
Inconsistent action of Hitman.Pro when opening an HTA extension in different applications.

An end-user was e-mailed the location to an HTA file via UNC path (\\servername\fileshare\file.HTA). When the end-user double-clicked on the link in Outlook the Hitman.Pro service prevented the action and shut down Outlook.exe and logged an alert.

When the same UNC link is sent via Skype for Business in a chat window, the end-user can click on the UNC link and Sophos will not detect it as malicious behavior.

This seems to me like inconsistent behavior. If that's not the case, I'd be open as to the 'why'.

 

~Pete



  • Hi Pete, 

    Thank you for pointing this out. Let me check on this and get back to you. In the meantime, does this happen with one particular .HTA file or with any such file?

    Haridoss Sreenivasan
    Technical Support Engineer | Sophos Technical Support
    Knowledge Base  |  @SophosSupport  |  Video tutorials
    Remember to like a post.  If a post (on a question thread) solves your question use the 'This helped me' link.

  • I have only one example of an HTA file being used at this time.  The specific file is an instruction file for custom installing the Solidworks CAD application on a Windows system. I'm unsure if the code contents will be displayed inline to this message but it is provided below.

     

    <html>
    <head>
    <meta http-equiv="content-type" content="text/html; charset=UTF-8" />
    <title>How to start the SOLIDWORKS software installation</title>
    <style type="text/css">
    body {font-size: 12px; font-family: Verdana; color: Black; background: white; margin-left: 5%; margin-right: 5%;}
    div.heading {font-weight: bold; font-size: 14px; color: #003366; font-family: Verdana}
    div.errorbox {border: 2px solid Red; display:none;}
    div.errorbox_title {color: Red;}
    div.removeheading {margin-left: 30px;}
    div.removeitem {margin-left: 40px;}
    div.removeitemdesc {margin-left: 60px;}
    </style>
    <script type="text/javascript">

    /**
     * Reveal the element with the given id by switching its display to "block".
     * Silently does nothing when no element with that id exists.
     * @param {string} id - DOM id of the element to show.
     */
    function show(id) {
        // var rather than const/let: this script runs inside the mshta/IE host.
        var target = document.getElementById(id);
        if (!target) {
            return;
        }
        target.style.display = "block";
    }

    /**
     * Hide the element with the given id by switching its display to "none".
     * Silently does nothing when no element with that id exists.
     * @param {string} id - DOM id of the element to hide.
     */
    function hide(id) {
        var target = document.getElementById(id);
        if (!target) {
            return;
        }
        target.style.display = "none";
    }

    /**
     * Collapse every error box on the page so that only the box relevant to
     * the next action is shown afterwards.
     */
    function hideAll() {
        var panels = [
            "securitywarning",
            "directorymissing",
            "sldimmissing",
            "startswinstallmissing"
        ];
        for (var i = 0; i < panels.length; i++) {
            hide(panels[i]);
        }
    }

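    /**
     * Derive the folder containing this HTA from document.URL.
     * Strips a leading "file://" scheme, asks the FileSystemObject for the
     * parent folder and decodes every "%20" escape back to a space.
     * @returns {string} Folder path of the running HTA.
     */
    function GetWorkingDirectory() {
        var url = document.URL.replace("file://", "");

        var fso = new ActiveXObject("Scripting.FileSystemObject");
        var folder = fso.GetParentFolderName(url);

        // The previous code replaced only the first "%20" and replaced it with
        // nothing, so "My Folder" came back as "MyFolder" and the later
        // FolderExists/FileExists checks looked at a path that does not exist.
        // Decode every escape to the space it stands for instead.
        return folder.replace(/%20/g, " ");
    }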

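    /**
     * Launch the SOLIDWORKS Installation Manager (sldim.exe) from the
     * architecture-specific sub-folder next to this HTA.
     * Shows the matching error box instead when that folder or sldim.exe
     * cannot be found; an exception from the ActiveX calls is reported via
     * the "securitywarning" box (the IE zone settings described there).
     */
    function install() {
        hideAll();

        var shell = new ActiveXObject("WScript.Shell");
        var fso = new ActiveXObject("Scripting.FileSystemObject");
        var env = shell.Environment("SYSTEM");
        var arch = env("PROCESSOR_ARCHITECTURE");

        var folder = GetWorkingDirectory();

        // Only the two known architectures get a sub-folder; any other value
        // falls back to the HTA's own folder, as before.
        var imdir = "";
        if (arch === "x86") {
            imdir = "\\32bit";
        } else if (arch === "AMD64") {
            imdir = "\\64bit";
        }
        var dir = folder + imdir;

        if (!fso.FolderExists(dir)) {
            var dirPlaceholder = document.getElementById("directorymissing_value");
            if (dirPlaceholder) {
                // innerText, not innerHTML: the path is derived from
                // document.URL and must be displayed literally, never parsed
                // as markup.
                dirPlaceholder.innerText = dir;
            }
            show("directorymissing");
            return;
        }

        var sldim = dir + "\\sldim\\sldim.exe";
        if (!fso.FileExists(sldim)) {
            var sldimPlaceholder = document.getElementById("sldimmissing_value");
            if (sldimPlaceholder) {
                sldimPlaceholder.innerText = sldim;
            }
            show("sldimmissing");
            return;
        }

        try {
            // sldim.exe is invoked relative to CurrentDirectory, so set it first.
            shell.CurrentDirectory = dir;
            var cmd = ".\\sldim\\sldim.exe /adminclient /new /source .\\admindirector.xml /norunsw";
            shell.Run(cmd);

            window.close();
        } catch (err) {
            show("securitywarning");
        }
    }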

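    /**
     * Run startswinstall.exe (next to this HTA) in uninstall mode, adding
     * /removeregistry and /removedata according to the two checkboxes on the
     * page. Shows the "startswinstallmissing" box if the executable is absent.
     */
    function uninstall() {
        hideAll();

        var shell = new ActiveXObject("WScript.Shell");
        var fso = new ActiveXObject("Scripting.FileSystemObject");

        var folder = GetWorkingDirectory();
        var startswinstall = folder + "\\startswinstall.exe";

        if (!fso.FileExists(startswinstall)) {
            var placeholder = document.getElementById("startswinstallmissing_value");
            if (placeholder) {
                // innerText, not innerHTML: the path is derived from
                // document.URL and must be displayed literally, never parsed
                // as markup.
                placeholder.innerText = startswinstall;
            }
            show("startswinstallmissing");
            return;
        }

        var args = "/uninstall /showui";

        var removeregistry = document.getElementById("removeregistry");
        if (removeregistry && removeregistry.checked) {
            args += " /removeregistry";
        }

        var removedata = document.getElementById("removedata");
        if (removedata && removedata.checked) {
            args += " /removedata";
        }

        // The executable path is quoted so a folder name containing spaces
        // survives the command-line split.
        var cmd = "\"" + startswinstall + "\" " + args;
        shell.Run(cmd);

        window.close();
    }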

    </script>
    </head>
    <body>
    <h2>SOLIDWORKS 2017 SP4.1</h2>
    <p>
    <div>
    <div class="heading">Click <i>Install SOLIDWORKS products now</i> to start the installation of SOLIDWORKS on the local computer:</div>
    <div><input type="button" value="Install SOLIDWORKS products now" onclick="install()" /></div>
    </div>
    </p>
    <p>
    <div>
    <div class="heading">Click <i>Uninstall SOLIDWORKS products now</i> to start the uninstall of SOLIDWORKS on the local computer:</div>
    <p>
    <div class="removeheading">Select the types of items to remove from the client computer. Unselected items will remain on the computer.</div>
    <div class="removeitem"><input type="checkbox" disabled checked />Program Files and Folder</div>
    <div class="removeitemdesc">Program Files and folders are removed by the standard uninstall.</div>
    <div class="removeitem"><input type="checkbox" id="removeregistry" />Registry Entries</div>
    <div class="removeitemdesc">This will remove serial numbers and custom settings from the registry.</div>
    <div class="removeitem"><input type="checkbox" id="removedata" />Data Files and Folders</div>
    <div class="removeitemdesc">This will delete custom files stored in the data folders on the client computer, such as Toolbox. It will not delete any files or folders from other folders, other computers, or network locations.</div>
    </p>
    <div><input type="button" value="Uninstall SOLIDWORKS products now" onclick="uninstall()" /></div>
    </div>
    </p>
    <p>
    <div id="securitywarning" class="errorbox">
    <div id="securitywarning_title" class="errorbox_title">Security Warning</div>
    <p>Internet Explorer requires specific settings to install the SOLIDWORKS software.</p>
    <p>On the Internet Explorer menu, select <strong>Tools</strong>, <strong>Internet Options</strong>.</p>
    <p>On the <strong>Security</strong> tab:</p>
    <ol>
    <li>Under <strong>Select a Web content zone to specify its security settings</strong>, select <strong>Local intranet</strong></li>
    <li>Under <strong>Security level for this zone</strong>, select <strong>Custom Level</strong>.</li>
    </ol>
    <p>In the <strong>Security Settings</strong> dialog box, under <strong>ActiveX controls and plug-ins</strong>, go to:</p>
    <ul>
    <li>Set <strong>Initialize and script ActiveX controls not marked as safe</strong> to <strong>Enable</strong></li>
    <li>Set <strong>Run ActiveX controls and plug-ins</strong> to <strong>Enable</strong>.</li>
    </ul>
    <p>On the Internet Explorer menu, select <strong>View</strong>, <strong>Refresh</strong>.</p>
    <p><u>After SOLIDWORKS is installed, you can reset the internet settings to their previous values</u></p>
    </div>

    <div id="directorymissing" class="errorbox">
    <div id="directorymissing_title" class="errorbox_title">Directory Missing</div>
    <p>Failed to locate: <span id="directorymissing_value">PLACEHOLDER</span></p>
    </div>

    <div id="sldimmissing" class="errorbox">
    <div id="sldimmissing_title" class="errorbox_title">Installation Manager Missing</div>
    <p>Failed to locate: <span id="sldimmissing_value">PLACEHOLDER</span></p>
    </div>
    <div id="startswinstallmissing" class="errorbox">
    <div id="startswinstallmissing_title" class="errorbox_title">StartSWInstall Missing</div>
    <p>Failed to locate: <span id="startswinstallmissing_value">PLACEHOLDER</span></p>
    </div>
    </p>
    </body>
    </html>

  • I'd like to also note that I believe the Sophos action is valid and as expected. My concern is that Sophos isn't consistent in regards to how it reacts when the HTA file is accessed between different Windows applications (Outlook vs. Skype for Business or other untested collaboration applications).

     

    Cheers,

     

    ~Pete

  • Hi Pete, 

    Thank you for the detailed information.

    Haridoss Sreenivasan
    Technical Support Engineer | Sophos Technical Support
    Knowledge Base  |  @SophosSupport  |  Video tutorials
    Remember to like a post.  If a post (on a question thread) solves your question use the 'This helped me' link.