possibly something to whitelist

Question

possibly something to whitelist

Closed this issue 15 years ago · 3 comments

Got this on my VM not derived from the Agent-Master series. Probably should be turned into a whitelist entry, but I'm doing other things right now...somewhat interesting just because Flash is setting a big ol chunk of XML/HTML in the registry

registry SetValueKey PID:1748 C:\Program Files\Internet Explorer\iexplore.exe HKCU\Software\Macromedia\FlashPlayerUpdate
description REG_SZ mshtml:

An update to your Adobe Flash Player is available

Flash Player enhances your Web browsing experience.
This update includes:

Security e nhancements described in Security Bulletin APSB08-11

Read more about this update and the End User License Agreement. To change or disable your update notifications, click

here.

Updating takes under a minute on broadband; no restart is required.

</fon
t>
registry SetValueKey PID:1748 C:\Program Files\Internet Explorer\iexplore.exe HKCU\Software\Macromedia\FlashPlayerUpdate
description REG_SZ mshtml:

An update to your Adobe Flash Player is available

Flash Player enhances your Web browsing experience.
This update includes:

Security e nhancements described in Security Bulletin APSB08-11

Read more about this update and the End User License Agreement. To change or disable your update notifications, click .

Updating takes under a minute on broadband; no restart is required.

registry SetValueKey PID:1748 C:\Program Files\Internet Explorer\iexplore.exe HKCU\Software\Microsoft\Windows\CurrentVer sion\RunOnce FlashPlayerUpdate REG_SZ C:\WINDOWS\system32\Macromed\Flash\FlashUtil9c.exe registry SetValueKey PID:1748 C:\Program Files\Internet Explorer\iexplore.exe HKCU\Software\Microsoft\Windows\CurrentVer sion\RunOnce FlashPlayerUpdate REG_SZ C:\WINDOWS\system32\Macromed\Flash\FlashUtil9c.exe registry SetValueKey PID:1748 C:\Program Files\Internet Explorer\iexplore.exe HKCU\Software\Macromedia\FlashPlayerUpdate description REG_SZ mshtml:

An update to your Adobe Flash Player is available

Flash Player enhances your Web browsing experience.
This update includes:

Security e nhancements described in Security Bulletin APSB08-11

Read more about this update and the End User License Agreement. To change or disable your update notifications, click .

Updating takes under a minute on broadband; no restart is required.

registry SetValueKey PID:1748 C:\Program Files\Internet Explorer\iexplore.exe HKCU\Software\Macromedia\FlashPlayerUpdate description REG_SZ mshtml:

An update to your Adobe Flash Player is available

Flash Player enhances your Web browsing experience.
This update includes:

Security e nhancements described in Security Bulletin APSB08-11

Read more about this update and the End User License Agreement. To change or disable your update notifications, click .

Updating takes under a minute on broadband; no restart is required.

registry SetValueKey PID:1748 C:\Program Files\Internet Explorer\iexplore.exe HKCU\Software\Microsoft\Windows\CurrentVer sion\RunOnce FlashPlayerUpdate REG_SZ C:\WINDOWS\system32\Macromed\Flash\FlashUtil9c.exe registry SetValueKey PID:1748 C:\Program Files\Internet Explorer\iexplore.exe HKCU\Software\Microsoft\Windows\CurrentVer sion\RunOnce FlashPlayerUpdate REG_SZ C:\WINDOWS\system32\Macromed\Flash\FlashUtil9c.exe

Answer 1 · 2010-01-07T20:34:39.000Z

Author: xkovah
let's try this again as raw

{{{
registry SetValueKey PID:1748 C:\Program Files\Internet Explorer\iexplore.exe HKCU\Software\Macromedia\FlashPlayerUpdate
description REG_SZ mshtml:

An update to your Adobe Flash Player is available

Flash Player enhances your Web browsing experience.
This update includes:

Security e nhancements described in Security Bulletin APSB08-11

Read more about this update and the End User License Agreement. To change or disable your update notifications, click

here.

Updating takes under a minute on broadband; no restart is required.

