how to make D+ alert me when .bat file is about to run

Hi folks, I used to have my configuration on Proactive Security … the story begins when I go to D+, then Advanced Settings, and then Computer Security Policy … I looked for explorer.exe and put it in a custom policy with everything allowed, except that when it attempts to run an executable it should alert me … however, when I open any .bat file it doesn’t give me any alert :o … How can I make D+ alert me when any executable file is being executed!?

thanks in advance …

regards …

I tested this. It turns out you need to notch up to Paranoid Mode for the D+ settings. In Safe Mode, I think it assumes cmd.exe is a safe application and allows it to run the .bat file. Do keep in mind that D+ is the nanny of the programs that interact with programs. It is not the nanny of the user; so it will do as the user tells it when the user tells it to start a .bat file.

Thanks for the reply, and by the way, I liked your nanny statement ;D

One more thing … If I run a .bat file and this file is about to execute another file, bearing in mind that cmd.exe is set to a custom policy and I should be prompted for everything it does, am I going to get an alert from D+?

thanks again …

Rather than go up to Paranoid mode, you might want to try this…

By default install, D+ / Advanced / Image Execution Control Settings / General is set to Disabled. Turn it on (move slider to Normal).

Go to Files to Check tab. I think you should have .exe, .bat, and .com listed. If not, Add / File Group / Executables. Apply to save the settings.

I have not changed any settings for any Windows app (like explorer.exe), and if an executable of any sort kicks off, I get alerted. Somebody “tried” (they didn’t mean to) to pass me a trojan on a thumb drive a while back that, no matter how you tried to access the thumb drive (even with autoruns disabled), would launch its autorun.inf file, which would then call a hidden .com file to infect the host. CIS caught it and pimp-slapped it into next week… :wink:

The malware really was a nice piece of work, and showed that those who think “explore” is different from “open” are wrong - it still calls explorer.exe and will cause the malware that is waiting for it to launch. Kaspersky detected it but could stop it (not all of it, and it still went through), McAfee didn’t even know what was happening. Comodo AV didn’t catch it, but D+ sure did.

Anyway, sorry to digress, but you might try that.

HTH,

LM

Edit: PS: Yes (in answer to your question above) - if you run the .bat, and it tries to launch another executable, you will be alerted (unless you tell CIS to treat as a Trusted Application and remember).

What’s your configuration here …? And what are the rules for explorer.exe??

Do you mean I have to set Explorer as a Windows application?

Yeah, and recalling your story … I did the same configuration by intuition ;D

D+ is in Safe Mode, set to Monitor everything (keyboard, disk, monitor, etc). Image Execution is Normal, with Executable Group added.

Explorer.exe by default is placed into the Windows System Application group by Comodo; I have not changed that, nor modified its settings in any way. If I browse to and launch any executable-type file (com, bat, exe, etc), this means that explorer.exe (the shell) has to control that file. Thus, I get an alert which has to be allowed. It will be something like, “Explorer.exe is trying to access killmycomputer.com. Do you want to allow this?” (not exact quote, just to give you the idea)

You shouldn’t have to make any changes to explorer.exe from the default. If you already have, I don’t know that you would need to change it back to original, but you can try it both ways.

LM

But that would let Explorer run anything in the first place??? I mean, when I download kissmypc.exe >:-D

I don’t see any alert when it runs, so it creates the process, but if this program tries in one way or another to put anything on the PC, it will then alert and say “kissmypc.exe is trying to put killmypc.exe into C:\windows\etc…”; otherwise it will say nothing … correct me if I got you wrong :wink: < or of course any other suspicious behaviour listed in D+ … :slight_smile:

To set the best defence against batch files (*.bat, *.cmd) in Safe Mode (the same should be true for Clean PC Mode) you can do the following:

  • check that Image Execution Control is turned on (as advised earlier in this thread);
  • check that cmd.exe is NOT set to “Windows System Application” OR given a custom policy with allow rights to run all executables (“run executable” → allow; or “run executable” → ask, exceptions → *);
  • for explorer.exe, do a similar check as for cmd.exe;

Results after the settings are applied:

  • if you run a malicious batch file yourself by clicking on it in Windows Explorer, then it can destroy the system even without calling any executables;
    the following learning pop-ups may be shown by D+: “explorer.exe executes cmd.exe”, “cmd.exe modifies drivername.sys”, etc.;
    but if the malicious batch file tried to call e.g. virus.exe, you would get an alert similar to: “cmd.exe tries to execute virus.exe; cmd.exe is a safe executable, but virus.exe could not be recognized”;

  • if a malicious executable (a virus, etc.) wanted to call a batch file, you would get a D+ warning, something like: “virus.exe tries to execute cmd.exe; cmd.exe is a safe executable, but virus.exe could not be recognized”;


Paranoid Mode of D+ allows complete protection from malicious batch files (*.bat, *.cmd), but the user experience is not so good.

The 1st way is to treat cmd.exe as an unsafe executable manually: do not let D+ remember anything for cmd.exe, ever… maybe except for calling your safe programs;

The 2nd way is to treat calls to cmd.exe from explorer.exe and rundll32.exe as unsafe, hence do not let D+ remember these calls.

Of course, Image Execution Control must be turned on.

Thanks, but here Explorer should not be a Windows System Application, otherwise I won’t control its execution …

Again … I repeat my respect to all those who responded to this topic … thanks guys, and have wonderful days … you can mark it as resolved if you like 88)