
How to configure code detection for suspicious autorun in the 'Script analysis' section

Release Time
02/14/2019


Introduction

  • There are two types of executable programs:
     
    • Compiled – These programs can execute on their own. Examples include .exe and .dll files.
       
    • Non-compiled – These are scripts which require an interpreter program to execute them. For example, PowerShell scripts (.ps1) are interpreted and executed by the PowerShell program.
       
  • Non-compiled programs are also known as 'fileless' programs. A fileless malware attack therefore lets malicious actors run PowerShell commands directly on your system, without dropping an executable. These attacks can be used to take control of endpoints, install ransomware, steal confidential data and more.
     
  • Comodo Client Security (CCS) can inspect all paths and commands passed to interpreters on your endpoints, protecting you against this type of attack. To enable the feature, add a 'Script Analysis' section to a Windows profile and configure the following areas:
     
    • Runtime Detection – Performs script analysis before an application executes.
       
    • Autoruns Scan – Scans default autorun items, scheduled tasks and Windows services. This protects you against malicious code triggered by Windows start-up and auto-run items.
     
  • The following tutorial explains how to add a Script Analysis section and enable fileless malware protection.
     

Process in brief

  • In Endpoint Manager, click 'Configuration Templates' > 'Profiles'
     
  • Click the profile to which you want to add the new section
     
  • Click 'Add Profile Section' > 'Script Analysis'
     
  • In 'General Settings', tick the 'Perform Script Analysis' checkbox and enter the size of scripts which should be analyzed.
     
  • Click 'Runtime Detection' to choose the interpreters you want to monitor. You can implement two types of protection per interpreter:
     
    • Heuristic command-line analysis – CCS analyzes the file paths sent to protected interpreters.
       
    • Embedded code detection – CCS analyzes the commands sent to interpreters via the command line.
       
  • Click 'Autoruns Scan' and choose 'Heuristic command-line analysis' or 'Embedded code detection' for autorun items.
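As an added example (not part of this guide and not CCS's own detection logic), the Python below applies the distinction between the two protection types to a handful of constructed autorun entries: a 'script-path' verdict marks a script file handed to an interpreter, the case heuristic command-line analysis covers, while an 'embedded-code' verdict marks code passed on the command line itself, the case embedded code detection covers. The interpreter list, switch patterns and sample entries are assumptions.

```python
"""Classify autorun command lines by how code reaches the interpreter.
Constructed example: interpreter list, switch patterns and sample entries
are assumptions, not Comodo Client Security's rules."""
import re

# Interpreters to protect (assumed list; in Endpoint Manager you pick them per profile).
INTERPRETERS = {"powershell.exe", "pwsh.exe", "cmd.exe", "wscript.exe", "cscript.exe"}
# Switches after which the next token is code rather than a file:
# PowerShell -c/-Command and -e/-ec/-enc/-EncodedCommand, cmd.exe /c and /k.
EMBEDDED_SWITCH = re.compile(r"^(?:-(?:c|command|e|ec|enc|encodedcommand)|/[ck])$", re.I)
SCRIPT_EXT = (".ps1", ".bat", ".cmd", ".vbs", ".js", ".wsf")
# Split on whitespace but keep "quoted paths with spaces" as one token.
TOKEN = re.compile(r'"[^"]*"|\S+')

def classify(cmdline):
    """Return (verdict, interpreter). Verdicts: 'embedded-code', 'script-path',
    'interpreter-other' (interpreter launched some other way), 'not-interpreter'."""
    tokens = [t.strip('"') for t in TOKEN.findall(cmdline)]
    if not tokens:
        return "not-interpreter", None
    exe = tokens[0].replace("/", "\\").rsplit("\\", 1)[-1].lower()
    if exe not in INTERPRETERS:
        return "not-interpreter", None
    args = tokens[1:]
    for i, tok in enumerate(args):
        if EMBEDDED_SWITCH.match(tok) and i + 1 < len(args):
            return "embedded-code", exe   # code arrives on the command line itself
        if tok.lower().endswith(SCRIPT_EXT):
            return "script-path", exe     # a script file is handed to the interpreter
    return "interpreter-other", exe

def scan(entries):
    """Map each autorun location to its verdict, dropping non-interpreter launches."""
    report = {}
    for location, cmdline in entries.items():
        verdict, exe = classify(cmdline)
        if verdict != "not-interpreter":
            report[location] = (verdict, exe)
    return report

RUN = r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run"
# Constructed sample entries: two Run values, two scheduled-task actions, one service command.
SAMPLE_AUTORUNS = {
    RUN + r"\Updater": r'"C:\Program Files\Vendor\updater.exe" /silent',
    RUN + r"\Sync": r'powershell.exe -ExecutionPolicy Bypass -File "C:\Users\alice\sync.ps1"',
    r"Task\Maintenance": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe -NoProfile -enc QQBCAEMA",
    r"Task\Cleanup": r"cmd.exe /c del /q %TEMP%\*.log",
    r"Service\LogonHelper": r'wscript.exe //B "C:\ProgramData\logon.vbs"',
}

if __name__ == "__main__":
    for location, (verdict, exe) in scan(SAMPLE_AUTORUNS).items():
        print(f"{verdict:17} {exe:15} {location}")
```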


Process in detail

Step 1:

  • Open Endpoint Manager
     
  • Click 'Configuration Templates' > 'Profiles'
     
  • Click the 'Profiles' tab above the list of available profiles.


Step 2:

  • Click the name of a profile to open its details page
     
  • Click 'Add Profile Section' > 'Script Analysis'

Step 3:

  • Click the 'General Settings' tab
     
  • Enable the 'Perform Script Analysis' checkbox and enter the total size for script analysis logs.

Step 4:

  • Click 'Runtime Detection'. This tab manages the list of applications for which script analysis is performed before execution.
     
  • Click 'Add' to protect a new application.

Step 5:

  • Click 'Autoruns Scan'. This tab manages the list of applications for which script analysis is performed to protect Windows services, autostart items and scheduled tasks.
     
  • To protect an autorun application, click 'Add' and repeat the procedure shown in Step 4.
  • Click 'Save'.