[Split] CIS Certifications, Test Results & Reviews

I don’t wanna double post, I know it’s not allowed.
But this topic is related to CIS too, so maybe someone wanna have a look.

Indeed it is not allowed. Split and moved.

Do heuristic command-line analysis for certain applications

Do heuristic command-line analysis for certain applications may hold the answer.

This option instructs CIS to perform heuristic analysis on programs that are capable of executing code. Examples include Visual Basic scripts and Java applications. Example programs that are affected by enabling this option are wscript.exe, cmd.exe, java.exe and javaw.exe.

For example, the program wscript.exe can be made to execute Visual Basic scripts (.vbs file extension) via a command similar to ‘wscript.exe c:\tests\test.vbs’. If this option is selected, CIS detects c:\tests\test.vbs from the command-line and applies all security checks based on this file. If test.vbs attempts to connect to the internet, for example, the alert will state ‘test.vbs’ is attempting to connect to the internet (Default = Enabled).

If this option is disabled, the alert would only state ‘wscript.exe is trying to connect to the Internet’.

I’m not an expert on this, but from my understanding the programs that can execute code, the interpreters, are intercepted by Comodo; Comodo catches the executed code. The executed code is converted to a file in C:/ProgramData/Comodo/Cis/tempscrpt and it is contained just like any other unknown file. This is why malware attacks involving interpreters have the capacity to be “fileless,” because code can be executed without dropping any files on the system.

They are also often used to deliver malware payloads. For example, wscript.exe can be instructed to download malware through a script; these scripts typically come from a deceptive document that tries to trick the user into enabling macros in MS Office. When the macros are enabled, the script is silently executed, wscript.exe downloads the malware, and wscript.exe proceeds to execute the malware. Powershell.exe can also be used in a similar manner. So that was what that particular testing organization was talking about when it mentioned that Comodo “implemented appropriate security rules for scripts and applications run by a PowerShell interpreter.”

The containment of the executed code was introduced in v10, but I think the actual command-line analysis technology has been in Comodo for a while, ever since I first used it back in version 5.3 if I recall correctly. I believe that the containment of scripts and apps run by interpreters is a way of using that existing technology.
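As an added illustration of the command-line analysis that the quoted help text and the post above describe, here is a constructed toy model (not Comodo's code) of how an analyser can pick the file to which rules and alerts should be attributed: the script named on an interpreter's command line when the option is enabled, the interpreter itself when it is disabled or no script is found. The interpreter list and the handling of host flags (//B, /c, -jar, -File) are assumptions made for the example.

```python
"""Toy model of heuristic command-line analysis for script interpreters (constructed example)."""
import ntpath
import shlex

# Interpreters that run code named on their command line; the first four are the
# ones the CIS help text lists, the rest are assumed for the example.
INTERPRETERS = {"wscript.exe", "cscript.exe", "cmd.exe", "java.exe", "javaw.exe", "powershell.exe"}


def _tokens(cmdline: str):
    # Non-POSIX mode keeps backslashes literal (Windows paths); quotes are honoured
    # but kept in the token, so strip them afterwards.
    return [t.strip('"') for t in shlex.split(cmdline, posix=False)]


def _first_after(args, flags):
    # Return the argument following the first flag in `flags`, if any.
    for i, a in enumerate(args):
        if a.lower() in flags and i + 1 < len(args):
            return args[i + 1]
    return None


def effective_target(cmdline: str, analysis_enabled: bool = True) -> str:
    """Return the lower-cased file name that security checks should be applied to.

    With analysis disabled (or for a non-interpreter) this is the executable itself,
    mirroring the 'wscript.exe is trying to connect' alert; with analysis enabled it
    is the script the interpreter was told to run, mirroring the 'test.vbs' alert.
    """
    tokens = _tokens(cmdline)
    if not tokens:
        raise ValueError("empty command line")
    exe = ntpath.basename(tokens[0]).lower()
    args = tokens[1:]
    if not analysis_enabled or exe not in INTERPRETERS:
        return exe

    script = None
    if exe in ("wscript.exe", "cscript.exe"):
        # Script-host options start with a double slash (//B, //Nologo); the first
        # other token is the script file.
        script = next((a for a in args if not a.startswith("//")), None)
    elif exe == "cmd.exe":
        script = _first_after(args, ("/c", "/k"))       # first word of the command
    elif exe in ("java.exe", "javaw.exe"):
        script = _first_after(args, ("-jar",))
    elif exe == "powershell.exe":
        script = _first_after(args, ("-file", "-f"))

    # No script on the command line (e.g. interactive use): attribute to the interpreter.
    return ntpath.basename(script).lower() if script else exe
```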