A method for alerting a user when Defense+ is disabled

Issue: You disable Defense+, perhaps while installing software, and forget to enable Defense+ again, thus losing your Defense+ protection.
Resolution: use the method presented here.

Steps:

  1. Using Windows Explorer, copy c:\windows\system32\write.exe to c:\windows\CISMsg.exe.
  2. Create file c:\windows\CISMsg.txt. Put your custom message in this file that will be displayed whenever Defense+ is disabled, such as “Defense+ is disabled.”
  3. Create a task that runs the program c:\windows\CISMsg.exe every 5 minutes, using c:\windows\CISMsg.txt as its argument (parameter). When this task is run, a window is displayed showing the custom message from step 2.
    3a) If using Vista or Windows 7, you can use Task Scheduler to create this task. Use the trigger ‘At log on’. Choose option ‘Any user’. Repeat the task every 5 minutes, Indefinitely. On the Conditions tab, uncheck ‘Start the task only if the computer is on AC power’.
    3b) If using XP, you can use the free System Scheduler from http://www.splinterware.com/download/index.htm to schedule the task to run every 5 minutes. I believe that you’ll have to schedule the task separately in every account that you wish this task to run.
  4. Log out and back in. Test that the message does appear every 5 minutes in every account that you care about.
  5. In CIS, go to Computer Security Policy. If there is no policy for file group All Applications present, add it. Make sure that this policy appears first in the list of policies, so that it’s enforced first.
  6. Edit the All Applications policy. Go to Access Rights → Modify (the one next to ‘Run an executable’) → Blocked Applications → Add → Browse. Add c:\windows\CISMsg.exe to the list, then press Apply → Ok → Apply → Apply → Apply.

When Defense+ is not disabled, the custom message should be blocked from being displayed by Defense+. When Defense+ is disabled, the custom message should be displayed within 5 minutes, alerting you that Defense+ is disabled :).
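An added example (mine, not part of the post above) that performs steps 1 to 3 from a command prompt instead of by hand, using only tools built into Windows. The file paths are the ones given in the post; the task name "CISMsg" is my assumption. It registers the task for the account that runs it only, so it has to be run once in every account that should get the reminder, which is also what the XP remark in step 3b describes.

```batch
@echo off
REM Added example, not part of the original post: automates steps 1 to 3 of the
REM method above with tools built into Windows (copy, echo, schtasks).
REM File paths come from the post; the task name "CISMsg" is an assumption.
REM Run from an elevated prompt, since it writes into %SystemRoot%.

set "MSG_EXE=%SystemRoot%\CISMsg.exe"
set "MSG_TXT=%SystemRoot%\CISMsg.txt"

REM Step 1: the alert program is simply a renamed copy of write.exe.
copy /Y "%SystemRoot%\system32\write.exe" "%MSG_EXE%" >nul || goto :fail

REM Step 2: the message shown every time the copy is launched.
> "%MSG_TXT%" echo Defense+ is disabled. Re-enable it in CIS.

REM Step 3: launch the copy with the text file as argument every 5 minutes.
REM Remove any earlier copy of the task first (schtasks /Delete /F works on XP too).
schtasks /Delete /TN "CISMsg" /F >nul 2>&1
REM Without /RU the task runs as the account that created it and only while
REM that account is logged on, so the window appears in that session.
REM Repeat this in each account that should get the reminder.
schtasks /Create /SC MINUTE /MO 5 /TN "CISMsg" /TR "%MSG_EXE% %MSG_TXT%" || goto :fail

REM Step 4 check: the task should now be listed with status Ready.
schtasks /Query /TN "CISMsg"
echo Now add %MSG_EXE% to Blocked Applications (steps 5 and 6) so Defense+ suppresses it while enabled.
exit /b 0

:fail
echo Setup failed. Check that this command prompt is elevated.
exit /b 1
```

Steps 5 and 6 (the Defense+ block rule) are still done in the CIS interface; the point of the block rule is that the message can only appear when Defense+ is no longer enforcing it, which is exactly the condition you want to be told about.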

Why do you use wordpad instead of notepad, lighter for the same result?

Speaking of XP, no need to download anything: if the integrated AT command is not enough (because it is not able to run repetitively in the same day), SCHTASKS most certainly is:
http://www.microsoft.com/resources/documentation/windows/xp/all/proddocs/en-us/schtasks.mspx
and even the plain Task Scheduler probably is: set the advanced scheduling properties of the task to be repeated every n minutes for a number of hours equal to 24.

The same syntax could be achieved by checking if Defense+ is running as a service, only having to determine which is the said service and to write an IF condition checking for it.

But, most of all, I suppose that the executable used for warning (cismsg.exe) is version dependent: it does not exist in CIS V3, where cmdguard is probably the item doing the job.

I did try using a copy of notepad in Windows 7, but for whatever reason it would not launch.

That does not tell us how to do the job if cismsg.exe is absent.

Another way could be using AutoIt, according to this thread, although I wasn’t successful at the time being (it depends on the position of CIS in your tray bar, and also on your CIS options for the menu order, e.g. antivirus or not):
http://www.autohotkey.com/forum/topic41097.html&sid=8ffd84a662a98e5300b19b81cd6209cf

CISMsg.exe isn’t part of CIS. It’s a copy of the operating system’s write.exe that’s created in step 1, and is blocked from execution when Defense+ is active in steps 5 and 6.

CIS could alert that by a sign in the system tray icon.
Better if you can set what needs to be monitored (antivirus, firewall, Defense+, etc.), and if any of these monitored items changes, the icon changes.

So your proposition only warns of the defense+ situation without doing anything, and it would be better if it did.

It is not so easy to realize, as the Defense+ level is neither an active Windows item nor a dedicated Windows process, but a tray bar option.

We need, if we want some action for it, whatever working script.

Batch is not enough, WSH probably is, but I don’t get a word of it.
Autokey does it, and I shall make thereafter a small tutorial about such a procedure.

  1. Download Autokey at: AutoHotkey Downloads
    Install, and give permanent defense+ permissions for windows message service and explorer if running it from a third-party folder.
    When launching it, you are being asked to run the sample script in “My Documents”, and you have no other choice but to accept; if running later Autokey not from one of its scripts, but directly from its executable, it checks each time the existence of such a file.
    The sample script actually loads 2 (harmless and manual) scripts.
    If you don’t want them to run, edit this file in My Documents (Autokey.ahk) with Notepad, and comment every line (i.e., make it start with a semicolon) :wink:

  2. Understanding the mechanism
    Everything only results from my adaptations of what SKAN (to whom all credits belong) wrote at:
    http://www.autohotkey.com/forum/topic41097.html&sid=286ea4860d8bb21e3a8fe9717ffa1255

Autokey fakes, for what we are concerned with, the mouse gestures, and of course as such needs to know what your CIS menu order is in the tray; it might depend on what you have installed or not (particularly antivirus).
I have no antivirus, my CIS menu thus reads (in French) as follows:

and I am running Defense+ in paranoid mode.

Faking cis defense+ level is realized by creating a new txt file, e.g. on your desktop.
Copy verbatim the following code:

DetectHiddenWindows, On

^F5::  ; Defense+ Security Level: Paranoia
ShowComodoTrayMenu()
Sleep 50
Send {Down 2}{Right}{Up 5}{Enter}
TrayTip, Defense+ Security Level, Paranoia
Return

^F6::  ; Defense+ Security Level: Désactivé
ShowComodoTrayMenu()
Sleep 50
Send {Down 2}{Right}{Up 1}{Enter}
TrayTip, Defense+ Security Level, Désactivé
Return

ShowComodoTrayMenu() {
 WinGet, W, List, ahk_class Afx:00400000:0
 ;hWnd := W%W%
 hWnd := 66200 ; hard-coded tray window handle; see comment 2) below
 PostMessage, 10045, 335,0x206,, ahk_id %hWnd% ; Right Click down
 PostMessage, 10045, 335,0x205,, ahk_id %hWnd% ; Right Click Up
}

and save as cfp.ahk (ahk is the Autokey file extension).
Comments:
1) The ^F6/^F5 syntax fakes the Windows combination “Ctrl-F6” (or F5): use whatever combination you want as long as it is not used by a running program.
2) Afx, hWnd and the number following “PostMessage” identify cfp in the tray (and not another tray application).
Your system might have different values, notably for hWnd.
Run AU3 Spy in the Autokey folder, right click cfp in the tray, go to the Defense+ level, check the one you want…, but note the values and amend them if needed.
3) The “Send {Down 2}{Right}{Up 5}{Enter}” sentence tells Autokey how many levels it should go up or down: I am going down 2 (1st is firewall level), right in Defense+ level and, as I wasn’t able to make Down work, moving 5 levels “the other way around” ensures I check “paranoid” when starting from “disabled” (same with Up 1 if I want to go from “paranoid” to “disabled”).
You must amend these values if your menu is different.

Now test by double clicking your cfp.ahk file, and successively hitting “Ctrl-F6”, and “Ctrl-F5”, checking in each instance if the defense+ level is accordingly modified; if not, modify these settings until you succeed.

You now have achieved a perfectly useless thing, allowing you to do exactly what the defense+ level choice does, but you actually want to modify these levels outside of cis.

  3. Working scripts
    Again, copy verbatim:

-save as cfpenable.ahk:

DetectHiddenWindows, On

ShowComodoTrayMenu()
Sleep 50
Send {Down 2}{Right}{Up 5}{Enter}
TrayTip, Defense+ Security Level, Paranoia
Return

ShowComodoTrayMenu() {
 WinGet, W, List, ahk_class Afx:00400000:0
 ;hWnd := W%W%
 hWnd := 66200
 PostMessage, 10045, 335,0x206,, ahk_id %hWnd% ; Right Click down
 PostMessage, 10045, 335,0x205,, ahk_id %hWnd% ; Right Click Up
} 

-save as cfpdisable.ahk:

DetectHiddenWindows, On

ShowComodoTrayMenu()
Sleep 50
Send {Down 2}{Right}{Up 1}{Enter}
TrayTip, Defense+ Security Level, Désactivé
Return

ShowComodoTrayMenu() {
 WinGet, W, List, ahk_class Afx:00400000:0
 ;hWnd := W%W%
 hWnd := 66200
 PostMessage, 10045, 335,0x206,, ahk_id %hWnd% ; Right Click down
 PostMessage, 10045, 335,0x205,, ahk_id %hWnd% ; Right Click Up
} 

Now, the first script moves the level from disabled to paranoid, and the second one the opposite (again, and if you didn’t do it before, edit with notepad if needed to amend the defense+ level of your choice, e.g. if you want safe instead of paranoid).

  4. What to do with these scripts against software installation alerts?
    Assuming, it was the initial question, that you disable defense+ before the installation, the easiest way is of course to keep both scripts on your desktop, reminding you to disable before installation, and to enable after.

The automation is not so easy, as it depends upon what you are installing.
You can’t make a global script associating it with whatever software installation, because no software has the same installation routine and, even if most actually use the same 2 or 3 installer programs, they shall still run something else (and thus alert Defense+) before running these installers themselves.

If your program installs from the command line, it is very easy:
write a batch, launch cfpdisable at the head of it, start “your installation path”, make a sufficient temporisation (pause, or better choice /t /n), launch cfpenable.

If your program does not need to reboot, do it yourself, it always is a good thing after a new installation, and write cfpenable in your start menu.

If the program both needs to reboot and write new executables when doing so, you have no solution.

An alternative would be, like suggested by the OP, to schedule cfpenable at frequent times, but if the frequency is high enough to occur during your program installation, it would be of no use: the solution would then be to run such a scheduled task checking the defense+ level status, and asking to enable it if it is disabled.
It would still make an alert (but not many like Defense+), but the main turnabout is that I have not found, at the time speaking, some script able to report the disabled status to me and run an “IF” condition if true.
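An added example (mine, not the poster's own batch) of the command-line case described above: the installer is run between the cfpdisable.ahk and cfpenable.ahk scripts from the previous post. It assumes AutoHotkey is installed so that .ahk files launch by file association, that both scripts sit on the desktop as the post suggests, and that five seconds is enough for the tray-menu key sequence to complete. Defense+ is re-enabled on every exit path, so a failed or cancelled installer never leaves the protection off.

```batch
@echo off
REM Added example, not from the original post: wraps an installer between the
REM cfpdisable.ahk / cfpenable.ahk scripts described above.
REM Assumptions: AutoHotkey is installed (.ahk files run by association) and
REM both scripts live in %USERPROFILE%\Desktop.
REM Usage:  cisinstall.cmd "C:\path\to\setup.exe" [installer arguments]

setlocal
set "AHK_DIR=%USERPROFILE%\Desktop"

if "%~1"=="" (
    echo Usage: %~nx0 "path\to\installer.exe" [arguments]
    exit /b 2
)
if not exist "%~1" (
    echo Installer not found: %~1
    exit /b 2
)

REM 1. Drop Defense+ to Disabled (the AHK script drives the tray menu).
start "" "%AHK_DIR%\cfpdisable.ahk"
REM Give the script time to finish its key sequence before the installer
REM starts. On XP, which lacks timeout.exe, use: ping -n 6 127.0.0.1 >nul
timeout /t 5 /nobreak >nul

REM 2. Run the installer and wait for it, keeping its exit code.
start "" /wait "%~1" %2 %3 %4 %5 %6 %7 %8 %9
set "RC=%ERRORLEVEL%"

REM 3. Always restore Defense+ afterwards, whether the installer succeeded
REM    or not, so the window of reduced protection is as short as possible.
start "" "%AHK_DIR%\cfpenable.ahk"
timeout /t 5 /nobreak >nul

if not "%RC%"=="0" echo Installer exited with code %RC%.
echo Defense+ re-enable requested; confirm the level in the CIS tray menu before rebooting.
endlocal & exit /b %RC%
```

Because the AHK script only replays menu keystrokes, the batch cannot verify that the level really changed; the final echo is a reminder to look at the tray menu, which matches the limitation the post itself points out.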

Thank you for your feedback.

Tech, when running any of my scripts, you get the corresponding message popped up:

“TrayTip, Defense+ Security Level, Paranoia
Return”

pops “Defense+ Security Level: Paranoia” from the tray bar, you can’t miss it, but it only does so as a literal message.

It is very easy to pop such a message, and it would indeed be very convenient, but it requires, as I said before, a control condition on the level status.
I am sure that Autokey can do it, but I am no expert with it, and I have not found (or even searched for) the appropriate syntax at the time speaking.

Well, if the user disabled it, they want it disabled. The visual warning will tell him/her the need to turn it on again. For me, it’s enough.

For us, yes. For them, the programmers, it won’t be that hard. It’s just to check an internal option of the program.
I’ll post an avast control panel for it.
