Comodo can't prevent computer reboot

Comodo can't prevent this batch code line:


shutdown.exe -s -f -t 30 -c "Reboot..."

why?

Why do you need Comodo when you can
1: CTRL+ALT+DEL
2: File → New Task (Run…)
3: shutdown -a

:smiley: >:-D >:-D

I have XP Pro SP3. I've set up my shortcut icon like this, but I'm not sure this will work in the same way for W7; see attachment.

[attachment deleted by admin]

Or you could just type shutdown -a in the Run dialog box; no need to go to Task Manager.

That was just in case he has no desktop and there was some authority message dialog box and a countdown of one minute... :wink:

http://upload.wikimedia.org/wikipedia/en/1/17/Windows_XP_Emergency_Shutdown.png

This one…

Hi all,

Rootkit TDL4 uses a reboot to infect W7 x64 (and others). Will Comodo prevent this TDL4 reboot or not? Has someone tried it with the last TDL4 sample?

IMHO it should.

Maybe because shutdown.exe is safe and trusted.

Comodo can't prevent this batch code line:

shutdown.exe -s -f -t 30 -c "Reboot..."

why?

There's more than one process involved when undertaking such an action:

-running cmd.exe
-allowing cmd.exe to open batch files (bat or cmd extensions)
-then allowing a specific application (here shutdown.exe) inside the batch.

If you have some scheduled tasks on your computer using bat/cmd files, you have no other choice than to globally allow cmd.exe, although potentially very unsafe.

The same goes with its usual extensions bat and cmd.

One could customize both of these actions, but then of course there is no way to schedule anything (assuming that the scheduler is also trusted).

Last, the executable: shutdown.exe describes several applications, some of them extending the standard Windows application with other local or remote features, not even speaking of similar applications bearing different names.

But I assume that the one involved here is the standard Windows application, so what happens?
You ask CIS to run a system extension from a system application itself running another system application: if the hash and/or location of all of these things are checked by CIS, it has no reason whatsoever to do anything else but to keep its peace forever.

I presently have a lot of work with the CIS5 French translation, but I reported my CIS5 to be fully customized (with some difficulties achieving that...): I shall test from it the issue you are reporting, using the standard XP shutdown, and also a third-party one; I think I still have one somewhere.

But if I forget, don't hesitate of course to remind me to do so.

For sure, if there's no desktop that's the way to do it. But since he never said there was no desktop, it's much easier to press Start, then choose Run and type in shutdown -a.

I remember a discussion a couple of years ago between egemen, the head developer, and a user about whether CIS should intercept a shutdown. The user thought it should, as that could be needed to seal the deal for the installation of certain malware, whereas egemen did not see it as a safety risk.

Running CIS in full custom mode (including system applications and services) as I do correctly reports 3 alerts:

http://brucine.hostoi.com/online/zone1.jpg

http://brucine.hostoi.com/online/zone2.jpg

http://brucine.hostoi.com/online/zone3.jpg

Note that CIS knows the standard Windows shutdown.exe as a safe application. I shall make the next test with a third-party shutdown.exe as soon as I find it in my backup disks, both with this shutdown under the system32 path and with another one.

In order to schedule or automate this batch, I would have to add the name I gave to my cmd file to trusted files (although a more efficient behavior is to use a dedicated folder for home-made batches), and fully allow the rules in pictures 2 and 3, but this would of course not protect me from a hooked shutdown.exe if CIS does not look for hash values.

It is therefore needed to do the same test after having replaced the standard XP shutdown.exe with a different application with the same name.

I made the same test after substituting the vanilla XP shutdown.exe in system32 with a third-party shutdown.exe (RJL Software - Software - Utility - Shutdown).

Now, in picture 3, CIS alerts me that shutdown.exe is not recognized and hence a possible malware.

This seems to solve the problem: if rules are allowed, the legit XP shutdown shall run, either only prompting for the batch launching it if the said batch is not itself trusted, or fully quiet in a scheduled task, whereas some malware application having fooled shutdown.exe shall not.
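The hash/signature check the post above wishes CIS would do can be reproduced by hand. The following PowerShell script is an added example, not code from this thread or from Comodo: it verifies that the shutdown.exe and cmd.exe under System32 carry a valid Microsoft Authenticode (or catalog) signature and compares their SHA-256 hashes with a baseline recorded on the first run, so a same-name substitute such as the one tested above is flagged. The baseline file location and the requirement of Windows 8+/PowerShell 4+ (catalog-aware Get-AuthenticodeSignature, Get-FileHash) are assumptions.

```powershell
# Added example: detect a substituted or unsigned shutdown.exe / cmd.exe.
# Assumes Windows 8 or later with PowerShell 4+; baseline path is arbitrary.
$baselinePath = "$env:ProgramData\shutdown-baseline.json"   # assumed location
$targets = @(
    "$env:SystemRoot\System32\shutdown.exe",
    "$env:SystemRoot\System32\cmd.exe"
)

function Test-SystemBinary {
    param([string]$Path)
    $sig  = Get-AuthenticodeSignature -FilePath $Path
    $hash = (Get-FileHash -Path $Path -Algorithm SHA256).Hash
    # 'Valid' covers embedded signatures and Windows catalog signatures.
    $signedByMs = ($sig.Status -eq 'Valid') -and
                  ($sig.SignerCertificate.Subject -like '*Microsoft*')
    [pscustomobject]@{
        Path      = $Path
        SHA256    = $hash
        SigStatus = $sig.Status
        Signer    = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '(none)' }
        Trusted   = $signedByMs
    }
}

$current = $targets | ForEach-Object { Test-SystemBinary $_ }

if (Test-Path $baselinePath) {
    $baseline = Get-Content $baselinePath -Raw | ConvertFrom-Json
    foreach ($entry in $current) {
        $known = $baseline | Where-Object { $_.Path -eq $entry.Path }
        if (-not $entry.Trusted) {
            # A third-party or tampered binary of the same name lands here.
            Write-Warning "$($entry.Path): signature $($entry.SigStatus), signer $($entry.Signer)"
        }
        if ($known -and $known.SHA256 -ne $entry.SHA256) {
            # Same path, different content since the baseline was taken.
            Write-Warning "$($entry.Path): hash changed since baseline (was $($known.SHA256))"
        }
    }
} else {
    # First run: record the currently verified hashes as the baseline.
    $current | ConvertTo-Json | Set-Content $baselinePath
    Write-Output "Baseline written to $baselinePath"
}

$current | Format-Table Path, SigStatus, Trusted, SHA256 -AutoSize
```

Run it once on a clean system to create the baseline, then on later runs (or from a scheduled task) any warning means the binary a batch file would launch is no longer the one that was trusted.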

If TDL4 were in play…it would not do a shutdown.exe operation. It works with a function called “ExitWindowsEx”

Okay, how do you create a shortcut icon using "ExitWindowsEx"?

You cannot do a shortcut like that. The function is part of code embedded into a file or the MBR.

Read here: ExitWindowsEx function (winuser.h) - Win32 apps | Microsoft Learn