Script Analysis Settings

Hello,

When in

  • Advanced Protection Configuration,
  • Script Analysis Settings,
  • Runtime Detection,

I activate

  • Embedded Code Detection for cmd

this error appears systematically.

It seems that the command is not well set up.

I don’t remember why, but I have everything turned on but cmd.

I turned them on one by one to see if it had any impact. I had no problem.

cmd.exe was the last one. I had to turn it off.

I had everything at default setting (most were turned off) and turned cmd on but I didn’t notice any error after switching it on.

I also just turned CMD on without any errors.

Could you please keep cmd on for now?

For the moment I have only seen the error with a program from HP. I will put cmd on again and see if I have the problem with another program.

I will leave it on for a while to see if I get an error too but I think the error only happens when an executable calls cmd to execute some self-created (random) unknown batch script.

When you see the error again then try to set the HP executable File Rating to Trusted and also add a HIPS application rule for the HP executable and set it to the defined rule “Windows System Application” and then check if the error occurs again.

Strange, you said strange … (Louis JOUVET)

Hello,

  • Laptop 2 : HP - W10 Famille - 20H2 - 19042.1237 / CIS PRO : 12.2.2.8012
    Embedded Code Detection is on for every program. There are no HIPS alerts.

  • Laptop 1 : HP - W10 Famille - 21H1 - 19043.1237 / CFW : 12.2.2.8012
    When Embedded Code Detection is on for cmd.exe there are HIPS alerts quickly for only one HP program.
    When I validate the first alert, there is a second one that I validate, then a third one that I validate, then a fourth one that I validate, then a fifth one and there I stopped.
    This sequence is surprising.
    HIPS rules have been created (set of predefined rules) and since then there is no more HIPS alert.

Strange, you said strange …

This isn’t a bug, but how embedded-code detection works for various script interpreters such as PowerShell and, in your case, the Windows Command Prompt. You have a program that is executing system commands and CIS is turning them into script files to be intercepted by each CIS component.
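As an added illustration of the mechanism this reply describes (example code written for this page, not Comodo’s or CIS’s own), the script below models what an embedded-code detector for cmd.exe does: it recognises a `cmd.exe /c …` launch, writes the inline command out as a `.bat` file named `C_cmd.exe_<hash>.bat` in a `tempscrpt`-style folder, and then rates that file by content hash, so a freshly generated script that no rating database has seen comes back as Unrecognized regardless of how the parent program is rated. Assumptions: the 40-character name on the page is treated as a SHA-1 of the script content (the page does not say what CIS actually hashes), the rating table is constructed, and the command-line parsing is deliberately simplified.

```python
import hashlib
import os
import re
import tempfile

# Matches a cmd.exe launch and captures the text after /c or /k, skipping
# switches such as /d or /q that may precede it.  Simplified parser for
# illustration only; it is not the parser CIS uses.
CMD_RE = re.compile(
    r'^\s*"?(?:[^"\s]*[\\/])?cmd(?:\.exe)?"?\s+'
    r'(?:/[^cCkK\s]\S*\s+)*'
    r'/[cCkK]\s+(?P<body>.+?)\s*$',
    re.IGNORECASE,
)

# Constructed rating database: SHA-1 of script content -> rating.
# Keying the lookup on a hash of the generated file is an assumption of
# this example; the real CIS lookup is not described on the page.
KNOWN_RATINGS = {
    hashlib.sha1(b"echo known\r\n").hexdigest().upper(): "Trusted",
}


def extract_embedded_command(cmdline):
    """Return the command cmd.exe would run, or None for non-cmd launches."""
    m = CMD_RE.match(cmdline)
    if not m:
        return None
    body = m.group("body")
    # cmd.exe strips one pair of enclosing quotes in the common case.
    if len(body) >= 2 and body[0] == '"' and body[-1] == '"':
        body = body[1:-1]
    return body


def materialize_script(cmdline, root):
    """Write the embedded command to <root>/C_cmd.exe_<SHA1>.bat; return the path.

    The file name mirrors the one quoted in the thread; forming it from a
    SHA-1 of the script content is an assumption of this example.
    """
    body = extract_embedded_command(cmdline)
    if body is None:
        return None
    content = body.encode("utf-8") + b"\r\n"
    digest = hashlib.sha1(content).hexdigest().upper()
    path = os.path.join(root, f"C_cmd.exe_{digest}.bat")
    with open(path, "wb") as fh:
        fh.write(content)
    return path


def rate_script(path, ratings=KNOWN_RATINGS):
    """Rate the generated script by content hash; anything unseen is Unrecognized."""
    with open(path, "rb") as fh:
        digest = hashlib.sha1(fh.read()).hexdigest().upper()
    return ratings.get(digest, "Unrecognized")


def classify_launch(cmdline, root=None):
    """Full pipeline: (script_path, rating), or (None, None) for non-cmd launches."""
    root = root or tempfile.mkdtemp(prefix="tempscrpt_")
    path = materialize_script(cmdline, root)
    if path is None:
        return None, None
    return path, rate_script(path)


# Constructed sample launches, as a parent process might issue them.
SAMPLE_NEW = 'cmd.exe /c "echo hello > %TEMP%\\out.txt && type %TEMP%\\out.txt"'
SAMPLE_KNOWN = r"C:\Windows\System32\cmd.exe /d /c echo known"
SAMPLE_OTHER = r"notepad.exe C:\notes.txt"

if __name__ == "__main__":
    for cl in (SAMPLE_NEW, SAMPLE_KNOWN, SAMPLE_OTHER):
        print(cl, "->", classify_launch(cl))
```

The point of the model is the last step: the trust decision is made on the generated `.bat`, not inherited from the program that launched cmd.exe, which is why a random, never-seen script from a Trusted parent can still surface as an unrecognized file.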

The generating fact is that this file
C_cmd.exe_817780D54F80E922CA09C6BBF3C41B66141EF3FD.bat
was not recognized (screenshot HIPS1).

Why is this?
Is the file name incorrect?
Is the content of the file incorrect?

What was the file rating of the HP program at the time when screenshot HIPS1 was made, Trusted or Unrecognized?

The rating of the HP program is “Trusted”.

The file
C_cmd.exe_817780D54F80E922CA09C6BBF3C41B66141EF3FD.bat
is in the folder \tempscrpt

Ok, thank you.

I think it is desirable to have an option to disable embedded-code detection for various script interpreters to suppress these HIPS Alerts for Trusted applications, unless there is a good reason to keep performing embedded-code detection for Trusted applications.

Maybe someone can create a wish for it…

The .bat file must have something specific, because when I submit it there is a Comodo error,

but Comodo on VirusTotal does not flag it.

The real problem is that these kind of .bat files shouldn’t be created by CIS when executing Trusted applications.
I can’t think of a reason why CIS should do embedded code detection on Trusted applications and create these confusing .bat files.
Hopefully someone can shed light on this.

Because then a trusted file can be used to launch/install/run fileless malware, i.e. cmd.exe. That’s why it has to monitor trusted files as well. Otherwise you’re not covering the attack vector of execution of malicious commands.

I understand but how about the following.
Trusted applications are normally digitally signed so their entire code is treated as safe. Now when a Trusted application creates its own script file from within its own code for its own needs or purpose, would that script file then be unsafe per definition? When CIS monitors the script and, outside the trusted application, doesn’t detect any tampering with the script, then the script should execute normally without any HIPS Alerts popping up, in my belief.

I submitted the file to Valkyrie (screenshot 1).
The result is “No threat found” but not “Clean” as the other files.

In my dashboard this file is defined as “Unknown file”. This may explain the CIS result (screenshot 2).

Since the HP program is Trusted and so is the .bat file, HIPS shouldn’t bother you with this .bat file at all.

Hi domo78,

We are checking on this.