I also released a new version of AntivirusDefender with a Comodo bypass which puts the computer into recovery mode, but you can destroy the computer instead of creating a new service. GitHub - Siradankullanici/AntivirusDefender: Very Destructive Batch File Source Code (old code with bootkits). AntivirusDefender 2.1, now 3.2, is available; look at antivirusdefender11.7z.
Bravo for your excellent work and your perseverance.
Try to rally people around you.
You could consider replacing Comodo CIS in Open Source mode, and everyone would be happy!
So with this fix there's no need to disable UAC anymore?
That's correct. The update solved this issue.
The problem that still exists in this poc is that if you disable ANTIVIRUS and HIPs, containment cannot be secured, and the ransomware continues to encrypt all files.
Dear New_Style_xd, if you can go into more detail: "in more detail"
There's not much to explain; what the Comodo team did was just block the DLL for this POC.
The problem is that if you disable the antivirus and HIPS, this problem still persists. There are videos on YouTube showing that the exe file was created and executed this DLL with CIS's antivirus and HIPS modules disabled, thus leaving only CONTAINMENT working, and the Comodo containment fails.
What the Comodo team did was just block this malware in the cloud. It didn't solve the problem with the containment.
There are videos on YouTube showing this, videos made recently.
And if I have all the security features enabled: HIPS, Viruscope, Comodo Antivirus, Firewall, Auto Container, then what?
I always have everything on and the settings are as high as possible.
There are people who only use Comodo's Firewall with containment. That's why it needs to be fixed.
Since COMODOās product has good containment, it fails in this POC.
If you disable any element of any antivirus product, you are leaving yourself vulnerable. What would happen if you disabled key features of other AVs, e.g. Eset's HIPS or the behaviour protection of Bitdefender? You won't get full protection, just like you wouldn't with CIS/CFW if you disable security features. The rule of thumb here is to take these tests with a pinch of salt if they are disabling features or lowering security settings. As Cruelsister has stated many times, CFW works best when you don't mess with it beyond her recommended tweaks.
I understand everything you said.
But Comodo's self-containment test fails with this POC, since Comodo's product is known for its self-containment.
Unfortunately, it fails.
If this is about the original "POC" at the top of this thread, then please note that Comodo 8162 does not fail in any way. The text box does not drop, and Comodo is never disabled. Also the other files on this thread (HydraDragon and Rmibab111a) are also contained without system changes.
I even dumbed things down and just used Containment at the default Partially Limited level.
They're back to barking, but thanks for proving them wrong once again.
For me, the answer is simple: Then you, or rather, I've been protected. I'm not surprised that some users have to deal with malware, Trojans, etc.
Dear prodex, I respect your opinion and completely agree with it!!!
Actually this is very AV specific.
Leo from the PC Security Channel (YouTube) and some experts on his Discord channel tested it for a few AVs to assess behavioral / 0-Day / Exploit protection that does not rely on signatures.
BitDefender does the best and blocked the malware at its roots.
Kaspersky is slightly behind, because it restored encrypted files by reverting an encryption already in progress (if I understood well what happened in the video) before blocking everything.
Eset is unbelievably bad because all modules rely on each other, so if you disable one, the others do not work, and nothing tells you that.
Sophos relies mostly on mitigation and ASR rules (I may be wrong on this one).
I would rather trust an AV with better behavioral detection than one that's signature based; otherwise Windows Defender would have been the best AV out there, as they literally have billions more samples / metadata than the second-best AV has.
Still, its behavioral engine is one of the worst.
Greetings Angelarme. What about COMODO, what is your conclusion?
I don't like his testing methodology for a number of reasons, but pick what works for you. Comodo has very little to do with AV as it's a firewall, a blocker and container of unknown files, where they are blocked or contained until trusted by Comodo following analysis (true 0-day). Its analysis tools, e.g. Valkyrie, check a file including its behaviour before it's allowed. The AV element is just to identify what it has signatures for, but it is not the front-end protection like in other products.
Emsisoft was a favourite of mine for awhile and that has decent behaviour detection.
My question, though, is this: how long does an infection have to take place before the behaviour is picked up, and in the meantime it's downloaded a payload, executed a simple cmd script and gained read/write permission to an ambiguous folder? In all likelihood it's probably not going to get that far, but I'd rather have something contained without infecting my system before it's vetted and safe to run. MD is actually pretty top notch in detection, including behaviour analysis, though much improved if you tweak it some. I still find it funny that you have to whitelist Leo's python script to run the automated malware test though.
Whatās MD?
I'm also not taking his methodology for granted, and he is deliberately orienting things at some points, but unfortunately sources are few, and his seem to bring out much of the difference in AV results among tests.
I like how Comodo operates and its prevention approach, so everything is already picked on my side