Hey guys, I've googled excessively but without result. Recently I've read some articles about malware abusing Task Scheduler / at.exe to run/create tasks. My simple question is: how do you properly protect the scheduler from malware creating or running tasks? I haven't tested it yet, but I guess that a non-admin account / UAC would prompt for admin creds? Using SRP, it seems you can only deactivate the buttons to create/run tasks in the Task Scheduler GUI, but I'm not sure whether malware can't create/run tasks anyway?
Come on guys, nobody? Correct me if I'm wrong, but this still looks like a security issue to me. In case malware is installed unnoticed, it can add a task to autostart without a prompt?
You could install an anti-executable program like NoVirusThanks EXE Radar Pro, AppGuard, or VoodooShield. I have at.exe marked as a vulnerable process in NVT ERP, requiring my interaction to run, and blocked in AppGuard, which also blocks schtasks.exe by default. AppGuard is relatively complex; NVT ERP is simpler to understand and effective, but currently not being actively developed. Not sure how VS would handle these .exes, but I think it would also prompt, depending on settings, and it is very much under active development. There are threads for each of these products here on Wilders.
You might want to read: http://news.softpedia.com/news/windows-10-disk-cleanup-utility-abused-to-bypass-uac-506614.shtml
Malware might start, but probably only in the context of the current user (the same as writing an autorun registry key in HKCU). Is at.exe running at medium integrity level allowed to create a task that will run something with highest privileges? I don't think it can, but I will have to test it. Also, raise UAC to "Always notify" to prevent most bypasses.
It would prompt for credentials if a task is created for an account with higher privileges, but not if it's a task for your own account. You can monitor the execution of at.exe/schtasks.exe with some apps (as mentioned above).
I tried to create a task using Task Scheduler while logged in as a standard user. I could create a task, but only under my credentials. As soon as I tried to tick the option to run the task under highest privileges, I was asked for admin credentials. So Task Scheduler shouldn't be able to make system-wide changes (or schedule tasks that can do it) if not run under elevated rights. I didn't try creating tasks using at.exe, but it should be the same (as long as you have UAC on max).
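The same test scripted with the built-in ScheduledTasks cmdlets instead of the GUI, as an added example (not code from the post above). The task names and the demo command are assumptions chosen for illustration. Run it from a non-elevated PowerShell prompt as a standard user: the `Limited` task registers under your own token, while the `Highest` task (which asks for the user's full elevated token) is expected to be refused, which is the cmdlet equivalent of the credential prompt the poster saw in the GUI.

```powershell
# Added example, not from the thread. Assumptions: task names 'DemoTask-*' and the
# harmless cmd.exe action are placeholders. Run NON-elevated as a standard user.

$user    = "$env:USERDOMAIN\$env:USERNAME"
$action  = New-ScheduledTaskAction -Execute 'cmd.exe' -Argument '/c echo demo > "%TEMP%\demo.txt"'
$trigger = New-ScheduledTaskTrigger -AtLogOn -User $user

function Register-DemoTask {
    param(
        [Parameter(Mandatory)][string]$Name,
        [Parameter(Mandatory)][ValidateSet('Limited', 'Highest')][string]$RunLevel
    )
    # The principal decides which token the task runs with:
    #   Limited = the medium-integrity (filtered) user token, what a standard user already has.
    #   Highest = the user's full/elevated token; registering this needs admin rights,
    #             so from a non-elevated session the scheduler service should refuse it.
    $principal = New-ScheduledTaskPrincipal -UserId $user -LogonType Interactive -RunLevel $RunLevel
    try {
        Register-ScheduledTask -TaskName $Name -Action $action -Trigger $trigger `
                               -Principal $principal -ErrorAction Stop | Out-Null
        "[$RunLevel] registered OK, runs as $user"
    } catch {
        "[$RunLevel] refused: $($_.Exception.Message)"
    }
}

Register-DemoTask -Name 'DemoTask-Limited' -RunLevel Limited
Register-DemoTask -Name 'DemoTask-Highest' -RunLevel Highest

# Confirm what the scheduler actually stored, and with which run level.
Get-ScheduledTask -TaskName 'DemoTask-*' -ErrorAction SilentlyContinue |
    Select-Object TaskName, State,
                  @{ n = 'RunLevel'; e = { $_.Principal.RunLevel } },
                  @{ n = 'RunsAs';   e = { $_.Principal.UserId } }

# Clean up the demo tasks.
Get-ScheduledTask -TaskName 'DemoTask-*' -ErrorAction SilentlyContinue |
    Unregister-ScheduledTask -Confirm:$false
```

The point to take away is the one the poster found: the standard-user boundary holds for the run level, not for task creation itself. A non-elevated process can always register a task that runs as the current user, so the `Limited` registration is exactly the persistence that malware running as that user gets for free without any UAC prompt.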
I also use ERP to monitor at.exe, and I believe HIPS like SpyShelter also monitor the Task Scheduler. And don't forget about tools like Autoruns and System Explorer, which both list all active and non-active tasks.
I'm done with testing now and came to the (personal) conclusion that using an anti-executable is again highly recommended.

Proactive:
- If the limited user account / UAC is bypassed, it seems there is no further indication/notification about (repeated) executed tasks (running malware). Tasks, once added to the Scheduler, can apparently simply suppress UAC prompts.
- I'm using Comodo IS, and access to Task Scheduler / execution is protected.

Reactive:
- Sysinternals' Autoruns and CCleaner have the option to disable any tasks, but the user would need to check periodically.

> Test: I've used CIS in "paranoid mode" to find out what installing a program (known to use Task Scheduler) triggers. I thought that every program would trigger any/all of schtasks.exe / taskhostw / taskeng.exe, but it seems not:

Example: HitmanPro
AtBroker.exe
sihost.exe
RuntimeBroker.exe
backgroundTaskHost.exe

Example: Google Chrome
taskeng.exe
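The "reactive" periodic check the post describes doing with Autoruns/CCleaner, done with built-in cmdlets so it can be scheduled or run from a hardening script. This is an added example, not code from the thread. The trusted-path prefixes and the choice of what counts as "elevated" are assumptions for illustration; adjust them to your environment. Run it elevated so that tasks owned by other accounts and the Security log are readable.

```powershell
# Added example, not from the thread. Assumption: anything launched from outside the
# listed system/program directories by a SYSTEM or highest-run-level task is worth a look.

$trustedPathPrefixes = @("$env:SystemRoot\", "$env:ProgramFiles\", "${env:ProgramFiles(x86)}\")

function Get-SuspiciousScheduledTask {
    # Flags enabled tasks that run as SYSTEM or with RunLevel Highest AND launch an
    # executable outside the trusted prefixes (typical malware spots: %APPDATA%, %TEMP%).
    Get-ScheduledTask | Where-Object { $_.State -ne 'Disabled' } | ForEach-Object {
        $task = $_
        $elevated = ($task.Principal.RunLevel -eq 'Highest') -or
                    ($task.Principal.UserId -match '^(SYSTEM|NT AUTHORITY\\SYSTEM|S-1-5-18)$')
        foreach ($act in $task.Actions) {
            if (-not $act.Execute) { continue }   # COM-handler actions have no Execute path
            # Expand %VAR% references and strip quotes so the prefix test is meaningful.
            $exe = [Environment]::ExpandEnvironmentVariables($act.Execute).Trim('"')
            $inTrusted = $false
            foreach ($p in $trustedPathPrefixes) {
                if ($exe.StartsWith($p, [StringComparison]::OrdinalIgnoreCase)) { $inTrusted = $true; break }
            }
            if ($elevated -and -not $inTrusted) {
                [pscustomobject]@{
                    Task      = $task.TaskPath + $task.TaskName
                    RunsAs    = $task.Principal.UserId
                    RunLevel  = $task.Principal.RunLevel
                    Author    = $task.Author
                    Execute   = $exe
                    Arguments = $act.Arguments
                }
            }
        }
    }
}

function Get-RecentTaskRegistration {
    # Who registered tasks recently. Security event 4698 ("A scheduled task was created")
    # is only written when the "Audit Other Object Access Events" subcategory is enabled,
    # and the Microsoft-Windows-TaskScheduler/Operational log (event 106 = task registered)
    # is off by default and must be enabled in Event Viewer. Both sources are queried;
    # a source that is not enabled simply returns nothing.
    param([int]$Hours = 24)
    $since  = (Get-Date).AddHours(-$Hours)
    $events = @()
    $events += Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4698; StartTime = $since } -ErrorAction SilentlyContinue
    $events += Get-WinEvent -FilterHashtable @{ LogName = 'Microsoft-Windows-TaskScheduler/Operational'; Id = 106; StartTime = $since } -ErrorAction SilentlyContinue
    $events | Sort-Object TimeCreated |
        Select-Object TimeCreated, Id, @{ n = 'Summary'; e = { ($_.Message -split "`n")[0] } }
}

Get-SuspiciousScheduledTask | Format-Table -AutoSize
Get-RecentTaskRegistration -Hours 24 | Format-Table -AutoSize
```

The first function is the Autoruns-style inventory narrowed to the cases that matter once the poster's observation is taken seriously (a task that already runs elevated never prompts again); the second closes the "no notification" gap by pulling the registration events, which only exist if the corresponding audit policy or operational log has been switched on beforehand.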