What is command line whitelisting?

Daniel Keller

Level 2
Thread author
Verified
Dec 28, 2016
86
Hi everybody,

In terms of anti-exe tools like Bouncer or ERP, I see people talking about the importance of "command line white-listing". I did some research but did not find any useful information on what exactly this means or in which circumstances it is useful / necessary.

I guess that a tool that is not white-listed by path also can't run if started using the command line. So "command line white-listing" means that an already white-listed program could only run using certain command line parameters?

I'm a bit confused about the topic. Could you help me out?
 
  • Like
Reactions: Sunshine-boy

XhenEd

Level 28
Verified
Honorary Member
Top Poster
Content Creator
Well-known
Mar 1, 2014
1,708
In my understanding, the specified program can execute only whitelisted command lines. So, instead of whitelisting the whole process, and therefore all of its command lines are whitelisted, the command lines of this process are selectively whitelisted. This prevents malware from readily using the vulnerable process to execute unrestrained. This gives more security. :)
 

Deleted member 178

in terms of anti-exe tools like Bouncer or ERP I see people talking about the importance of "command line white-listing".
I guess that a tool that is not white-listed by path also can't run if started using the command line. So "command line white-listing" means that an already white-listed program could only run using certain command line parameters?
This is mostly about the "Parent-Child" process relationship.
A command line usually signifies that Parent Process A tries to execute Child Process B.
If you whitelist A to only execute B, only B will be executed, not C, D, etc., as opposed to just whitelisting A, which means you allowed A to execute anything it wants.
 

Winter Soldier

Level 25
Verified
Top Poster
Well-known
Feb 13, 2017
1,486
I guess that a tool that is not white-listed by path also can't run if started using the command line.
From what I've understood, you can add to the whitelist all the trusted command-line strings frequently used by processes listed in the vulnerable processes list.
So technically, Windows uses an array of strings, passing to a program (anti-exe in our case) a series of parameters, listed in the command line.
This is because a program written in C++ can be launched from the operating system as a command, and may be accompanied by parameters.
C++ (like C) transforms these parameters into the arguments passed to the function "main", so that the program can process them.

This is what I remember about C/C++ programming, correct me if I'm wrong.
 

lab34

Level 6
Verified
Well-known
Mar 28, 2017
263
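Yes, you are talking about that, I think?
Code:
#include <stdio.h>

/* Print every command-line argument passed to the program. */
int main(int argc, char *argv[])
{
    int i;

    if (argc >= 2) {
        /* argv[0] is the program name, so the arguments start at index 1 */
        printf("The arguments supplied are:\n");
        for (i = 1; i < argc; i++) {
            printf("%s\t", argv[i]);
        }
        printf("\n");
    } else {
        printf("argument list is empty.\n");
    }
    getchar();  /* wait for Enter before exiting; standard replacement for getch() from <conio.h> */
    return 0;
}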
 

shmu26

Level 85
Verified
Honorary Member
Top Poster
Content Creator
Well-known
Jul 3, 2015
8,150
In ERP, you usually talk about command lines in connection with vulnerable processes.
Because if you don't whitelist specific command line strings, you will keep getting prompts all the time, even if you allowed it before.
 
  • Like
Reactions: AtlBo and XhenEd

Winter Soldier

Level 25
Verified
Top Poster
Well-known
Feb 13, 2017
1,486
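Yes, you are talking about that, I think?
Code:
#include <stdio.h>

/* Print every command-line argument passed to the program. */
int main(int argc, char *argv[])
{
    int i;

    if (argc >= 2) {
        /* argv[0] is the program name, so the arguments start at index 1 */
        printf("The arguments supplied are:\n");
        for (i = 1; i < argc; i++) {
            printf("%s\t", argv[i]);
        }
        printf("\n");
    } else {
        printf("argument list is empty.\n");
    }
    getchar();  /* wait for Enter before exiting; standard replacement for getch() from <conio.h> */
    return 0;
}
Yes, it takes parameters and then it processes them along with cycles (if, while, for, etc.).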
 

Daniel Keller

Level 2
Thread author
Verified
Dec 28, 2016
86
Thank you everybody for clarification.
To use an example: we speak about things like svchost or regsvr32 which could be used to load services or dll files by using command line, right?
So command line white-listing could be used to restrict what these parent services could be used for?!
 
  • Like
Reactions: AtlBo and XhenEd

Myriad

Level 7
Verified
Well-known
May 22, 2016
349
This is mostly about the "Parent-Child" process relationship.
A command line usually signifies that Parent Process A tries to execute Child Process B.
If you whitelist A to only execute B, only B will be executed, not C, D, etc., as opposed to just whitelisting A, which means you allowed A to execute anything it wants.

Precisely so!
Excellent post, thank you.

From what I've understood, you can add to the whitelist all the trusted command-line strings frequently used by processes listed in the vulnerable processes list.
So technically, Windows uses an array of strings, passing to a program (anti-exe in our case) a series of parameters, listed in the command line.
This is because a program written in C++ can be launched from the operating system as a command, and may be accompanied by parameters.
C++ (like C) transforms these parameters into the arguments passed to the function "main", so that the program can process them.

This is what I remember about C/C++ programming, correct me if I'm wrong.

My C/C++ coding skills are gathering dust and cobwebs in a corner of my mind :)

But that is how I recall things also ... thanks!
 

ParaXY

Level 6
Verified
Mar 14, 2017
273
This is mostly about the "Parent-Child" process relationship.
A command line usually signifies that Parent Process A tries to execute Child Process B.
If you whitelist A to only execute B, only B will be executed, not C, D, etc., as opposed to just whitelisting A, which means you allowed A to execute anything it wants.

I wonder if AppLocker will ever support a "Parent-Child" relationship like Bouncer?
 
  • Like
Reactions: AtlBo
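
The idea discussed in this thread (a vulnerable process is allowed only for specific parent, child and command-line combinations, with everything else denied) as an added C example; it is not from any poster and is not how Bouncer or ERP are implemented. The policy, the `C:\Program Files\Example` paths and the function names are constructed for illustration.

```c
#include <ctype.h>
#include <stdio.h>
#define SYS32 "C:\\Windows\\System32\\"
#define APP   "C:\\Program Files\\Example\\"   /* hypothetical application folder */

/* One rule: this parent may start this child with exactly this command line. */
struct rule { const char *parent, *child, *cmdline; };
/* Constructed sample policy; every path and command line is illustrative. */
static const struct rule POLICY[] = {
    { SYS32 "services.exe", SYS32 "svchost.exe", "svchost.exe -k netsvcs" },
    { APP "setup.exe", SYS32 "regsvr32.exe", "regsvr32.exe /s \"" APP "plugin.dll\"" },
};

/* Windows image paths are case-insensitive, so compare them that way. */
static int same_path(const char *a, const char *b) {
    while (*a && tolower((unsigned char)*a) == tolower((unsigned char)*b)) { a++; b++; }
    return *a == *b;
}

/* Command lines must match exactly, except that a run of blanks counts as one
   space and leading/trailing blanks are ignored (blanks inside quotes too). */
static int same_cmdline(const char *a, const char *b) {
    for (int first = 1;; first = 0) {
        int gap_a = 0, gap_b = 0;
        while (isspace((unsigned char)*a)) { a++; gap_a = 1; }
        while (isspace((unsigned char)*b)) { b++; gap_b = 1; }
        if (!*a || !*b) return *a == *b;               /* both must end together */
        if ((!first && gap_a != gap_b) || *a != *b) return 0;
        a++; b++;
    }
}

/* Default deny: returns 1 only when parent, child and command line all match a rule. */
static int allowed(const char *parent, const char *child, const char *cmdline) {
    for (size_t i = 0; i < sizeof POLICY / sizeof POLICY[0]; i++)
        if (same_path(POLICY[i].parent, parent) && same_path(POLICY[i].child, child) &&
            same_cmdline(POLICY[i].cmdline, cmdline))
            return 1;
    return 0;
}

int main(void) {
    const char *reg = SYS32 "regsvr32.exe";   /* same child image in all three events */
    printf("%d\n", allowed(APP "setup.exe", reg, "regsvr32.exe  /s \"" APP "plugin.dll\""));
    printf("%d\n", allowed(APP "setup.exe", reg, "regsvr32.exe /s \"C:\\Temp\\other.dll\""));
    printf("%d\n", allowed(APP "editor.exe", reg, "regsvr32.exe /s \"" APP "plugin.dll\""));
    return 0;
}
```

A rule that allowed `regsvr32.exe` by path alone would accept all three events; with the parent and command line in the rule, only the first is allowed.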
