Wscript.exe and RPC control/spoolss

Gotta say I love this comodo firewall, a solid non bloated program.

I’m testing some stuff on my workstation. When I reboot, Comodo Defense+ flags C:\windows\system32\wscript.exe with action Access COM Interface, target \RPC Control\spoolss. I just cancel it and move on, but I’m curious if this is something I can allow or if I should investigate deeper.

I’ve run a number of virus scans (Symantec Endpoint, Live Scan, F-Secure, etc.) and a couple of rootkit scanners (F-Secure BlackLight, Panda, and the one from Symantec Endpoint), as well as malware scanners. No suspicious network traffic either.

Hrm maybe I should have stuck this thread in the CIS forum. My apologies if it is misplaced. I should also mention that I do have a login script on my home domain that mounts the printer and network shares.

If you use a script to mount the printer, then that is probably what the Defense+ alert is about. I am no expert, but the target \RPC Control\spoolss looks like the print spooler to me. I believe that wscript.exe is the Windows script interpreter, but I am not sure since I avoid scripting like the plague.

Yep. It should be the case, like AnotherOne mentioned, that the script is triggering that spoolss alert.

If you had not mentioned you were willingly running a logon script the next step would have been to track down the script to check if it was malicious.

All D+ Access COM Interfaces provided by default in the CIS config have security side effects.

Although I don’t know the malicious way \RPC Control\spoolss could be used, I would like to explicitly suggest you use a custom policy for wscript.exe and mark to be remembered only the alerts strictly needed to run your logon script.

Although wscript.exe, mshta.exe, cscript.exe and cmd.exe are legitimate Microsoft apps, they are not safelisted, and granting too permissive policies to these executables can lower the overall system protection.

You people seem to know a lot about scripting in this thread. Here is my situation:

I am running Vista Home Premium, SP1, 64-bit, and I have Comodo v3.5.57173.439. I have been getting Comodo telling me that wscript.exe wants to modify a registry key. Because Comodo tells me that this is an unsafe application, I kept blocking it, and checking “remember my answer,” however, it still pops up anyway about 5 more times. I don’t have any infection whatsoever (I am sure of that), however, because Comodo tells me it is an unsafe application, I keep denying it. I Googled it and found that it is a process relating to the Microsoft Windows operating system which allows additional functions for scripting. It also says that you should not disable it. Did I do something wrong by continuously blocking it? I cannot find in the Task Manager where it is running. What should I do? By blocking it, did I turn the process off? Could I have harmed my system? Could you tell me your thoughts? Thanks.

What I did do already is go to Defense+>Advanced>Computer Security Policy, and remove wscript.exe. Was that the correct thing to do? I just started using Comodo, and had used Zone Alarm for the past 5 or 6 years, and Zone Alarm never asked you about allowing things such as scripting. If removing wscript.exe was not the right thing to do, how do I put it back in Computer Security Policy?

Two more questions…I am set on “Safe Mode,” and in reading some of the posts I have seen that some people set it on “Train” in Safe Mode. Is that the best thing to do? If so, how do you do it?

I am just a regular Internet surfer and do not do anything too extravagant. Are there any other settings that I should do with Comodo that you would recommend? Again, I am so used to Zone Alarm, and there was not much you could do with it regarding settings, unlike Comodo. The only other thing that I did, which you could tell me if I was correct in doing, was to use ipconfig and then put the IPv4 address that came up in “My Network Zones,” which is now under “Loopback Zone.” Also, I have just one computer wired to a wireless router, and I believe that I initially set up a “Home Network” which shows up under “My Network Zones.” However, I also somehow created a “Local Area Network # 2” and a “Local Area Network # 3” which both have a different IP address than my “Home Network.” I think that I created these other 2 by accident when I was switching some cables around and a Comodo prompt came up to create a network. With my setup, do I need these other 2 LAN networks in Comodo, or should I just remove them? Sorry about the length of this post. Thanks.

When such an alert is shown, it would be possible to use Process Explorer v11.31 to right-click on wscript.exe and choose Properties….

A dialog with the wscript.exe properties will appear. Clicking on the Image tab, it will be possible to check the wscript command line.

In this case the command line will look like C:\windows\system32\wscript.exe "C:\test\script.vbs"

The next step would be to find the script, named for example script.vbs, in the folder C:\test and then examine it or submit it to VirusTotal.

Anyway, this description is only meant for a general scenario where a script is executed out of nowhere or, for example, after installing a new unknown application and rebooting.

Since you mentioned that you have a login script that mounts a network printer and shares, it is unlikely that these alerts are malicious. Edit: sorry Lordpuffer, since you posted in this topic I mistook you for the OP (in this case eod).

In order to have these alerts remembered you need to check the box “Remember my answer”. If you click Cancel, the same alert can appear even multiple times in a row.

In case you get multiple consecutive alerts for the same access right (eg \RPC Control\spoolss) even if you marked that alert/action to be remembered, please report back.

Thank you gibran…I will do that if it pops up again…I can’t imagine that I have any nasties in my system, for I just got it about one week ago, and I am very careful what I do and run lots of scans with multiple scanners…Just to let you know, when wscript.exe wanted to modify the registry, since Comodo said it was an unsafe application, I denied it about 5 times, each time checking “Remember my answer”, but it still kept coming up…That seemed real strange.

Did these alerts pertain to the same registry key?

E.g. one could have been HKLM\software\test and another could have been HKLM\software\test\settings or HKLM\software\test2.

Oh…You know, I didn’t look that closely. It may have popped up that many times regarding different registry keys. I’ll have to see if it happens again and then take a closer look. If it was a legitimate application, which I am pretty sure it was, could I have caused any potential problem with my computer by removing it from Computer Security Policy?

Also, do you mind looking at my first post in this thread and seeing if you don’t mind answering the other questions I had about what I did with “My Network Zones” and the basic settings of Comodo (other than about wscript.exe)? Thanks.

Removing that wscript.exe policy will only make D+ ask again.

You could likely remove all policies excluding the ones bundled by default without any hassle other than eventually being alerted again according to your D+ mode.

Sorry Lordpuffer as you posted in this topic I replied to your posts assuming you were the same member who started this thread.

Please follow these steps:

When such an alert is shown, it would be possible to use Process Explorer v11.31 to right-click on wscript.exe and choose Properties….

A dialog with the wscript.exe properties will appear. Clicking on the Image tab, it will be possible to check the wscript command line.

In this case the command line will look like C:\windows\system32\wscript.exe "C:\test\script.vbs"

The next step would be to find the script, named for example script.vbs, in the folder C:\test and then examine it or submit it to VirusTotal.

You can also have it examined by Comodo researchers by following the suspicious files submission procedure.

If you wish, you can open that script with Notepad and copy its text into a PM to me so I can have a look at it.

It is not unlikely that the script is entirely legitimate; anyway, if you don’t know what that script was installed for on your machine, I cannot help but suggest you check it.

Thank you
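As an added example (not from the thread, Comodo, or Process Explorer), the PowerShell below automates the steps above: it lists running wscript.exe/cscript.exe instances with their parent process, pulls the script path out of the command line, and hashes the script so it can be looked up on VirusTotal by hash before deciding whether to upload it. It also lists scheduled tasks whose action launches a script host, which is where a periodic launcher such as the HP Health Check scan mentioned later in the thread typically lives. It assumes PowerShell 3.0+ (Get-CimInstance, Get-FileHash) and, for the task listing, the Get-ScheduledTask cmdlet (Windows 8 / Server 2012 and later).

```powershell
# Added example: enumerate Windows Script Host processes and the scripts they run.
# Assumes PowerShell 3.0+ for Get-CimInstance and Get-FileHash.
function Get-ScriptHostActivity {
    $hosts = Get-CimInstance Win32_Process -Filter "Name='wscript.exe' OR Name='cscript.exe'"
    foreach ($p in $hosts) {
        $parent = Get-CimInstance Win32_Process -Filter "ProcessId=$($p.ParentProcessId)"
        # The script path is the first non-switch argument after the host binary.
        # It may be quoted (as in the thread's example) or bare; //B, //E:VBScript
        # style switches are skipped.
        $scriptPath = $null
        if ($p.CommandLine -match '(?i)\.exe"?\s+(?:/+\w+(?::\S+)?\s+)*"?([^"]+?\.(?:vbs|js|wsf|vbe|jse))"?') {
            $scriptPath = $Matches[1]
        }
        # Hash the script (if it still exists) so it can be checked on VirusTotal
        # by hash without uploading a possibly private logon script.
        $hash = $null
        if ($scriptPath -and (Test-Path -LiteralPath $scriptPath)) {
            $hash = (Get-FileHash -LiteralPath $scriptPath -Algorithm SHA256).Hash
        }
        [pscustomobject]@{
            PID         = $p.ProcessId
            Host        = $p.Name
            Parent      = if ($parent) { "$($parent.Name) ($($parent.ProcessId))" } else { 'n/a' }
            CommandLine = $p.CommandLine
            ScriptPath  = $scriptPath
            SHA256      = $hash
        }
    }
}

# Scheduled tasks whose action runs wscript/cscript (Windows 8 / Server 2012+ cmdlet).
function Get-ScriptHostTasks {
    Get-ScheduledTask | ForEach-Object {
        $t = $_
        $t.Actions | Where-Object { $_.Execute -match '(?i)[wc]script(\.exe)?$' } | ForEach-Object {
            [pscustomobject]@{
                Task      = $t.TaskPath + $t.TaskName
                Execute   = $_.Execute
                Arguments = $_.Arguments
            }
        }
    }
}

Get-ScriptHostActivity | Format-List
Get-ScriptHostTasks     | Format-Table -AutoSize
```

Run it while the Defense+ alert is still on screen, since the process is held at that point and will show up in the first listing; the second listing works at any time.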

Hi gibran…I found out what it is…wscript.exe pops up about 5 times with 5 different paths when the built-in software program called “HP Health Check” (obviously I have an HP) wants to run a scan every 10 days…It still says that it is an unsafe app, but I guess it is a FP…Thanks for all your help.

You’re welcome.

You could either mark those alerts to be remembered or run that wscript.exe using “Treat as Trusted Application” (without marking it to be remembered) when it is launched soon after running HP Health Check.

If ever another wscript.exe is launched under other circumstances, it will prove useful to repeat the above steps to locate and identify which script was executed by wscript.exe at that time.

Thanks again…I really love your avatar…very cool
