CommandLineScanner

Discussion in 'other anti-malware software' started by Mr.X, Feb 15, 2017.

  1. Peter2150

    Peter2150 Global Moderator

    Hi Guys

Commandscanner. What does it offer beyond what AppGuard and ERP offer?
     
  2. Lockdown

    Lockdown Registered Member

    Assembly language (command lines) is always running on the system.

    With cmdScanner you can control every single command line on the system - if you're insane and a glutton for punishment - or just have nothing better to do or just want to do the smart thing and really learn about your system. Doing so would be akin to getting an alert from ERP for every single command line that is executed on the system. It's not that bad - just a lot of reviews of logs.

cmdScanner provides control of command lines (assembly language). Bouncer provides control of processes by file path and/or hash. AppGuard does it by System|User Space and file path. There is overlap to an extent between Bouncer\cmdScanner and Bouncer\AppGuard. One-half dozen and six in the other type of thing.

    cmdScanner provides an additional layer of protection with fine-grained control over the command lines.
     
  3. Peter2150

    Peter2150 Global Moderator

    Thanks Jeff. Key thing that stood out in my mind was the insane and glutton for punishment part. I may look but.....
     
  4. Lockdown

    Lockdown Registered Member

    I meant for the person that wants to control every single command line on their system.

    Someone like you would implement more user friendly generic rules - like allowing command lines for C:\Program Files and C:\Program Files (x86) etcetera.

cmdScanner is useful. Believe me, if you're trying to track command lines, Windows' own Auditpol.exe and SysInternals' SysMon ain't no fun to set up and are both a hassle to use. Access to the cmdline log right from the tray icon or taskbar :thumb:. That's if you have need of it, which I do. That's not its purpose, but it can be used as such.
     
  5. Peter2150

    Peter2150 Global Moderator

Would someone like me gain anything over ERP's control of command lines?
     
  6. Lockdown

    Lockdown Registered Member

    Knowing what you are using to protect your system, I'd say it isn't for you. It's not gonna be of any benefit unless you want to take on the project of crafting the rules. It's not that difficult, just requires a little bit of time. Make rules, see what happens, review logs, make corrections, see what happens, review logs, make corrections,...

    Knowing you, I know you consider such stuff a rigmarole and manageability problem. It's not as bad as you think, but it does require some work.
     
  7. WildByDesign

    WildByDesign Registered Member

    I agree with this fair statement entirely. I don't think Pete needs the extra command line protection here since he's already got solid protection from AppGuard, NVT ERP if I remember correctly, and now also MZWriteScanner as I believe I saw in the other thread.
     
  8. Lockdown

    Lockdown Registered Member

    I thought there for a minute Pete was thinking about doing that whole WWII "Atlantic Wall" sort of thing on his system...
     
  9. Peter2150

    Peter2150 Global Moderator

Thanks guys. No Atlantic Wall. You remember correctly, WBD.
     
  10. guest

    guest Guest

    You can control the Command-Line, and you can also control what parent process is able to execute the Command-line (before the ">" sign)
     
  11. Mr.X

    Mr.X Registered Member

Is it possible to relocate the log file?
See, I don't want the mini driver to keep writing to my SSD, you know, to prolong the drive's life.
     
  12. boredog

    boredog Registered Member

Decided to give it a try. My first question is: do I need to enable CLS in the cmdScannerDemo and the Windows directory?
     
  13. guest

    guest Guest

In the beginning I recommend running it with [#LETHAL].
By "enabling" I mean CommandLineScanner is blocking processes/command lines = [LETHAL].
If you are using [#LETHAL], it is not blocking processes, it is only logging them.

So, in the beginning I wouldn't enable it. Better leave it at [#LETHAL], create/change your rules and watch C:\Windows\cmdscanner.log.
If you are familiar with CommandLineScanner and it is only blocking processes "as expected" according to the log file, you can try to enable it with [LETHAL] in C:\Windows\cmdscanner.ini.
     
  14. Mr.X

    Mr.X Registered Member

How do I shorten these lines in order to fit in a 2 KB ini file?
Currently they use around 5 KB, grrr.

    Code:
    [WHITELIST]
    *C:\Program Files\Excubits\CommandLineScanner\Tray.exe>*C:\Windows\system32\cmd.exe /c sc query cmdScanner*
    *C:\Program Files\Excubits\CommandLineScanner\Admin Tool.exe>*C:\Windows\system32\cmd.exe /c net start cmdScanner*
    *C:\Program Files\Excubits\CommandLineScanner\Tray.exe>*"C:\Program Files\Excubits\CommandLineScanner\Admin Tool.exe" start-driver*
    *C:\Windows\System32\svchost.exe>*"C:\Program Files\Excubits\CommandLineScanner\Admin Tool.exe" start-driver*
    *C:\Windows\SysWOW64\cmd.exe>*\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1*
    *C:\Windows\SysWOW64\cmd.exe>*sc query cmdScanner*
    *C:\Windows\SysWOW64\cmd.exe>*net stop cmdScanner*
    *C:\Windows\SysWOW64\cmd.exe>*net start cmdScanner*
    *C:\Windows\SysWOW64\net.exe>*C:\Windows\system32\net1 stop cmdScanner*
    *C:\Program Files\Excubits\CommandLineScanner\Tray.exe>*C:\Windows\notepad.exe C:\Windows\cmdScanner.log*
    *C:\Windows\explorer.exe>*"C:\Windows\system32\NOTEPAD.EXE" C:\Windows\cmdscanner.ini*
    *C:\Windows\System32\svchost.exe>*"C:\Program Files\Excubits\CommandLineScanner\Admin Tool.exe" edit-inifile*
    *C:\Program Files\Excubits\CommandLineScanner\Admin Tool.exe>*C:\Windows\notepad.exe C:\Windows\cmdScanner.ini*
    *C:\Program Files\Excubits\CommandLineScanner\Tray.exe>*"C:\Program Files\Excubits\CommandLineScanner\Admin Tool.exe" edit-inifile*
    *C:\Program Files\Excubits\CommandLineScanner\Admin Tool.exe>*C:\Windows\system32\cmd.exe /c net stop cmdScanner*
    *C:\Windows\explorer.exe>*"C:\Program Files\Excubits\CommandLineScanner\Tray.exe"*
    *C:\Program Files\Excubits\CommandLineScanner\Tray.exe>*"C:\Program Files\Excubits\CommandLineScanner\Admin Tool.exe" installmode-on*
    *C:\Windows\System32\svchost.exe>*"C:\Program Files\Excubits\CommandLineScanner\Admin Tool.exe" installmode-on*
    *C:\Program Files\Excubits\CommandLineScanner\Tray.exe> *C:\Program Files\Excubits\CommandLineScanner\Admin Tool.exe" restart-driver*
    *C:\Windows\System32\svchost.exe*>*"C:\Program Files\Excubits\CommandLineScanner\Admin Tool.exe" restart-driver*
    *C:\Windows\System32\svchost.exe>*C:\Windows\system32\DllHost.exe /Processid:{E10F6C3A-F1AE-4ADC-AA9D-2FE65525666E}*
     
  15. guest

    guest Guest

    Now it's 22% smaller:
    Code:
    [WHITELIST]
    *C:\Program*\Excubits\*\Tray.exe>*C:\Windows\sys*\cmd.exe /c sc query cmdScanner*
    *C:\Program*\Excubits\*\Admin Tool.exe>*C:\Windows\sys*\cmd.exe /c net start cmdScanner*
    *C:\Program*\Excubits\*\Tray.exe>*"C:\Program*\Excubits\*\Admin Tool.exe" start-driver*
    *C:\Windows\Sys*\svchost.exe>*"C:\Program*\Excubits\*\Admin Tool.exe" start-driver*
    *C:\Windows\Sys*\cmd.exe>*\??\C:\Windows\sys*\conhost.exe 0xffffffff -ForceV1*
    *C:\Windows\Sys*\cmd.exe>*sc query cmdScanner*
    *C:\Windows\Sys*\cmd.exe>*net stop cmdScanner*
    *C:\Windows\Sys*\cmd.exe>*net start cmdScanner*
    *C:\Windows\Sys*\net.exe>*C:\Windows\sys*\net1 stop cmdScanner*
    *C:\Program*\Excubits\*\Tray.exe>*C:\Windows\notepad.exe C:\Windows\cmdScanner.log*
    *C:\Windows\explorer.exe>*"C:\Windows\sys*\NOTEPAD.EXE" C:\Windows\cmdscanner.ini*
    *C:\Windows\Sys*\svchost.exe>*"C:\Program*\Excubits\*\Admin Tool.exe" edit-inifile*
    *C:\Program*\Excubits\*\Admin Tool.exe>*C:\Windows\notepad.exe C:\Windows\cmdScanner.ini*
    *C:\Program*\Excubits\*\Tray.exe>*"C:\Program*\Excubits\*\Admin Tool.exe" edit-inifile*
    *C:\Program*\Excubits\*\Admin Tool.exe>*C:\Windows\sys*\cmd.exe /c net stop cmdScanner*
    *C:\Windows\explorer.exe>*"C:\Program*\Excubits\*\Tray.exe"*
    *C:\Program*\Excubits\*\Tray.exe>*"C:\Program*\Excubits\*\Admin Tool.exe" installmode-on*
    *C:\Windows\Sys*\svchost.exe>*"C:\Program*\Excubits\*\Admin Tool.exe" installmode-on*
    *C:\Program*\Excubits\*\Tray.exe> *C:\Program*\Excubits\*\Admin Tool.exe" restart-driver*
    *C:\Windows\Sys*\svchost.exe*>*"C:\Program*\Excubits\*\Admin Tool.exe" restart-driver*
    *C:\Windows\Sys*\svchost.exe>*C:\Windows\sys*\DllHost.exe /Processid:{E10F6C3A-F1AE-4ADC-AA9D-2FE65525666E}*
Changes:
There is room for "improvement": the words "Excubits", "Windows", "Admin Tool.exe".

But after 35% comes a point where the .ini file is "hard to read" :ninja:
     
  16. Mr.X

    Mr.X Registered Member

    Great! Thank you.

Could you get to that 35% cut? Doesn't matter if it's hard to read, as I'm keeping track of changes in a separate file, you know, just for reference. :)
     
  17. guest

    guest Guest

    :D
    Code:
    [WHITELIST]
    *C:\Program*\Ex*\Tray.exe>*C:\Win*\sys*\cmd.exe /c sc query cmd*
    *C:\Program*\Ex*\Admin*.exe>*C:\Win*\sys*\cmd.exe /c net start cmd*
    *C:\Program*\Ex*\Tray.exe>*"C:\Program*\Ex*\Admin*.exe" start-driver*
    *C:\Win*\Sys*\svchost.exe>*"C:\Program*\Ex*\Admin*.exe" start-driver*
    *C:\Win*\Sys*\cmd.exe>*\??\C:\Win*\sys*\conhost.exe 0xffffffff -ForceV1*
    *C:\Win*\Sys*\cmd.exe>*sc query cmd*
    *C:\Win*\Sys*\cmd.exe>*net stop cmd*
    *C:\Win*\Sys*\cmd.exe>*net start cmd*
    *C:\Win*\Sys*\net.exe>*C:\Win*\sys*\net1 stop cmd*
    *C:\Program*\Ex*\*\Tray.exe>*C:\Win*\notepad.exe C:\Win*\cmd*.log*
    *C:\Win*\explorer.exe>*"C:\Win*\sys*\NOTEPAD.EXE" C:\Win*\cmd*.ini*
    *C:\Win*\Sys*\svchost.exe>*"C:\Program*\Ex*\*\Admin*.exe" edit-inifile*
    *C:\Program*\Ex*\*\Admin*.exe>*C:\Win*\notepad.exe C:\Win*\cmd*.ini*
    *C:\Program*\Ex*\*\Tray.exe>*"C:\Program*\Ex*\*\Admin*.exe" edit-inifile*
    *C:\Program*\Ex*\*\Admin*.exe>*C:\Win*\sys*\cmd.exe /c net stop cmd*
    *C:\Win*\explorer.exe>*"C:\Program*\Ex*\*\Tray.exe"*
    *C:\Program*\Ex*\*\Tray.exe>*"C:\Program*\Ex*\*\Admin*.exe" installmode-on*
    *C:\Win*\Sys*\svchost.exe>*"C:\Program*\Ex*\*\Admin*.exe" installmode-on*
    *C:\Program*\Ex*\*\Tray.exe> *C:\Program*\Ex*\*\Admin*.exe" restart-driver*
    *C:\Win*\Sys*\svchost.exe*>*"C:\Program*\Ex*\*\Admin*.exe" restart-driver*
    *C:\Win*\Sys*\svchost.exe>*C:\Win*\sys*\DllHost.exe /Processid:{E10F6C3A-F1AE-4ADC-AA9D-2FE65525666E}*
    Code:
    [WHITELIST]
    *C:\Pro*\Ex*\Tray.exe>*C:\Win*\sys*\cmd.exe /c sc query cmd*
    *C:\Pro*\Ex*\Admin*.exe>*C:\Win*\sys*\cmd.exe /c net start cmd*
    *C:\Pro*\Ex*\Tray.exe>*"C:\Pro*\Ex*\Admin*.exe" start-driver*
    *C:\Win*\Sys*\svchost.exe>*"C:\Pro*\Ex*\Admin*.exe" start-driver*
    *C:\Win*\Sys*\cmd.exe>*\??\C:\Win*\sys*\conhost.exe 0xffffffff -ForceV1*
    *C:\Win*\Sys*\cmd.exe>*sc query cmd*
    *C:\Win*\Sys*\cmd.exe>*net stop cmd*
    *C:\Win*\Sys*\cmd.exe>*net start cmd*
    *C:\Win*\Sys*\net.exe>*C:\Win*\sys*\net1 stop cmd*
    *C:\Pro*\Ex*\*\Tray.exe>*C:\Win*\notepad.exe C:\Win*\cmd*.log*
    *C:\Win*\explorer.exe>*"C:\Win*\sys*\NOTEPAD.EXE" C:\Win*\cmd*.ini*
    *C:\Win*\Sys*\svchost.exe>*"C:\Pro*\Ex*\*\Admin*.exe" edit-inifile*
    *C:\Pro*\Ex*\*\Admin*.exe>*C:\Win*\notepad.exe C:\Win*\cmd*.ini*
    *C:\Pro*\Ex*\*\Tray.exe>*"C:\Pro*\Ex*\*\Admin*.exe" edit-inifile*
    *C:\Pro*\Ex*\*\Admin*.exe>*C:\Win*\sys*\cmd.exe /c net stop cmd*
    *C:\Win*\explorer.exe>*"C:\Pro*\Ex*\*\Tray.exe"*
    *C:\Pro*\Ex*\*\Tray.exe>*"C:\Pro*\Ex*\*\Admin*.exe" installmode-on*
    *C:\Win*\Sys*\svchost.exe>*"C:\Pro*\Ex*\*\Admin*.exe" installmode-on*
    *C:\Pro*\Ex*\*\Tray.exe> *C:\Pro*\Ex*\*\Admin*.exe" restart-driver*
    *C:\Win*\Sys*\svchost.exe*>*"C:\Pro*\Ex*\*\Admin*.exe" restart-driver*
    *C:\Win*\Sys*\svchost.exe>*C:\Win*\sys*\DllHost.exe /Processid:{E10F6C3A-F1AE-4ADC-AA9D-2FE65525666E}*
     
  18. Mr.X

    Mr.X Registered Member

    Speechless. :ninja:
You are so kind. I really appreciate your help @mood

    :worthy: :geek:

    Gonna try these shortened lines later on today...
     
  19. Mr.X

    Mr.X Registered Member

Oh! Just copied the 38% reduced ini lines and the file is still 2.79 KB, grrrr.

See, what I am trying to accomplish is for cmdscanner to work smoothly. @Lockdown passed me the original ones, but I'm not quite sure if they are all needed.

I'm just using this mini driver for logging purposes only.
     
    Last edited: Mar 16, 2017
  20. Mr.X

    Mr.X Registered Member

I shortened them enough to get a logfile 55% smaller :geek: :p
Now its size is 1.87 KB.

    Code:
    [WHITELIST]
    *Tray.exe>*cmd.exe /c sc query cmd*
    *Tray.exe>*Admin*.exe" start-driver*
    *Tray.exe>*Admin*.exe" stop-driver*
    *Tray.exe>*Admin*.exe" restart-driver*
    *Tray.exe>*Admin*.exe" edit-inifile*
    *Tray.exe>*C:\Win*\notepad.exe C:\W*\cmd*.log*
    *Admin*.exe>*cmd.exe /c net start cmd*
    *Admin*.exe>*cmd.exe /c net stop cmd*
    *Admin*.exe>*C:\Win*\notepad.exe C:\W*\cmd*.ini*
    *cmd.exe>*\??\*conhost.exe 0xffffffff*
    *cmd.exe>*sc  query cmd*
    *cmd.exe>*net  stop cmd*
    *cmd.exe>*net  start cmd*
    *net.exe>*net1  stop cmd*
    *net.exe>*net1  start cmd*
    *svchost.exe>*Admin*.exe" start-driver*
    *svchost.exe>*Admin*.exe" stop-driver*
    *svchost.exe>*Admin*.exe" edit-inifile*
    *svchost.exe>*Admin*.exe" restart-driver*
    *svchost.exe>*DllHost.exe /Processid:{E10F6C3A-F1AE-4ADC-AA9D-2FE65525666E}*
    *C:\W*\explorer.exe>*NOTEPAD.EXE" C:\W*\cmd*.ini*
    *C:\W*\explorer.exe>*Tray.exe*

Now cmdscanner is quiet for those ones, LOL.
Otherwise the log file was growing and getting quite obese :argh:
     
    Last edited: Mar 16, 2017
  21. Mr.X

    Mr.X Registered Member

Also, I made a symbolic link for cmdScanner.ini, placing the logfile under D:\Documents\CommandLineScanner, but the symlink doesn't survive a reboot or using the tray tool to manage the driver. :mad:

I guess using a hard link would solve the problem, but it can't exist across different drives/volumes/partitions/filesystems :mad:

I just hope Florian could one day make relocation of the log file a reality. For all his drivers, I mean to say.
     
  22. Lockdown

    Lockdown Registered Member

    Pay attention to the command lines below... I have cmdScanner installed to

    C:\Program Files\Excubits\cmdScanner

    If yours is different you can adjust it using the actual explicit path or just use the * wildcard.

Here is the complete list of cmdScanner exclusions (Florian provided it):

    [#INSTALLMODE]
    [#LETHAL]
    [LOGGING]
    [WHITELIST]
    C:\Program Files\Excubits\cmdScanner\Admin Tool.exe>C:\Windows\notepad.exe C:\Windows\cmdScanner.ini*
    C:\Program Files\Excubits\cmdScanner\Admin Tool.exe>C:\Windows\system32\cmd.exe /c net start cmdScanner*
    C:\Program Files\Excubits\cmdScanner\Admin Tool.exe>C:\Windows\system32\cmd.exe /c net stop cmdScanner*
    C:\Program Files\Excubits\cmdScanner\Tray.exe>"C:\Program Files\Excubits\cmdScanner\Admin Tool.exe" restart-driver*
    C:\Program Files\Excubits\cmdScanner\Tray.exe>"C:\Program Files\Excubits\cmdScanner\Admin Tool.exe" edit-inifile*
    C:\Program Files\Excubits\cmdScanner\Tray.exe>"C:\Program Files\Excubits\cmdScanner\Admin Tool.exe" installmode-on*
    C:\Program Files\Excubits\cmdScanner\Tray.exe>"C:\Program Files\Excubits\cmdScanner\Admin Tool.exe" start-driver*
    C:\Program Files\Excubits\cmdScanner\Tray.exe>"C:\Program Files\Excubits\cmdScanner\Admin Tool.exe" stop-driver*
    C:\Program Files\Excubits\cmdScanner\Tray.exe>"C:\Program Files\Excubits\cmdScanner\Admin Tool.exe" installmode-on*
    C:\Program Files\Excubits\cmdScanner\Tray.exe>"C:\Program Files\Excubits\cmdScanner\Admin Tool.exe" installmode-off*
    C:\Program Files\Excubits\cmdScanner\Tray.exe>"C:\Program Files\Excubits\cmdScanner\Admin Tool.exe" clear-log*
    C:\Program Files\Excubits\cmdScanner\Tray.exe>"C:\Program Files\Excubits\cmdScanner\Admin Tool.exe" change-config*
    C:\Program Files\Excubits\cmdScanner\Tray.exe>C:\Windows\notepad.exe C:\Windows\cmdScanner.log*
    C:\Program Files\Excubits\cmdScanner\Tray.exe>C:\Windows\system32\cmd.exe /c sc query cmdScanner*
    C:\Windows\explorer.exe>"C:\Program Files\Excubits\cmdScanner\Tray.exe"*
    C:\Windows\explorer.exe>"C:\Windows\system32\NOTEPAD.EXE" C:\Windows\cmdscanner.ini*
    C:\Windows\explorer.exe>"C:\Windows\system32\NOTEPAD.EXE" C:\Windows\cmdscanner.log*
    C:\Windows\System32\svchost.exe>"C:\Program Files\Excubits\cmdScanner\Admin Tool.exe" restart-driver*
    C:\Windows\System32\svchost.exe>"C:\Program Files\Excubits\cmdScanner\Admin Tool.exe" edit-inifile*
    C:\Windows\System32\svchost.exe>"C:\Program Files\Excubits\cmdScanner\Admin Tool.exe" installmode-on*
    C:\Windows\System32\svchost.exe>"C:\Program Files\Excubits\cmdScanner\Admin Tool.exe" start-driver*
    C:\Windows\System32\svchost.exe>"C:\Program Files\Excubits\cmdScanner\Admin Tool.exe" stop-driver*
    C:\Windows\System32\svchost.exe>"C:\Program Files\Excubits\cmdScanner\Admin Tool.exe" installmode-on*
    C:\Windows\System32\svchost.exe>"C:\Program Files\Excubits\cmdScanner\Admin Tool.exe" installmode-off*
    C:\Windows\System32\svchost.exe>"C:\Program Files\Excubits\cmdScanner\Admin Tool.exe" clear-log*
    C:\Windows\System32\svchost.exe>"C:\Program Files\Excubits\cmdScanner\Admin Tool.exe" change-config*
    C:\Windows\*cmd.exe>sc query cmdScanner
    C:\Windows\*cmd.exe>\??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1
    C:\Windows\*cmd.exe>net start cmdScanner*
    C:\Windows\*cmd.exe>net stop cmdScanner*
    C:\Windows\*cmd.exe>sc query cmdScanner*
    C:\Windows\*net.exe>C:\Windows\system32\net1 stop cmdScanner*
    C:\Program Files\Windows Defender\MsMpEng.exe>"c:\windows\system32\\svchost.exe"
    [BLACKLIST]
    [EOF]
     
    Last edited: Mar 17, 2017
  23. Mr.X

    Mr.X Registered Member

Thanks Jeff. Unfortunately that many lines surpasses the 2 KB limit.
     
  24. Lockdown

    Lockdown Registered Member

Did you try placing the log onto the Task Bar? This is what I do for SpyShelter's command line log.

    Anyways,... I just occasionally use the cmdScanner tray icon and clear the log.
     
  25. Lockdown

    Lockdown Registered Member

    OK, now I see...

    Try smallest font... LOL... :rolleyes:

Just place * at the end of the Admin Tool command lines; that should mean you only need two command lines in the .ini for Tray.exe > Admin Tool and svchost.exe > Admin Tool:

    C:\Program Files\Excubits\cmdScanner\Tray.exe>"C:\Program Files\Excubits\cmdScanner\Admin Tool.exe" *

    C:\Windows\System32\svchost.exe>"C:\Program Files\Excubits\cmdScanner\Admin Tool.exe" *

    * * * * *

    Good grief... I still have yet to figure out his wildcard syntax...
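The thread's rule-shortening exercise (posts 14 to 20 and 25) and the [LETHAL] / [#LETHAL] explanation in post 13 can be checked offline with a small model of the ini format. The block below is an added example written for this page; it is not code from the thread, from Excubits, or from cmdScanner itself. Its assumptions, since Lockdown notes the driver's wildcard syntax is not documented here: `*` matches any run of characters and nothing else is special, matching is case-insensitive like NTFS paths, a `parent>commandline` rule is matched against the logged `parent>commandline` string as one unit, a `[#SECTION]` header is a commented-out section, and anything not on the whitelist is logged under [#LETHAL] and blocked under [LETHAL] (the default-deny reading that Florian's full-path whitelist in post 22 implies). All rules and log events are constructed from the rule lists quoted in the thread.

```python
import re

# Wildcard model: '*' = any run of characters; nothing else is special (assumption,
# the real driver's syntax is not documented in the thread).
def rule_to_regex(rule: str) -> re.Pattern:
    """Turn a 'parent>commandline' wildcard rule into an anchored, case-insensitive regex."""
    escaped = ".*".join(re.escape(piece) for piece in rule.split("*"))
    return re.compile("^" + escaped + "$", re.IGNORECASE | re.DOTALL)

def rule_matches(rule: str, event: str) -> bool:
    """event is the logged 'parent>commandline' string, matched as one unit (assumption)."""
    return rule_to_regex(rule).match(event) is not None

def parse_ini(text: str):
    """Split a cmdScanner-style ini into mode flags and rule sections.
    '[#NAME]' is treated as NAME switched off, '[NAME]' as switched on (assumption);
    WHITELIST / BLACKLIST collect rule lines; [EOF] ends parsing."""
    flags, sections, current = {}, {"WHITELIST": [], "BLACKLIST": []}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("[") and line.endswith("]"):
            name = line[1:-1]
            if name == "EOF":
                break
            if name in sections:
                current = name
            else:
                current = None
                flags[name.lstrip("#").upper()] = not name.startswith("#")
            continue
        if current:
            sections[current].append(line)
    return flags, sections

def decide(ini_text: str, event: str) -> str:
    """'allow' for whitelisted lines; otherwise 'block' under [LETHAL], 'log' under [#LETHAL]."""
    flags, sections = parse_ini(ini_text)
    verdict = "block" if flags.get("LETHAL") else "log"
    if any(rule_matches(r, event) for r in sections["BLACKLIST"]):
        return verdict
    if any(rule_matches(r, event) for r in sections["WHITELIST"]):
        return "allow"
    return verdict

def ini_size_bytes(text: str) -> int:
    """Byte size of the ini text as ASCII/UTF-8 (assumed single-byte encoding, as in the thread's KB figures)."""
    return len(text.encode("utf-8"))

def compare_rulesets(old_rules, new_rules, events):
    """Return (lost, gained): events the old set matched but the new one does not, and vice versa.
    A non-empty 'gained' means the shortened rules whitelist more than the originals did."""
    def matched(rules, ev):
        return any(rule_matches(r, ev) for r in rules)
    lost = [e for e in events if matched(old_rules, e) and not matched(new_rules, e)]
    gained = [e for e in events if matched(new_rules, e) and not matched(old_rules, e)]
    return lost, gained

# Constructed data: full-path rules in Florian's style (post 22) and Mr.X's shortened forms (post 20).
LONG_RULES = [
    r'C:\Program Files\Excubits\cmdScanner\Tray.exe>C:\Windows\system32\cmd.exe /c sc query cmdScanner*',
    r'C:\Program Files\Excubits\cmdScanner\Tray.exe>"C:\Program Files\Excubits\cmdScanner\Admin Tool.exe" start-driver*',
]
SHORT_RULES = [
    r'*Tray.exe>*cmd.exe /c sc query cmd*',
    r'*Tray.exe>*Admin*.exe" start-driver*',
]
# Constructed log events in the thread's parent>commandline form.
EVENTS = [
    r'C:\Program Files\Excubits\cmdScanner\Tray.exe>C:\Windows\system32\cmd.exe /c sc query cmdScanner',
    r'C:\Program Files\Excubits\cmdScanner\Tray.exe>"C:\Program Files\Excubits\cmdScanner\Admin Tool.exe" start-driver',
    r'C:\Windows\System32\svchost.exe>"C:\Program Files\Excubits\cmdScanner\Admin Tool.exe" clear-log',
    # constructed: an unrelated program that merely shares the file name Tray.exe
    r'C:\Users\Public\Tray.exe>"C:\Users\Public\Admin Tool.exe" start-driver',
    # constructed: a command line no rule covers
    r'C:\Windows\explorer.exe>"C:\Windows\system32\cmd.exe" /c whoami',
]
# Constructed ini: log-only mode, Mr.X's short rules plus Lockdown's collapsed svchost rule (post 25).
SAMPLE_INI = r"""
[#INSTALLMODE]
[#LETHAL]
[LOGGING]
[WHITELIST]
*Tray.exe>*cmd.exe /c sc query cmd*
*Tray.exe>*Admin*.exe" start-driver*
C:\Windows\System32\svchost.exe>"C:\Program Files\Excubits\cmdScanner\Admin Tool.exe" *
[BLACKLIST]
[EOF]
"""

if __name__ == "__main__":
    lost, gained = compare_rulesets(LONG_RULES, SHORT_RULES, EVENTS)
    print("ini size:", ini_size_bytes(SAMPLE_INI), "bytes; lost:", lost, "gained:", gained)
    for ev in EVENTS:
        print(decide(SAMPLE_INI, ev), "<-", ev)
```

`compare_rulesets` is the check to run before trusting a compressed whitelist: the shortened `*Tray.exe>*Admin*.exe" start-driver*` still matches every event the full-path rule matched (nothing lost), but it also matches the constructed `C:\Users\Public\Tray.exe` event (one gained), because a leading `*` on the parent side drops the directory from the rule. Cutting bytes from the parent path is therefore a loosening of the whitelist, while cutting them from the Admin Tool subcommand list, as Lockdown's trailing `*` does, keeps the parent and child paths explicit.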
     