</fon
t>
registry SetValueKey PID:1748 C:\Program Files\Internet Explorer\iexplore.exe HKCU\Software\Macromedia\FlashPlayerUpdate
description REG_SZ mshtml:

An update to your Adobe Flash Player is available

Flash Player enhances your Web browsing experience.
This update includes:

Security e nhancements described in Security Bulletin APSB08-11

Read more about this update and the End User License Agreement. To change or disable your update notifications, click .

Updating takes under a minute on broadband; no restart is required.

registry SetValueKey PID:1748 C:\Program Files\Internet Explorer\iexplore.exe HKCU\Software\Microsoft\Windows\CurrentVer sion\RunOnce FlashPlayerUpdate REG_SZ C:\WINDOWS\system32\Macromed\Flash\FlashUtil9c.exe registry SetValueKey PID:1748 C:\Program Files\Internet Explorer\iexplore.exe HKCU\Software\Microsoft\Windows\CurrentVer sion\RunOnce FlashPlayerUpdate REG_SZ C:\WINDOWS\system32\Macromed\Flash\FlashUtil9c.exe registry SetValueKey PID:1748 C:\Program Files\Internet Explorer\iexplore.exe HKCU\Software\Macromedia\FlashPlayerUpdate description REG_SZ mshtml:

An update to your Adobe Flash Player is available

Flash Player enhances your Web browsing experience.
This update includes:

Security e nhancements described in Security Bulletin APSB08-11

Read more about this update and the End User License Agreement. To change or disable your update notifications, click .

Updating takes under a minute on broadband; no restart is required.

registry SetValueKey PID:1748 C:\Program Files\Internet Explorer\iexplore.exe HKCU\Software\Macromedia\FlashPlayerUpdate description REG_SZ mshtml:

An update to your Adobe Flash Player is available

Flash Player enhances your Web browsing experience.
This update includes:

Security e nhancements described in Security Bulletin APSB08-11

Read more about this update and the End User License Agreement. To change or disable your update notifications, click .

Updating takes under a minute on broadband; no restart is required.

registry SetValueKey PID:1748 C:\Program Files\Internet Explorer\iexplore.exe HKCU\Software\Microsoft\Windows\CurrentVer sion\RunOnce FlashPlayerUpdate REG_SZ C:\WINDOWS\system32\Macromed\Flash\FlashUtil9c.exe registry SetValueKey PID:1748 C:\Program Files\Internet Explorer\iexplore.exe HKCU\Software\Microsoft\Windows\CurrentVer sion\RunOnce FlashPlayerUpdate REG_SZ C:\WINDOWS\system32\Macromed\Flash\FlashUtil9c.exe }}}

Answer 2 · 2010-01-07T20:34:42.000Z

Author: kindlund
So r1679 partially fixes this issue.

The major problem is this entry:

{{{
registry SetValueKey PID:1748 C:\Program Files\Internet Explorer\iexplore.exe HKCU\Software\Microsoft\Windows\CurrentVer
sion\RunOnce FlashPlayerUpdate REG_SZ C:\WINDOWS\system32\Macromed\Flash\FlashUtil9c.exe
}}}

Remember, we have the RunOnce registry subkey flagged as changes are ALWAYS considered malicious (i.e., it's on our 'minus' list). So it doesn't matter how many times we add in exclusions, it will always get flagged as bad stuff.

This is the corresponding minus entry:

{{{

SetValueKey .* HLKM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run.*
}}}

To that end, I think a more pragmatic view is:

Turn OFF Flash Auto Updating
-OR-
Always keep your Flash version up-to-date inside the master VM

To solve this problem in our production environment, I've opted for option 1.

-- Darien

Answer 3 · 2010-01-07T20:34:44.000Z

Author: xkovah
I agree that 1 is the better option. But as this will hit other people eventually, it should be documented on the UserGuide somewhere. Maybe as a subpage with optional tips and tricks. Things like this, but also things like the updating the exclusion lists, so that you don't have to rewrite what you just put in that other ticket at some point in the future (since we had seen it previously due to the different international versions of windows and such).

Xeno