Windows task scheduler protection



Hi,

 

running Windows 7 x64 & ESET trial

 

I'm testing ESET because I was hoping ESET offered Windows Task Scheduler protection.

I basically need protection from google, opera and any app ftm enabling task without my permission.

 

The ESET HIPS rule editor seems promising as a way to be prompted,

but I'm not sure how to make this work.

Do I prevent apps writing to the %SystemRoot%\Tasks folder,

or what?

 

and if so how?

 

Have ESET vets played with this?

 

or can offer assistance / solution ?

 

tia


  • Administrators

Try creating a blocking rule with "Write to file" selected in the "Target files" tab and "C:\WINDOWS\Tasks\*.*" selected in the "Over these files" section.


AFAIK in Windows Vista and above Windows doesn't use C:\WINDOWS\Tasks anymore.

You could try blocking access to "C:\Windows\System32\schtasks.exe" (so that it can't be run), however this would only block the command line tool and wouldn't help very much, as there are other ways to modify tasks.

 

Edit: No, they are still stored in the file system, but mostly under C:\Windows\System32\Tasks in Windows 7.

Source: hxxp://stackoverflow.com/questions/2913816/how-to-discover-the-location-of-the-scheduled-tasks-folder

So, if you block access to both directories, C:\Windows\Tasks and C:\Windows\System32\Tasks, you should be able to protect the tasks from changes.

Edit2: If you're running a 64-bit version of Windows, then you may also block access to C:\Windows\SysWOW64\Tasks.

Edited by rugk

Thanks for the info guys!

 

I'll try that

'cause the Task Scheduler service uses "C:\Windows\system32\svchost.exe -k netsvcs"

couldn't figure out how that would work in a rule set

 

I'll post back the results

 

Thanks again


Well... you're right, the "Schedule" service is running as "C:\Windows\system32\svchost.exe -k netsvcs". However, I highly assume this service must run, otherwise scheduled tasks can't run.
So I don't understand what you want to make.
 
As we said, you must block access to some directories.
E.g. create a rule this way:
[attached screenshot]
 
So I have done this and tested it by trying to create a new rule in the schedule manager:
[attached screenshot]
 
As you can see, it doesn't work and was blocked by ESS.
 
So finally I exported the configuration and trimmed it a bit so you can easily import it into ESS and you'll have this rule.
Here you can download it:
 
Block rule: Download (alternative download link)

Ask rule: Download (alternative download link)

I configured it to notify the user and to log all tries of all programs.
I hope this will fit your needs. :)
 
But keep one thing in mind: if you want to edit the tasks yourself, you of course need to disable the rule temporarily.

 

Edit: Updated XML files, added ask rule.

Edited by rugk

@rugk

 

Thanks

 

I hadn't had a chance to try the approaches mentioned

and was only trying to relay how I was thinking before posting to this fine forum

but what you have done is exactly what I had in mind

I will change block to ask so I can control the rule enforcement on a case-by-case basis

but you nailed it.

 

"There's a long line forming to sing your praises!" :D  :D  :D 

 

Thanks again!

Edited by pcuser64

Yeah, useful idea to set it to "Ask".

I did it too and added the corresponding rule.

I also made some small changes to the other rule file, but these were only some cosmetic changes. :)

Edited by rugk

@rugk

 

can't get new rules, address blocked by my ESET :(

"The web page is on the list of websites with potentially dangerous content."

no worries

original works great

 

cheers!


@pcuser64

Ahh yeah. It seems someone has uploaded malicious files to workupload.com. As it's a free file hoster, anyone can upload anything.

So just try the big green download link. It links to mega.co.nz and it should work.

 

But besides this, I think you don't need to import the new rules file, as you already adapted the rule in a similar way to what I did. Only some other cosmetic changes.

 

@all

However, I noticed that in some situations you might see many block or ask messages at startup. This is because of triggers in some tasks which e.g. run at startup or at specific times and update themselves.

If you don't want to allow the update at every startup, you can create permanent allow rules for these specific tasks.

Edited by rugk
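An added example (my own, not rugk's rule files or anything from ESET): a PowerShell audit of the three task folders named in this thread that lists each task's triggers and commands, boot/logon tasks first, so you can decide which tasks deserve a permanent allow rule instead of an "Ask" prompt at every startup. It assumes PowerShell 3.0 or later and an elevated session, since System32\Tasks is not readable by standard users; the XML namespace is the one Windows uses for task definitions.

```powershell
# Added example (not from this thread or ESET): audit the task folders named
# above and list every task's triggers and commands, boot/logon tasks first,
# to help decide which tasks get a permanent allow rule instead of an "Ask".
# Assumes PowerShell 3.0+ and an elevated session (System32\Tasks is otherwise
# not readable). Non-task files (e.g. SA.DAT) in these folders are skipped.
$taskDirs = @(
    "$env:SystemRoot\Tasks",
    "$env:SystemRoot\System32\Tasks",
    "$env:SystemRoot\SysWOW64\Tasks"
) | Where-Object { Test-Path -LiteralPath $_ }

# XML namespace of Windows task definitions.
$ns = @{ t = 'http://schemas.microsoft.com/windows/2004/02/mit/task' }

function Get-TaskSummary {
    param([string]$Path)
    try {
        $xml = [xml](Get-Content -LiteralPath $Path -ErrorAction Stop)
    } catch {
        return $null   # not a task definition, or unreadable: skip it
    }
    # Trigger element names say when the task fires (BootTrigger, LogonTrigger, ...).
    $triggers = @(Select-Xml -Xml $xml -Namespace $ns -XPath '//t:Triggers/*' |
        ForEach-Object { $_.Node.LocalName } | Sort-Object -Unique)
    # Each Exec action names the program that will be started.
    $commands = @(Select-Xml -Xml $xml -Namespace $ns -XPath '//t:Actions/t:Exec' |
        ForEach-Object { ("$($_.Node.Command) $($_.Node.Arguments)").Trim() })
    [pscustomobject]@{
        Startup  = [bool]($triggers -match '^(Boot|Logon)Trigger$')
        Triggers = ($triggers -join ', ')
        Commands = ($commands -join ' | ')
        Task     = $Path
    }
}

$report = foreach ($dir in $taskDirs) {
    Get-ChildItem -LiteralPath $dir -Recurse -File -ErrorAction SilentlyContinue |
        ForEach-Object { Get-TaskSummary -Path $_.FullName } |
        Where-Object { $_ -ne $null }
}

# Startup tasks first: these are the ones behind the block/ask prompts at boot.
$report | Sort-Object -Property @{ Expression = 'Startup'; Descending = $true }, Task |
    Format-Table -AutoSize -Wrap Startup, Triggers, Commands, Task
```

Run it once before enabling the "Ask" rule and again after a reboot; any task that appears with a new command is a candidate for a closer look rather than a blanket allow.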
