Another "permit once" suggestion - regsvr32.exe

Discussion in 'ProcessGuard' started by gottadoit, Mar 24, 2005.

Thread Status:
Not open for further replies.
  1. gottadoit

    gottadoit Security Expert

    Joined:
    Jul 12, 2004
    Posts:
    601
    Location:
    Australia
    Just noticed that Gavin suggested that regsvr32 is a good candidate for run once permissions. It sounds like a good idea, so I thought I'd mention it here for anyone that was interested.

    The thread his comment is in is here

    Another useful thing to do from time to time is to go to the Security tab in PG and sort by "Last Run" and have a look at what has been executed recently (and the time it ran), it might reveal something unexpected (even if it isn't a security issue...)

    NB: If you have been running PG 3.x since last year you will have to ignore the date sorting bug as it doesn't take the year into account...
     
  2. earth1

    earth1 Registered Member

    Joined:
    Oct 17, 2004
    Posts:
    177
    Location:
    Kansas, USA
    Just a quick tip related to Gavin's suggestion about setting cmd.exe to Permit Once.

    I resisted changing cmd.exe to Permit Once because it was used in numerous script files (in loops even). I later realized I could rename a copy of cmd.exe and put it in an obscure location. Now cmd.exe is set to Permit Once and my script files call the obscure copy which is set to Permit Always. An obvious solution, but it took me so long to think of it I wanted to mention it just in case...
     
  3. gottadoit

    FWIW,
    I also have a renamed copy of regedit with permit always (for the same reason, because I download and apply registry settings via a batch job)
     
  4. jon_fl

    jon_fl Registered Member

    Joined:
    Sep 4, 2004
    Posts:
    242
    Could you explain exactly how you did that? :doubt:
     
  5. earth1

    First, choose (or create) the directory where you want to "hide" the cmd-clone. Let's say you've created "c:\innocent\dir". Now copy cmd.exe (from C:\WINDOWS or C:\WINNT) to c:\innocent\dir, and rename the copy to something less obvious, let's say pgCommand.exe. Next, start pgCommand.exe and tell PG to "Permit Always". Finally, change PG's Security on your original cmd.exe to be "Permit Once". That's it!

    In batch files, you can now replace:
    cmd /c doSomething.bat

    with:
    c:\innocent\dir\pgCommand /c doSomething.bat

    Since pgCommand is "Permit Always" you won't be bothered every time a script invokes it. The advantage, of course, is that if malware tries to use cmd.exe to run a script, you will be alerted. It seems unlikely that any malware will try to run a script using c:\innocent\dir\pgCommand.exe. If you're really paranoid, you can add some extra bytes to the end of the cloned copy so that it would appear to be a different file. If you're somewhat less paranoid, you can add c:\innocent\dir to your PATH and invoke pgCommand by name only.
     
  6. jon_fl

    Thanks ;). Do you have any other suggestions with any other files etc.?
     
  7. gottadoit

  8. jon_fl

    I did all of this, replaced the batch file as instructed and it still goes through cmd.exe instead of going through the cmd-clone I made in another folder. o_O
     
  9. earth1

    Can you provide more information? Perhaps put the relevant command(s) in a code box. Anything that may help me guess what you are seeing and what might be happening.
     
  10. jon_fl

    Original batch file: "C:\Program Files\doSomething\DS.EXE" /tasks:abcd

    Made a new folder with the clone-cmd.exe and changed to:
    C:\innocent\pgCommand /"C:\Program Files\doSomething\DS.EXE" /tasks:abcd
     
  11. earth1

    I'm still not sure where cmd.exe was getting called before (and presumably is still getting called now). The one line from the original batch file (?) does not seem to be using cmd.exe, but is just invoking an executable.

    Also, there may be an idiom in my example that was misunderstood. The "/c" switch is used to tell cmd.exe to exit (close its console window) immediately after performing the command specified on the command line. It's often used to perform a DOS command from inside an executable or from a non-DOS script language. In this case it's used to specify your alternate version of the DOS interpreter.

    The second half of your example (maybe a typo?) looks like you have only a "slash" where I would have expected a "slash-'c'-space". It looks like the .EXE name is immediately after the "slash" as opposed to

    cmd-clone /c "EXE-name" EXE-parameters

    My best guess is that cmd.exe is being called from somewhere other than where you tried using the cmd-clone copy. If this is in a batch file, try using ECHO statements to figure out whether cmd.exe is being invoked somewhere other than where you think it is being invoked. If you're still stuck, you could put the whole batch file in a "code box" (the pound-sign icon) and explain how the batch file is called.

    HTH
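
Added example (not part of the thread and not any poster's code): a Python check for the two problems discussed above, namely script lines that still reference the stock interpreter explicitly and lines that call the clone without a /c or /k switch. The clone name pgCommand comes from the thread; the helper names audit_batch and has_run_switch and the sample batch file are constructed for illustration.

```python
import re

CLONE = "pgCommand"  # clone name used in the thread's example; substitute your own

# Explicit references to the stock interpreter: cmd, cmd.exe (any path), %ComSpec%.
STOCK = re.compile(r'(?<![\w.-])cmd(?:\.exe)?(?![\w.-])|%comspec%', re.I)
# The clone, optionally with .exe and a closing quote, then the rest of the line.
CLONE_CALL = re.compile(re.escape(CLONE) + r'(?:\.exe)?"?(?![\w.-])(.*)', re.I)
# Other single-letter cmd.exe switches (/q, /d, /e:on ...) may precede /c or /k.
SWITCH = re.compile(r'/[a-z](?::\S+)?$', re.I)

def has_run_switch(rest):
    """True if /c or /k appears before the first non-switch token."""
    for tok in rest.split():
        if tok.lower() in ("/c", "/k"):
            return True
        if not SWITCH.match(tok):
            return False
    return False

def audit_batch(text):
    """Return (line_no, issue) for each line that needs attention."""
    findings = []
    for no, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        # REM and :: lines are comments and never execute.
        if not line or re.match(r'@?rem\b|::', line, re.I):
            continue
        if STOCK.search(line):
            findings.append((no, "stock interpreter invoked"))
        m = CLONE_CALL.search(line)
        if m and not has_run_switch(m.group(1)):
            findings.append((no, "clone called without /c or /k"))
    return findings

# Constructed sample batch file; paths and names follow the thread's examples.
SAMPLE = r'''@echo off
rem old form: cmd /c doSomething.bat
c:\innocent\dir\pgCommand /c doSomething.bat
C:\innocent\pgCommand /"C:\Program Files\doSomething\DS.EXE" /tasks:abcd
for %%f in (*.reg) do %ComSpec% /c apply.bat %%f
"C:\Program Files\doSomething\DS.EXE" /tasks:abcd
C:\WINDOWS\system32\cmd.exe /q /c cleanup.cmd
'''

if __name__ == "__main__":
    for no, issue in audit_batch(SAMPLE):
        print(f"line {no}: {issue}")
```

The scan only sees explicit references in the script text; starting a .bat file directly still runs it under cmd.exe, which no edit to the file's contents changes.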
     
  12. jon_fl

    earth1, I sent you a PM. Thanks.
     