visigoth
Level 7

File Execution Question

I am working on creating images for machines with Solidcore to protect the systems from allowing the execution of non-authorized executables.  Recently my company hired a security consultant to look over the systems.  Unfortunately the first executable he copied to the system executed just fine.  While all the executable does is print some text to the screen, it does raise a concern that the file can execute at all.

The program he used is the virus test program located at: http://www.eicar.org/anti_virus_test_file.htm

He copied the text into a file named notepad.exe, opened a command prompt to the directory, and executed the file. My expectation is that this file is not in the inventory and thus it should have received the usual "The system cannot execute the specified program."  All of my other test programs were successfully blocked by Solidcore.

Is this an exceptional case due to the nature of the file or is there some configuration that I need to perform to prohibit these types of files from executing?

Thanks for your help!

Tim

0 Kudos
3 Replies
Dschatz
Level 7

Re: File Execution Question

Would it be possible that this file was authenticated by any means? A few things that I would check:

sadmin status (should be enabled and not Update/disabled)

sadmin updaters list | findstr notepad

sadmin aef list

sadmin ls | findstr notepad

sadmin attr list | findstr notepad

sadmin auth -l and check vs. the hash of the bogus notepad.exe

Your file should not show up in any of these lists. The directory where it was executed from should not show up under sadmin trusted -l

0 Kudos
visigoth
Level 7

Re: File Execution Question

I recreated the consultant's procedure on my test system:

  1. I created a directory C:\testdir

  2. I copied the original notepad.exe from C:\Windows into this directory.

  3. I executed .\notepad.exe and received the expected result of:

      "The system cannot execute the specified program."

  4. I erased notepad.exe.

  5. I created the replacement notepad executable file using the string from the website.

  6. I executed the new .\notepad.exe; it ran and output the EICAR test string.

  7. Just to be sure that it is not related to the name, I renamed the file from notepad.exe to eicar-test.exe.  It still executes.

As for your questions here are the results:

S3> sadmin status

McAfee Solidifier:              Enabled

McAfee Solidifier on reboot:    Enabled

System Controller:              Disconnected

Local CLI access:               Recovered

  [fstype]      [status]        [driver status] [volume]

* NTFS          Solidified      Attached        C:\

S3> sadmin updaters list | findstr notepad

** No results returned **

S3> sadmin aef list

   "file begins "C:\ProgramData\McAfee\Common Framework\AgentEvents" and process ends "scsrvc.exe""

   "user equals "Remote Administrator" and event equals "COMMAND_EXECUTED""

   "file begins "C:\ProgramData\McAfee\Common Framework\AgentEvents" and process ends "naprdmgr.exe""

S3> sadmin ls | findstr notepad

C:\Windows\en-US\notepad.exe.mui

C:\Windows\notepad.exe

C:\Windows\System32\en-US\notepad.exe.mui

C:\Windows\System32\notepad.exe

S3> sadmin attr list | findstr notepad

  ** No results returned **

S3> sadmin trusted -l

  ** No results returned **

S3> sadmin auth -l

  ** No results returned **

S3> sadmin check

Checking volume C:\ ...

  ** No results returned **

Hope this helps diagnose the issue.

Thanks!

0 Kudos
McAfee Employee

Re: File Execution Question

From the site:

The file is a legitimate DOS program, and produces sensible results when run (it prints the message "EICAR-STANDARD-ANTIVIRUS-TEST-FILE!").

You should check cmd.exe is the parent application since this is a DOS program.

RobertM

0 Kudos
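One way to spot this class of file on an image, as an added example that is not code from the thread, from McAfee or from the sadmin tool: the EICAR file has no MZ/PE header, so Windows never loads it as a PE image, and on a 32-bit host an .exe that starts like that is run as a DOS .COM program by the 16-bit subsystem (ntvdm.exe) under the calling cmd.exe, which fits RobertM's point about the parent process. The script classifies files by header so that non-PE executables can be found before they are relied on to be blocked; the sample bytes are constructed, and the headerless one is a stand-in for the EICAR string, not the real string.

```python
import struct


def classify_image(data: bytes) -> str:
    """Classify raw file bytes: 'pe' (Windows image), 'dos-mz' (DOS .EXE with an
    MZ header but no PE signature), 'dos-com' (no MZ header at all) or 'empty'."""
    if not data:
        return "empty"
    if data[:2] != b"MZ":
        # No MZ stub: the Windows image loader never maps this file as an image.
        # On a 32-bit host an .exe that starts like this is handed to the 16-bit
        # subsystem (ntvdm.exe) and executed as a DOS .COM program.
        return "dos-com"
    if len(data) < 0x40:
        return "dos-mz"
    # e_lfanew at offset 0x3C points at the "PE\0\0" signature of a Windows image.
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] == b"PE\0\0":
        return "pe"
    return "dos-mz"  # MZ stub but no PE signature: a plain DOS .EXE


def build_pe_stub() -> bytes:
    """Constructed sample: an MZ stub whose e_lfanew points at a PE signature.
    Enough for header classification; it is not a runnable program."""
    header = bytearray(0x40)
    header[:2] = b"MZ"
    struct.pack_into("<I", header, 0x3C, 0x40)
    return bytes(header) + b"PE\0\0"


# Constructed samples standing in for the files discussed in the thread. The
# headerless entry is a stand-in for the EICAR text file, not the real string.
SAMPLES = {
    "C:\\Windows\\notepad.exe (real PE)": build_pe_stub(),
    "C:\\testdir\\old-dos-tool.exe (MZ only)": b"MZ" + bytes(0x3E),
    "C:\\testdir\\notepad.exe (text renamed to .exe)": b"X-CONSTRUCTED-DOS-COM-STAND-IN",
}


def non_pe_files(samples: dict) -> list:
    """Names of files that are not PE images and so would not be launched by
    the Windows image loader but, on 32-bit hosts, by the 16-bit subsystem."""
    return [name for name, data in samples.items() if classify_image(data) != "pe"]


if __name__ == "__main__":
    for name, data in SAMPLES.items():
        print(f"{classify_image(data):8}  {name}")
```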