Simple Way To Tighten-Up (Windows OS Interpreter) Security

H

hjlbx

Thread author
Hello,

NOTE: If anyone sees problem with this suggestion, please let me know. It has been working fine on my system without any problems.

Quick-Guide.

Problem:

Malware writers produce some clever, malicious scripts that can use Windows interpreters (cmd.exe, wscript.exe, cscript.exe, powershell.exe, java.exe, etc.) and other files for nefarious purposes.

Typically, this involves an internet connection to download malwares.

If you use a firewall, then you can reduce some risk by setting the firewall to "Prompt/Alert/Notifiy" for connection attempts made by the following:

cmd.exe
wscript.exe
cscript.exe
java.exe
rundll32.exe
powershell.exe
powershell_ISE.exe

NOTE: On 64-bit systems need to make firewall rules for above files located in both System32 and SysWOW64 folders.

For convenience I create remote IP address specific firewall rules for these files. For example, PowerShell Help connects to various Microsoft servers to install and update the help files. So I allow connect to those Microsoft servers by inputting their IP address into rule.

Using this method I've caught sneaky network connects... plus it at least gives you notification even when the remote IP address is not in the malicious URL database.

Notable example would be the JS.Encoder\Secured.BAT Vault sample posted on MalwareTips' Malware Hub by @Petrovic.
 
Last edited by a moderator:
  • Like
Reactions: Azure, Venustus, WinXPert and 9 others
H

hjlbx

Thread author
Cats-4_Owners-2 said:
Hello @hjbx, and thank you for this important guide the doctor would certainly have ordered ..if he only knew!:D
Click to expand...

That's the problem with File-Rating systems used by AV vendors like, for example, Emsisoft, Kaspersky and ESET.

Those interpreters are "Allowed." Malware writer know this and use it to their advantage.

IMHO those files should be assigned custom rule sets by the AV vendors that use file-rating to automate rule creation in their software.

Alerting on network connect attempts enables attentive user to prevent one of scripts' primary means to get malwares onto the system.
 
  • Like
Reactions: Cats-4_Owners-2, tallorder and Moose
Rahadian Putra

Rahadian Putra

Level 9
Verified
Well-known
Jan 28, 2014
444
Great guide Hjlbx, ya I've been doing this since few months ago, it is very true most av are automatically allowed these and make an advantages for malware writers, better safe than sorry. Can't imagine if malware writers do this on our machine..he can do everything since these files are whitelisted and allowed by most av/firewall :eek:. I always set my smart firewall to always prompt/alert these :confused:
I didn't know about the optional ones till now, so Thanks :)
 
Last edited:
  • Like
Reactions: Cats-4_Owners-2
H

hjlbx

Thread author
Rahadian Putra said:
Great guide Hjlbx, ya I've been doing this since few months ago, it is very true most av are automatically allowed these and make an advantages for malware writers, better safe than sorry. Can't imagine if malware writers do this on our machine..he can do everything since these files are whitelisted and allowed by most av/firewall :eek:. I always set my smart firewall to always prompt/alert these :confused:
I didn't know about the optional one till now, so Thanks :)
Click to expand...

The optional ones are all command line interfaces.

I am not sure if tricky malware connects via one of those interfaces whether a firewall alert would be generated by cmd.exe or the interface itself. Honestly, not sure.

But I do know all the other ones need to be watched for sneaky connects.
 
  • Like
Reactions: Cats-4_Owners-2 and Rahadian Putra
Shran

Shran

Level 5
Verified
Well-known
Jan 19, 2015
230
Hi & thanks for guide,

I cannot find powershell.exe or powershell_ISE.exe in Windows 8.1 x64 in either the System32 or the SysWOW64 folders.
 
  • Like
Reactions: Cats-4_Owners-2
H

hjlbx

Thread author
Shran said:
Hi & thanks for guide,

I cannot find powershell.exe or powershell_ISE.exe in Windows 8.1 x64 in either the System32 or the SysWOW64 folders.
Click to expand...

Just navigate to System32 and SysWOW64 folders.

Type "powershell" in the Windows Explorer search field (the one with the magnifying glass in the upper right-hand corner).

They will show up in the list.
 
  • Like
Reactions: Cats-4_Owners-2
marzametal

marzametal

Level 7
Verified
Jun 10, 2014
316
Does svchost.exe from the SysWOW64 folder ever get used? So far I have only seen System32 referenced in firewall connections log...

EDIT: creating a firewall rule for the x64 version didn't kick up a warning, but did for the x86 version... curiouser and curiouser...
 
  • Like
Reactions: Cats-4_Owners-2
H

hjlbx

Thread author
Marin Eres said:
Does svchost.exe from the SysWOW64 folder ever get used? So far I have only seen System32 referenced in firewall connections log...

EDIT: creating a firewall rule for the x64 version didn't kick up a warning, but did for the x86 version... curiouser and curiouser...
Click to expand...

I think in some cases it does... I've seen it on my system - where SysWOW64 interpreters are active.

I've been trying to get a more definitive answer.

I know NVT ERP protects all interpreters in both System32 and SysWOW64 directories. The developer would not go through the trouble if it was not necessary for complete security.
 
  • Like
Reactions: marzametal and Cats-4_Owners-2
marzametal

marzametal

Level 7
Verified
Jun 10, 2014
316
hjlbx said:
I think in some cases it does... I've seen it on my system - where SysWOW64 interpreters are active.

I've been trying to get a more definitive answer.

I know NVT ERP protects all interpreters in both System32 and SysWOW64 directories. The developer would not go through the trouble if it was not necessary for complete security.
Click to expand...
As a precaution, I added a block rule in firewall... haven't tried NVT ERP again for a while... might revisit it.
 
  • Like
Reactions: Cats-4_Owners-2
WinXPert

WinXPert

Level 25
Verified
Honorary Member
Top Poster
Malware Hunter
Well-known
Jan 9, 2013
1,457
@hjlbx I only use Windows Firewall. How do you configure WF to "Prompt/Alert/Notifiy"?
 
You must log in or register to reply here.

Similar threads

Marko :)
    • Like
    • +Reputation
    • Thanks
Debloating the Brave browser — a simple guide
Replies
17
Views
1,338
Brave
Sorrento
Sorrento
Victor M
    • +Reputation
    • Like
    • Hundred Points
  • Suggestion
Setup Idea Default Deny Windows Firewall setup How To
Replies
7
Views
3,272
PC Setup Ideas
Victor M
Victor M
Lymphocyte
    • Like
    • Wow
Security News Microsoft Defender adds detection of unsecure Wi-Fi networks
Replies
0
Views
1,518
Security News
Lymphocyte
Lymphocyte

About us

  • MalwareTips is a community-driven platform providing the latest information and resources on malware and cyber threats. Our team of experienced professionals and passionate volunteers work to keep the internet safe and secure. We provide accurate, up-to-date information and strive to build a strong and supportive community dedicated to cybersecurity.

Quick Navigation

Forum Rules Warning System Welcome Guide Two-factor Authentication

User Menu

Login

Follow us

Follow us on Facebook or Twitter to know first about the latest cybersecurity incidents and malware threats.

Top