NoVirusThanks OSArmor
<blockquote data-quote="AtlBo" data-source="post: 716406" data-attributes="member: 32547"><p>Below is a block of a legit attempt to delete a task by Revo Uninstaller uninstall (I will use portable instead) module. Excluded hoping the uninstaller would ask for the opportunity to try again but it did not. Luckily, I guess the task wasn't in Task Scheduler, because I don't see it there now. I would have just deleted it myself no problem. However, it did bring to mind another scenario. If the uninstaller had tried to create a scheduled task or perhaps a .tmp file had done so, then the task would not have been created. If the routine was a one and done, could there be a problem (rare and sounds like a bad idea I know...)? What if the task points to a delete on boot routine or something? O/C an uninstaller removes itself once it is done, and .tmp may not function as .exe after running. Maybe some boot time setting could get messed up in an unlikely scenario idk.</p><p></p><p>When you do your fine tuning, might you consider perhaps adding a disclaimer or notification of some kind to indicate when a write from a .tmp file or uninstaller of a legit application to a Windows area was blocked that could produce an undesirable result? This being an uninstall routine...removing Revo itself, don't know how this might be handled. Maybe there are other OS Armor rules that block writes to formal Windows areas that could also cause an episode of some kind.</p><p></p><p>Personally, I certainly like to know when a scheduled event is being created. I like all the settings :). Anyway, whether the scenario points to any potential risk when blocking uninstall routines and maybe any legit one run routines that delete/modify/add windows files or data too, I cannot say. If they are run from a .tmp, it might only get one chance. Because of the log, maybe the disclaimer after the block would be good enough for scheduled tasks (created by legit or legit .tmp). User can know about the problem from the log at least.</p><p></p><p>Oh, what about a pause for these (some blocks) rather than a block? Or is that happening already? Then the choice to exclude could be the allow unpause? I mean pause the parent. As I mentioned, I didn't see the task in the task scheduler so I don't know how that is handled now. Seems to me that might be useful for some of the protections though LOL idk...</p><p></p><p>Date/Time: 3/7/2018 10:32:40 AM</p><p>Process: [11780]C:\Windows\System32\schtasks.exe</p><p>Parent: [7748]C:\Users\ME USER ACCOUNT :)\AppData\Local\Temp\_iu14D2N.tmp</p><p>Rule: BlockSchtasksExe</p><p>Rule Name: Block execution of schtasks.exe</p><p>Command Line: "schtasks.exe" /Delete /TN "Revo Uninstaller Pro Hunter Mode" /F</p><p>Signer:</p><p>Parent Signer:</p><p></p><p>No idea how to accomplish this command line or if I need to do anything. Does it just delete a scheduled task? It's not in Task Scheduler already if that is what this does...</p></blockquote><p></p>
[QUOTE="AtlBo, post: 716406, member: 32547"] Below is block of legit attempt to delete a task by Revo Uninstaller uninstall (I will use portable instead) module. Excluded hoping the uninstaller would ask for the opportunity to try again but it did not. Luckily, I guess the task wasn't in Task Scheduler, because I don't see it there now. I would have just deleted it myself no problem. However, it did bring to mind another scenario. If the uninstaller had tried to create a scheduled task or perhaps a .tmp file had done so, then the task would not have been created. If the routine was a one and done, could there be a problem (rare and sounds like a bad idea I know...)? What if the task points to a delete on boot routine or something? O/C an uninstaller removes itself once it is done, and .tmp may not function as .exe after running. Maybe some boot time setting could get messed up in an unlikely scenario idk. When you do your fine tuning, might you consider perhaps adding a disclaimer or notification of some kind to indicate when a write from a .tmp file or uninstaller of a legit application to a Windows area was blocked that could produce an undesirable result? This being an uninstall routine...removing Revo itself, don't know how this might be handled. Maybe there are other OS Armor rules that block writes to formal Windows areas that could also cause an epsode of some kind. Personally, I certainly like to know when a scheduled event is being created. I like all the settings :). Anyway, whether the scenario points to any potential risk when blocking uninstall routines and maybe any legit one run routines that delete/modify/add windows files or data too, I cannot say. If they are run from a .tmp, it might only get one chance. Because of the log, maybe the disclaimer after the block would be good enough for scheduled tasks (created by legit or legit .tmp). User can know about the problem from the log at least. 
Oh, what about a pause for these (some blocks) rather than a block? Or is that happening already? Then the choice to exclude could be the allow unpause? I mean pause the parent. As I mentioned, I didn't see the task in the task scheduler so I don't know how that is handled now. Seems to me that might be useful for some of the protections though LOL idk... Date/Time: 3/7/2018 10:32:40 AM Process: [11780]C:\Windows\System32\schtasks.exe Parent: [7748]C:\Users\ME USER ACCOUNT :)\AppData\Local\Temp\_iu14D2N.tmp Rule: BlockSchtasksExe Rule Name: Block execution of schtasks.exe Command Line: "schtasks.exe" /Delete /TN "Revo Uninstaller Pro Hunter Mode" /F Signer: Parent Signer: No idea how to accomplish this command line or if I need to do anything. Does it just delete a scheduled task? It's not in Task Scheduler already if that is what this does... [/QUOTE]
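A triage sketch for the block record quoted in the post above, added here as an example (it is not part of the original post and is not OSArmor's code): it parses the record's fields and the schtasks.exe switches to report what the blocked command would have done and what launched it. The function names and result keys are assumptions made for illustration, and the verb list goes beyond the `/Delete` seen in the post to cover the other standard schtasks verbs.

```python
import re
import shlex

# Record copied from the post above (user name as redacted by the poster, smiley dropped).
SAMPLE = r'''Date/Time: 3/7/2018 10:32:40 AM
Process: [11780]C:\Windows\System32\schtasks.exe
Parent: [7748]C:\Users\ME USER ACCOUNT\AppData\Local\Temp\_iu14D2N.tmp
Rule: BlockSchtasksExe
Rule Name: Block execution of schtasks.exe
Command Line: "schtasks.exe" /Delete /TN "Revo Uninstaller Pro Hunter Mode" /F
Signer:
Parent Signer:'''

VERBS = {"/create", "/delete", "/change", "/run", "/end", "/query"}

def parse_record(text):
    """Turn 'Key: value' lines into a dict; empty values stay ''."""
    rec = {}
    for line in text.splitlines():
        key, sep, value = line.partition(":")  # split on the first colon only
        if sep:
            rec[key.strip()] = value.strip()
    return rec

def split_pid_path(field):
    """Split a '[pid]path' field into (pid, path)."""
    m = re.match(r"\[(\d+)\](.*)", field)
    return (int(m.group(1)), m.group(2)) if m else (None, field)

def triage(rec):
    # posix=False keeps backslashes literal, as on a Windows command line.
    args = [a.strip('"') for a in shlex.split(rec["Command Line"], posix=False)]
    lower = [a.lower() for a in args]
    action = next((a[1:] for a in lower if a in VERBS), None)
    task = args[lower.index("/tn") + 1] if "/tn" in lower[:-1] else None
    _, parent = split_pid_path(rec.get("Parent", ""))
    return {
        "action": action,                      # what schtasks was asked to do
        "task_name": task,
        "forced": "/f" in lower,               # /F suppresses the confirmation prompt
        "adds_or_alters_task": action in ("create", "change"),
        "parent_in_temp": "\\appdata\\local\\temp\\" in parent.lower(),
        "parent_is_tmp": parent.lower().endswith(".tmp"),
        "parent_signed": bool(rec.get("Parent Signer")),
    }

if __name__ == "__main__":
    for k, v in triage(parse_record(SAMPLE)).items():
        print(f"{k}: {v}")
```

For the record in the post this reports a forced delete of the named task, launched by an unsigned `.tmp` file under the user's Temp directory; nothing is created or changed.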