This post is part of a series about the new uberAgent Endpoint Security Analytics (ESA) product. uberAgent ESA aims to provide deep security visibility. It is complemented by uberAgent UXM, our user experience monitoring solution, which adds rich context and metadata.
Scheduled tasks are fantastic for hiding malware. There are multiple reasons for that: every Windows PC has a huge number of tasks, all of which are completely undocumented, there is no authentication mechanism for “good” tasks, and essential information is not available in the UI. Let us explore those caveats in more detail.
The machine I am writing this on has a total number of 221 scheduled tasks spread across 127 folders. Most of these tasks came with the Windows operating system, but some were added by applications or drivers. Microsoft Office 365, for example, installs the following tasks:
- Office Automatic Updates 2.0
- Office ClickToRun Service Monitor
- Office Feature Updates
- Office Feature Updates Logon
- Office Subscription Maintenance
We can deduce from the names of these tasks that most of them are related to application updates and telemetry. Each task’s description field contains rudimentary information, but apart from that, these tasks are undocumented. The same is true for basically all scheduled tasks.
Unlike executables, scheduled tasks cannot be digitally signed. As a consequence, there is no way to verify if a task is genuine. Tasks do have an author field, but its contents can be set to anything, making it worthless for security purposes.
Nothing demonstrates that better than the Office tasks mentioned earlier. As you can see in the screenshot below, some of those tasks do not even have an author configured at all!
Scheduled tasks are all about doing something: running a tool, starting a script, invoking a component. Without any such action, a task is useless. In other words, a task’s action is by far its most important property. All the more alarming that the Task Scheduler UI in many cases does not display this essential information:
More specifically, Task Scheduler neither shows details for COM actions nor does it list properties of custom triggers. The same is true for command-line tools like
schtasks.exe. Essentially, Windows turns a blind eye to scheduled tasks.
The only solution to dealing with the weaknesses of Windows scheduled tasks is careful monitoring. uberAgent Endpoint Security Analytics (ESA) puts you in control again.
uberAgent ESA automatically detects the relevant events in a scheduled task’s lifecycle: task creation, task change/update, and task deletion.
Scheduled tasks have a complex architecture: each task may have several, even different triggers. A task could be triggered at machine boot, user logon, according to a schedule, or any combination of the above. There is also a huge number of undocumented custom triggers. uberAgent ESA lists all of these triggers in full detail.
As with triggers, tasks can be configured with more than one action. Some actions, like starting a process, or sending an email are straightforward. Instantiating a COM object is not. All the more important to clearly understand exactly what is being executed.
For each COM action, uberAgent ESA not only lists the component’s CLSID but also resolves it to the actual executable hosting the component.
See our blog post announcing uberAgent Endpoint Security Analytics for more information about uberAgent ESA. Also, follow this blog – we have more to share soon!