Has anybody had any experience of calling AMSI from ASP.NET? I have a web application that allows users to upload files, and we want to perform a virus scan on each file before we save it to the DB and make it downloadable to other users.
I have developed against Windows AMSI, and when running locally (IISExpress from VS) on my machine it works fine (my test case is that it rejects the EICAR test string in a text file).
However, when I build the application and put it onto our test server (running IIS 10) the test file is not being picked up as malware. I get all of the right return codes when initialising the interface, and scanning the file I get a valid result (of not detected).
Anybody got any ideas? I am running Windows 10 locally and the server is 2016. One thing I have noticed is that on the website it states [desktop apps only] next to supported server. Does this just mean no UWP? Or could it mean nothing running as a service either?
https://learn.microsoft.com/en-us/windows/win32/api/amsi/nf-amsi-amsiscanbuffer
Cheers,
Andy
I found the problem, after much headache. It appears that out of the box Windows Defender will automatically exclude the IIS process from malware checks. The effect of this is that the scan method doesn't reject malware.
https://learn.microsoft.com/en-us/windows/security/threat-protection/windows-defender-antivirus/configure-server-exclusions-windows-defender-antivirus#opt-out-of-automatic-exclusions
The automatic exclusions can be turned off.
I confirm that turning off automatic exclusions works. On Windows Server 2016, using the local group policy editor, this causes AMSI to start working from IIS. On Windows 10, under Virus & threat protection, adding an exclusion for process w3wp.exe causes AMSI to stop working. So the exclusion is the culprit.
To me it is unclear why this is the behaviour. Windows Defender should not interfere with crucial parts of the operating system, at the risk of causing corruption. Having an exclude list of parts not to be scanned is understandable. So given the standard exclude list Defender will not scan the IIS process. However our route is in the opposite direction. In IIS we want to check a user upload for malware. IIS sends the payload to AMSI. AMSI sends the payload to Windows Defender. Defender should scan the payload for malware. Why does it decide: this is a request by IIS, no need to scan the payload, just return that the payload is clean? If anyone can explain this logic I would be very grateful.
We don't want to turn off automatic exclusions. This would put the production systems at risk. Exclusions are there for a reason.
We still want to use AMSI; we like the idea of a vendor agnostic interface to the locally installed virus product. We now consider the following workaround: from IIS launch a commandline exe that in turn talks to AMSI. Send the payload from IIS to the commandline process, probably using an anonymous pipe. The commandline forwards the payload to AMSI which forwards it to Windows Defender. Defender will scan the payload, as the name of the requesting process is that of the commandline and not w3wp.exe or another name in the exclusion list.
Not too happy with this approach, but it should work. We welcome suggestions for improvement.
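A sketch of the command-line helper described in the workaround above, as an added example that is not the poster's code. It reads the payload from standard input (the redirected pipe), passes it to AmsiScanBuffer and reports the verdict as an exit code; the name AmsiScanHelper and the exit-code convention are assumptions made for this example.

```csharp
using System;
using System.IO;
using System.Runtime.InteropServices;
// Added example: hypothetical helper "AmsiScanHelper.exe", started by the web app.
static class AmsiScanHelper
{
    const uint AMSI_RESULT_DETECTED = 32768; // AmsiResultIsMalware(r) is r >= this value
    [DllImport("amsi.dll", CharSet = CharSet.Unicode)]
    static extern int AmsiInitialize(string appName, out IntPtr context);
    [DllImport("amsi.dll")]
    static extern int AmsiOpenSession(IntPtr context, out IntPtr session);
    [DllImport("amsi.dll", CharSet = CharSet.Unicode)]
    static extern int AmsiScanBuffer(IntPtr context, byte[] buffer, uint length,
        string contentName, IntPtr session, out uint result);
    [DllImport("amsi.dll")]
    static extern void AmsiCloseSession(IntPtr context, IntPtr session);
    [DllImport("amsi.dll")]
    static extern void AmsiUninitialize(IntPtr context);

    // Exit codes chosen for this example: 0 = not detected, 1 = detected, 2 = scan failed.
    static int Main(string[] args)
    {
        string contentName = args.Length > 0 ? args[0] : "upload";
        byte[] payload;
        using (Stream stdin = Console.OpenStandardInput())
        using (var buffer = new MemoryStream())
        {
            stdin.CopyTo(buffer); // the parent closes its end of the pipe to signal EOF
            payload = buffer.ToArray();
        }
        IntPtr context, session;
        if (AmsiInitialize("AmsiScanHelper", out context) < 0) return 2;
        try
        {
            if (AmsiOpenSession(context, out session) < 0) return 2;
            try
            {
                uint result;
                int hr = AmsiScanBuffer(context, payload, (uint)payload.Length,
                    contentName, session, out result);
                if (hr < 0) return 2; // failed HRESULT: report failure, never "clean"
                return result >= AMSI_RESULT_DETECTED ? 1 : 0;
            }
            finally { AmsiCloseSession(context, session); }
        }
        finally { AmsiUninitialize(context); }
    }
}
```

The web application would start the helper with `ProcessStartInfo.RedirectStandardInput = true` and `UseShellExecute = false`, write the upload bytes to `StandardInput.BaseStream`, close the stream and reject the upload on any exit code other than 0. As the thread establishes, the verdict is only meaningful if the helper's own process name is not covered by a Defender exclusion.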
Related
I want to set up a system whereby anyone logged onto a machine on our local network can see what's on the screen of any other machine on the local network. This is part of a peer-monitoring programme, and is with the agreement of all users.
All machines are running Windows 7 or 10. Ideally, I would like it that someone using an iPad could also see the screens.
My initial thought was to install IIS on each machine, and have a web site that would capture the screen and return it on request. That way, a user at another machine could just browse to http://machinename/ and see the screenshots. This would work for desktop machines and iPads.
However, I discovered that you can't access the screen that way, so that idea is out. Similarly, it seems that a Windows service can't access the screen either.
What options do I have? I want something that can be installed once for all users, and show what's on the screen(s) attached to that machine.
Like a lot of similar questions out there, a simple solution requires just some basic understanding of how Windows session isolation works, detailed in posts like this.
As you want to capture screenshots, your code must run in the same user session. Then any sample code you find from search engines will work flawlessly.
Many existing screen capture solutions are built upon this simple approach, and usually have a Windows tray app that launches when a user logs in, which prepares the screen shots by calling the capture API.
You cannot use a Windows service or a web app on IIS to call the capture API, because they run in session 0, not that user session.
Behind the scenes, other necessary components are there to dispatch the screenshots to a centralized backend server (so that they can then be sent to the monitoring device).
Note that for this part multiple approaches/architectures can be used, so I won't share too much to restrict your imagination.
I have developed a Windows service using C#.Net which collects data and sends it to my server using custom APIs at regular intervals, with the client user's permission.
It was working fine until the user installed anti-virus software (Kaspersky). It falsely detected my .exes as PDM:trojan.win32.generic, threw them into quarantine and removed its service, because I am doing web requests using HttpWebRequest and HttpWebResponse to push and pull data.
As a temporary measure, I have whitelisted the .exes and the program directory under the exclusion rules in the anti-virus software's settings and installed the service once again, so it is working fine for now.
But as a final solution, I want to know whether we can fix this within the program itself (programmatically), so that anti-virus software does not detect it as a trojan or any other kind of virus as soon as my program and its service get installed.
Edit - 8th June 2015
I forgot to mention earlier that the service .exe downloads its own latest .exe file to update itself. I wonder if this process is making it appear as a Trojan.
You can apply to have your program added to the Kaspersky whitelist. You may also want to apply for the Kaspersky Lab Trusted Logo.
Other anti virus solutions offer similar whitelist programs, Symantec for example.
Going through these whitelists -IMHO- is the proper way here. If your users place their trust in those solutions, your making an effort to be whitelisted, i.e. labeled as trustworthy by these solutions, should go a long way with your user base.
I want to run an exe on the client system from my C# ASP.NET website. When I use Process.Start() it throws an error:
The requested operation requires elevation.
How do I set permissions to run that exe?
You can't spawn processes on the client machine from server-side code.
When you use Process.Start in server-side code, it is attempting to execute the process there, on the server where the website is hosted. If you wanted to create processes on the client's computer then you would need to expose a download for them (and not by employing subterfuge, like malign sites might do to install software - supply it gracefully, and normally (and with permission)), or a Silverlight application or something along those lines.
The bottom line is that the code you want to execute (even if that is just to spawn a process) must reside on the client, and be executed there.
You can't run an application from a web server like that. You will have to have the user download the application by supplying the EXE, a setup file or using ClickOnce.
Or you can develop an ActiveX control that you can have the browser automatically download from a Trusted Internet Zone.
Once downloaded, proper signing with a certificate (signed from the trusted (corporate) root certificate) will avoid the user getting a prompt to ask whether he wishes to allow the ActiveX control to install/be activated.
The ActiveX control can subsequently do anything the interactively logged on user could. This means that to actually install a program you'd need to elevate (UAC on Vista+); but if the goal was just to run a standalone executable, you should be good to go.
This all assumes white-hat purposes in a (larger) corporate setting, because it relies on PKI infrastructure and central browser policies, to name just two.
This would, really, lead to some excellent questions on serverfault or superuser.
I noticed you said you wanted to run an exe file on the client, but you didn't say explicitly that the exe is on the server and you want to push it to the client. Everyone seems to be assuming that is the case.
You CAN accomplish this fairly easily with a small JavaScript if you have a few prerequisites:
The executable is already present on the client machine.
All of your clients are running IE.
You can enforce a policy to put your site in the Intranet or Trusted Sites zone.
So basically this means it's a corporate intranet application. I am assuming this is probably the case since, well, if you were expecting to do this with a public app, I would be surprised.
For the script to accomplish this, please see my answer to this question:
How can I get a program on a client machine to run from an ASP.NET page?
I wrote a C# application that is running well on my xp development machine.
When my client is running it on a different PC, it seems to freeze on both Vista and 7 machines.
I would like to know if there is any issue on running dotnet applications on vista/7.
I compiled the application for both framework 2.0 and 3.5 but it didn't help.
The log file doesn't help either.
Is there any way to know where the application is freezing (of course, the client doesn't have VS for attaching to the application)?
Thank you in advance for any help.
Pierre.
Generally, a .NET application should run the same on any Windows version with the .NET framework installed. The most common problems that occur are related to the new User Account Control policy in Vista and 7, which prevents applications from accessing areas requiring elevated privileges (which would otherwise run fine under an Administrator account in XP).
For example, if your application is trying to write configuration settings to the Program Files folder (which is a really bad idea, btw), or is using some hardcoded disk or registry paths instead of environment variables provided in .NET classes, it may fail under Vista.
To quickly check if this is a UAC privilege problem, try to run the application as an administrator (have your client right click the .exe file and select Run as Administrator). If it works, then this suggests that you need to examine your code and update it to make sure you are only accessing allowed areas.
Check this link for more information: Making apps UAC aware.
As redsquare suggested, the best way to test your application in a variety of Windows systems is to run them in several virtual machines (MS Virtual PC or VMware Player, both of them free for download).
You do not give much information in order for us to help a great deal.
I would start by trying to recreate the issue locally on a virtual machine (vista one available here) and then profiling the app with something like memprofiler.
Ask your client to capture a process dump using Windows Task Manager:
In Task Manager, find the process that hangs.
Right click and capture a memory dump.
Then you can do some analysis on the dump to see why it hangs.
If you are not familiar with dump analysis, find someone who can help or open a support case via http://support.microsoft.com
C# applications are supposed to run on Vista/Win7. This is their home :)
Your problem is not the OS. It's your application.
Most probably the application is looking for a file, a folder, something on the client side that is not there and it's freezing. This is my experience.
Check for project dependencies and make sure you have shipped to your clients everything your project needs.
And last, distribute to one client the debug version with debug messages enabled and get the feedback from their system.
Environment:
Win2003 running IIS6 serving ASP pages that call Delphi code.
Delphi code contacts a C# webservice for which it needs to log in (login.asmx). Webservice logs show login is successful. Debug results show that Context.User.Identity.IsAuthenticated returns true.
After login, Delphi code double-checks if it is still authenticated. Webservice returns false -> Context.User.Identity.IsAuthenticated returns false.
Our guess: authentication cookie received by delphi code running under IIS6 credentials (network service?) does not get saved to disk, so login is lost.
Filemon shows 'C:\WINDOWS\Temp\Temporary Internet Files' access denied. Giving IIS6 user admin rights on that folder fixes the problem, but is not acceptable since cookies should work by default.
Running IIS6 in IIS5 compatibility mode fixes the problem, but is also not preferred.
Wanted solution: exact cause of problem and smallest modification possible in configuration (giving admin rights to IUSR is not an option)
Cookies do work by default, but you have to have somewhere to store them. If you don't want to give access to the normal place where they are stored, then you will need to set up another directory that you can give rights to and set it up as the internet cache for the IIS6 user.
A couple quick resources that may help, given that for this type of problem you have a fairly large number of potential issues, see this.
One important difference between IIS5 and IIS6 is that Windows 2003 underwent a significant security lockdown with the SP1 update. There are a very large number of things that worked for Windows 2000 that just will not in 2003 (and should not have - they opened the door to all sorts of shenanigans). Trying to track down all the places where IIS6 locked stuff down might be challenging; instead I would use the above resource to track down the common issues people are running into with IIS6.