On occasion, applications pass inline commands that contain a randomly generated path or batch file name. As an example, for demonstration purposes, this command opens a command prompt that starts camplay.exe from a "random" location:
cmd /c C:\temp\Random014\camplay.exe
With Secure run enabled, the following message is displayed:
To allow this process to work and CamPlay to run, it is not camplay.exe that must be allowed in this example; it is cmd.exe, because cmd.exe is the process the inline command actually launches, and camplay.exe only starts as its child.
To that end, there are two options you could take:

- Create an "Allow and Log" rule for cmd.exe, which allows everything that is called through it. This is possibly dangerous and not recommended: an unconditional allow for cmd.exe lets any command line run as long as it is launched through cmd.exe, which defeats the purpose of the control.
- Create an "Allow and Log" rule with conditions that limit the scope (recommended).
Focusing on option 2, below is a common way to set up a policy that allows the inline command to run from a random path:

- Add a New Executable Policy.
- Select Combo Rule.
- Select Path, Command line and at least one other condition. The extra condition guards against a fraudulent parent process (cmd.exe in this case): a binary that is not the genuine cmd.exe but sits at the path, or carries the name, that the Path condition expects.
  Note 1: Either Hash or File Info may be used in addition to, or instead of, Signature, but it is recommended that at least one condition beyond the command-line arguments be used.
  Note 2: "Apply to child processes" may or may not be required; clearing this checkbox limits the scope further. In this example, however, it was required, because camplay.exe runs as a child of cmd.exe.
- Set up your Path condition: be as specific as possible.
- Set your secondary conditions: Signature in this example.
- Set your Command-line condition: use strict Equality and set the Arguments using the wildcard character "*" to replace any randomized or user-specific part of the path or file name. Be as specific as possible while still allowing for any variation that may come up in the path. In this example, \Random014\ was replaced by \Random*\, so the arguments become /c C:\temp\Random*\camplay.exe. Keep the fixed parent directory and the fixed executable name in the pattern; a pattern that ends in a bare "*" lets cmd.exe run any command, which is option 1 again in disguise.
  Note: "*" is the only supported wildcard character.
  Note: "Ignore arguments case" should be checked (it is checked by default).
- Set the action as needed: generally either "Allow and Log" (this example) or "Run with elevated Privileges" (if needed).
  Note: for security and compatibility reasons, elevate only when it is necessary to do so.
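Before deploying a wildcard argument pattern, it is worth checking which command lines it would accept. The following script is an added example, not code from the original page or from the product vendor; it simulates the matching described above under assumed semantics (strict equality over the whole argument string, "*" matching any run of characters including backslashes, case-insensitive) and runs the page's pattern, plus a deliberately loose one, against a set of constructed sample command lines. The sample arguments and the helper names (arguments_match, audit_pattern) are assumptions for illustration and are not part of the product.

```python
import re

# Argument patterns for the cmd.exe rule. TIGHT is the page's example with
# \Random014\ replaced by \Random*\; LOOSE is what "allow anything through
# cmd.exe" effectively amounts to. Both are constructed for this example.
TIGHT_PATTERN = r"/c C:\temp\Random*\camplay.exe"
LOOSE_PATTERN = r"/c *"

# Constructed sample argument strings a policy might encounter. The first two
# are legitimate variations of the random path; the rest are things an
# attacker or a careless user might try to push through the same rule.
SAMPLE_ARGUMENTS = [
    r"/c C:\temp\Random014\camplay.exe",
    r"/C c:\TEMP\random9A7\CamPlay.EXE",
    r"/c C:\temp\Random014\camplay.exe & powershell.exe -nop -w hidden",
    r"/c C:\temp\Random014\other.exe",
    r"/c C:\Users\Public\Random014\camplay.exe",
    r"/c C:\temp\Random1\..\..\Users\Public\camplay.exe",
]


def wildcard_to_regex(pattern: str) -> re.Pattern:
    """Translate a policy argument pattern into a compiled regex.

    Assumed semantics (not confirmed against the product): "*" is the only
    wildcard and matches any run of characters, including backslashes and
    spaces; every other character is literal; matching is case-insensitive
    and must cover the entire argument string (strict Equality).
    """
    literal_parts = [re.escape(part) for part in pattern.split("*")]
    return re.compile(".*".join(literal_parts), re.IGNORECASE | re.DOTALL)


def arguments_match(pattern: str, arguments: str) -> bool:
    """Return True if the policy pattern accepts the given argument string."""
    return wildcard_to_regex(pattern).fullmatch(arguments) is not None


def audit_pattern(pattern: str, samples=SAMPLE_ARGUMENTS) -> dict:
    """Evaluate one pattern against every sample; maps argument string -> allowed."""
    return {args: arguments_match(pattern, args) for args in samples}


def allowed_count(pattern: str, samples=SAMPLE_ARGUMENTS) -> int:
    """Number of sample command lines the pattern would allow through cmd.exe."""
    return sum(audit_pattern(pattern, samples).values())


def ends_with_bare_wildcard(pattern: str) -> bool:
    """A trailing "*" means any trailing text is accepted, e.g. chained commands."""
    return pattern.rstrip().endswith("*")


if __name__ == "__main__":
    for name, pattern in (("TIGHT", TIGHT_PATTERN), ("LOOSE", LOOSE_PATTERN)):
        print(f"{name}: {pattern}")
        if ends_with_bare_wildcard(pattern):
            print("  warning: pattern ends in '*', so any trailing text is accepted")
        for args, allowed in audit_pattern(pattern).items():
            print(f"  {'ALLOW' if allowed else 'deny '}  {args}")
        print(f"  allowed {allowed_count(pattern)} of {len(SAMPLE_ARGUMENTS)}\n")
```

Two results deserve attention. The chained command (`... & powershell.exe ...`) is denied by the tight pattern only because the match is strict equality over the whole string; the loose pattern allows it. The `\..\..\` sample is allowed by the tight pattern under the assumed semantics that "*" spans backslashes, which means the fixed prefix `C:\temp\` does not by itself pin the executable to that directory; the Signature or Hash condition on the Combo Rule, and the Path condition on cmd.exe itself, are what keep such a rule from becoming a general bypass.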