Jump to content

Run Command task filename is now randomized


Recommended Posts

Hi there, 

We're using ESMC (previously ERA from version 6.x or so), recently updated to :

ESET Security Management Center (Server), Version 7.1 (7.1.503.0)
ESET Security Management Center (Web Console), Version 7.1 (7.1.393.0)

and our client to :

ESET Management Agent 7.1.717.0    
ESET Endpoint Security 7.2.2055.0

It seems that since this update, the task "Run Command" is executing a file C:\Windows\Temp\ra-run-command-xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx.bat where the hash is not always the same (as per the random "xxx" part of the name I guess).

As we have a Application whitelisting software aside ESET to block unkown hash/file, would it be possible to keep the same file as previously (ra-run-command.bat) without the random part in the name ?

Link to comment
Share on other sites

  • ESET Staff

Unfortunately there is currently no plan to revert back to original naming of script. Change has been introduced as part "security hardening" which should improve protection against LPE (local privileges escalation) type of attacks in case other layers of protection would fail.

Link to comment
Share on other sites

Thanks @MartinK,

Could you then confirm it will always have the same pattern (for regex style whitelisting) ?

C:\Windows\Temp\ra-run-command-XXXXXXXX-XXXX-XXXX-XXXX-XXXXXXXXXXXX.bat

where the X are following the pattern: group of 8, group of 4, group of 4, group of 4, group of 12 letters/digits ?

Edited by Nono
Link to comment
Share on other sites

  • ESET Staff
52 minutes ago, Nono said:

Thanks @MartinK,

Could you then confirm it will always have the same pattern (for regex style whitelisting) ?

C:\Windows\Temp\ra-run-command-XXXXXXXX-XXXX-XXXX-XXXX-XXXXXXXXXXXX.bat

where the X are following the pattern: group of 8, group of 4, group of 4, group of 4, group of 12 letters/digits ?

There is currently no plan to change this behavior, so for now it has this format.

Link to comment
Share on other sites

Guest
This topic is now closed to further replies.
  • Recently Browsing   0 members

    • No registered users viewing this page.
×
×
  • Create New...