Win10 Task Scheduler protection ?

Discussion in 'other security issues & news' started by gambla, Sep 11, 2016.

  1. gambla

    gambla Registered Member

    Joined:
    Sep 4, 2007
    Posts:
    161
    Location:
    Frankfurt, Germany
    Hey guys,
    I've googled excessively but without result. Recently I've read some articles about malware abusing Task Scheduler / at.exe to run/create tasks. And my simple question is: how to properly protect the scheduler from malware creating/running tasks?

    I haven't tested it yet, but I guess that a non-admin account / UAC would prompt for admin creds?
    Using SRP, it seems you can only deactivate the buttons to create/run tasks in the Task Scheduler GUI, but I'm not sure whether malware can't create/run tasks anyway?
     
  2. gambla

    gambla Registered Member

    Joined:
    Sep 4, 2007
    Posts:
    161
    Location:
    Frankfurt, Germany
    Come on guys, nobody? Correct me if I'm wrong, but this still looks like a security issue to me. If malware gets installed unnoticed, can it add a task to autostart without a prompt?
     
  3. paulderdash

    paulderdash Registered Member

    Joined:
    Dec 27, 2013
    Posts:
    1,129
    Location:
    Cape Town, South Africa
    You could install an anti-executable program like NoVirusThanks EXE Radar Pro, or AppGuard, or VoodooShield.
    I have at.exe marked as a vulnerable process in NVT ERP, requiring my interaction to run, and blocked in AppGuard, which also blocks schtasks.exe by default.
    AppGuard is relatively complex, NVT ERP is simpler to understand, and effective, but currently not being actively developed.
    Not sure how VS would handle these .exes but I think it would also prompt, depending on settings, and is very much under active development.
    There are threads for each of these products here on Wilders.
     
  4. gambla

    gambla Registered Member

    Joined:
    Sep 4, 2007
    Posts:
    161
    Location:
    Frankfurt, Germany
    Great, that's a good start, thanks paulderdash!
     
  5. TairikuOkami

    TairikuOkami Registered Member

    Joined:
    Oct 10, 2005
    Posts:
    2,508
    Location:
    Slovakia
  6. Minimalist

    Minimalist Registered Member

    Joined:
    Jan 6, 2014
    Posts:
    5,048
    Malware might start, but probably only in the context of the current user (same as writing an autorun registry key in HKCU). Is at.exe running at medium integrity level allowed to create a task that will run something with highest privileges? I don't think it can, but I will have to test it.
    Also raise UAC to Always notify to prevent most bypasses.
     
  7. mood

    mood Registered Member

    Joined:
    Oct 27, 2012
    Posts:
    853
    It would prompt for credentials if a task is created for an account with higher privileges,
    but not if it's a task for your own account.
    You can monitor the execution of at.exe/schtasks.exe with some apps (as mentioned above).
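Besides watching at.exe/schtasks.exe with a third-party tool, Windows itself can log every task registration. The script below is an added example and not something posted in the thread: it reads the two built-in sources, Security event 4698 ("A scheduled task was created", which carries the full task XML including the command and run level) and event 106 ("Task registered") from the Microsoft-Windows-TaskScheduler/Operational log. Neither source is typically enabled on a stock Windows 10 install, so the `-EnableLogging` switch turns them on with `auditpol` and `wevtutil`; that, and reading the Security log at all, needs an elevated console. The parameter names and the 24-hour default are choices of the example.

```powershell
# Added example (not from the thread): list recent scheduled-task registrations from the
# event logs. Two sources, both usually disabled by default on Windows 10:
#   Security 4698 "A scheduled task was created"
#       -> needs success auditing for "Other Object Access Events"; carries the task XML
#   Microsoft-Windows-TaskScheduler/Operational 106 "Task registered"
#       -> the log itself must be enabled
# Enabling either source and reading the Security log require an elevated shell.
param([int]$Hours = 24, [switch]$EnableLogging)

if ($EnableLogging) {
    auditpol.exe /set /subcategory:"Other Object Access Events" /success:enable | Out-Null
    wevtutil.exe set-log Microsoft-Windows-TaskScheduler/Operational /enabled:true
}

# Turn the <Data Name="..."> elements of an event's EventData into a hashtable
function Get-EventFields($Event) {
    $fields = @{}
    foreach ($n in ([xml]$Event.ToXml()).Event.EventData.Data) { $fields[$n.Name] = $n.'#text' }
    $fields
}

function Get-TaskRegistrations([datetime]$Since) {
    $rows = @()

    # Security 4698: Subject* = who registered the task, TaskContent = the task definition XML
    try {
        $secEvents = Get-WinEvent -FilterHashtable @{LogName='Security'; Id=4698; StartTime=$Since} -ErrorAction Stop
        foreach ($e in $secEvents) {
            $d    = Get-EventFields $e
            $task = [xml]$d['TaskContent']      # default XML namespace is ignored by dot-navigation
            $rows += [pscustomobject]@{
                Time     = $e.TimeCreated
                Source   = 'Security/4698'
                By       = "$($d['SubjectDomainName'])\$($d['SubjectUserName'])"
                Task     = $d['TaskName']
                RunLevel = $task.Task.Principals.Principal.RunLevel   # 'HighestAvailable' = elevated
                Command  = "$($task.Task.Actions.Exec.Command) $($task.Task.Actions.Exec.Arguments)".Trim()
            }
        }
    } catch { }   # Get-WinEvent throws when nothing matches or the log is not readable

    # Operational 106: only TaskName and UserContext are recorded
    try {
        $opEvents = Get-WinEvent -FilterHashtable @{LogName='Microsoft-Windows-TaskScheduler/Operational'; Id=106; StartTime=$Since} -ErrorAction Stop
        foreach ($e in $opEvents) {
            $d = Get-EventFields $e
            $rows += [pscustomobject]@{
                Time = $e.TimeCreated; Source = 'TaskScheduler/106'
                By   = $d['UserContext']; Task = $d['TaskName']; RunLevel = ''; Command = ''
            }
        }
    } catch { }

    $rows | Sort-Object Time -Descending
}

Get-TaskRegistrations -Since (Get-Date).AddHours(-$Hours) | Format-Table -AutoSize -Wrap
```

Run it once with `-EnableLogging` from an elevated console, then periodically without it. The 4698 rows are the useful ones: a task registered by your own account, running a command outside Program Files, with RunLevel `HighestAvailable`, is exactly the "task added without a prompt" case the thread is about.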
     
  8. gambla

    gambla Registered Member

    Joined:
    Sep 4, 2007
    Posts:
    161
    Location:
    Frankfurt, Germany
    Thanks a lot guys
     
  9. Minimalist

    Minimalist Registered Member

    Joined:
    Jan 6, 2014
    Posts:
    5,048
    I tried to create a task using Task Scheduler while logged in as a standard user. I could create a task, but only under my credentials. As soon as I tried to tick the option to run the task under highest privileges, I got asked for admin credentials. So Task Scheduler shouldn't be able to make system-wide changes (or schedule tasks that can do it) if not run under elevated rights. I didn't try creating tasks using at.exe, but it should be the same (as long as you have UAC on max).
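The same test can be reproduced from PowerShell instead of the GUI. The script below is an added example, not something from the thread: using the ScheduledTasks cmdlets (Windows 8 and later) it registers one task with `RunLevel Limited` and one with `RunLevel Highest` for the current user. The task names, the `cmd.exe` action and the log file path are arbitrary choices of the example. Run it from a non-elevated console in a standard user account; unlike the GUI, the cmdlets cannot pop a credential prompt, so the `Highest` registration is expected to be refused with an access-denied error rather than prompting.

```powershell
# Added example (not from the thread): register a Limited and a Highest task as the current
# user and see which one the Task Scheduler service accepts. Names and paths are arbitrary.
$user    = "$env:USERDOMAIN\$env:USERNAME"
$action  = New-ScheduledTaskAction -Execute 'cmd.exe' -Argument '/c echo task ran >> "%TEMP%\task-test.log"'
$trigger = New-ScheduledTaskTrigger -AtLogOn -User $user

$isAdmin = ([Security.Principal.WindowsPrincipal][Security.Principal.WindowsIdentity]::GetCurrent()).IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)
"Caller holds an elevated administrator token: $isAdmin"

function Test-TaskRegistration([string]$Name, [string]$RunLevel) {
    # RunLevel Highest asks for a task that runs with the account's full (elevated) token
    $principal = New-ScheduledTaskPrincipal -UserId $user -LogonType Interactive -RunLevel $RunLevel
    try {
        Register-ScheduledTask -TaskName $Name -Action $action -Trigger $trigger `
                               -Principal $principal -ErrorAction Stop | Out-Null
        "$Name (RunLevel=$RunLevel): registered"
    } catch {
        "$Name (RunLevel=$RunLevel): refused - $($_.Exception.Message)"
    }
}

Test-TaskRegistration 'WildersTest-Limited' 'Limited'   # expected: registered, no prompt of any kind
Test-TaskRegistration 'WildersTest-Highest' 'Highest'   # expected: refused (access denied) unless $isAdmin

# Show what actually landed in the task store, then clean up
Get-ScheduledTask -TaskName 'WildersTest-*' |
    Select-Object TaskName, @{n='RunAs'; e={$_.Principal.UserId}}, @{n='RunLevel'; e={$_.Principal.RunLevel}}
Get-ScheduledTask -TaskName 'WildersTest-*' | Unregister-ScheduledTask -Confirm:$false
```

The first result is the point of the thread: a standard user, and therefore anything running as that user, registers a logon-triggered task silently. The second shows where the boundary actually is: the service, not the GUI, refuses the elevated run level for a non-elevated caller. If both registrations succeed, the console was elevated.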
     
  10. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    8,010
    Location:
    The Netherlands
    I also use ERP to monitor at.exe, and I believe HIPS like SpyShelter also monitor the Task Scheduler. And don't forget about tools like Autoruns and System Explorer, which both list all active and non-active tasks.
     
  11. gambla

    gambla Registered Member

    Joined:
    Sep 4, 2007
    Posts:
    161
    Location:
    Frankfurt, Germany
    I'm done with testing now and came to the (personal) conclusion that using an anti-executable is again highly recommended.

    Proactive:

    - If the limited user account / UAC is bypassed, it seems there is no further indication/notification about (repeatedly) executed tasks (running malware).
    Tasks, once added to the Scheduler, can apparently simply suppress UAC prompts.
    - I'm using Comodo IS, and access to task scheduler /execution is protected.

    Reactive:
    - Sysinternals' autostart and CCleaner have the option to disable any tasks, but the user would need to check periodically.


    > Test:
    I've used CIS in "paranoid mode" to find out what installing a program (known to use Task Scheduler) triggers. I thought that every program would trigger any/all of schtasks.exe / taskhostw / taskeng.exe, but it seems not:

    Example: HitmanPro

    AtBroker.exe
    sihost.exe
    Runtimebroker.exe
    backgroundtaskhost.exe


    Example: Google Chrome

    taskeng.exe
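The "reactive" check above (open Autoruns or CCleaner and look through the tasks now and then) can be scripted so the periodic look only has to cover what changed. The script below is an added example, not code from the thread or from any of the products named in it: it walks every task with the built-in ScheduledTasks module, flags the traits the posts worry about (runs with highest privileges, runs a binary outside the Windows and Program Files folders, or relies on a bare file name resolved through PATH), and compares the task list against a baseline file so new tasks stand out. The baseline location, the list of "trusted" folders and the flag names are assumptions of the example. Run it elevated to see every task rather than only the current user's.

```powershell
# Added example (not from the thread): periodic audit of scheduled tasks with a baseline diff.
# Built-in ScheduledTasks module (Windows 8 / Server 2012 and later). Run elevated.
# Baseline path, trusted folders and flag names are choices of this example.
param(
    [string]$BaselinePath = (Join-Path $env:USERPROFILE 'tasks-baseline.json'),
    [switch]$UpdateBaseline
)

# Folders whose binaries are treated as expected; everything else gets flagged
$trustedRoots = @($env:SystemRoot, $env:ProgramFiles, ${env:ProgramFiles(x86)}) |
    Where-Object { $_ } | ForEach-Object { $_.TrimEnd('\') }

function Get-TaskFindings {
    $baseline = @{}
    if (Test-Path $BaselinePath) {
        foreach ($n in (Get-Content $BaselinePath -Raw | ConvertFrom-Json)) { $baseline[$n] = $true }
    }

    foreach ($t in Get-ScheduledTask) {
        $fullName = "$($t.TaskPath)$($t.TaskName)"
        $runAs    = if ($t.Principal.UserId) { $t.Principal.UserId } else { $t.Principal.GroupId }

        foreach ($a in $t.Actions) {
            if (-not $a.Execute) { continue }          # COM-handler actions have no Execute
            # Actions are often stored as %SystemRoot%\... and may be quoted: expand, unquote
            $exe   = [Environment]::ExpandEnvironmentVariables($a.Execute).Trim('"')
            $flags = @()

            if ($t.Principal.RunLevel -eq 'Highest') { $flags += 'Elevated' }   # runs with full admin token

            if (-not [IO.Path]::IsPathRooted($exe)) {
                $flags += 'RelativePath'               # bare name, resolved through PATH at run time
            } elseif (-not ($trustedRoots | Where-Object { $exe.StartsWith($_, 'OrdinalIgnoreCase') })) {
                $flags += 'OutsideProgramFolders'
            }

            if (-not $baseline.ContainsKey($fullName)) { $flags += 'NewSinceBaseline' }

            [pscustomobject]@{
                Task    = $fullName
                State   = $t.State
                RunAs   = $runAs
                Exe     = $exe
                Args    = $a.Arguments
                Author  = $t.Author
                Created = $t.Date
                Flags   = ($flags -join ',')
            }
        }
    }
}

$findings = Get-TaskFindings

if ($UpdateBaseline) {
    # Record the current task names so the next run only reports additions
    $findings.Task | Sort-Object -Unique | ConvertTo-Json | Set-Content $BaselinePath
    "Baseline written to $BaselinePath"
}

$findings | Where-Object Flags | Sort-Object Task |
    Format-Table Task, RunAs, Exe, Args, Author, Created, Flags -AutoSize -Wrap
```

On a fresh install most hits will be Microsoft's own elevated maintenance tasks, so run it once with `-UpdateBaseline` when you trust the machine and afterwards pay attention mainly to rows carrying `NewSinceBaseline`, especially those that also carry `OutsideProgramFolders` or `RelativePath`. Disabling a suspicious task is `Disable-ScheduledTask -TaskPath <path> -TaskName <name>`, the same action the Autoruns checkbox performs.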
     