Really strange: application using OLE automation to hijack itself!

This is the strangest OLE automation “hijacking” event I have seen: it may perhaps tell the developers something useful. Windows Defender has a command line utility called MpCmdRun.exe. I do not have any idea what it does. However, this morning CFP alerted me that MpCmdRun.exe was using OLE automation to manipulate MpCmdRun.exe! I allowed this, since it would seem that “self-hijacking” is no crime, at least in private.

As a result, this application is now listed in the CFP Application Monitor as allowed (UDP Out). Most interestingly, its parent is listed as MpCmdRun.exe! Reminds me of the guy who eventually figured out that he was his own grandpa.

I know the OLE automation things are tricky, especially those where both applications are allowed items, but this one is pretty far out!

You’re not in Arkansas, are you? :wink:

Seriously, tho, that is certainly an odd one. An app hijacking itself. ???

LM

There could be multiple copies of the same named executable. Were both in the same location?

@Little Mac:

No, not in Arkansas, but close: Tennessee! ;D

@Soyabeaner:

No, both applications are the same one, located in C:\Program Files\Windows Defender on my machine.
I still have no clue as to what it is supposed to do, nor do I know why it ran at all.

Perhaps because it’s a Windows application… :wink:

Do you have the log entry for this alert?

Have you submitted a ticket to Support?

LM

Have you scanned it for malware? ;D

Maybe these were 2 instances (processes) of the same executable? Many apps are known to launch or manipulate instances of themselves, e.g., Firefox. CFP throws warnings in such cases. There should be an option to disable such detection. I wonder how an app could launch an evil instance of itself. ;D

Just look at svchost.exe. I disabled as many XP services as I can, yet there are 3 instances of it according to Task Manager.

First, some replies:

To soyabeaner: I know about multiple svchost instances; in fact, at the moment there are 4. 1 is for the required DCOM launcher service, 1 for RPC service, 1 for WIA; and 1 for a bundle of others. I have many services disabled. That’s not the issue here, I believe. Also, I ran thorough malware scans over the weekend. Clean system! (aren’t they all? :smiley: ).

To djet: you may be right about this being analogous to the Firefox/Firefox (and also to Thunderbird/Thunderbird) case, which is what happened when you restart Firefox from within it.

To Little Mac: there is, in fact, no log entry! This might be because I was at the console and responded very quickly? or because CFP was a little embarrassed by what it had done? I have not filed a support ticket on it…maybe the developers will pick it up here.

But now, some details about C:\Program Files\Windows Defender\MpCmdRun.exe: by opening a command prompt (“dos”) window in the parent folder and typing (without the quotes) “mpcmdrun.exe /? > MyNotes.txt”, one can produce a printable list of what this application can do. It is intended to automate and troubleshoot Windows Defender operations. It is alleged on various sites that it runs whenever WD is updating signatures. I have never actually seen it run, but its logs are present (see the “/?” output for where), so I suppose it does. One thought is that it runs and finishes before CFP is fully awake, so that I rarely see it, but that today it was sluggish and got caught??

Finally, I realize that this is a presumably innocuous application, even though many people regard Microsoft as the biggest malware purveyor around.

Hmm, CFP embarrassed; there’s a thought… ;D It wouldn’t matter how quickly you responded; it should have created an entry when it happened, unless you’ve disabled logging for Behavior Analysis. You can check that by right-clicking a log entry, and selecting “Log Events From” - make sure the ABA Monitor (bottom option) is checked. Either that or if your logs were cleared (manually, or by changing the logfile to a read-only which clears it on reboot, or by some other weird occurrence).

I am trying to think of some way to possibly justify the OLE message in this scenario, which I probably cannot. OLE is used for legitimate communication between applications; for example if you link a table from Excel into a Word doc, this creates an OLE scenario (not necessarily connected to the internet). If MpCmdRun.exe did in fact have two instances running for different purposes, and one wanted to utilize the other to connect, perhaps this would do it. Or, if it had been open, and closed, then was activated again, that might get it going. We see this if we close (for instance, Word) an app then update our browser, that the closed app “hijacks” the browser thru OLE, even tho it’s closed. Has to do with the way they communicate within the system. Maybe… :THNK

LM
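The "two instances of the same binary" explanation raised above can be checked directly rather than guessed at. The following is an added PowerShell example (not from any poster in this thread or from Comodo) that lists every running instance of a given image name together with its path, file hash and parent process, so a self-referencing parent can be distinguished from a second copy of the executable. The image name is a parameter; the default is the MpCmdRun.exe discussed here.

```powershell
# Added diagnostic example, not part of the original thread.
# Lists all running instances of $ImageName with their on-disk path, SHA256
# and parent process, to tell "second instance of the same binary" apart
# from a process that appears to be its own parent. Assumes Windows
# PowerShell 3.0 or later (Get-CimInstance, Get-FileHash available).
param(
    [string]$ImageName = 'MpCmdRun.exe'
)

# Snapshot the process table once so parent lookups are consistent.
$allProcs = Get-CimInstance Win32_Process
$byPid = @{}
foreach ($p in $allProcs) { $byPid[[int]$p.ProcessId] = $p }

$instances = $allProcs | Where-Object { $_.Name -ieq $ImageName }
if (-not $instances) {
    Write-Output "No running process named $ImageName"
    return
}

foreach ($proc in $instances) {
    # Note: ParentProcessId is not cleared when the parent exits and PIDs are
    # reused, so a parent whose creation time is later than the child's is
    # a reused PID, not the real parent.
    $parent = $byPid[[int]$proc.ParentProcessId]
    $parentIsStale = $parent -and ($parent.CreationDate -gt $proc.CreationDate)

    $hash = $null
    if ($proc.ExecutablePath -and (Test-Path $proc.ExecutablePath)) {
        $hash = (Get-FileHash -Algorithm SHA256 $proc.ExecutablePath).Hash
    }

    [pscustomobject]@{
        PID           = $proc.ProcessId
        Path          = $proc.ExecutablePath
        SHA256        = $hash
        Created       = $proc.CreationDate
        ParentPID     = $proc.ParentProcessId
        ParentName    = if ($parent -and -not $parentIsStale) { $parent.Name } else { '<exited or PID reused>' }
        ParentPath    = if ($parent -and -not $parentIsStale) { $parent.ExecutablePath } else { $null }
        # True when the live parent is another copy of the very same file,
        # i.e. the Firefox-restarting-Firefox situation described above.
        ParentIsSameImage = [bool]($parent -and -not $parentIsStale -and
                                   ($parent.ExecutablePath -ieq $proc.ExecutablePath))
    }
}
```

Run it while the alert is on screen (before answering it), since a short-lived helper instance may already have exited by the time the table is read; two rows with the same Path and SHA256 but different PIDs confirm the two-instance explanation.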