ticklemefeet

Level 23
About a week ago I started getting blocks from AppGuard for wscript. I have not installed any new software. I have only got a few Insider updates. Any ideas? It appears to be trying to run svhost.exe
 

danb

From VoodooShield
Verified
Developer
My best guess would be an app update of some kind. From what I remember, you run AG and VS together, right? If so, you might be able to…

1. Disable AG for a couple of hours (or until the block would have occurred)​
2. If VS does not block this event, then it means it was auto whitelisted from a known clean parent, so you can assume it is clean. You can check the Whitelist and Command Lines later in VS settings for more info if you are curious.​
3. If VS does block this event, hopefully it will give you more info about the block… like maybe the actual script name and path, and that way you can figure out if it is malicious or not (or you can just look at the WLC and VT results).​
 

cruelsister

Level 37
Verified
Trusted
Content Creator
Hi Tickle! May not be due to an update. Actually I think that there is a chance that you may have had a run in with one of my beloved Worms. What may appear to be an actual svchost process may be instead a cloaked (don't ask) wscript. If this is indeed so it is Double Plus Ungood as it frequently will be able to connect out and proceed with various nastiness.

A further issue is that running a 2nd opinion scan with the usual suspects will detect neither the presence of the initial worm nor the cloaked svchost spawn, or if they do, the persistence mechanism of the worm may not be detected, so the infection will keep coming back no matter how many reboots or how many scans are done (kinda like Whack-A-Mole).

Anyway, what you can do quite easily is check for Startup Items via Task Manager, looking for some wscript (like a vbs file) item. Also check ALL the running svchost processes (Task Manager-Details-Properties). Any one of them not in System32 is suspect.

Easier still, download and run Kaspersky Virus Removal Tool which is a scanner that has the best chance at detecting wormy processes.

Of course there may be other theories...

M
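The two checks described above (svchost images running from outside System32, and autostart entries that invoke wscript or a script file), as an added PowerShell triage script that is not part of this thread; run it from an elevated prompt so process paths resolve.

```powershell
# Added triage script (not from the thread): flags svchost.exe instances whose image is
# not under %WINDIR%\System32 and lists autostart entries that invoke wscript/cscript.
$system32 = Join-Path $env:WINDIR 'System32'

function Get-SuspectSvchost {
    # Process.Path needs elevation for protected processes; null paths are reported, not skipped.
    Get-Process -Name svchost -ErrorAction SilentlyContinue | ForEach-Object {
        $p = $_.Path
        $inSystem32 = $p -and $p.StartsWith($system32, [System.StringComparison]::OrdinalIgnoreCase)
        [pscustomobject]@{ PID = $_.Id; Path = $p; Suspect = (-not $inSystem32) }
    }
}

function Get-ScriptAutostarts {
    # Scheduled tasks whose action runs a script host or a script file
    $pattern = '(?i)(wscript|cscript)(\.exe)?|\.(vbs|vbe|js|jse|wsf)\b'
    $tasks = Get-ScheduledTask -ErrorAction SilentlyContinue | ForEach-Object {
        foreach ($a in $_.Actions) {
            $cmd = "$($a.Execute) $($a.Arguments)"
            if ($cmd -match $pattern) {
                [pscustomobject]@{ Source = 'Task'; Name = "$($_.TaskPath)$($_.TaskName)"; Command = $cmd.Trim() }
            }
        }
    }
    # Run keys (per-user and machine-wide), the classic wscript persistence location
    $runKeys = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
               'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run'
    $run = foreach ($k in $runKeys) {
        $props = Get-ItemProperty -Path $k -ErrorAction SilentlyContinue
        if ($props) {
            foreach ($entry in ($props.PSObject.Properties | Where-Object { $_.Name -notlike 'PS*' })) {
                if ("$($entry.Value)" -match $pattern) {
                    [pscustomobject]@{ Source = 'Run'; Name = "$k\$($entry.Name)"; Command = "$($entry.Value)" }
                }
            }
        }
    }
    @($tasks) + @($run)
}

Get-SuspectSvchost | Where-Object Suspect | Format-Table -AutoSize
Get-ScriptAutostarts | Format-Table -AutoSize
```

An empty first table means every svchost.exe is loading from System32; entries in the second table are the scheduled tasks and Run keys worth inspecting by hand.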
 

danb

From VoodooShield
Verified
Developer
CS brings up some great points (it certainly could be malware)... maybe even try Autoruns to see if it can shed some light, although it probably would not be boot time malware since Tickle did not specify that the block occurred when he started his computer.


Let's hope that it is something more along the lines of something like this...


I have seen quite a few app and driver updates use scripts recently... but as we all know, malware authors seem to have a fondness for them as well.
 

ticklemefeet

Level 23
Would some of the script look something like this?

rem //-------------------------------------------------------------------------
rem // Revert system settings as required by payload.
rem //-------------------------------------------------------------------------

:DELETE_FIREWALL_RULES
rem //-------------------------------------------------------------------------
rem // UPnP IL.
rem //-------------------------------------------------------------------------
if %SERVICE_MANAGE_UPNP_FIREWALL_RULES% == NO goto SERVICE_DELETE_UPNP_FIREWALL_RULES_SKIP

rem //-------------------------------------------------------------------------
rem // Check if rule #1 exist.
rem //-------------------------------------------------------------------------
set COMMAND=%WINDIR%\System32\netsh.exe advfirewall firewall show rule name=!SERVICE_FIREWALL_UPNP_RULE_1_NAME!
set /A COMMANDS_COUNT=COMMANDS_COUNT+1
echo COMMAND[%COMMANDS_COUNT%][%DATE% - %TIME%]=[%COMMAND%] >> "%INSTALLER_LOG_FILE_NAME%" 2>&1
if %DEBUG% == YES echo COMMAND[%COMMANDS_COUNT%]=[%COMMAND%]
if %EXECUTE% == YES (
%COMMAND% >> "%INSTALLER_LOG_FILE_NAME%" 2>&1
)
if %ERRORLEVEL% == 0 (
 

danb

From VoodooShield
Verified
Developer
VC shows the file in whitelist as autoscript. If I am looking at the right file it is located in the Programs, Intel folder, called installer.bat

Yeah, it is an update... and since it was checked with WLC and VT (among other checks) then auto allowed, I am certain it is safe, but you can manually drag and drop it to the VS desktop gadget just to be sure. That way the Intel haters cannot claim it is malicious ;).

You know, I always knew file insight was absolutely vital to the end user... but I never realized that it is absolutely vital to admins as well.
 

shmu26

Level 85
Verified
Trusted
Content Creator
Would some of the script look something like this?

rem //-------------------------------------------------------------------------
rem // Revert system settings as required by payload.
rem //-------------------------------------------------------------------------

:DELETE_FIREWALL_RULES
rem //-------------------------------------------------------------------------
rem // UPnP IL.
rem //-------------------------------------------------------------------------
if %SERVICE_MANAGE_UPNP_FIREWALL_RULES% == NO goto SERVICE_DELETE_UPNP_FIREWALL_RULES_SKIP

rem //-------------------------------------------------------------------------
rem // Check if rule #1 exist.
rem //-------------------------------------------------------------------------
set COMMAND=%WINDIR%\System32\netsh.exe advfirewall firewall show rule name=!SERVICE_FIREWALL_UPNP_RULE_1_NAME!
set /A COMMANDS_COUNT=COMMANDS_COUNT+1
echo COMMAND[%COMMANDS_COUNT%][%DATE% - %TIME%]=[%COMMAND%] >> "%INSTALLER_LOG_FILE_NAME%" 2>&1
if %DEBUG% == YES echo COMMAND[%COMMANDS_COUNT%]=[%COMMAND%]
if %EXECUTE% == YES (
%COMMAND% >> "%INSTALLER_LOG_FILE_NAME%" 2>&1
)
if %ERRORLEVEL% == 0 (
A bat file will launch cmd.exe, otherwise known as the Windows command prompt. But your log from AppGuard is showing wscript. The code you posted does not look like it calls wscript.

I would be surprised if a standard Intel update calls cscript. There are billions of computers running Intel, so we would have heard about this if it was happening.
 

ticklemefeet

Level 23
A bat file will launch cmd.exe, otherwise known as the Windows command prompt. But your log from AppGuard is showing wscript. The code you posted does not look like it calls wscript.

I would be surprised if a standard Intel update calls cscript. There are billions of computers running Intel, so we would have heard about this if it was happening.

I did not post the entire info from the bat file. In the bat file wscript is called. What I don't understand is why it would be messing with my firewall. It has code to do things with the firewall, but it must be the Windows firewall because I use Fort Knox Firewall. I could maybe send the entire file via personal message as a text file if someone wants me to. At this point, I am not sure whether the bat file caused the block I am getting from AppGuard or not, but it keeps trying to run after a certain period of time. I guess I could delete the batch file and see if the AG block stops.
 

danb

From VoodooShield
Verified
Developer
A bat file will launch cmd.exe, otherwise known as the Windows command prompt. But your log from AppGuard is showing wscript. The code you posted does not look like it calls wscript.

I would be surprised if a standard Intel update calls cscript. There are billions of computers running Intel, so we would have heard about this if it was happening.
I see stuff like this all of the time.
 

danb

From VoodooShield
Verified
Developer
At this point, I am not sure whether the bat file caused the block I am getting from AppGuard or not, but it keeps trying to run after a certain period of time. I guess I could delete the batch file and see if the AG block stops.
That is a great idea. Just a thought, you might want to delete the item from the VS whitelist first and see if it magically reappears later. That way we can determine whether or not this is a script that needs to run more than once. If you find that it only needs to run once, then obviously you should be able to delete it.

Either way, this is a perfect example of why permanently disabling vital Windows interpreters / sponsors should not be considered "real security". Sure, your computer is potentially more secure, but it is at the expense of it not being able to call the code it needs to run properly and securely.
 

danb

From VoodooShield
Verified
Developer
Cool, thank you for letting me know. Shadow Defender, right? VS probably tried to write to the whitelist.db and it was blocked or something. Please let me know if it is Shadow Defender so I can install it and fix that bug. Do you notice any other bugs while running in shadow mode? I probably should debug VS in shadow mode for a while, it is something I have never done before and would be a great "double check" for bugs.
 

ticklemefeet

Level 23
Cool, thank you for letting me know. Shadow Defender, right? VS probably tried to write to the whitelist.db and it was blocked or something. Please let me know if it is Shadow Defender so I can install it and fix that bug. Do you notice any other bugs while running in shadow mode? I probably should debug VS in shadow mode for a while, it is something I have never done before and would be a great "double check" for bugs.

Yes, Shadow Defender. I have not deleted the bat file yet, but I did remove it from the VS White List and it has not come back. AppGuard logged two blocks today so far of the script. One at 9:57 AM and one at 12:57 PM.
 

danb

From VoodooShield
Verified
Developer
Cool... yeah, AG has a lower allocated driver altitude than VS, so if it blocks the file, VS will not even see it (so it won't come back).


So then we have no idea if the script only needs to run once to completion or not, especially since I have no idea if you are in shadow mode or not ;).

It almost sounds like a scheduled task to me... did you check Autoruns? If you still have questions or concerns I would be happy to take a look at the scripts, if so just email me.
 

ticklemefeet

Level 23
Interesting. Well, we are in a pickle if we do not know the path of the script. Did you check Autoruns to see if it can find anything, specifically the scheduled tasks? Does the batch file automatically reappear at some point after you delete it?

I never saw anything with Autoruns, and if I delete the batch file it does not reappear. The batch file is not calling the script, because I had deleted it. I guess I will just have to live with the block.
 