registry keys that were dropped by a sandboxed file. Could you call routines from Comodo Time machine or CPM (if installed) to delete all traces of a sandboxed file and the traces it generates?

Sandboxed malware can make it impossible to use your computer and impossible to terminate the malware (because the malware runs the CPU at 100% or it goes full-screen and steals focus). It also makes it impossible to reboot (you must power down). To prevent this problem, CIS could institute the following options.

  • Empty sandbox (terminates all programs in sandbox and cleans out any files/registry entries that were dropped).
  • Suspend sandbox processes (halts them all from running or gives the sandbox minimal CPU usage)
  • Set limits on the CPU usage of the sandbox - have user predefined limit to the % CPU dedicated to the sandbox (posted here and here).

In the default config, proxy settings should not be changed. I haven’t seen it, but was this a “firewall only” test?
And with or without leak protection?

Great ideas! Exactly right!
Devs should review those ideas.

And I wrote about this here: https://forums.comodo.com/wishlist-cis/some-ideas-t63083.0.html;msg459624#msg459624

But are they running? That cannot be told from the results of every scanner.

But the proxy settings were changed :slight_smile: And this annoying malware which blocks the desktop. (See my ideas above.)

Firewall + D+ and automatic sandbox enabled (partially limited setting) in Proactive Mode.

Which files were actually running? I am familiar with MBAM and I only see dropped files sitting on the hd. There are no start up keys nor is there anything running in memory. In short nothing to worry about here.

With the results of Super Anti Spyware I only see dropped files and their accompanying prefetcher traces. There are no auto start keys nor is there anything indicating these files are running. Again nothing to worry about.

I am not familiar with Norton Power Eraser. Can anybody tell me if they can tell, by what the video shows, if these found executables are running in memory or just files sitting on the hd and if there are start up keys?

Similar questions for Hitman Pro as the tester did not open the details for each file.
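The questions in this post and in the earlier one about checking running processes come down to one triage step: for each file a scanner flags, is it actually running, does it have an autorun entry, or is it just a dormant dropped file? The script below is an added example, not code from the thread or from Comodo or Malwarebytes; the detection list, process image paths and Run-key entries are constructed samples, and on a real machine you would feed it the output of a process listing and the HKLM/HKCU `Run` keys instead.

```python
"""Triage scanner findings by activity rather than by file count.

Added example (not from the thread). Every input below is constructed sample
data; a real run would read the process list and the Run keys instead.
"""
from dataclasses import dataclass, field
import ntpath


@dataclass
class Finding:
    path: str
    running: bool = False
    autoruns: list = field(default_factory=list)

    @property
    def verdict(self) -> str:
        """ACTIVE = in memory now, PERSISTENT = will start on boot, DORMANT = neither."""
        if self.running and self.autoruns:
            return "ACTIVE+PERSISTENT"
        if self.running:
            return "ACTIVE"
        if self.autoruns:
            return "PERSISTENT"
        return "DORMANT"


def norm(path: str) -> str:
    """Windows paths are case-insensitive; normalise before comparing."""
    return ntpath.normpath(path).lower()


def extract_image(command: str) -> str:
    """Pull the executable out of a Run-key command line (quoted or not), dropping arguments."""
    command = command.strip()
    if command.startswith('"'):
        end = command.find('"', 1)
        return command[1:end] if end > 0 else command[1:]
    return command.split(" ")[0]


def triage(detections, running_images, autorun_entries):
    """Cross-reference flagged files against running images and autorun command lines."""
    running = {norm(p) for p in running_images}
    autorun_by_image = {}
    for name, cmd in autorun_entries.items():
        autorun_by_image.setdefault(norm(extract_image(cmd)), []).append(name)
    return [
        Finding(path, norm(path) in running, autorun_by_image.get(norm(path), []))
        for path in detections
    ]


# --- constructed sample data (hypothetical paths, not taken from the video) ---
SAMPLE_DETECTIONS = [
    r"C:\Users\tester\AppData\Local\Temp\svch0st.exe",
    r"C:\Users\tester\AppData\Roaming\updater.exe",
    r"C:\Users\tester\AppData\Local\Temp\dropper.tmp",
]
SAMPLE_RUNNING_IMAGES = [
    r"C:\Windows\System32\svchost.exe",
    r"C:\Users\Tester\AppData\Roaming\updater.exe",   # note differing case
]
SAMPLE_AUTORUNS = {  # value name -> command line, as found under a Run key
    "Updater": r'"C:\Users\tester\AppData\Roaming\updater.exe" /silent',
    "Loader": r"C:\Users\tester\AppData\Local\Temp\svch0st.exe -k",
    "OneDrive": r'"C:\Users\tester\AppData\Local\Microsoft\OneDrive\OneDrive.exe" /background',
}


def run_sample() -> dict:
    """Return {detected path: verdict} for the constructed sample."""
    return {f.path: f.verdict for f in triage(SAMPLE_DETECTIONS, SAMPLE_RUNNING_IMAGES, SAMPLE_AUTORUNS)}


if __name__ == "__main__":
    for path, verdict in run_sample().items():
        print(f"{verdict:18} {path}")
```

Only the ACTIVE and PERSISTENT rows deserve the "sandbox failed" label the reviewer applied to every hit; a DORMANT file sitting in Temp is exactly the outcome the Partially Limited sandbox is designed to allow.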

I’ve just made a test, on about 25 malware samples (from 14.01.2011, the newest package of malware).
1. Comodo was on ProActive configuration, Sandbox on Partially Limited.
2. I ran all those malware samples… just clicked the Sandbox button, and for other alerts Block (e.g. access to a protected COM interface or registry key).
3. I didn’t reboot the PC… I run Shadow Defender, and if I did that I would lose all test results…
4. I cleaned the “unrecognized files” (marked all files in this section and hit “Delete files”). [PLEASE!! Add “Empty the sandbox” or something to do this; it would clean all possible malware files]
5. I checked the VirtualRoot folder; it was empty.
6. I ran an ultra-fast spyware scan; Comodo didn’t find anything.
7. I ran a scan with MBAM; pretty good results (the PC wasn’t infected at all :P)
8. I ran a scan with Hitman Pro; it didn’t find anything except a few tracking cookies.

Comodo :Comodo110:

Sorry for language mistakes… I don’t have time for a translator or dictionary >:-D

[attachment deleted by admin]

I did the same test… with 17 newer malware samples…
I removed all of the unrecognized files, scanned with Comodo, and then ran a scan with tools.
Hitman didn’t find anything.

[attachment deleted by admin]