D+ can be bypassed by primitive batch "virus" (invalid !)

update:

Setting Image Execution Control Level to Aggressive and adding *.bat and *.cmd to “Files to check” list prevents mentioned threat and all others with batch scripts involved.

------ original post starts here -------

Here is a so-called “virus” named xyz.cmd:


::rename D+ driver:
::
ren %systemroot%\system32\drivers\cmdguard.sys ndiss.sys

Defense+ is in safe mode, Proactive security config (modified only to include new items under Computer security policy, other D+ settings unchanged). Under Computer security policy there is an entry for c:\windows\system32\cmd.exe, everything is set to “ask” (without exceptions) for it.

When xyz.cmd is launched, an information pop-up appears that D+ is learning, and cmdguard.sys is renamed successfully. I get this in 100% of attempts. CIS v3.10, Windows XP SP3 x32, no other security software installed.

So what happened? This activity was learnt: “*.sys” entry was added in “allow” exception list of “protected files” unit of cmd.exe under Computer security policy of D+.
You know CIS treats cmd.exe as “safe” and learns dangerous stuff mentioned above.

cmd.exe cannot be “safe” because it is used to perform instructions (e.g. batch). And these instructions can be good or malicious (depends who wrote them and what for).
You didn’t make mshta.exe trusted app, then why you made cmd.exe trusted?

I don’t trust CIS safe mode until this flaw is fixed (i switched to paranoid mode).

I don’t have censorial comments anymore unless i confused something >:-D
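The rename described in the first post (cmdguard.sys ending up as ndiss.sys) is easy to spot after the fact if you keep a hash baseline of the drivers directory. The following is an added example, not code from the post or from Comodo: it builds a baseline of a directory, then classifies later changes as rename (same hash, new name), missing, modified or added. The demo() function replays the post's rename against constructed dummy files in a temporary directory; the driver name cmdguard.sys comes from the post, the file contents are made up.

```python
import hashlib
import os
import tempfile

# Driver named in the post. On a real XP box it lives under
# %SystemRoot%\system32\drivers; here we only ever look at a temp dir.
WATCHED_DRIVER = "cmdguard.sys"


def sha256_of(path):
    """Hash a file in chunks so large drivers need not fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def snapshot(directory):
    """Map every regular file name in directory to its SHA-256."""
    return {
        name: sha256_of(os.path.join(directory, name))
        for name in sorted(os.listdir(directory))
        if os.path.isfile(os.path.join(directory, name))
    }


def diff_snapshots(baseline, current):
    """Classify changes between two snapshots.

    A file that vanished while a new file with the identical hash appeared
    is reported as a rename (what the batch in the post does to cmdguard.sys);
    other vanished files are 'missing', same-name/different-hash files are
    'modified', and unknown new files are 'added'.
    """
    result = {"renamed": [], "missing": [], "modified": [], "added": []}
    new_names = [n for n in current if n not in baseline]
    unmatched_new = set(new_names)
    for name, digest in baseline.items():
        if name in current:
            if current[name] != digest:
                result["modified"].append(name)
            continue
        # same content under a different name => rename
        match = next(
            (n for n in new_names if n in unmatched_new and current[n] == digest),
            None,
        )
        if match is not None:
            result["renamed"].append((name, match))
            unmatched_new.discard(match)
        else:
            result["missing"].append(name)
    result["added"] = sorted(unmatched_new)
    return result


def driver_alerts(baseline, current, watched=WATCHED_DRIVER):
    """Return human-readable alerts that concern the watched driver only."""
    changes = diff_snapshots(baseline, current)
    alerts = []
    for old, new in changes["renamed"]:
        if old == watched:
            alerts.append(f"{watched} renamed to {new}")
    if watched in changes["missing"]:
        alerts.append(f"{watched} missing")
    if watched in changes["modified"]:
        alerts.append(f"{watched} contents changed")
    return alerts


def demo():
    """Constructed scenario: fake drivers dir, baseline, then the rename."""
    with tempfile.TemporaryDirectory() as drivers:
        # constructed dummy driver images; the bytes are arbitrary
        for name, body in [("cmdguard.sys", b"fake D+ driver"), ("ntfs.sys", b"fake ntfs")]:
            with open(os.path.join(drivers, name), "wb") as f:
                f.write(body)
        baseline = snapshot(drivers)
        # replay the post's "ren cmdguard.sys ndiss.sys" on the dummy files
        os.rename(os.path.join(drivers, "cmdguard.sys"), os.path.join(drivers, "ndiss.sys"))
        current = snapshot(drivers)
        return driver_alerts(baseline, current)


if __name__ == "__main__":
    print(demo())
```

On a real system you would persist snapshot() output somewhere the HIPS-protected process cannot write and compare on each boot; the rename shows up as a rename rather than a deletion because the hash of the renamed file still matches the baseline.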

Yes, it’s a design weakness of D+. For example the HIPS of KIS rates batches as single programs and if they start cmd.exe cmd.exe will inherit the ruleset of the batches.
So watch out for batches with D+.

not bad really if it’s like you described (and i understood :slight_smile: ).

This file is neither a virus nor it is a real threat.

When you double click on it, it is actually explorer.exe, i.e. a trusted process, which is trying to execute the script. It does not work this way in real life. The virus has to execute the batch file and it can't execute it without getting D+ authorization.

However, there are cases where the user can decide better when he sees the actual command line and the script name. That's why we included the command line processing feature in CISv4.

Hope this helps,
Egemen

A user which doesn’t know what is a batch file can be tricked by some technique to execute malicious batch by himself from Windows Explorer. This is a real life scenario, no?

Not with a batch file but there are some cases when he may not decide properly without seeing the commandline and the application itself.

For example, rundll32.exe can have this type of tricky case. And it happens when you plug in a USB drive or CD with autorun. These kinds of cases can be better handled and decided by the user when the proper command line is presented.

CISv4 has it. Don't worry.

egemen,
Thank you for your time answering my questions.

Can you clarify one more thing: cmd.exe is considered as safe executable and mshta.exe as unsafe executable by CIS.
Why if they both are used by scripts (batch and vbs, *.hta)?
I cannot understand logic here :frowning:

cmd.exe is used very frequently for many other purposes unlike mshta.exe whose only task is to execute .hta files. It would cause a lot of false alerts in an average user PC.

ok, i see, thanks :-TU

good news. But it seems until then safe mode of CIS may fail to guard against real life threats like you provided:

It’s exactly the way I wrote it and it would be nice if CIS 4 would have such features too. Btw: Every program run by rundll32.exe is also treated as single application by KIS and is not assumed as trusted but as unknown / new.


Currently CIS also handles everything executed by rundll32.exe as a separate application while it is being executed.

Hi egemen, please can we have such a feature for cmd.exe too. It really seems a neat feature.

We handle many other applications separately in CIS4. You will be able to test it in the BETA stage and we will all get somewhere with your feedback.

And hopefully before years end right?
Regards
Xman :-TU

Yes.

i was not precise, maybe not even slightly precise (my apologies):

i actually wanted to say i can’t construct exact real world scenario at the moment where CIS behaviour described in first post can be triggered, but i’m concerned nevertheless… paranoid mode for me now, though i like safe mode very much.

anyways, need to see CIS v4 to compare with current v3

Can programs start cmd.exe without any prompts? If so, then we have a real issue.

IIRC all applications considered safe (this includes cmd.exe too) will be added to Run an executable allow exception list in non paranoid modes without triggering alerts though it is possible to prevent this by manually configuring the All application * policy to block spawning of specific executables.

Additionally setting cmd.exe policy to Isolated Application or its protected file/folder access right to block (or blocking COMODO Files/Folders alone) will prevent related actions.

It looks like some applications (eg ultradefrag) rely on cmd.exe and could be affected by too much restrictive policies.

Depends on settings.

a) “Internet Security” and “Antivirus Security” configs are configured by default to have “Image Execution control level” set to disabled. This means that cmd.exe will be executed silently by any executable even if D+ is in Paranoid mode with all units to monitor turned on (memory, disks, keyboard etc. etc.). – this is how it works on one of our PCs with CIS set to “Antivirus Security”.

b) If Image Execution is set to normal. In this case there are 2 variants:

  • programs that are “safe” (from global and/or local whitelists) can execute cmd.exe silently if Defense+ is in Safe or Clean PC mode;

  • programs that are signed by trusted vendor and option “trust programs digitally signed by trusted vendors” is turned on can execute cmd.exe silently if Defense+ is in Safe or Clean PC mode;

Last two ( b) ) are safe options and Egemen confirms this:

I got Far file manager, it is neither “safe” executable, nor it signed with digital signature (D+ asks to send it to Comodo for analysis). D+ is in Paranoid mode, all units to monitor are turned on. Image Execution is turned off.

explorer.exe invokes far.exe without D+ prompt, then far.exe invokes cmd.exe without D+ prompt.

By the way CIS recommended config during installation of CIS is “Internet Security”.
“Internet Security” config of CIS 3.10 had Image Execution control level turned off. Is it the case with CIS 3.11 ?

u-p-d-a-t-e:
yep, it is still the case with 3.11, just verified. btw, here is where i got far v2.0 build 1086 x86: http://www.farmanager.com/

So, real life scenario is almost ready :slight_smile: It’s simple. Majority install CIS with default settings and i’m pretty sure after CIS is installed they don’t touch Image execution control slider which is set to disabled (turned off) by default.
So cmd.exe can be invoked by any executable silently and will learn the stuff described earlier, because the default mode is Safe mode and cmd.exe is a safe executable.