CommandLineScanner

Discussion in 'other anti-malware software' started by Mr.X, Feb 15, 2017.

  1. Mr.X

    Mr.X Registered Member

    Joined:
    Aug 10, 2013
    Posts:
    4,809
    Location:
    .
CommandLineScanner is a forensic analysis driver that detects if executable program files are to be started on your computer. Analyze the automatically created log file periodically to detect possible attacks at an early stage and to take appropriate countermeasures. CommandLineScanner is also able to block executables by their filename or command line parameters enforcing a classic white- and blacklist approach. With appropriate rules you are able to fully control applications and the command line options as they are allowed to be started with. This makes CommandLineScanner an extremely powerful tool that you can use to do forensic analysis on, and to protect your Microsoft Windows driven systems.

    http://excubits.com/content/en/products_commandlinescanner.html
     
  2. Mr.X

    Mr.X Registered Member

    Joined:
    Aug 10, 2013
    Posts:
    4,809
    Location:
    .
Trying to whitelist and silence these in the log file:

    Code:
    *** excubits.com demo ***: 2017/02/15_12:06 > C:\Program Files\cmdScannerDemo\Tray.exe > C:\Windows\system32\cmd.exe /c sc query cmdScanner
    *** excubits.com demo ***: 2017/02/15_12:06 > C:\Windows\SysWOW64\cmd.exe > \??\C:\Windows\system32\conhost.exe 0xffffffff
    *** excubits.com demo ***: 2017/02/15_12:06 > C:\Windows\SysWOW64\cmd.exe > sc  query cmdScanner
     
    Last edited: Feb 15, 2017
  3. Lockdown

    Lockdown Registered Member

    Joined:
    Oct 28, 2016
    Posts:
    772
    Location:
    Wilders Security
    Is this out of beta with Microsoft co-signed driver ?

    Or is it the Bouncer integrated CommandLine Scanner that is still in beta ?
     
  4. Mr.X

    Mr.X Registered Member

    Joined:
    Aug 10, 2013
    Posts:
    4,809
    Location:
    .
    Out of beta with M$ co-signed driver. :cool:
     
  5. Peter2150

    Peter2150 Global Moderator

    Joined:
    Sep 20, 2003
    Posts:
    20,590
    I've been playing with it. Remarkable. I've been running malware against it in my VM. Nothing has gotten by. Even beats Appguard to the draw. Did take me a bit to figure out what was in their example ini file and what it meant.
     
  6. Peter2150

    Peter2150 Global Moderator

    Joined:
    Sep 20, 2003
    Posts:
    20,590

I think you're asking, so in the Whitelist add:

    C:\Windows\system32\cmd.exe /c sc query cmdScanner
    \??\C:\Windows\system32\conhost.exe 0xffffffff
    sc query cmdScanner

    What you enter should be between the carrot as shown to the carrot before the hash
     
  7. Mr.X

    Mr.X Registered Member

    Joined:
    Aug 10, 2013
    Posts:
    4,809
    Location:
    .
    Carrot? The veggie?
    Or do you mean caret symbol?
     
  8. Lockdown

    Lockdown Registered Member

    Joined:
    Oct 28, 2016
    Posts:
    772
    Location:
    Wilders Security
    You see any signs of a conflict between CL Scanner and AppGuard ?

    I might employ CL Scanner as a command line logger...
     
  9. Peter2150

    Peter2150 Global Moderator

    Joined:
    Sep 20, 2003
    Posts:
    20,590
    ROFL. The caret symbol.. Never said I could type or spell.
     
  10. Peter2150

    Peter2150 Global Moderator

    Joined:
    Sep 20, 2003
    Posts:
    20,590
    Hi Jeff

    Nope they seem happy together. By the way. I got that command line for Napster down with MZ so unless you just want the challenge, I am good to go.
     
  11. Lockdown

    Lockdown Registered Member

    Joined:
    Oct 28, 2016
    Posts:
    772
    Location:
    Wilders Security
    PM it please. CL Scanner should capture it also.
     
  12. itman

    itman Registered Member

    Joined:
    Jun 22, 2010
    Posts:
    8,593
    Location:
    U.S.A.
    A good test for this would be to see if it can detect a spawned suspended child process that is subsequently started by the owner process. A technique employed in "process hollowing."
     
  13. Peter2150

    Peter2150 Global Moderator

    Joined:
    Sep 20, 2003
    Posts:
    20,590
Do you have a good sample? Or a way to test?
     
  14. Lockdown

    Lockdown Registered Member

    Joined:
    Oct 28, 2016
    Posts:
    772
    Location:
    Wilders Security
    You have to find a malware that performs hollow process. Then determine which process(es) it hollows. Next create an allow command line for the malware, but block commandlines for any hollowed processes.

    I would suggest playing with Poweliks in a VM. It will take quite a bit of tinkering following this: http://journeyintoir.blogspot.com/2014/12/prefetch-file-meet-process-hollowing_17.html

    Look for the encrypted key creation in HKCU - SUCCESS ! If CL Scanner prevents it there will be no key created.
     
  15. Peter2150

    Peter2150 Global Moderator

    Joined:
    Sep 20, 2003
    Posts:
    20,590
    Step one will be easy HMPA might help with the rest. Will give it a play.

    Thanks Jeff.
     
  16. Lockdown

    Lockdown Registered Member

    Joined:
    Oct 28, 2016
    Posts:
    772
    Location:
    Wilders Security
    The sample used is linked to Malwr, but Malwr has been down for over a week now. I'm not sure what's going on with those guys. Perhaps they hit the Lotto and decided "Screw you guys, we're goin' home..."
     
  17. Peter2150

    Peter2150 Global Moderator

    Joined:
    Sep 20, 2003
    Posts:
    20,590
On thinking about it I am not sure this test makes sense to me. An unknown file is dropped on the system. It is detected before it can be executed and one gets an alert. It can't execute until one cleans out the log file. In real life I'd be restoring an image by then. So for the described scenario to matter it would be a self-inflicted wound.
     
  18. Mr.X

    Mr.X Registered Member

    Joined:
    Aug 10, 2013
    Posts:
    4,809
    Location:
    .
    Had to whitelist these rules for CLS to work properly, that is, to work without lag.

    Code:
    [#LETHAL]
    [LOGGING]
    [WHITELIST]
    *>*cmdScanner*
    *>*0xffffffff
    *>*edit-inifile
    [BLACKLIST]
    *>*desk.cpl,ScreenSaver,@ScreenSaver*
    [EOF]
    

    Anyone else noticed this?
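To see what the rules above actually do to the entries quoted in post 2, here is a small triage script. It is an added example, not Excubits code and not part of this thread: it parses lines in the `*** prefix ***: date_time > parent > child command line` layout of the demo log, reads the ini rule set from this post, and reports which lines the whitelist would silence, which the blacklist would block, and which would only be logged. The rule semantics are assumptions inferred from the shape of the quoted rules: each rule is matched case-insensitively against `parent>child`, `*` is the only wildcard, a blacklist hit takes precedence over a whitelist hit, and `[#LETHAL]` is read as a commented-out (disabled) section header. The two extra log lines (a Control Panel screensaver call and explorer starting notepad) are constructed to exercise the blacklist and the unmatched path.

```python
import re
from dataclasses import dataclass
from typing import Dict, List

# Constructed sample input: the three entries quoted in post 2, plus two
# constructed lines to exercise the blacklist and the "no rule matched" path.
SAMPLE_LOG = r"""
*** excubits.com demo ***: 2017/02/15_12:06 > C:\Program Files\cmdScannerDemo\Tray.exe > C:\Windows\system32\cmd.exe /c sc query cmdScanner
*** excubits.com demo ***: 2017/02/15_12:06 > C:\Windows\SysWOW64\cmd.exe > \??\C:\Windows\system32\conhost.exe 0xffffffff
*** excubits.com demo ***: 2017/02/15_12:06 > C:\Windows\SysWOW64\cmd.exe > sc  query cmdScanner
*** excubits.com demo ***: 2017/02/15_12:07 > C:\Windows\explorer.exe > C:\Windows\system32\rundll32.exe shell32.dll,Control_RunDLL desk.cpl,ScreenSaver,@ScreenSaver
*** excubits.com demo ***: 2017/02/15_12:07 > C:\Windows\explorer.exe > C:\Windows\system32\notepad.exe
"""

# The rule set from post 18, verbatim.
SAMPLE_RULES = """
[#LETHAL]
[LOGGING]
[WHITELIST]
*>*cmdScanner*
*>*0xffffffff
*>*edit-inifile
[BLACKLIST]
*>*desk.cpl,ScreenSaver,@ScreenSaver*
[EOF]
"""

# prefix ": " timestamp " > " parent " > " child command line
LOG_RE = re.compile(
    r"^(?P<prefix>[^>]*?): (?P<ts>\d{4}/\d{2}/\d{2}_\d{2}:\d{2}) > (?P<parent>.*?) > (?P<child>.*)$"
)


@dataclass
class Entry:
    timestamp: str
    parent: str
    child: str
    verdict: str = ""

    @property
    def subject(self) -> str:
        # Assumption: rules are matched against "parent>child", mirroring the
        # "*>*" shape of every rule in the quoted ini.
        return f"{self.parent}>{self.child}"


def parse_log(text: str) -> List[Entry]:
    entries = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        m = LOG_RE.match(line)
        if not m:
            raise ValueError(f"unrecognised log line: {line!r}")
        entries.append(Entry(m["ts"], m["parent"], m["child"]))
    return entries


def parse_rules(text: str) -> Dict[str, List[str]]:
    """Split the ini into sections keyed by header name; a '#' kept inside the
    brackets ([#LETHAL]) is treated as a disabled header (assumption)."""
    sections: Dict[str, List[str]] = {}
    current = None
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].upper()
            sections.setdefault(current, [])
        elif current is not None:
            sections[current].append(line)
    return sections


def glob_to_regex(pattern: str) -> "re.Pattern[str]":
    """Only '*' is a wildcard; every other character, including '?' in NT
    device paths, is literal. Case-insensitive because Windows paths are."""
    parts = [re.escape(p) for p in pattern.split("*")]
    return re.compile("^" + ".*".join(parts) + "$", re.IGNORECASE)


def classify(entry: Entry, rules: Dict[str, List[str]]) -> str:
    subject = entry.subject
    # Assumption: a blacklist hit wins over a whitelist hit, so a broad allow
    # rule can never silence a deny rule by accident.
    for pat in rules.get("BLACKLIST", []):
        if glob_to_regex(pat).match(subject):
            return "block"
    for pat in rules.get("WHITELIST", []):
        if glob_to_regex(pat).match(subject):
            return "whitelist"
    return "log"


def triage(log_text: str, rules_text: str) -> List[Entry]:
    rules = parse_rules(rules_text)
    entries = parse_log(log_text)
    for e in entries:
        e.verdict = classify(e, rules)
    return entries


def lethal_enabled(rules_text: str) -> bool:
    """True only when an active [LETHAL] header is present ([#LETHAL] is off)."""
    return "LETHAL" in parse_rules(rules_text)


if __name__ == "__main__":
    for e in triage(SAMPLE_LOG, SAMPLE_RULES):
        print(f"{e.verdict:9} {e.timestamp} {e.parent} > {e.child}")
    print("lethal mode:", lethal_enabled(SAMPLE_RULES))
```

Running it against a real log before switching `[#LETHAL]` to `[LETHAL]` shows which entries a new whitelist rule would silence, so an over-broad pattern such as `*>*cmdScanner*` can be spotted before it hides anything the blacklist was meant to catch.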
     
  19. itman

    itman Registered Member

    Joined:
    Jun 22, 2010
    Posts:
    8,593
    Location:
    U.S.A.
    The second way process hollow is employed.

    Your browsing away or ransomware sneaks in via e-mail. Malware injects code using reflective .dll injection, etc. into a running trusted process. My choice would be something running under svchost.exe outside of appcontainer. In Win 10, smartscreen.exe works nicely since it runs at medium integrity level. Most if not all behavior blockers do not monitor smartscreen.exe.

    The injected code is then used to spawn a suspended process, full payload code injected, and the process started. After infection, the original injected process terminates the spawned process with no visible trace left of the activity.
     
  20. Peter2150

    Peter2150 Global Moderator

    Joined:
    Sep 20, 2003
    Posts:
    20,590
    HI Itman

First I don't run Win 10, so I avoid MS infection thru updates. :) Second since you said "Your browsing" I take that to mean me. All personal emails and all browsing are done under Sandboxie. So nothing can touch the system, and I take a brutal approach about email. Aside from Sandboxie, Appguard and HMPA monitor the browsers and Outlook so that covers me against everything, except me.

    The key is not letting malware in in the first place. And this MZwritescanner, is another key layer as it doesn't need the sneaked in malware to start, just to be dropped. And once dropped and logged it can't run.
     
  21. Peter2150

    Peter2150 Global Moderator

    Joined:
    Sep 20, 2003
    Posts:
    20,590
Had an interesting experience with a new ransomware release. Once on the desktop MZ alerted to it immediately. To see what happens I cleared the log file, and restarted it, and then the fun began. It was a persistent little nasty. MZ detected the drop and blocked it from running. But this nasty, seeing it was not running, kept trying to start it, and MZ kept blocking it. My disk was going nuts writing to the log file. I rebooted to kill it, and it started again with trying to run. This time I killed it with ERP.

    Boy this "scanner" is looking like a powerful tool.
     
  22. itman

    itman Registered Member

    Joined:
    Jun 22, 2010
    Posts:
    8,593
    Location:
    U.S.A.
    I meant the browser.

Also, I believe the discussion of Sandboxie's effectiveness against hollow processing was done previously. Sandboxie only protects sandboxed processes; anything not sandboxed is not protected. Sandboxing is a containment strategy. Anything injected into the browser and any resultant process started by the browser would be contained.
     
  23. Peter2150

    Peter2150 Global Moderator

    Joined:
    Sep 20, 2003
    Posts:
    20,590
    I got that. It's one piece of the puzzle, but it takes a few pieces to complete the picture.
     
  24. Peter2150

    Peter2150 Global Moderator

    Joined:
    Sep 20, 2003
    Posts:
    20,590
Big Duh on my part. I saw the subject and the posts, and just realized that in my mind I was thinking MZwritescanner; they are indeed two separate programs.
     
  25. Mr.X

    Mr.X Registered Member

    Joined:
    Aug 10, 2013
    Posts:
    4,809
    Location:
    .
    Then just move your posts to the new thread I dedicated for it:
    https://www.wilderssecurity.com/threads/mzwritescanner.392081/
     