Comodo Scans CMD.exe instead of LNK file


It scans actual path instead of LNK file.

1 Like

One question, but would that be good?

1 Like

Although most lnk files are benign (like shortcut links to applications on the desktop), some can be abused to initiate a malicious process.

This is invariably done by embedding code within the lnk file. When the lnk is clicked, findstr will initially be called up (to find the embedded malicious code string), which then goes to the command line (cmd.exe), normally resulting in a PowerShell script infecting the system (this sort of thing is typically seen in stealers such as Emotet and Astaroth).

Note that a benign lnk file (like an app shortcut) will not have an embedded string, so it will not call up cmd.exe, whereas a malicious file will. For the malware lnk files, Comodo can detect and delete if it has the file ID, and if not it will check out that string (via cmd.exe) with any PowerShell scripts contained, and any network access would result in a FW alert (or be blocked entirely).

Although things can get a bit more complicated (arguments, creation time, etc), the above covers the basic functionality.

m

1 Like
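An added example, not from this thread or from Comodo: a small Python parser that reads the StringData fields of a .lnk following the MS-SHLLINK layout and flags the findstr / cmd.exe / PowerShell chain described above. The sample shortcuts are constructed inline, and the code page for non-Unicode shortcuts is assumed to be cp1252.

```python
import struct

# Shell Link header LinkFlags bits (MS-SHLLINK 2.1.1); LinkFlags sits at offset 20.
HAS_LINK_TARGET_ID_LIST = 1 << 0
HAS_LINK_INFO = 1 << 1
HAS_NAME = 1 << 2
HAS_RELATIVE_PATH = 1 << 3
HAS_WORKING_DIR = 1 << 4
HAS_ARGUMENTS = 1 << 5
HAS_ICON_LOCATION = 1 << 6
IS_UNICODE = 1 << 7

# Markers of the chain the thread describes: findstr -> cmd.exe -> powershell.
SUSPICIOUS = ("findstr", "cmd.exe", "powershell", "-enc")

def parse_lnk(data: bytes) -> dict:
    """Return the StringData fields (name, relative path, working dir, arguments, icon)."""
    if len(data) < 76 or struct.unpack_from("<I", data, 0)[0] != 0x4C:
        raise ValueError("not a shell link: HeaderSize must be 0x4C")
    flags = struct.unpack_from("<I", data, 20)[0]
    pos = 76
    if flags & HAS_LINK_TARGET_ID_LIST:      # 2-byte IDListSize, then the IDList itself
        pos += 2 + struct.unpack_from("<H", data, pos)[0]
    if flags & HAS_LINK_INFO:                # 4-byte LinkInfoSize counts itself too
        pos += struct.unpack_from("<I", data, pos)[0]
    fields = {}
    for bit, key in ((HAS_NAME, "name"), (HAS_RELATIVE_PATH, "relative_path"),
                     (HAS_WORKING_DIR, "working_dir"), (HAS_ARGUMENTS, "arguments"),
                     (HAS_ICON_LOCATION, "icon_location")):
        if not flags & bit:
            continue
        count = struct.unpack_from("<H", data, pos)[0]   # CountCharacters, not bytes
        pos += 2
        width = 2 if flags & IS_UNICODE else 1
        raw = data[pos:pos + width * count]
        fields[key] = raw.decode("utf-16-le" if width == 2 else "cp1252")  # cp1252 assumed
        pos += width * count
    return fields

def suspicious_markers(fields: dict) -> list:
    """Markers found in the target path or arguments; empty for a plain app shortcut."""
    text = (fields.get("relative_path", "") + " " + fields.get("arguments", "")).lower()
    return [m for m in SUSPICIOUS if m in text]

def build_lnk(relative_path: str, arguments: str) -> bytes:
    """Constructed minimal Unicode .lnk (header plus two StringData fields) for testing."""
    header = bytearray(76)
    struct.pack_into("<I", header, 0, 0x4C)
    struct.pack_into("<I", header, 20, HAS_RELATIVE_PATH | HAS_ARGUMENTS | IS_UNICODE)
    body = b"".join(struct.pack("<H", len(s)) + s.encode("utf-16-le")
                    for s in (relative_path, arguments))
    return bytes(header) + body
```

Running `suspicious_markers(parse_lnk(open(path, "rb").read()))` over a folder of shortcuts separates plain application links (no markers) from ones whose arguments carry the findstr/cmd/powershell chain.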