
Run Command task filename is now randomized


Nono


Hi there,

We're using ESMC (previously ERA from version 6.x or so), recently updated to:

ESET Security Management Center (Server), Version 7.1 (7.1.503.0)
ESET Security Management Center (Web Console), Version 7.1 (7.1.393.0)

and our client to:

ESET Management Agent 7.1.717.0
ESET Endpoint Security 7.2.2055.0

It seems that since this update, the task "Run Command" is executing a file C:\Windows\Temp\ra-run-command-xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx.bat where the hash is not always the same (as per the random "xxx" part of the name I guess).

As we have application whitelisting software alongside ESET to block unknown hash/file, would it be possible to keep the same file as previously (ra-run-command.bat) without the random part in the name?

  • ESET Staff

Unfortunately, there is currently no plan to revert to the original naming of the script. The change was introduced as part of "security hardening", which should improve protection against LPE (local privilege escalation) attacks in case other layers of protection fail.


Thanks @MartinK,

Could you then confirm it will always have the same pattern (for regex-style whitelisting)?

C:\Windows\Temp\ra-run-command-XXXXXXXX-XXXX-XXXX-XXXX-XXXXXXXXXXXX.bat

where the X follow the pattern: group of 8, group of 4, group of 4, group of 4, group of 12 letters/digits?

  • ESET Staff
52 minutes ago, Nono said:

Thanks @MartinK,

Could you then confirm it will always have the same pattern (for regex-style whitelisting)?

C:\Windows\Temp\ra-run-command-XXXXXXXX-XXXX-XXXX-XXXX-XXXXXXXXXXXX.bat

where the X follow the pattern: group of 8, group of 4, group of 4, group of 4, group of 12 letters/digits?

There is currently no plan to change this behavior, so for now it has this format.

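Added example, not part of the original thread and not ESET's code: one way to write the filename pattern discussed above as an anchored regex for an allowlist rule, compared with a loosely written version, over constructed sample paths. The 8-4-4-4-12 letters/digits shape comes from the posts; the function names, the sample identifier and the sample paths are assumptions.

```python
import ntpath
import re

# Strict rule: fixed directory and prefix, groups of 8-4-4-4-12 letters/digits
# as described in the thread, literal ".bat", anchored at both ends.
ALLOW = re.compile(
    r"\AC:\\Windows\\Temp\\ra-run-command-"
    r"[0-9A-Za-z]{8}(?:-[0-9A-Za-z]{4}){3}-[0-9A-Za-z]{12}\.bat\Z",
    re.IGNORECASE,  # Windows paths are case-insensitive
)

# The same idea written loosely: no directory, no anchors, unescaped dots.
LOOSE = re.compile(r"ra-run-command-.{8}-.{4}-.{4}-.{4}-.{12}.bat", re.IGNORECASE)


def is_run_command_script(path: str) -> bool:
    """True only if the whole path is the Run Command script location."""
    # normpath converts "/" to "\" and collapses "." and ".." components,
    # so equivalent spellings of the same path compare equal.
    return ALLOW.match(ntpath.normpath(path)) is not None


def audit(paths):
    """Return (path, strict_verdict, loose_verdict) for each path."""
    return [(p, is_run_command_script(p), LOOSE.search(p) is not None)
            for p in paths]


G = "1a2b3c4d-5e6f-7a8b-9c0d-1e2f3a4b5c6d"  # constructed sample identifier
SAMPLES = [  # constructed paths, not taken from any real system
    rf"C:\Windows\Temp\ra-run-command-{G}.bat",
    rf"C:\Windows\Temp\ra-run-command-{G}.bat".upper(),
    rf"C:\Users\Public\ra-run-command-{G}.bat",       # wrong directory
    rf"C:\Windows\Temp\ra-run-command-{G}.bat.exe",   # extra extension
    rf"C:\Windows\Temp\ra-run-command-{G}xbat",       # "." is not literal in LOOSE
    r"C:\Windows\Temp\ra-run-command.bat",            # pre-7.1 name
]

if __name__ == "__main__":
    for path, strict, loose in audit(SAMPLES):
        print(f"strict={strict!s:5} loose={loose!s:5} {path}")
```

The regex syntax shown is Python's; the allowlisting product's own syntax for anchors and escaping may differ.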

Archived

This topic is now archived and is closed to further replies.
