Nono, posted February 14, 2020:

Hi there,

We're using ESMC (previously ERA from version 6.x or so), recently updated to:

ESET Security Management Center (Server), Version 7.1 (7.1.503.0)
ESET Security Management Center (Web Console), Version 7.1 (7.1.393.0)

and our client to:

ESET Management Agent 7.1.717.0
ESET Endpoint Security 7.2.2055.0

It seems that since this update, the task "Run Command" is executing a file C:\Windows\Temp\ra-run-command-xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx.bat where the hash is not always the same (as per the random "xxx" part of the name I guess).

As we have an application whitelisting software alongside ESET to block unknown hash/file, would it be possible to keep the same file as previously (ra-run-command.bat) without the random part in the name?

MartinK (ESET Staff), posted February 14, 2020:

Unfortunately there is currently no plan to revert back to the original naming of the script. The change has been introduced as part of "security hardening" which should improve protection against LPE (local privilege escalation) type of attacks in case other layers of protection would fail.

Nono, posted February 17, 2020 (edited):

Thanks @MartinK,

Could you then confirm it will always have the same pattern (for regex style whitelisting)?

C:\Windows\Temp\ra-run-command-XXXXXXXX-XXXX-XXXX-XXXX-XXXXXXXXXXXX.bat

where the X are following the pattern: group of 8, group of 4, group of 4, group of 4, group of 12 letters/digits?

MartinK (ESET Staff), posted February 17, 2020:

> 52 minutes ago, Nono said:
> Thanks @MartinK,
> Could you then confirm it will always have the same pattern (for regex style whitelisting)?
> C:\Windows\Temp\ra-run-command-XXXXXXXX-XXXX-XXXX-XXXX-XXXXXXXXXXXX.bat
> where the X are following the pattern: group of 8, group of 4, group of 4, group of 4, group of 12 letters/digits?

There is currently no plan to change this behavior, so for now it has this format.
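
A fully anchored path rule for the name format discussed in this thread, as an added example that is not part of the original posts and not ESET code. It assumes "letters/digits" means ASCII letters and digits; the sample paths are constructed, and the names `RUN_COMMAND_RE`, `is_run_command_script` and `mismatches` are hypothetical.

```python
import re

# Assumption: "letters/digits" in the thread means ASCII letters and digits.
G = "[0-9A-Za-z]"
RUN_COMMAND_RE = re.compile(
    r"C:\\Windows\\Temp\\ra-run-command-"
    + G + "{8}-" + G + "{4}-" + G + "{4}-" + G + "{4}-" + G + "{12}"
    + r"\.bat",
    re.IGNORECASE,  # Windows paths are case-insensitive
)


def is_run_command_script(path: str) -> bool:
    """True only when the entire path is the 8-4-4-4-12 script name."""
    # fullmatch anchors both ends; "$" alone would accept a trailing newline
    return RUN_COMMAND_RE.fullmatch(path) is not None


# Constructed sample paths (not taken from a real system)
GOOD = r"C:\Windows\Temp\ra-run-command-0a1b2c3d-4e5f-6071-8293-a4b5c6d7e8f9.bat"
SAMPLES = {
    GOOD: True,
    GOOD.upper(): True,                                  # same file, other case
    r"C:\Windows\Temp\ra-run-command.bat": False,        # old fixed name
    GOOD + ".exe": False,                                # extra extension
    GOOD.replace("Temp\\", "Temp\\sub\\"): False,        # subdirectory
    GOOD.replace("0a1b2c3d", "0a1b2c3"): False,          # first group too short
    GOOD.replace(r"\Temp", r"\Temp\..\Temp"): False,     # non-canonical path
    r"C:\Users\Public\ra-run-command-0a1b2c3d-4e5f-6071-8293-a4b5c6d7e8f9.bat": False,
}


def mismatches() -> list:
    """Sample paths whose verdict differs from the expected one."""
    return [p for p, want in SAMPLES.items() if is_run_command_script(p) != want]


if __name__ == "__main__":
    for p in SAMPLES:
        print("ALLOW" if is_run_command_script(p) else "DENY ", p)
```

A name match says where a file is, not what it contains, so a rule like this is only as strong as the write permissions on C:\Windows\Temp.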