For the past year, I’ve been tight with Comodo Internet Security Pro. I have it on just about every box I own, including my wife’s computer and my parents’ computers. It’s done a fairly good job so far and has some well-rounded features (stateful antivirus for better performance, behavior-based protection, auto-sandboxing of new and untrusted apps, a comprehensive default list of trusted software publishers, a firewall, etc…). Like pretty much all security software, it does the whole “Do you want to allow X to do Y?” messages that are sometimes cryptic, but the “Trusted Vendors” list keeps those messages to a minimum, which makes it a good option for keeping my less-technical parents safe.
Real-World Example of Ass-Saving
I don’t have a lot of risky behavior online and I keep Java and Flash patched, but I do get a LOT of spam, many of which are laden with viruses. I know that all it takes is a thoughtless double-click to open something I didn’t intend to open and be flooded with additional malware. After about a year of virtually no incidents, that’s exactly what I did two days ago. I was sorting all the junk into the spam folder and had one of those moments where the computer freezes up for just a few seconds but “remembers” your mouse clicks, so I ended up opening a CLEARLY malicious executable on a spam message.
I saw an AutoIt (a generic automation / macro package that’s frequently used for malware) icon appear in my system tray and in a panic, right-clicked it and chose “Exit” in the context menu. The icon went away, and for about 3 hours, I was in panic mode, reviewing every process, running Security Task Manager, checking Process Monitor for any strange disk activity, and so on, but nothing seemed strange, which was strange in itself. Comodo had not thrown up any warnings about anything, so I opened it up and saw that it had detected the unsigned application’s attempt to execute and had sandboxed, effectively neutering it.
Interestingly enough, it didn’t detect any viruses (probably because it was a packed executable / trojan dropper), even when I saved the file separately and ran it through the scanner. I then ran the file through VirusTotal and only a dozen or so of the scanners picked up anything wrong with it (including Kaspersky, which may be my next choice for 2016 protection, given its high detection ratios).
I grabbed a few more virus samples from my spam folder and ran them all through Comodo’s antivirus, and it didn’t pick up ANY of them, although virtually all of them were detected by other scanners in the VirusTotal results, several of them Locky variants of ransomware installers. I submitted each of them to Comodo, and the next day, I got a Comodo definition update that detected the files.
So on the bright side, the auto-sandboxing feature is likely to be effective against many zero-day threats, but I don’t like that Comodo didn’t at least RECOGNIZE the various pieces of malware, and I really don’t want to be the person that’s blazing the way for Comodo’s definition updates.
Trusted Vendors and Auto-Sandboxing = Bane of Software Developers
Given that I develop a lot of software and I don’t normally digitally sign any of the executables, Comodo ends up auto-sandboxing my programs every time I update them, which is REALLY annoying (it’s only a good thing when it sandboxes BAD programs). Each time, I have to open up a new options window, change the file to “Trusted” and click on OK, which takes a good 15-20 seconds before it saves, and then I have to restart my program. So I figured I would simply use my own certificate authority to generate a code-signing certificate and I’d add it to the “Trusted Vendors” list in the Comodo program (they have a feature to do this).
Apparently, that process is just broken and HAS been for years (based on what I’ve seen in the Comodo forums). So even after I added a completely legitimate digital signature to my application, Comodo still didn’t recognize it as a signed executable.
Comodo has a “GeekBuddy” live support option and a community forum (with the WORST Captcha implementation EVER – I’m surprised ANYONE was able to register), so I asked their “GeekBuddy” reps about it. I ended up getting canned, moronic responses. Here’s the gist of the entire conversation (leaving out stuff like account verification):
01:13:15 AM client : Every time I try to add the file to the trusted vendors list, it says it’s an invalid file
01:14:51 AM Derrick : Thank you, please give me a moment to check your account information..
01:15:45 AM Derrick : In the comodo settings under file rating please add the files to trusted
01:18:30 AM Derrick : I understand that you need help in adding file in comodo as trusted. Do not worry, I am here to help.
01:23:35 AM Derrick : Please wait
01:27:15 AM Derrick : Please send an email to email@example.com so that they will analye the file and they will add the file to trusted
… <ensuing explanation that it signed via my personal CA, not a public CA, but he doesn’t seem to understand> …
01:27:54 AM client : I just want my own digital signature only on this computer to be recognized by Comodo
01:28:58 AM Derrick : Thats will not be possible
01:29:35 AM client : why not? The certificate is trusted on my computer
01:29:51 AM Derrick : Thats the only option can be done (referring to sending in my application via email)
01:32:12 AM Derrick : See if it does not digital signature you will not be able to add the file
01:32:19 AM client : it does have a digital signature
01:32:23 AM client : I can show you the digital signature
01:32:44 AM client : you can see it on my screen right now (screen-sharing session)
01:33:30 AM Derrick : Send the file to that email so comodo will analyze will add the file to trusted …
01:34:57 AM client : I am supposed to be able to add a digitally-signed executable to the trusted vendor list, right?
01:35:36 AM Derrick : But the file says its not digitally signed
01:35:43 AM client : it IS digitally signed
01:35:49 AM client : look at my screen
01:35:58 AM client : the digital signature is on my screen right now
<at this point, he takes control and looks at the digital signature dialog box and fumbles around, at one point clicking on the Install Certificate button, pausing, and then backing out of it, and then abruptly stops>
01:39:10 AM Derrick : Please stay connected let me transfer you to one of my technician since my shift has ended
His shift ended at 1:39 AM? At this point, Derrick just abruptly disconnects and I’m connected to a different agent, Ken.
01:39:30 AM client : really?
01:39:35 AM Ken : Welcome! This is your buddy Ken. I will be assisting you today!
01:39:59 AM client : Hi Ken …
01:40:58 AM client : I have a digitally-signed executable
01:41:13 AM client : the signature comes from an internal certificate / internal CA
01:41:22 AM client : my computer has all the proper trusts set up
01:41:40 AM client : but when I try to add the executable to the Trusted Vendor list, it says it is not a valid signed executable
01:41:59 AM Ken : I understand that
01:42:05 AM client : I have the digital signature window up on my screen
01:42:36 AM Ken : I do understand this, you need to send this file to us, our developers will validate this file
At this point, I just gave up, but that’s what you can expect from Comodo’s GeekBuddy service. Not really impressive.
To be fair, there are a variety of ways of classifying certain folders as “trusted” so I could theoretically add a folder for each of my programs, but that’s just a pain and doesn’t really make a whole lot of sense when there’s a feature that would work better IF it worked as it should. Unfortunately, the folder-trusting mechanism isn’t recursive, so it won’t automatically trust files that are in sub-folders. Most developers are aware that development work often leads to elaborate folder structures for projects, compiled output, source control, etc…
Plus, if malware got its way into one of those folders, then it would incorrectly be trusted, which would be a Really Bad Thing. So relying on digital signatures is far better, but only if it actually lets you import your own.
The Final Word
The auto-sandboxing thing is really great for protecting everyday users, since those users are less likely to stay updated. That alone makes this product great for a lot of people. However, if you’re a more technical user (e.g. software developer, or a person that runs a lot of unsigned tools), CIS might make things harder than you need them to be.
Based on various reviews, I’ll be trying WebRoot’s SecureAnywhere next (seems effective and lightweight since it’s based on behavior), along with Kaspersky (which I’ve tried before, but we’ll see if it’s made any good progress in the past few years).