Nono

Run Command task filename is now randomized


Hi there, 

We're using ESMC (previously ERA from version 6.x or so), recently updated to:

ESET Security Management Center (Server), Version 7.1 (7.1.503.0)
ESET Security Management Center (Web Console), Version 7.1 (7.1.393.0)

and our client to:

ESET Management Agent 7.1.717.0
ESET Endpoint Security 7.2.2055.0

It seems that since this update, the task "Run Command" is executing a file C:\Windows\Temp\ra-run-command-xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx.bat where the hash is not always the same (as per the random "xxx" part of the name I guess).

As we have application whitelisting software alongside ESET to block unknown hashes/files, would it be possible to keep the same file as previously (ra-run-command.bat), without the random part in the name?


Unfortunately, there is currently no plan to revert to the original naming of the script. The change was introduced as part of "security hardening", which should improve protection against LPE (local privilege escalation) attacks in case other layers of protection fail.


Thanks @MartinK,

Could you then confirm it will always have the same pattern (for regex-style whitelisting)?

C:\Windows\Temp\ra-run-command-XXXXXXXX-XXXX-XXXX-XXXX-XXXXXXXXXXXX.bat

where the Xs follow the pattern: group of 8, group of 4, group of 4, group of 4, group of 12 letters/digits?

52 minutes ago, Nono said:

Thanks @MartinK,

Could you then confirm it will always have the same pattern (for regex-style whitelisting)?

C:\Windows\Temp\ra-run-command-XXXXXXXX-XXXX-XXXX-XXXX-XXXXXXXXXXXX.bat

where the Xs follow the pattern: group of 8, group of 4, group of 4, group of 4, group of 12 letters/digits?

There is currently no plan to change this behavior, so for now it has this format.

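The file name pattern discussed in this thread, written as a fully anchored regular expression. This is an added example, not code from ESET or from the posters. It assumes the random groups are ASCII letters/digits as described above; the function names and sample paths are hypothetical.

```python
import re

# Fixed directory and prefix, then groups of 8-4-4-4-12 letters/digits, then
# ".bat". Assumption: the groups are ASCII letters/digits, as the post says.
_GROUPS = "-".join(r"[0-9A-Za-z]{%d}" % n for n in (8, 4, 4, 4, 12))
RUN_COMMAND_RE = re.compile(
    r"C:\\Windows\\Temp\\ra-run-command-" + _GROUPS + r"\.bat",
    # Windows paths are case-insensitive; re.ASCII stops IGNORECASE from
    # accepting non-ASCII look-alike letters (e.g. U+017F for "s").
    re.IGNORECASE | re.ASCII,
)


def is_run_command_script(path: str) -> bool:
    """True only when the entire path matches the expected pattern."""
    # fullmatch anchors both ends: no extra directory, suffix or newline.
    return RUN_COMMAND_RE.fullmatch(path) is not None


def check_all(paths):
    """Map each candidate path to the allowlist decision."""
    return {p: is_run_command_script(p) for p in paths}


# Constructed sample paths, not taken from real systems or logs.
_ID = "1a2b3c4d-5e6f-7a8b-9c0d-1e2f3a4b5c6d"
GOOD = "C:\\Windows\\Temp\\ra-run-command-" + _ID + ".bat"
SAMPLES = [
    GOOD,
    GOOD.lower(),
    "C:\\Windows\\Temp\\ra-run-command.bat",
    GOOD + ".exe",
    GOOD + "\n",
    GOOD.replace("\\Temp\\", "\\Temp\\sub\\"),
    GOOD.replace("Windows", "Window\u017f"),
    GOOD.replace("-5e6f-", "-5e6-"),
]

if __name__ == "__main__":
    for path, ok in check_all(SAMPLES).items():
        print("ALLOW" if ok else "DENY ", repr(path))
```

A path rule constrains only the file's name and location, not its contents, so it is a weaker control than the hash rule it replaces.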
