Need help configuring CIS to allow a bash script execution

Hi,

Good day! I need help configuring CIS to allow a bash script to reboot my router over http using CURL.

I am using the latest CIS with default settings and am on Windows 10 Pro 64-bit.

The script itself works fine without CIS.

Many thanks in advance.

Regards
Shyam

Just unblock the script from the unblock applications task.

Hi futuretech,

Thanks for getting back. The script itself is not blocked but when I execute it, Login fails. Like I have mentioned, script uses CURL to access the local http://localhost/… to login to the router. This bit fails.

Without CIS, I can login successfully and reboot the router.

Regards
Shyam

Have you tried disabling the firewall, HIPS, auto-containment, and web-filter instead of uninstalling to see if it works? What OS are you using and for curl are you using it through Cygwin?

Hi futuretech,

Thanks again for getting back. I just tried disabling the above and also antivirus, still no joy! I am on Windows 10 Pro 64-bit. I am using CURL through GIT.

Add cURL and/or git to the exclusions of detect shellcode injections.

Thanks futuretech. I did try excluding my script itself and also a couple of executables including what you have mentioned, bash, ssh, curl, perl, etc… but no joy!

But then I thought why not exclude the entire GIT folder. When I tried it, Voila! It worked. Later I drilled down to isolate executables and it boiled down to just bash.exe in a different subfolder. Please see attached.

Thanks for all your help. I really appreciate it! :)

The above does help my cause but on a broader perspective it is dangerous to let go an executable which can be exploited. Isn't it? Can there be no simple solution like just excluding my script under shell code injections? This way it will be a lot safer. Please let me know if this is a possibility.

It will be fine as many exploits just attempt to download and execute malware or run embedded commands which will still be caught by HIPS, VirusScope, and auto-containment depending on how you have CIS configured. Also the name of that setting is misleading as CIS no longer detects shellcode injections from buffer overflow exploits. All this setting does is tell CIS not to inject the guard.dll into the listed applications. Also a script is just a normal file that contains commands to be processed by an interpreter which is the actual executable that carries out the commands.

Thanks Futuretech. That's reassuring! I am at peace now. Greatly appreciate your help!

Have a good day!