Author Topic: How Do I stop.. this ...  (Read 217 times)

Offline DePhoegon

  • Newbie
  • *
  • Posts: 6
How Do I stop.. this ...
« on: December 13, 2017, 03:49:24 PM »
I'm having a hell of a time with Comodo doing the temporary scripts.
I can't seem to whitelist it ANYWHERE in the settings to prevent it, and the logic here is blowing my mind.. in the .. ... 'frustrating ways'
Example 
I use scripts to automate moving and naming a load of WTV files around.

Here is my script
------
@echo off
setlocal

set Fo=C:\wmcTEMP\
set Fi=*.wtv
set Fd=E:\wmc2

REM Skip the transfer while the tuner still holds the folder.
if EXIST %Fo%In_Use_By_DEL-CABLECARD.txt ( Goto INUSE )

for %%a in (%Fo%%Fi%) do (
REM A "::" comment inside a parenthesised block breaks cmd.exe; REM is safe here.
REM echo Copying, Verifying, Moving %%a
powershell.exe -file Base.ps1 "%%a" %Fd%
cls
)
Goto:EOF
:INUSE
echo Transfer In Use
pause
Goto:EOF
-----------------

Now.. the crazy part: I've trusted both that *.bat file & the Base.ps1 file, have Windows protect every folder that holds the WTV files (so that not even Comodo can access them), and allowed access to that bat file (and 2 others)... 

What's in the temporary script...  (this is the part that when I looked.. blew my mind and I am honestly VERY lost as to how the hell to stop it from doing something this stupid)
-------
Base.ps1 "C:\wmcTEMP\Teen Titans_TOONH_2017_12_13_06_57_00.wtv" E:\wmc2
----------

It has no problem ..  with the custom .ps1 file.. whatsoever.  It dives into files, reads deeply embedded metadata, writes into protected folders, changes the system date & time ... 

How do I stop it from .. basically creating a script to call the exact same PS1 file I was going to call, and allow the bat file to use established permissions, instead of having to REDO THEM WITH EVERY SINGLE FILE, because...  it literally creates a new temp script each pass through... & ..  if it's not too obvious...  I tend to go through.. A LOT of them.

Offline umesh

  • Administrator
  • Comodo's Hero
  • *****
  • Posts: 2756
    • COMODO
Re: How Do I stop.. this ...
« Reply #1 on: December 13, 2017, 04:01:35 PM »
Hi DePhoegon,
Sorry about that experience.

This is due to the protection against file-less malware feature.
It creates a temporary file out of every distinct command passed to powershell.

Yes, this feature is a bit frustrating for cases where an application could be running for genuine reasons; we are going to make it more intelligent in the next CCAV release and will then port the same solution to CIS in subsequent releases.

For now, if you want to get rid of it, please de-select the "Embedded Code Detection" option against powershell.exe as shown in the enclosed snap.
You can access the above option via: Settings-->Advanced Protection-->Miscellaneous-->"Do heuristic command-line...." related "certain applications"

It will lower security for exploits based on powershell, so over to you.

We will be solving it, please bear with us.

Thanks
-umesh
We can't stop malware entering user's PC but we render them use-less when they enter PC: Welcome to Comodo's Default Deny innovation

Offline DePhoegon

  • Newbie
  • *
  • Posts: 6
Re: How Do I stop.. this ...
« Reply #2 on: December 13, 2017, 04:20:26 PM »
....  ..... 

Please .. understand me when I ask this..   How in the world ... How in the world.. do I CALL for a PS1 file... without itself being a script that's caught?   

I may not understand advanced coding & all that.. but, this is busting my brain how calling for a ps1 file hasn't been given a method of ignoring.

Perhaps.. Maybe...  Just perhaps...   

Create exclusions based on patterned inputs, that can utilize pattern matching like "Powershell -file *" & then suddenly allow the in-depth scanning for malicious intent there. 

I'm a noob.. I know I am.. but This truly looks like an oversight X.x

I'll do what ya suggested (mostly because I can sign my ps1 files, and restrict powershell to execute only certain signed files matching a signature)...   


My Head hurts.  I hope you understand why.

Offline umesh

  • Administrator
  • Comodo's Hero
  • *****
  • Posts: 2756
    • COMODO
Re: How Do I stop.. this ...
« Reply #3 on: December 13, 2017, 06:02:03 PM »
There are two things:
1. Executing a Script:
You can mark a script file as safe and pass that as a command line argument and you won't get an alert, as the whole file is treated as safe. e.g. you can have a set of DOS commands inside a batch file, mark it safe and execute it; you won't get an alert.

2. Passing Command Line Params:
You are passing certain commands to an interpreter, in your case powershell; considering an exploit can also call powershell with certain commands, it becomes a suspicious case. At the moment we don't analyze the contents of the file.

In your case, you have a batch file; even if you mark it safe, you won't see sandboxing of the batch file, but it is using powershell with variable commands passed to it. So even though the batch file is safe, it is using another application and passing commands to it. As you know, batch files are processed one line at a time, so unless you analyze the contents of the file, you don't know the source; they simply end up being seen as isolated executions with variable commands.

So you have a mixed situation: a batch file that uses powershell with variable command line options. Unless we analyze file contents and control execution based on that, you will see the problem.

Yes, it's not very intelligent at the moment, but we are working on improving it further.

Thanks
-umesh

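umesh's point is that the batch file hands powershell.exe a different command line for every .wtv file, so each pass is a new "distinct command" and gets its own temporary script. An added example (not DePhoegon's Base.ps1, whose contents are not in the thread, and not Comodo's code): move the per-file loop into the .ps1 itself so the batch file runs powershell.exe with one fixed command line, and combine that with the script signing DePhoegon mentions. The script name MoveWtv.ps1, the copy-verify-move logic and the hash check are assumptions.

```powershell
# Hypothetical replacement for Base.ps1: the batch file calls it once, with no
# per-file arguments, e.g. (assumed batch line):
#   powershell.exe -ExecutionPolicy AllSigned -File MoveWtv.ps1
# Signing the file with Set-AuthenticodeSignature lets AllSigned refuse any
# unsigned or tampered script, which is the restriction DePhoegon proposes.
param(
    [string]$Source      = 'C:\wmcTEMP',   # Fo in the batch script
    [string]$Destination = 'E:\wmc2',      # Fd in the batch script
    [string]$Filter      = '*.wtv'         # Fi in the batch script
)

# Honour the same lock-file convention the batch script checks.
if (Test-Path (Join-Path $Source 'In_Use_By_DEL-CABLECARD.txt')) {
    Write-Host 'Transfer In Use'
    exit 1
}

if (-not (Test-Path $Destination)) {
    New-Item -ItemType Directory -Path $Destination | Out-Null
}

foreach ($file in Get-ChildItem -Path $Source -Filter $Filter -File) {
    $target = Join-Path $Destination $file.Name
    Write-Host "Copying, verifying, moving $($file.Name)"

    # Copy first, then verify; the original is removed only when the
    # copy's SHA-256 matches, so a bad copy never loses the recording.
    Copy-Item -Path $file.FullName -Destination $target -ErrorAction Stop
    $srcHash = (Get-FileHash -Path $file.FullName -Algorithm SHA256).Hash
    $dstHash = (Get-FileHash -Path $target        -Algorithm SHA256).Hash

    if ($srcHash -eq $dstHash) {
        Remove-Item -Path $file.FullName
    } else {
        Write-Warning "Hash mismatch for $($file.Name); original kept in $Source"
        Remove-Item -Path $target -ErrorAction SilentlyContinue
    }
}
```

With the file list enumerated inside the script, the command line seen by the embedded-code heuristic is identical on every run, so the per-file temporary scripts disappear without turning the detection off for powershell.exe.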
