Comodo Security Not Detecting New MS 0-Day

See the thread here regarding the threat

I downloaded the malware sample to an endpoint running Comodo Client Security, fully updated. It doesn’t detect the sample as a threat and when I manual scan it says its clean. When turning on Windows Defender the file is detected right away and removed.

This is a concern that CCS is not detecting this potential threat even with updated definitions.

Did you open and ran the file and it was not run in containment?

No I was merely testing signature detection/real-time protection since execution is not required with this 0-day, just having Explorer file preview open is enough to trigger the exploit:

Im just surprised since this seems to be getting a lot of attention and yet Comodo has no basic signature or real-time capability yet to detect these malicious payloads prior to execution.

Remember with Comodo prevention is first, all unknown files are auto contained until there is a good or bad verdict.

I am hoping to build or get a script that deletes the ms-msdt registry key . Can someone help create this script? I have one I think might work. Can I post it here for your review?

Yes the best way to prevent an infection is to make sure your real-time protection can detect malicious code prior to it needing to executed. Containment is a great fail-safe, but no excuse to lack normal detections on a well reported 0-day especially with built in ‘free’ windows defender is detecting and quarantine them. Also will Comodo even intervene if we are talking Explorer preview pane, previewing the infected document? I don’t know I haven’t tested that, but I don’t recall Comodo running containment when previewing normal word docs in Explorer.

this is what I came up with according to MS site:

command1=r’reg export HKEY_CLASSES_ROOT\ms-msdt C:\ms-msdt_backup.reg’
command2=r’reg delete HKEY_CLASSES_ROOT\ms-msdt /f’
import ctypes
from subprocess import PIPE, Popen
def ecmd(command):
class disable_file_system_redirection:
_disable = ctypes.windll.kernel32.Wow64DisableWow64FsRedirect ion
_revert = ctypes.windll.kernel32.Wow64RevertWow64FsRedirecti on
def enter(self):
self.old_value = ctypes.c_long()
self.success = self._disable(ctypes.byref(self.old_value))
def exit(self, type, value, traceback):
if self.success:
with disable_file_system_redirection():
obj = Popen(command, shell = True, stdout = PIPE, stderr = PIPE)
out, err = obj.communicate()
if ret==0:
if out:
return out.strip()
return ret
if err:
return err.strip()
return ret
print ecmd(command1)
print ecmd(command2)

Hi @minntech,

Thanks for taking the time to share your script to help other customers.

Kind Regards,