3 Replies Latest reply on Jul 30, 2010 4:15 PM by RobertM

    File Execution Question

      I am working on creating images for machines with Solidcore to protect the systems from allowing the execution of non-authorized executables.  Recently my company hired a security consultant to look over the systems.  Unfortunately, the first executable he copied to the system executed just fine.  While all the executable does is print some text to the screen, it does raise a concern that the file can execute at all.

      The program he used is the virus test program located at: http://www.eicar.org/anti_virus_test_file.htm

      He copied the text into a file named notepad.exe, opened a command prompt to the directory, and executed the file. My expectation is that this file is not in the inventory and thus it should have received the usual "The system cannot execute the specified program."  All of my other test programs were successfully blocked by Solidcore.

      Is this an exceptional case due to the nature of the file or is there some configuration that I need to perform to prohibit these types of files from executing?

      Thanks for your help!

      Tim

        • 1. Re: File Execution Question

          Would it be possible that this file was authenticated by any means? A few things that I would check:

          sadmin status (should be enabled and not Update/disabled)

          sadmin updaters list | findstr notepad

          sadmin aef list

          sadmin ls | findstr notepad

          sadmin attr list | findstr notepad

          sadmin auth -l and check vs. the hash of the bogus notepad.exe

          Your file should not show up in any of these lists. The directory where it was executed from should not show up under sadmin trusted -l

          • 2. Re: File Execution Question

            I recreated the consultant's procedure on my test system:

              1. I created a directory C:\testdir

              2. I copied the original notepad.exe from C:\Windows into this directory.

              3. I executed .\notepad.exe and received the expected result of:

                  "The system cannot execute the specified program."

              4. I erased notepad.exe.

              5. I created the replacement notepad executable file using the string from the website.

              6. I executed the new .\notepad.exe; it ran and output the EICAR test string.

              7. Just to be sure that it is not related to the name, I renamed the file from notepad.exe to eicar-test.exe.  It still executes.

            As for your questions, here are the results:

            S3> sadmin status

            McAfee Solidifier:              Enabled
            McAfee Solidifier on reboot:    Enabled

            System Controller:              Disconnected
            Local CLI access:               Recovered

              [fstype]      [status]        [driver status] [volume]
            * NTFS          Solidified      Attached        C:\

            S3> sadmin updaters list | findstr notepad

            ** No results returned **

            S3> sadmin aef list

               "file begins "C:\ProgramData\McAfee\Common Framework\AgentEvents" and process ends "scsrvc.exe""
               "user equals "Remote Administrator" and event equals "COMMAND_EXECUTED""
               "file begins "C:\ProgramData\McAfee\Common Framework\AgentEvents" and process ends "naprdmgr.exe""

            S3> sadmin ls | findstr notepad

            C:\Windows\en-US\notepad.exe.mui
            C:\Windows\notepad.exe
            C:\Windows\System32\en-US\notepad.exe.mui
            C:\Windows\System32\notepad.exe

            S3> sadmin attr list | findstr notepad

              ** No results returned **

            S3> sadmin trusted -l

              ** No results returned **

            S3> sadmin auth -l

              ** No results returned **

            S3> sadmin check
            Checking volume C:\ ...

              ** No results returned **

            Hope this helps diagnose the issue.

            Thanks!

            • 3. Re: File Execution Question
              RobertM

              From the site:

              The file is a legitimate DOS program, and produces sensible results when run (it prints the message "EICAR-STANDARD-ANTIVIRUS-TEST-FILE!").

              You should check that cmd.exe is the parent application since this is a DOS program.

              RobertM
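RobertM's point (the EICAR file is a DOS program, not a Windows PE image) as an added example that is not part of the original posts: a small Python checker that classifies a file by its header the way the Windows loader does, so an administrator can see which files in a directory are Win32 images (the kind `sadmin ls` lists) and which would instead be handed to the 16-bit DOS subsystem. The sample bytes are constructed here (a minimal PE header, an MZ-only stub, and a stand-in for the EICAR text, not the real test string), and the statement that the DOS host process (ntvdm.exe on 32-bit Windows) rather than the file itself is what an image-load control sees is an assumption about why the file slipped past the inventory check.

```python
import struct

# Constructed sample bytes (not files from the thread): a minimal PE header,
# an MZ-only DOS stub, and a stand-in for the EICAR text (not the real string).
def make_min_pe() -> bytes:
    hdr = bytearray(0x44)
    hdr[0:2] = b"MZ"
    struct.pack_into("<I", hdr, 0x3C, 0x40)   # e_lfanew -> offset 0x40
    hdr[0x40:0x44] = b"PE\0\0"
    return bytes(hdr)

MZ_ONLY = b"MZ" + bytes(0x3E)                 # DOS .EXE header, no PE signature
EICAR_STAND_IN = b"X5O!P%@AP[CONSTRUCTED-STAND-IN-NOT-THE-REAL-EICAR-STRING]$H+H*"

def classify_executable(data: bytes) -> str:
    """Classify a file by its header, the way the Windows loader does.
    'PE'      MZ stub whose e_lfanew points at 'PE\\0\\0': a Win32 image, the
              kind of file the inventory listing above (sadmin ls) contains.
    'MZ-DOS'  MZ header with no PE signature: a 16-bit DOS .EXE.
    'DOS-COM' no MZ header at all: DOS runs it as a raw .COM program, which
              is what the EICAR test file is.
    """
    if data[:2] != b"MZ":
        return "DOS-COM"
    if len(data) < 0x40:
        return "MZ-DOS"
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)
    if e_lfanew + 4 <= len(data) and data[e_lfanew:e_lfanew + 4] == b"PE\0\0":
        return "PE"
    return "MZ-DOS"

def audit(files: dict) -> dict:
    """Map each file name to its class. A non-PE '.exe' is not loaded as a
    Win32 image; on 32-bit Windows the DOS host (ntvdm.exe) runs it, so a
    control that keys on image loads sees the host, not the file (assumption)."""
    report = {}
    for name, data in files.items():
        kind = classify_executable(data)
        note = "" if kind == "PE" else " (not a Win32 image: check the DOS host)"
        report[name] = kind + note
    return report

SAMPLES = {                                   # constructed test set
    "real_notepad.exe": make_min_pe(),
    "old_dos_tool.exe": MZ_ONLY,
    "notepad.exe": EICAR_STAND_IN,            # stand-in for the consultant's file
}
```

Running `audit` over a directory of real files (read in binary mode) gives the same kind of report; any "DOS-COM" or "MZ-DOS" hit is a file the PE-based inventory was never asked about.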