CommandLineScanner

Discussion in 'other anti-malware software' started by Mr.X, Feb 15, 2017.

  1. itman

    itman Registered Member

    Joined:
    Jun 22, 2010
    Posts:
    8,593
    Location:
    U.S.A.
    In Win 10, all kernel mode drivers have to be Microsoft signed.
     
  2. WildByDesign

    WildByDesign Registered Member

    Joined:
    Sep 24, 2013
    Posts:
    2,587
    Location:
    Toronto, Canada
No, I had never had cmdScanner installed on this system before. This was a fresh install of the driver. Extracted, copied cmdscanner.ini and cmdscanner.log to C:\Windows first, then followed up by right-clicking the cmdscanner.inf and choosing Install. No issues with installation or logging here on the latest Windows 10 with current updates.

    Correct, the tray tool does not auto-start by default. Bouncer has a proper installation program that deals with everything, but unfortunately the other drivers do not have installation programs and must be done manually. The main initial users of Florian's drivers have been academics, such as for educational use within US-CERT over the past year or so, many forensics guys/gals, but also custom-built drivers specifically for organizations.
     
  3. WildByDesign

    WildByDesign Registered Member

    Joined:
    Sep 24, 2013
    Posts:
    2,587
    Location:
    Toronto, Canada
    Correct, these are all Microsoft signed and SHA256 signatures since leaving beta stage.
     
  4. guest

    guest Guest

To have a better overview, all Excubits tools can be extracted to C:\Program Files\Excubits\
    Now it looks like this:
    Code:
    C:\Program Files\Excubits\MemProtect\
C:\Program Files\Excubits\MZWriteScanner\
    C:\Program Files\Excubits\CommandLineScanner\
    They are digitally signed from MS ("Microsoft Windows Hardware Compatibility Publisher")
     
  5. Peter2150

    Peter2150 Global Moderator

    Joined:
    Sep 20, 2003
    Posts:
    20,590
For autorun, I just create a shortcut and drop it into the startup folder. Works fine. I do love the way MS has hidden the startup folder.
     
  6. Lockdown

    Lockdown Registered Member

    Joined:
    Oct 28, 2016
    Posts:
    772
    Location:
    Wilders Security
    It doesn't matter who the initial users were. Without documentation explaining the product, these sorts of things are unexpected behaviors - unless a user happens to be a mind reader. Those initial users needed a set of instructions.
     
    Last edited: Feb 17, 2017
  7. Lockdown

    Lockdown Registered Member

    Joined:
    Oct 28, 2016
    Posts:
    772
    Location:
    Wilders Security
    Is there a boot-time logging option ?
     
  8. Lockdown

    Lockdown Registered Member

    Joined:
    Oct 28, 2016
    Posts:
    772
    Location:
    Wilders Security
    More changes coming. It's like a perpetual game of "hide-and-seek" with WaaS.
     
  9. Peter2150

    Peter2150 Global Moderator

    Joined:
    Sep 20, 2003
    Posts:
    20,590
    Hi Jeff

You know how you really have to get your mind wrapped around AppGuard. Well, guess what. The same thing is true for Florian's drivers. Whole new experience. BUT once you figure it out. Wowser.
     
  10. Lockdown

    Lockdown Registered Member

    Joined:
    Oct 28, 2016
    Posts:
    772
    Location:
    Wilders Security
    It's installed. It's working. It's logging. The whitelist is already created. All I need it for is logging - for some testing purposes - like Herr Napster. That initial "no instructions" thingy is a pain - and the install quirk requiring a specific order. Oh well, it's typical dumb stuff that we all run into sooner or later.

    LOL... after getting it all sorted out, it might not even give me the results that I am looking for... :argh:
     
  11. Peter2150

    Peter2150 Global Moderator

    Joined:
    Sep 20, 2003
    Posts:
    20,590
    Jeff this is the reason you do what you do.
     
  12. WildByDesign

    WildByDesign Registered Member

    Joined:
    Sep 24, 2013
    Posts:
    2,587
    Location:
    Toronto, Canada
    See this portion of the readme.txt file:
     
  13. Lockdown

    Lockdown Registered Member

    Joined:
    Oct 28, 2016
    Posts:
    772
    Location:
    Wilders Security
    Yes, I saw it after I posted. Many thanks @WildByDesign .

Actually, Florian's driver does capture boot-time. :thumb: Using Dbg just gives extended info.
     
  14. WildByDesign

    WildByDesign Registered Member

    Joined:
    Sep 24, 2013
    Posts:
    2,587
    Location:
    Toronto, Canada
    @Lockdown You're welcome, my pleasure. I personally have not used the kernel Dbg to view extended logging information prior but I do recall Florian mentioning to me a while back that it was added to each of his drivers. Do you know if there are any tutorials that I could follow to get started with DbgView for viewing this additional kernel level logging? Thanks!
     
  15. Lockdown

    Lockdown Registered Member

    Joined:
    Oct 28, 2016
    Posts:
    772
    Location:
    Wilders Security
    There's stuff scattered online. Using most of it is sort of like I had to do here today with CLS -- slug your way through the mountains to get to the other side.
     
  16. boredog

    boredog Registered Member

    Joined:
    Feb 1, 2015
    Posts:
    2,499
Wow, back in the day when Windows always crashed I used that to see what driver was causing the problem. It has been so long ago, not sure if I remember how to use it anymore.
     
  17. mWave

    mWave Guest

I doubt this product can block that, because you can bypass static analysis from it very easily, and unless it is monitoring API calls it cannot identify the process hollowing attack, unless it's for x86 only and uses kernel-mode patching, but even then I doubt it'll block dynamic forking.

    I can always test it for you on my host/VM and let you know if it was able to block it though.
     
  18. boredog

    boredog Registered Member

    Joined:
    Feb 1, 2015
    Posts:
    2,499
  19. Lockdown

    Lockdown Registered Member

    Joined:
    Oct 28, 2016
    Posts:
    772
    Location:
    Wilders Security
    Please PM me a download link when finished.

    Fork something more interesting - like TabTip.exe or TaskMgr.exe.
     
  20. Lockdown

    Lockdown Registered Member

    Joined:
    Oct 28, 2016
    Posts:
    772
    Location:
    Wilders Security
    Here's the long version of Excubits cmdScanner command lines that should be whitelisted (it will eliminate any cmdScanner lags):

    I give the full arguments so you can see for yourself what is happening.

    In the form below these command lines will not appear in the Log in the Demo version only.

    With the paid product, I assume the cmdScannerDemo will change to cmdScanner - but seeing as the product is a bit unpredictable, perhaps not...
    Code:
    *C:\Program Files\Excubits\cmdScannerDemo\Admin Tool.exe>*C:\Windows\notepad.exe C:\Windows\cmdScanner.ini*
    *C:\Program Files\Excubits\cmdScannerDemo\Admin Tool.exe>*C:\Windows\system32\cmd.exe /c net start cmdScanner*
    *C:\Program Files\Excubits\cmdScannerDemo\Admin Tool.exe>*C:\Windows\system32\cmd.exe /c net stop cmdScanner*
    *C:\Program Files\Excubits\cmdScannerDemo\Tray.exe>*"C:\Program Files\Excubits\cmdScannerDemo\Admin Tool.exe" restart-driver*
    *C:\Program Files\Excubits\cmdScannerDemo\Tray.exe>*"C:\Program Files\Excubits\cmdScannerDemo\Admin Tool.exe" edit-inifile*
    *C:\Program Files\Excubits\cmdScannerDemo\Tray.exe>*"C:\Program Files\Excubits\cmdScannerDemo\Admin Tool.exe" installmode-on*
    *C:\Program Files\Excubits\cmdScannerDemo\Tray.exe>*"C:\Program Files\Excubits\cmdScannerDemo\Admin Tool.exe" start-driver*
    *C:\Program Files\Excubits\cmdScannerDemo\Tray.exe>*C:\Windows\notepad.exe C:\Windows\cmdScanner.log*
    *C:\Program Files\Excubits\cmdScannerDemo\Tray.exe>*C:\Windows\system32\cmd.exe /c sc query cmdScanner*
    *C:\Windows\explorer.exe>*"C:\Program Files\Excubits\cmdScannerDemo\Tray.exe"*
    *C:\Windows\explorer.exe>*"C:\Windows\system32\NOTEPAD.EXE" C:\Windows\cmdscanner.ini*
    *C:\Windows\explorer.exe>*"C:\Windows\system32\NOTEPAD.EXE" C:\Windows\cmdscanner.log*
    *C:\Windows\System32\svchost.exe>*"C:\Program Files\Excubits\cmdScannerDemo\Admin Tool.exe" restart-driver*
    *C:\Windows\System32\svchost.exe>*"C:\Program Files\Excubits\cmdScannerDemo\Admin Tool.exe" edit-inifile*
    *C:\Windows\System32\svchost.exe>*"C:\Program Files\Excubits\cmdScannerDemo\Admin Tool.exe" installmode-on*
    *C:\Windows\System32\svchost.exe>*"C:\Program Files\Excubits\cmdScannerDemo\Admin Tool.exe" start-driver*
    *C:\Windows\System32\svchost.exe>*C:\Windows\system32\DllHost.exe /Processid:{E10F6C3A-F1AE-4ADC-AA9D-2FE65525666E}*
    *C:\Windows\SysWOW64\cmd.exe>*\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1*
    *C:\Windows\SysWOW64\cmd.exe>*net start cmdScanner*
    *C:\Windows\SysWOW64\cmd.exe>*net stop cmdScanner*
    *C:\Windows\SysWOW64\cmd.exe>*sc query cmdScanner*
    *C:\Windows\SysWOW64\net.exe>*C:\Windows\system32\net1 stop cmdScanner*
     
    Last edited: Feb 19, 2017
  21. Lockdown

    Lockdown Registered Member

    Joined:
    Oct 28, 2016
    Posts:
    772
    Location:
    Wilders Security
    I discovered that during uninstall the catalog remnants must also be deleted before reinstalling.

    Florian says that all the processes that show up under Tray.exe in the Task Manager are the result of way he designed the product.
     
    Last edited: Feb 19, 2017
  22. co22

    co22 Registered Member

    Joined:
    Nov 22, 2011
    Posts:
    411
    Location:
    router
I haven't tested this driver for a very long time, but have you added $ at the beginning of each rule? That makes them silent. Also note that if you add the priority rule sign ! , those rules must be at the top of the other rules.
    Tray.exe in all the other drivers has the same bad behavior: it eats system resources and slows down the system. I think after each event that is logged it tries to re-read and re-write the complete log file again.
     
  23. Lockdown

    Lockdown Registered Member

    Joined:
    Oct 28, 2016
    Posts:
    772
    Location:
    Wilders Security
    See above.
     
    Last edited: Feb 19, 2017
  24. Mr.X

    Mr.X Registered Member

    Joined:
    Aug 10, 2013
    Posts:
    4,818
    Location:
    .
    I got an email from Excubits a few ago:

    Fight fileless attacks with Command Line Scanning:

     
  25. WildByDesign

    WildByDesign Registered Member

    Joined:
    Sep 24, 2013
    Posts:
    2,587
    Location:
    Toronto, Canada
Thanks for pointing to this link, good read. It's good to see that Bouncer (and cmdScanner) can easily mitigate this recent fileless attack which Kaspersky had blogged about. I can see several ways in which Bouncer can mitigate this, but it is also good to see that monitoring and blocking command lines can provide solid protection. Personally, I whitelist only some common command lines while logging (and blocking) anything out of the ordinary. I assume that MemProtect would also block this. MZWriteScanner, not so much though, due to the lack of an MZ/PE header.
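    The parent>child whitelist lines in post #20, the $ (silent) and ! (priority, must be listed first) prefixes mentioned in post #22, and the "whitelist the common stuff, log everything else" approach in the post above, worked through as an added example. This is not Excubits code and does not claim to reproduce cmdScanner's real matching engine: the semantics below (a rule is <parent-glob>><command-line-glob>, * matches any run of characters, matching is case-insensitive because Windows paths are, the first matching rule wins, a $ rule suppresses the log entry, and a ! rule after a non-! rule is rejected as a configuration error) are assumptions for illustration. The sample rules are a subset of the ones posted above with $ added, the ! rule and the process-creation events are constructed, and the base64 blob in the last event is just a placeholder argument.

```python
"""Toy parent>child command-line whitelist matcher (added example, not Excubits code).

Assumed rule semantics:
  <parent-glob>><cmdline-glob>   '*' matches any run of characters
  leading '$'                    matching event is allowed and NOT logged
  leading '!'                    priority rule; must precede all non-'!' rules
  matching is case-insensitive; the first matching rule wins
"""
from __future__ import annotations

import re
from dataclasses import dataclass


@dataclass
class Rule:
    text: str            # the rule as written, for diagnostics
    parent_re: re.Pattern
    child_re: re.Pattern
    silent: bool         # '$' prefix
    priority: bool       # '!' prefix


def _glob_to_regex(glob: str) -> re.Pattern:
    # Escape everything except '*'. '?' and '[' stay literal, so a rule such as
    # *\??\C:\Windows\system32\conhost.exe* matches the real NT-style path.
    parts = [re.escape(p) for p in glob.split("*")]
    return re.compile("^" + ".*".join(parts) + "$", re.IGNORECASE | re.DOTALL)


def parse_rules(text: str) -> list[Rule]:
    """Parse one rule per line; blank lines and '#' comments are ignored."""
    rules: list[Rule] = []
    seen_plain = False
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        silent = priority = False
        while line and line[0] in "$!":
            silent |= line[0] == "$"
            priority |= line[0] == "!"
            line = line[1:]
        if ">" not in line:
            raise ValueError(f"line {lineno}: missing parent>child separator")
        # Split on the FIRST '>': a parent path cannot contain '>', but a child
        # command line may (e.g. cmd /c echo x > file).
        parent, child = line.split(">", 1)
        if priority and seen_plain:
            raise ValueError(f"line {lineno}: '!' rule must precede all non-priority rules")
        seen_plain |= not priority
        if set(parent + child) <= {"*"}:
            raise ValueError(f"line {lineno}: rule would whitelist every process")
        rules.append(Rule(raw.strip(), _glob_to_regex(parent), _glob_to_regex(child), silent, priority))
    return rules


def is_valid_ruleset(text: str) -> bool:
    try:
        parse_rules(text)
        return True
    except ValueError:
        return False


def classify(rules: list[Rule], parent: str, cmdline: str) -> str:
    """Return 'silent', 'logged' or 'unmatched' for one process-creation event."""
    for r in rules:
        if r.parent_re.match(parent) and r.child_re.match(cmdline):
            return "silent" if r.silent else "logged"
    return "unmatched"


# Subset of the rules posted above with '$' added; the '!' line is constructed.
RULES = r"""
!*C:\Windows\explorer.exe>*"C:\Program Files\Excubits\cmdScannerDemo\Tray.exe"*
$*C:\Program Files\Excubits\cmdScannerDemo\Tray.exe>*"C:\Program Files\Excubits\cmdScannerDemo\Admin Tool.exe" start-driver*
$*C:\Windows\explorer.exe>*"C:\Windows\system32\NOTEPAD.EXE" C:\Windows\cmdscanner.log*
$*C:\Windows\SysWOW64\cmd.exe>*\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1*
*C:\Windows\SysWOW64\cmd.exe>*sc query cmdScanner*
"""

# Constructed (parent image path, child command line) events.
EVENTS = [
    (r"C:\Program Files\Excubits\cmdScannerDemo\Tray.exe",
     r'"C:\Program Files\Excubits\cmdScannerDemo\Admin Tool.exe" start-driver'),
    (r"C:\Windows\explorer.exe",
     r'"C:\Windows\System32\notepad.exe" C:\Windows\cmdscanner.log'),  # case differs from rule
    (r"C:\Windows\SysWOW64\cmd.exe",
     r"\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1"),
    (r"C:\Windows\SysWOW64\cmd.exe", r"sc query cmdScanner"),
    (r"C:\Windows\explorer.exe", r'"C:\Program Files\Excubits\cmdScannerDemo\Tray.exe"'),
    (r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
     r"powershell.exe -NoProfile -WindowStyle Hidden -EncodedCommand ZQBjAGgAbwAgAGgAaQA="),
]


def run_demo() -> list[tuple[str, str, str]]:
    rules = parse_rules(RULES)
    return [(p, c, classify(rules, p, c)) for p, c in EVENTS]


if __name__ == "__main__":
    for parent, cmdline, verdict in run_demo():
        print(f"{verdict:10} {parent} > {cmdline}")
```

    With the rules above, the four Excubits/cmd.exe events match and the last one (an Office process spawning an encoded PowerShell command, the shape of launch the post above wants logged or blocked) falls through as unmatched; that is the whole point of whitelisting the known command lines rather than trying to recognise the bad ones. The ordering check rejects a ruleset where a ! rule follows a plain rule, which is the mistake post #22 warns about.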
     