Another "permit once" suggestion - regsvr32.exe

Just noticed that Gavin suggested that regsvr32 is a good candidate for run once permissions, it sounds like a good idea, so I thought I'd mention it here for anyone that was interested

The thread his comment is in is here

Another useful thing to do from time to time is to go to the Security tab in PG and sort by "Last Run" and have a look at what has been executed recently (and the time it ran), it might reveal something unexpected (even if it isn't a security issue...)

NB: If you have been running PG 3.x since last year you will have to ignore the date sorting bug as it doesn't take the year into account...

 

Just a quick tip related to Gavin's suggestion about setting cmd.exe to Permit Once.

I resisted changing cmd.exe to Permit Once because it was used in numerous script files (in loops even). I later realized I could rename a copy of cmd.exe and put it in an obscure location. Now cmd.exe is set to Permit Once and my script files call the obscure copy which is set to Permit Always. An obvious solution, but it took me so long to think of it I wanted to mention it just in case...

 

FWIW,
I also have a renamed copy of regedit with permit always (for the same reason, because I download and apply registry settings via a batch job)

 

Could you explain exactly how you did that?

 

First, choose (or create) the directory where you want to "hide" the cmd-clone. Let's say you've created "c:\innocent\dir". Now copy cmd.exe (from C:\WINDOWS or C:\WINNT) to c:\innocent\dir, and rename the copy to something less obvious, let's say pgCommand.exe. Next, start pgCommand.exe and tell PG to "Permit Always". Finally, change PG's Security on your original cmd.exe to be "Permit Once". That's it!

In batch files, you can now replace:
cmd /c doSomething.bat

with:
c:\innocent\dir\pgCommand /c doSomething.bat

Since pgCommand is "Permit Always" you won't be bothered everytime a script invokes it. The advantage, of course, is that if malware tries to use cmd.exe to run a script, you will be alerted. It seems unlikely that any malware will try to run a script using c:\innocent\dir\pgCommand.exe. If you're really paranoid, you can add some extra bytes to the end of the cloned copy so that it would appear to be a different file. If you're somewhat less paranoid, you can add c:\innocent\dir to your PATH and invoke pgCommand by name only.

 

Thanks . Do you have any other suggestions with any other files etc.?

 

Most if not all of the other suggestions have been included in Andreas1's writeup, its certainly worth a read

See A detailed discussion paper on ProcessGuard by Andreas

 

I did all of this, replaced the batch file as instructed and it still goes through cmd.exe instead of going through the cmd-clone I made in another folder.

 

Can you provide more information? Perhaps put the relevant command(s) in a code box. Anything that may help me guess what you are seeing and what might be happening.

 

Original batch file: "C:\Program Files\doSomething\DS.EXE" /tasks:abcd

Made a new folder with the clone-cmd.exe and changed to:
C:\innocent\pgCommand /"C:\Program Files\doSomething\DS.EXE" /tasks:abcd

 

I'm still not sure where cmd.exe was getting called before (and presumably is still getting called now). The one line from the original batch file (?) does not seem to be using cmd.exe, but is just invoking an executable.

Also, there may be an idiom in my example that was misunderstood. The "/c" switch is used to tell cmd.exe to exit (close its console window) immediately after performing the command specified on the command line. It's often used to perform a DOS command from inside an executable or from a non-DOS script language. In this case it's used to specify your alternate version of the DOS interpeter.

The second half of your example (maybe a typo?) looks like you have only a "slash" where I would have expected a "slash-'c'-space". It looks like the .EXE name is immediately after the "slash" as opposed to

cmd-clone /c "EXE-name" EXE-parameters

My best guess is that cmd.exe is being called from somewhere other than where you tried using the cmd-clone copy. If this is in a batch file, try using ECHO statements to figure out whether cmd.exe is being invoked somewhere other than where you think it is being invoked. If you're still stuck, you could put the whole batch file in a "code box" (the pound-sign icon) and explain how the batch file is called.

HTH

 

earth1, I sent you a PM. Thanks.