[SOLVED] .bat file can run without any rule!

Hi,

Although I didn’t have any rule in Defense+ to allow the file to run, and the Image Execution Control Settings are set to check *.bat files, I can run the following command without any prompt or block from Defense+ whatsoever:

C:\Documents and Settings\Username\Application Data\Mozilla\Firefox\Profiles\dr4fnr61.default\IniFox.bat

… This is a batch file which then runs sqlite3.exe in the same folder.

AND ON TOP OF THAT … sqlite ALSO runs without any rule and without any popup from Defense+!!!

Defense+ is set in Safe Mode and there is no rule in the Defense+ Security Policy.

This looks like a really dangerous mistake by Defense+!!! :-[

Hi,
Could you check if the sqlite executable is signed with a trusted vendor’s certificate? In that case Defense+ in Safe Mode will automatically allow it.

Probably the IniFox.bat file mentioned in the OP is the same one featured at Increase Firefox 3.* Performance by Optimizing the SQLite Databases [Windows, Linux and Mac OSX], along with instructions to decompress IniFox_en.zip and manually place the IniFox batch file and a previous sqlite3 version (3.6.14.2) in the Firefox profile folder.

Sqlite3.exe 3.6.14.2 (MD5: 593a4e45bfffaf7726fc60f8d380ca69, SHA1: 493455c9f5a5d204b0695e9e1cf8f3e0d161be19) is not digitally signed but it is safelisted by hash.

The latest sqlite3.exe, ver 3.6.21, available on the sqlite.org website is neither digitally signed nor safelisted by hash yet.
MD5: 8ca2509b54dab8e94418865e56607581
SHA1: 36686eeb4e7233cf96bf664f155fab4a2099e3cd

To enable “Run an executable” alerts, Image Execution Control ought to be set to Normal or Aggressive (the COMODO - Internet Security configuration defaults to Disabled).

If Image Execution Control is Enabled (D+ Safe mode) and the child application (eg sqlite3.exe) is not safelisted:

  • Invoking sqlite3.exe from a batch file (e.g. IniFox.bat) should trigger a “Run an executable” alert with command.com/cmd.exe as parent (left side) and sqlite3.exe as child (right side)
  • If the above-mentioned alert is marked to be remembered, the cmd.exe policy will be updated/created and it will be possible to launch sqlite3.exe using the same batch file without alerts

If Image Execution Control is Enabled (D+ Safe mode) and the child application (eg sqlite3.exe) is safelisted:

  • Invoking sqlite3.exe from a batch file (e.g. IniFox.bat) will not trigger a “Run an executable” alert with command.com/cmd.exe as parent (left side) and sqlite3.exe as child (right side)
  • The cmd.exe policy will be updated/created to allow sqlite3.exe, with a fully specified path, without alerts

NOTE: As long as sqlite3.exe is safelisted and/or does not perform any action that affects protected files/folders, registry keys, COM objects or other entities according to the monitored-entities settings, no alert will be triggered.

If Image Execution Control is set to Aggressive (not the default in any CIS configuration) and *.bat is listed in the related files to check (the default in any CIS configuration):

  • Invoking a batch file (e.g. IniFox.bat) should trigger a “Run an executable” alert (as long as the action has not been marked to be remembered)

NOTE: If Image Execution Control is set to Normal (the COMODO - Proactive Security configuration default), no “Run an executable” alert will be triggered for .bat files.

PS: The COMODO - Proactive Security configuration’s Protected Files list features an Executables group that includes *.bat, to the effect that a “Protected file/folder” alert will be triggered in D+ Safe Mode even if a safelisted application creates a new .bat file.

[attachment deleted by admin]
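If you want to see for yourself what D+ Safe Mode keys on before auto-allowing a binary, here is an added PowerShell example (not from this thread and not COMODO’s code; it needs PowerShell 3.0 or later). It computes the MD5/SHA1 of a file, reads its Authenticode status, and compares the hashes against the two sqlite3.exe builds listed in the post above. The “safelisted” flags in the table are just what that post states at the time of writing; the script cannot query COMODO’s live safelist, and it cannot tell whether a valid signer is on your Trusted Software Vendors list. The sqlite3.exe path in the usage line is the OP’s profile folder and is assumed to exist on the machine you run this on.

```powershell
# Added example: report signature status and hashes the way Defense+ Safe Mode
# would look at them, and compare against the sqlite3.exe builds from the thread.
# Requires PowerShell 3.0+ (for [PSCustomObject]); hashing uses .NET directly so
# Get-FileHash (4.0+) is not needed.

# Hash table copied from the thread; "Safelisted" is the thread's statement, not a live lookup.
$KnownSqlite3 = @{
    '593a4e45bfffaf7726fc60f8d380ca69' = @{ Version = '3.6.14.2'; SHA1 = '493455c9f5a5d204b0695e9e1cf8f3e0d161be19'; Safelisted = $true  }
    '8ca2509b54dab8e94418865e56607581' = @{ Version = '3.6.21';   SHA1 = '36686eeb4e7233cf96bf664f155fab4a2099e3cd'; Safelisted = $false }
}

function Get-FileDigest {
    param([string]$Path, [string]$Algorithm)
    # Lower-case hex digest of the file contents, e.g. Algorithm = 'MD5' or 'SHA1'.
    $hasher = [System.Security.Cryptography.HashAlgorithm]::Create($Algorithm)
    $stream = [System.IO.File]::OpenRead($Path)
    try {
        $bytes = $hasher.ComputeHash($stream)
    } finally {
        $stream.Close()
    }
    ($bytes | ForEach-Object { $_.ToString('x2') }) -join ''
}

function Test-DefensePlusTrust {
    param([Parameter(Mandatory = $true)][string]$Path)

    $full = (Resolve-Path $Path).Path
    $md5  = Get-FileDigest -Path $full -Algorithm 'MD5'
    $sha1 = Get-FileDigest -Path $full -Algorithm 'SHA1'

    # 'Valid' = signed by a chain Windows trusts. D+ additionally requires the
    # signer to be on its Trusted Software Vendors list, which this cannot check.
    $sig    = Get-AuthenticodeSignature -FilePath $full
    $signed = ($sig.Status -eq 'Valid')
    $signer = '(unsigned)'
    if ($sig.SignerCertificate) { $signer = $sig.SignerCertificate.Subject }

    # Match on MD5 first, then confirm the SHA1 agrees (guards against a collision on one digest).
    $known     = $KnownSqlite3[$md5]
    $hashMatch = ($null -ne $known) -and ($known.SHA1 -eq $sha1)
    $version   = '(not in table)'
    $hashSafe  = $false
    if ($hashMatch) { $version = $known.Version; $hashSafe = $known.Safelisted }

    # What to expect from D+ Safe Mode with no pre-existing policy for the parent.
    $expect = 'alert (not signed, not hash-safelisted)'
    if ($hashSafe)   { $expect = 'auto-allow (hash-safelisted)' }
    elseif ($signed) { $expect = 'auto-allow only if signer is a trusted vendor' }

    [PSCustomObject]@{
        Path            = $full
        MD5             = $md5
        SHA1            = $sha1
        SignatureStatus = $sig.Status
        Signer          = $signer
        KnownVersion    = $version
        HashSafelisted  = $hashSafe
        SafeModeExpect  = $expect
    }
}

# Usage (path taken from the OP; assumed to exist on your machine):
# Test-DefensePlusTrust -Path "$env:APPDATA\Mozilla\Firefox\Profiles\dr4fnr61.default\sqlite3.exe" | Format-List
```

Run it against both sqlite3.exe builds: the 3.6.14.2 binary should come back unsigned but hash-safelisted (so no cmd.exe alert is the expected Safe Mode behaviour), while 3.6.21 should come back unsigned and not in the table, which is the case where an alert is expected unless a cmd.exe policy already allows that exact path.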

It is indeed this one, Endymion.

Sqlite3.exe 3.6.14.2 (MD5: 593a4e45bfffaf7726fc60f8d380ca69, SHA1: 493455c9f5a5d204b0695e9e1cf8f3e0d161be19) is not digitally signed but it is safelisted by hash.

… But I don’t get any popup, there is no rule for it, and IEC is set to Normal.

What is the point of our Computer Security Policy if CIS starts allowing stuff based on hash???
… and why didn’t I get any popup whatsoever when I ran the IniFox.bat file??? :-\

EDIT: I downloaded the latest sqlite from the site mentioned, but once again … no popup at all. :-\

In that D+ Safe Mode case there was no cmd.exe popup because that sqlite3.exe version was safelisted (a cmd.exe policy allowing cmd.exe to launch firefox_profile_path\sqlite3.exe was automatically created/modified), whereas no sqlite3.exe policy was automatically created/modified because sqlite did not carry out any action monitored by the config defaults (or custom configs) you are using (otherwise a sqlite3.exe policy with the default safelisted-app permissions would have been generated).

In this case there is already a cmd.exe exception that allows C:\Documents and Settings\Username\Application Data\Mozilla\Firefox\Profiles\dr4fnr61.default\sqlite3.exe (Run an executable \ Modify… button \ Allowed applications tab).

If Image Execution Control is set to Aggressive (not the default in any CIS configuration) and *.bat is listed in the related files to check (the default in any CIS configuration), there should also be an alert for IniFox.bat, assuming you double-clicked IniFox.bat from the Explorer file manager and the corresponding %windir%\explorer.exe policy is NOT set to the “Windows System Application” predefined policy (as it is in the COMODO - Internet Security configuration) or an equivalent policy.

NOTE: double-clicking IniFox.bat from the Explorer file manager causes explorer.exe to run IniFox.bat. If another app attempted to run IniFox.bat, the result would change according to the configuration and customization used.

(e.g. using the COMODO - Proactive Security default configuration and changing Image Execution Control to Aggressive will trigger a “Run an Executable” explorer.exe -> IniFox.bat alert when double-clicking IniFox.bat from the Explorer file manager)

Then I assume you would prefer running D+ in Paranoid Mode. In that case the Comodo hash-based safelist (or the user-modifiable trusted vendor list used for digitally signed executables) will not be used.

If you wish to receive alerts for the creation of *.bat (and other executables), you could also switch to the COMODO - Proactive Security configuration (which has an Executables group in Protected files/folders) and thereafter set D+ to Paranoid Mode.

[attachment deleted by admin]

Could you please tell me, is sqlite3.exe signed with a digital signature?
Also try to do the same steps with Defense+ in Paranoid Mode.

As far as I see, sqlite3 is not digitally signed. See screenshot below.

I got the popups by first manually removing the cmd.exe rules from the Computer Security Policy (which is quite difficult when you have a window with many rules and no working sort function).
Then all of a sudden I got a popup regarding sqlite3.exe.

So, the problem is somehow fixed by first removing another rule, which seems quite weird to me, and all of a sudden I have way less confidence in the usage of CIS.
Somehow the rule for cmd.exe must have been set to automatically allow cmd.exe to run any kind of stuff.

Anyway, thanks a lot for the prompt and really helpful responses guys. :wink:

Screenshot :

[attachment deleted by admin]

It looks like you are using the “COMODO - Proactive security” configuration defaults after all (or perhaps another config with Image Execution Control set to Normal) and initially tested a safelisted version of sqlite (3.6.14.2), thus cmd.exe got a rule to allow the Sqlite3.exe you previously placed in the Firefox profile folder along with IniFox.bat.

In the end, deleting the cmd.exe policy (just like editing such a policy to remove only the FF_profile_folder\sqlite3 execution rule) and using IniFox.bat to run the more recent Sqlite3.exe (3.6.21) in the Firefox profile folder yielded different results because this other Sqlite3 version has not been safelisted yet.

Glad you sorted it out. :slight_smile:

Thanks a lot guys, the problem is gone. :-TU

!ot!

I think this tool can do the same: