Ticket #181 (closed issue: fixed)

Opened 3 months ago

Last modified 3 months ago

possibly something to whitelist

Reported by: xkovah Assigned to: kindlund
Priority: lowest Milestone: 1.1
Component: Unknown Version: none
Severity: trivial Keywords:
Cc:

Description

Got this on my VM not derived from the Agent-Master series. Probably should be turned into a whitelist entry, but I'm doing other things right now... Somewhat interesting just because Flash is setting a big ol' chunk of XML/HTML in the registry:

registry SetValueKey PID:1748 C:\Program Files\Internet Explorer\iexplore.exe HKCU\Software\Macromedia\FlashPlayerUpdate description REG_SZ <XML><update version="9,0,124,0"><description>mshtml:<font face="sans-serif"><p><font color="#666666" style="{font-size: 18px}">An update to your Adobe Flash Player is available</font></p><font style="{font-size: 10px}"><p><strong>Flash Player enhances your Web browsing experience.<br />This update includes:</strong></p><ul><li>Security enhancements described in <a href="http://www.adobe.com/support/security/bulletins/apsb08-11.html"><font color="#666666">Security Bulletin APSB08-11</font></a></li></ul>Read <a href="http://www.macromedia.com/go/flashplayer_releasenotes"><font color="#666666">more about this update</font></a> and the <a href="http://www.adobe.com/products/eulas/players/flash/"><font color="#666666">End User License Agreement</font></a>. To change or disable your update notifications, click <a href="http://www.macromedia.com/support/documentation/en/flashplayer/help/settings_manager05.html"><font color="#666666">here</font></a>.<p><strong>Updating takes under a minute on broadband; no restart is required.</strong></p></font></font></description></update></XML>
registry SetValueKey PID:1748 C:\Program Files\Internet Explorer\iexplore.exe HKCU\Software\Macromedia\FlashPlayerUpdate description REG_SZ <XML><update version="9,0,124,0"><description>mshtml:<font face="sans-serif"><p><font color="#666666" style="{font-size: 18px}">An update to your Adobe Flash Player is available</font></p><font style="{font-size: 10px}"><p><strong>Flash Player enhances your Web browsing experience.<br />This update includes:</strong></p><ul><li>Security enhancements described in <a href="http://www.adobe.com/support/security/bulletins/apsb08-11.html"><font color="#666666">Security Bulletin APSB08-11</font></a></li></ul>Read <a href="http://www.macromedia.com/go/flashplayer_releasenotes"><font color="#666666">more about this update</font></a> and the <a href="http://www.adobe.com/products/eulas/players/flash/"><font color="#666666">End User License Agreement</font></a>. To change or disable your update notifications, click <a href="http://www.macromedia.com/support/documentation/en/flashplayer/help/settings_manager05.html"><font color="#666666">here</font></a>.<p><strong>Updating takes under a minute on broadband; no restart is required.</strong></p></font></font></description></update></XML>
registry SetValueKey PID:1748 C:\Program Files\Internet Explorer\iexplore.exe HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnce FlashPlayerUpdate REG_SZ C:\WINDOWS\system32\Macromed\Flash\FlashUtil9c.exe
registry SetValueKey PID:1748 C:\Program Files\Internet Explorer\iexplore.exe HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnce FlashPlayerUpdate REG_SZ C:\WINDOWS\system32\Macromed\Flash\FlashUtil9c.exe
registry SetValueKey PID:1748 C:\Program Files\Internet Explorer\iexplore.exe HKCU\Software\Macromedia\FlashPlayerUpdate description REG_SZ <XML><update version="9,0,124,0"><description>mshtml:<font face="sans-serif"><p><font color="#666666" style="{font-size: 18px}">An update to your Adobe Flash Player is available</font></p><font style="{font-size: 10px}"><p><strong>Flash Player enhances your Web browsing experience.<br />This update includes:</strong></p><ul><li>Security enhancements described in <a href="http://www.adobe.com/support/security/bulletins/apsb08-11.html"><font color="#666666">Security Bulletin APSB08-11</font></a></li></ul>Read <a href="http://www.macromedia.com/go/flashplayer_releasenotes"><font color="#666666">more about this update</font></a> and the <a href="http://www.adobe.com/products/eulas/players/flash/"><font color="#666666">End User License Agreement</font></a>. To change or disable your update notifications, click <a href="http://www.macromedia.com/support/documentation/en/flashplayer/help/settings_manager05.html"><font color="#666666">here</font></a>.<p><strong>Updating takes under a minute on broadband; no restart is required.</strong></p></font></font></description></update></XML>
registry SetValueKey PID:1748 C:\Program Files\Internet Explorer\iexplore.exe HKCU\Software\Macromedia\FlashPlayerUpdate description REG_SZ <XML><update version="9,0,124,0"><description>mshtml:<font face="sans-serif"><p><font color="#666666" style="{font-size: 18px}">An update to your Adobe Flash Player is available</font></p><font style="{font-size: 10px}"><p><strong>Flash Player enhances your Web browsing experience.<br />This update includes:</strong></p><ul><li>Security enhancements described in <a href="http://www.adobe.com/support/security/bulletins/apsb08-11.html"><font color="#666666">Security Bulletin APSB08-11</font></a></li></ul>Read <a href="http://www.macromedia.com/go/flashplayer_releasenotes"><font color="#666666">more about this update</font></a> and the <a href="http://www.adobe.com/products/eulas/players/flash/"><font color="#666666">End User License Agreement</font></a>. To change or disable your update notifications, click <a href="http://www.macromedia.com/support/documentation/en/flashplayer/help/settings_manager05.html"><font color="#666666">here</font></a>.<p><strong>Updating takes under a minute on broadband; no restart is required.</strong></p></font></font></description></update></XML>
registry SetValueKey PID:1748 C:\Program Files\Internet Explorer\iexplore.exe HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnce FlashPlayerUpdate REG_SZ C:\WINDOWS\system32\Macromed\Flash\FlashUtil9c.exe
registry SetValueKey PID:1748 C:\Program Files\Internet Explorer\iexplore.exe HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnce FlashPlayerUpdate REG_SZ C:\WINDOWS\system32\Macromed\Flash\FlashUtil9c.exe

Attachments

Change History

07/10/08 13:43:55 changed by xkovah

let's try this again as raw

registry SetValueKey PID:1748 C:\Program Files\Internet Explorer\iexplore.exe HKCU\Software\Macromedia\FlashPlayerUpdate description REG_SZ <XML><update version="9,0,124,0"><description>mshtml:<font face="sans-serif"><p><font color="#666666" style="{font-size: 18px}">An update to your Adobe Flash Player is available</font></p><font style="{font-size: 10px}"><p><strong>Flash Player enhances your Web browsing experience.<br />This update includes:</strong></p><ul><li>Security enhancements described in <a href="http://www.adobe.com/support/security/bulletins/apsb08-11.html"><font color="#666666">Security Bulletin APSB08-11</font></a></li></ul>Read <a href="http://www.macromedia.com/go/flashplayer_releasenotes"><font color="#666666">more about this update</font></a> and the <a href="http://www.adobe.com/products/eulas/players/flash/"><font color="#666666">End User License Agreement</font></a>. To change or disable your update notifications, click <a href="http://www.macromedia.com/support/documentation/en/flashplayer/help/settings_manager05.html"><font color="#666666">here</font></a>.<p><strong>Updating takes under a minute on broadband; no restart is required.</strong></p></font></font></description></update></XML>
registry SetValueKey PID:1748 C:\Program Files\Internet Explorer\iexplore.exe HKCU\Software\Macromedia\FlashPlayerUpdate description REG_SZ <XML><update version="9,0,124,0"><description>mshtml:<font face="sans-serif"><p><font color="#666666" style="{font-size: 18px}">An update to your Adobe Flash Player is available</font></p><font style="{font-size: 10px}"><p><strong>Flash Player enhances your Web browsing experience.<br />This update includes:</strong></p><ul><li>Security enhancements described in <a href="http://www.adobe.com/support/security/bulletins/apsb08-11.html"><font color="#666666">Security Bulletin APSB08-11</font></a></li></ul>Read <a href="http://www.macromedia.com/go/flashplayer_releasenotes"><font color="#666666">more about this update</font></a> and the <a href="http://www.adobe.com/products/eulas/players/flash/"><font color="#666666">End User License Agreement</font></a>. To change or disable your update notifications, click <a href="http://www.macromedia.com/support/documentation/en/flashplayer/help/settings_manager05.html"><font color="#666666">here</font></a>.<p><strong>Updating takes under a minute on broadband; no restart is required.</strong></p></font></font></description></update></XML>
registry SetValueKey PID:1748 C:\Program Files\Internet Explorer\iexplore.exe HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnce FlashPlayerUpdate REG_SZ C:\WINDOWS\system32\Macromed\Flash\FlashUtil9c.exe
registry SetValueKey PID:1748 C:\Program Files\Internet Explorer\iexplore.exe HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnce FlashPlayerUpdate REG_SZ C:\WINDOWS\system32\Macromed\Flash\FlashUtil9c.exe
registry SetValueKey PID:1748 C:\Program Files\Internet Explorer\iexplore.exe HKCU\Software\Macromedia\FlashPlayerUpdate description REG_SZ <XML><update version="9,0,124,0"><description>mshtml:<font face="sans-serif"><p><font color="#666666" style="{font-size: 18px}">An update to your Adobe Flash Player is available</font></p><font style="{font-size: 10px}"><p><strong>Flash Player enhances your Web browsing experience.<br />This update includes:</strong></p><ul><li>Security enhancements described in <a href="http://www.adobe.com/support/security/bulletins/apsb08-11.html"><font color="#666666">Security Bulletin APSB08-11</font></a></li></ul>Read <a href="http://www.macromedia.com/go/flashplayer_releasenotes"><font color="#666666">more about this update</font></a> and the <a href="http://www.adobe.com/products/eulas/players/flash/"><font color="#666666">End User License Agreement</font></a>. To change or disable your update notifications, click <a href="http://www.macromedia.com/support/documentation/en/flashplayer/help/settings_manager05.html"><font color="#666666">here</font></a>.<p><strong>Updating takes under a minute on broadband; no restart is required.</strong></p></font></font></description></update></XML>
registry SetValueKey PID:1748 C:\Program Files\Internet Explorer\iexplore.exe HKCU\Software\Macromedia\FlashPlayerUpdate description REG_SZ <XML><update version="9,0,124,0"><description>mshtml:<font face="sans-serif"><p><font color="#666666" style="{font-size: 18px}">An update to your Adobe Flash Player is available</font></p><font style="{font-size: 10px}"><p><strong>Flash Player enhances your Web browsing experience.<br />This update includes:</strong></p><ul><li>Security enhancements described in <a href="http://www.adobe.com/support/security/bulletins/apsb08-11.html"><font color="#666666">Security Bulletin APSB08-11</font></a></li></ul>Read <a href="http://www.macromedia.com/go/flashplayer_releasenotes"><font color="#666666">more about this update</font></a> and the <a href="http://www.adobe.com/products/eulas/players/flash/"><font color="#666666">End User License Agreement</font></a>. To change or disable your update notifications, click <a href="http://www.macromedia.com/support/documentation/en/flashplayer/help/settings_manager05.html"><font color="#666666">here</font></a>.<p><strong>Updating takes under a minute on broadband; no restart is required.</strong></p></font></font></description></update></XML>
registry SetValueKey PID:1748 C:\Program Files\Internet Explorer\iexplore.exe HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnce FlashPlayerUpdate REG_SZ C:\WINDOWS\system32\Macromed\Flash\FlashUtil9c.exe
registry SetValueKey PID:1748 C:\Program Files\Internet Explorer\iexplore.exe HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnce FlashPlayerUpdate REG_SZ C:\WINDOWS\system32\Macromed\Flash\FlashUtil9c.exe

07/10/08 14:12:57 changed by kindlund

So r1679 partially fixes this issue.

The major problem is this entry:

registry SetValueKey PID:1748 C:\Program Files\Internet Explorer\iexplore.exe HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnce FlashPlayerUpdate REG_SZ C:\WINDOWS\system32\Macromed\Flash\FlashUtil9c.exe

Remember, we have the RunOnce registry subkey flagged so that changes are ALWAYS considered malicious (i.e., it's on our 'minus' list). So it doesn't matter how many times we add in exclusions, it will always get flagged as bad stuff.

This is the corresponding minus entry:

-   SetValueKey .*  HLKM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run.*

To that end, I think a more pragmatic view is:

  1. Turn OFF Flash Auto Updating

-OR-

  2. Always keep your Flash version up-to-date inside the master VM

To solve this problem in our production environment, I've opted for option 1.

— Darien
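The plus/minus evaluation described in this comment, run over the two kinds of record quoted in the description and above, as an added example (not part of the ticket, and not the project's own code). The field layout of the log line, the list syntax and the rule-matching semantics are assumptions made for the example: the minus pattern is written to match the HKCU path actually logged (the entry quoted above names an HLKM hive), registry paths are matched case-insensitively, and the XML payload in the constructed sample is abbreviated. It shows that a RunOnce write is flagged even when a plus entry for the same key is added.

```python
import re
from typing import List, Optional, Tuple

# Constructed sample records, transcribed from the SetValueKey lines quoted in
# ticket #181; the XML payload of the first record is abbreviated with "...".
SAMPLE_LOG = [
    r'registry SetValueKey PID:1748 C:\Program Files\Internet Explorer\iexplore.exe '
    r'HKCU\Software\Macromedia\FlashPlayerUpdate description REG_SZ '
    r'<XML><update version="9,0,124,0"><description>...</description></update></XML>',
    r'registry SetValueKey PID:1748 C:\Program Files\Internet Explorer\iexplore.exe '
    r'HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnce FlashPlayerUpdate REG_SZ '
    r'C:\WINDOWS\system32\Macromed\Flash\FlashUtil9c.exe',
]

# Field layout assumed from the log lines: the process path may contain spaces,
# so it is matched lazily up to its ".exe"; key path, value name and type
# contain no spaces; everything after the type is the value data.
RECORD_RE = re.compile(
    r'^(?P<source>\w+) (?P<op>\w+) PID:(?P<pid>\d+) (?P<process>.+?\.exe) '
    r'(?P<key>HK\w+\\\S+) (?P<name>\S+) (?P<type>REG_\w+) (?P<data>.*)$'
)

Rule = Tuple[str, str, str]  # (operation, process regex, key regex)

# Illustrative list entries (the project's real list syntax is not shown on the page):
# "plus" entries are exclusions for known-good writes, "minus" entries are always bad.
PLUS_LIST: List[Rule] = [
    ("SetValueKey", r".*", r"HKCU\\Software\\Macromedia\\FlashPlayerUpdate"),
]
MINUS_LIST: List[Rule] = [
    # The ticket quotes this entry with an HLKM hive; here it is written to match
    # the HKCU path actually logged, as well as HKLM. "Run.*" also covers Run,
    # RunOnceEx and similar autostart subkeys.
    ("SetValueKey", r".*", r"HK(CU|LM)\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run.*"),
]


def parse_record(line: str) -> Optional[dict]:
    """Split one monitor line into named fields, or None if it does not parse."""
    m = RECORD_RE.match(line)
    return m.groupdict() if m else None


def _matches(rule: Rule, rec: dict) -> bool:
    # Registry paths are case-insensitive, so the quoted entry's upper-case
    # SOFTWARE must still match the logged "Software".
    op, proc_re, key_re = rule
    return (rec["op"] == op
            and re.fullmatch(proc_re, rec["process"], re.IGNORECASE) is not None
            and re.fullmatch(key_re, rec["key"], re.IGNORECASE) is not None)


def classify(rec: dict, plus: List[Rule] = PLUS_LIST, minus: List[Rule] = MINUS_LIST) -> str:
    """Minus list wins: a write matching it is 'malicious' no matter how many
    plus entries also match. Otherwise a plus match excludes the write, and
    anything left over is 'unknown' for the analyst to triage."""
    if any(_matches(r, rec) for r in minus):
        return "malicious"
    if any(_matches(r, rec) for r in plus):
        return "excluded"
    return "unknown"


def triage(lines: List[str], plus: List[Rule] = PLUS_LIST,
           minus: List[Rule] = MINUS_LIST) -> List[Tuple[str, str, str]]:
    """Return (verdict, key path, value name) for every line; unparsable lines
    are reported rather than silently dropped."""
    out: List[Tuple[str, str, str]] = []
    for line in lines:
        rec = parse_record(line)
        if rec is None:
            out.append(("unparsed", "", line[:60]))
            continue
        out.append((classify(rec, plus, minus), rec["key"], rec["name"]))
    return out


if __name__ == "__main__":
    for verdict, key, name in triage(SAMPLE_LOG):
        print(f"{verdict:10} {key}\\{name}")
    # Adding a RunOnce exclusion to the plus list changes nothing for the
    # FlashUtil9c.exe write: the minus list is consulted first.
    with_runonce_plus = PLUS_LIST + [
        ("SetValueKey", r".*", r"HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce"),
    ]
    print(triage(SAMPLE_LOG, plus=with_runonce_plus)[1][0])
```

The FlashPlayerUpdate XML write is excluded by the plus entry while the RunOnce write stays "malicious" with or without a matching plus entry, which is why the comment above treats the RunOnce record as the real problem and moves to stopping the write at its source.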

07/10/08 15:45:17 changed by xkovah

  • status changed from new to closed.
  • resolution set to fixed.

I agree that 1 is the better option. But as this will hit other people eventually, it should be documented on the UserGuide somewhere. Maybe as a subpage with optional tips and tricks. Things like this, but also things like updating the exclusion lists, so that you don't have to rewrite what you just put in that other ticket at some point in the future (since we had seen it previously due to the different international versions of Windows and such).

Xeno
