Heur Cmd-Line Analysis Fails When Cmd-Line Contains Multiple Commands [M1020]

A. THE BUG/ISSUE (Varies from issue to issue)
  • Summary - Give a clear summary in the topic subject, NOT here.

  • Can U reproduce the problem & if so how reliably?:
    Yes, I can

  • If U can, exact steps to reproduce. If not, exactly what U did & what happened:
    1. Install CIS fresh without importing any old configuration.
    2. Change CIS to the Proactive Security configuration and restart the computer. Do not change any other settings.
    3. Put 4 files in the same folder (e.g. C:\test). These files are attached to this post.
    4. Double-click on the file called threat.bat and note that you receive an alert (“TOTALCMD.EXE is trying to execute threat.bat”); choose “not remember”, “block only”. This is correct.
    5. Then run Shortcut1.lnk and you will receive an alert (“TOTALCMD.EXE is trying to execute threat.bat”); choose “not remember”, “block only”. This is correct, as the Heuristic command-line analysis is working correctly for the file.
    6. Then run Shortcut2.lnk, and note that ProtectedFile.bat is deleted with no alerts.
    7. Shortcut2.lnk is therefore able to bypass Defense+ Heuristic command-line analysis protection and execute any malicious batch file…

  • If not obvious, what U expected to happen:
    Defense+ should be able to use Heuristic command-line analysis to protect against samples such as Shortcut2.lnk.

  • If a software compatibility problem have U tried the conflict FAQ?:
    NA

  • Any software except CIS/OS involved? If so - name, & exact version:
    NA

  • Any other information, eg your guess at the cause, how U tried to fix it etc:
    Both shortcuts run “cmd.exe” to try commands in the command line. However, in “Shortcut1.lnk” the command “threat.bat” is the first and in “Shortcut2.lnk” the command “threat.bat” is the second.
    Thus, heuristic command-line analysis doesn’t work for “cmd.exe” when the command line contains multiple commands.

B. YOUR SETUP
  • Exact CIS version & configuration:
    CIS 7.0.317799.4142 in Proactive Security
    Additionally I have found this same issue on:
    CIS 5.10.228257.2253 on WinXP (VMware)
    CIS 6.3.302093.2976 on WinXP (VMware)

  • Modules enabled & level. D+/HIPS, Autosandbox/BBlocker, Firewall, & AV:
    All modules enabled
  • Have U made any other changes to the default config? (egs here.):
    Just changing it to the Proactive Security configuration
  • Have U updated (without uninstall) from a CIS 5?:
    No
    - if so, have U tried a clean reinstall - if not please do?:
  • Have U imported a config from a previous version of CIS:
    I have done a clean install, on a fresh OS, and the same problem continues.
    - if so, have U tried a standard config - if not please do:
  • OS version, SP, 32/64 bit, UAC setting, account type, V.Machine used:
    Windows 7 x86 SP1, real computer
    UAC: “Notify me only when programs try to make changes to my computer (do not dim my desktop)”
    Administrator
  • Other security/s’box software a) currently installed b) installed since OS:
    a=None b=None

[attachment deleted by admin]

Thank you for reporting this issue. I have a few questions.

Did you disable the option to “Do not show antivirus alerts” for the AV component?
Also, can you please post a screenshot of your AV Realtime settings, as shown on this page?

Thanks.

Thank you too
I wonder whether AV settings can matter to this issue… But I have tried various options, and the result is the same.
I have attached 2 screenshots: for config “Proactive Security” by default, and for my usual config (based on “Internet Security”)

[attachment deleted by admin]

Which of the two configurations you posted screenshots of are you experiencing this issue with, or does it happen the same with both?

The same with both

Please try this. First, back up your configuration for later.

Then, reinstall CIS by following the advice I give in this topic. Then, after it’s reinstalled, switch to proactive mode and restart the computer.

Then test by following the steps you noted in your first post and let me know what happens.

Thanks.

Would it be better if I install Windows 7 over again (but without drivers), then install CIS and test it?
Then I can restore the current OS from backup.

That would of course be the most robust option, which if there is an underlying problem with your system causing this behavior would almost certainly solve it. However, it may be a lot of work, and I’m not sure it is necessary. Reinstalling CIS by following the advice I give in that topic should be enough. However, if you would rather reinstall Windows 7, assuming you have other reasons for doing that as well, then it would certainly serve this purpose.

Thanks.

Done.
Happened all the same.

Win7 x86 SP1, CIS 7.0.317799.4142 (installation: all by default → restart → Proactive Security → restart)

Okay, now that we have ruled that out I think it’s a good idea to get some more information about these 4 files. From your steps for replication, I assume you can copy “Shortcut1.lnk”, “Shortcut2.lnk”, “ProtectedFile.bat”, and “threat.bat” to the downloads folder and these results will replicate. Is this correct?

If that is correct then can you please provide some more information about exactly what these files are and what they do. I do not entirely understand what you meant by the following in your first post:

  1. “Shortcut1.lnk”:
     path: %windir%\System32\cmd.exe /c threat.bat
     working directory: none

  2. “Shortcut2.lnk”:
     path: %windir%\System32\cmd.exe /c cd . & threat.bat
     working directory: none

  3. “ProtectedFile.bat” (or any of the files protected by default)

  4. “threat.bat”:
     del ProtectedFile.bat


Can you please explain exactly what these files are and what they do?

Thanks.

The problem: a shortcut like “Shortcut2.lnk” can launch any untrusted bat-file, and this bat-file is executed without restrictions (as cmd.exe).
E.g. the file “threat.bat” removes the file “ProtectedFile.bat”, which is protected by CIS.

But CIS restricts this untrusted bat-file when it is launched via “Shortcut1.lnk”.
So “Heuristic command-line analysis” works there.

The difference between “Shortcut1.lnk” and “Shortcut2.lnk” is this:
Both shortcuts run “cmd.exe” to try commands in the command line.
But in “Shortcut1.lnk” the command “threat.bat” is the first;
and in “Shortcut2.lnk” the command “threat.bat” is the second.

Thus, heuristic command-line analysis doesn’t work for “cmd.exe” when the command line contains multiple commands.

So an lnk-file can imitate a folder and be used to run a malicious bat-file.

Besides, CIS doesn’t protect against the commands which are directly contained in the lnk-files (e.g. “%windir%\System32\cmd.exe /c del C:\Data\* /s /f /q”).

I have attached files for the test.

[attachment deleted by admin]

Thank you for the clarification. I have updated the first post. Please look it over and let me know if everything looks correct.

Also, what do you mean when you say that

CIS doesn't protect from the commands which are directly contained in the lnk-files (eg. "%windir%\System32\cmd.exe /c del C:\Data\* /s /f /q" )

Would this not be protected against by heuristic command line analysis if it were done in the same way as Shortcut1.lnk?

Thanks.

All is correct. Thank you.
I’d just like to say at greater length: “Shortcut2.lnk is therefore able to bypass Defense+ Heuristic command-line analysis protection and execute any malicious batch file.”

Also, what do you mean when you say that
CIS doesn't protect from the commands which are directly contained in the lnk-files (eg. "%windir%\System32\cmd.exe /c del C:\Data\* /s /f /q" )

Would this not be protected against by heuristic command line analysis if it were done in the same way as Shortcut1.lnk?


This is really another problem, but I decided to describe it too (because the problems are interlinked).
The heart of the 2nd problem: “Heuristic command-line analysis” controls only the sending of a script file to the interpreter. But the command line for “cmd.exe” can by itself contain some commands, and these commands can be malicious; CIS doesn’t control them.
The solution to this problem might be this feature: recognize .lnk files with a path to “cmd.exe” (only those .lnk files!) and control them similarly to .bat files (depending on “File Rating”, HIPS rules for these .lnk files etc.). By the way, this feature might be a partial solution to the 1st problem (with .bat files).

Perhaps the sentence “Also running lnk-files with a path like “%windir%\System32\cmd.exe /c del C:\Data\* /s /f /q” can’t be prevented” should be deleted…
Shall I write another bug report about that?
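The two behaviours the reporter describes in the posts above (a script that sits in the second command of a cmd.exe /c line, and a destructive builtin written directly into the command line, with nothing handed to an interpreter) are exactly the things a command-line analyser has to split apart before it can rate anything. The following is an added example and is not CIS code, nor anything posted in this thread: a small Python analyser that approximates cmd.exe's own parsing rules (the separators &, &&, |, ||; ^ escaping; the quote handling cmd applies to the text after /c; looking through call and start) and reports, per command, whether it launches a script file or a destructive builtin. The function names, the extension and builtin lists, and the command lines it is fed are my own constructions that mirror the thread's Shortcut1.lnk, Shortcut2.lnk and inline-del cases, not the attached files.

```python
import ntpath
import re
from typing import Optional

# Extensions cmd.exe hands to a script interpreter; the thread's case is .bat.
SCRIPT_EXTS = {".bat", ".cmd", ".vbs", ".vbe", ".js", ".jse", ".wsf", ".wsh", ".ps1"}
# Builtins that destroy data without launching any file (the 2nd problem above).
DESTRUCTIVE_BUILTINS = {"del", "erase", "rd", "rmdir", "format"}

# An invocation of cmd.exe, quoted or not, with or without a leading path
# (e.g. %windir%\System32\cmd.exe); captures everything after it.
_CMD_RE = re.compile(r'\s*"?(?:[^"\s]*[\\/])?cmd(?:\.exe)?"?\s+(.*)$', re.I)
# The first /c or /k switch; what follows it is the payload cmd.exe runs.
_SWITCH_RE = re.compile(r'(?:^|\s)/[ck]\s*(.*)$', re.I | re.S)


def strip_outer_quotes(payload: str) -> str:
    """Approximate cmd.exe's quote rule for the /c argument: a payload that is
    exactly one quoted token with no separators inside is left alone (it is a
    program path); otherwise the first and last quote are removed and the text
    between them is parsed as commands, so /c "cd . & threat.bat" still yields
    two commands."""
    if not payload.startswith('"'):
        return payload
    if (payload.count('"') == 2 and payload.endswith('"')
            and not re.search(r'[&|<>()@^]', payload)):
        return payload
    last = payload.rfind('"')
    return payload[1:last] + payload[last + 1:]


def cmd_payload(cmdline: str) -> Optional[str]:
    """Text cmd.exe will execute (what follows /c or /k), or None when the
    command line does not invoke cmd.exe at all."""
    m = _CMD_RE.match(cmdline)
    if not m:
        return None
    sw = _SWITCH_RE.search(m.group(1))
    return strip_outer_quotes(sw.group(1)) if sw else None


def split_commands(payload: str) -> list:
    """Split on cmd.exe's separators (&, &&, |, ||) outside double quotes;
    a separator escaped with ^ is literal and does not split."""
    parts, buf, in_quote, i = [], [], False, 0
    while i < len(payload):
        ch = payload[i]
        if ch == '"':
            in_quote = not in_quote
            buf.append(ch)
        elif ch == "^" and not in_quote and i + 1 < len(payload):
            buf.append(payload[i + 1])  # escaped character, taken literally
            i += 1
        elif ch in "&|" and not in_quote:
            if payload[i:i + 2] in ("&&", "||"):
                i += 1
            parts.append("".join(buf))
            buf = []
        else:
            buf.append(ch)
        i += 1
    parts.append("".join(buf))
    return [p.strip() for p in parts if p.strip()]


def invoked_program(command: str) -> str:
    """The program or builtin one command runs, looking through 'call' and
    'start' (whose first quoted argument is a window title, not a program)."""
    rest = command.lstrip().lstrip("@")
    while True:
        m = re.match(r'\s*(?:"([^"]*)"|(\S+))', rest)
        if not m:
            return ""
        tok = m.group(1) if m.group(1) is not None else m.group(2)
        rest = rest[m.end():]
        if tok.lower() == "call":
            continue
        if tok.lower() == "start":
            rest = re.sub(r'^\s*(?:"[^"]*"\s*)?(?:/\S+\s+)*', "", rest)
            continue
        return tok


def analyze(cmdline: str) -> list:
    """One finding per command in a cmd.exe command line, in execution order."""
    payload = cmd_payload(cmdline)
    if payload is None:
        return []
    findings = []
    for pos, command in enumerate(split_commands(payload), start=1):
        prog = invoked_program(command)
        name = ntpath.basename(prog).lower()
        findings.append({
            "position": pos,
            "command": command,
            "script": prog if ntpath.splitext(name)[1] in SCRIPT_EXTS else None,
            "destructive_builtin": name if name in DESTRUCTIVE_BUILTINS else None,
        })
    return findings


def flagged_scripts(cmdline: str) -> list:
    """Scripts launched anywhere in the line, not only in the first command."""
    return [f["script"] for f in analyze(cmdline) if f["script"]]


if __name__ == "__main__":
    # Constructed inputs mirroring the thread's shortcuts and the inline 'del'.
    for line in (r"%windir%\System32\cmd.exe /c threat.bat",
                 r"%windir%\System32\cmd.exe /c cd . & threat.bat",
                 r"%windir%\System32\cmd.exe /c del C:\Data\* /s /f /q"):
        print(line)
        for f in analyze(line):
            print("  ", f)
```

Run as is, it reports threat.bat at position 1 for the first line, at position 2 for the second, and a destructive builtin with no script for the third, which is the distinction the thread says the product misses. Two caveats: a bare name such as `threat` that cmd resolves through PATHEXT is reported as neither a script nor a builtin, because resolving it needs the working directory and PATH; and the quote handling is an approximation of cmd's rules, which also depend on /S and on whether the quoted text names an existing executable.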

Please do create a new bug report for the issue some command line commands are not correctly analyzed. I think it’s best that is tracked separately so the second issue is not confused or lost.

Thanks.

Ok, I’ll do it a little later.

Thanks. Meanwhile I will forward this to the devs.

Thank you very much for your report in standard format, with all information supplied. The care you have taken is much appreciated by Comodo, and will increase the likelihood that this bug can be fixed.

Developers may or may not communicate with you in the forum or by PM/IM, depending on time availability and need. Because you have supplied complete information they may be able to replicate and fix the bug without doing so.

Many thanks again.

The devs have not marked this as Fixed in the tracker. However, sometimes bugs are fixed by the release of new versions, but not marked as Fixed in the tracker.

If you are able please check with the newest version (CIS version 8.0.0.4337) and let me know if this is fixed on your computer with that version.

Thank you.

This is not fixed with the version 8.0.0.4337.

Thank you for checking this. I’ve updated the tracker.

Hello,

The devs have not marked this as Fixed in the tracker. However, sometimes bugs are fixed by the release of new versions, but not marked as Fixed in the tracker.

If you are able please check with the newest version (CIS version 8.1.0.4426) and let me know if this is fixed on your computer with that version.

Thank you.