Executing cmd command through Console getting failed

I have tried to uninstall an AV application using the Windows Software Distribution Wizard.
I have pushed the file to the endpoint, copied it to a temp folder, and ran the application from there.
But it is removing the source exe file while running the application, and the action is failing.

Here is the code I’ve used. Correct the code if required pls

prefetch d3dd1fbd2e5a7cc06b7803efea842a4dca9a017e sha1:d3dd1fbd2e5a7cc06b7803efea842a4dca9a017e size:1995881 http://serverX.domain.com:52311/Uploads/d3dd1fbd2e5a7cc06b7803efea842a4dca9a017e/MFERemoval100.exe.tmp sha256:0d5dfb623033080b0b1cad9c37c803f10ed504c9920bd594367fa7e63b9555ad
extract d3dd1fbd2e5a7cc06b7803efea842a4dca9a017e


if {exist "C:\temp\MFERemoval100.exe"} 
delete C:\temp\MFERemoval100.exe
endif

dos copy __Download\MFERemoval100.exe C:\temp\MFERemoval100.exe

wait cmd.exe /C "C:\temp\MFERemoval100.exe /All /silent"

While running the last line, it is removing the source file instead of running it.
The action status shows completed with exit code 0, and the log shows the command succeeded.

Can anyone help, if something is wrong with the relevance?

Not sure, but what I have seen so far it should look something like this:

if {exist "C:\temp\MFERemoval100.exe"}
delete C:\temp\MFERemoval100.exe
endif

copy "__Download/MFERemoval100.exe" "C:\temp\MFERemoval100.exe"

wait cmd.exe /C "C:\temp\MFERemoval100.exe" /All /silent

I honestly don't see anything wrong. Have you run it in the debugger?

but then again here is an example of running the command line

Please don’t post real server names in the forums. You should sanitize things so they read like http://serverX:52311/Uploads/d3dd1fbd2e5a7cc06b7803efea842a4dca9a017e/MFERemoval100.exe.tmp

Thanks for reminding @dmccalla, I forgot the point.

I have performed 2 tests.
When I ran the command which was mentioned above, it is copying the file from _download to C:\temp and trying to run the command. At that point of time, the source file “MFERemoval100.exe” is getting removed from C:\temp.

Not sure why source file was removed.

Are you sure the source file was ever placed there?

Does the folder C:\Temp exist in the first place? Generally you SHOULD NOT put files there and instead use C:\Windows\Temp or similar location in ProgramData, but also the copy operation will fail if the folder doesn’t already exist.

Have you tested to make sure this works on the command line OUTSIDE of BigFix?


Try something like:

delete "C:\windows\temp\MFERemoval100.exe"

copy "__Download\MFERemoval100.exe" "C:\windows\temp\MFERemoval100.exe"

wait cmd /C /S "C:\windows\temp\MFERemoval100.exe /All /silent"

Yeah, the command line working when we tested manually. Let me try with C:\windows\temp folder

It also did not work…
I have provided the path C:\Malware, by creating that folder first. The script is creating the folder and copying the file but not executing the exe.

Is it a 64-bit executable? Try adding
action uses wow64 redirection false

to the action script before running the cmd.exe command.

Try adding a few debug clauses - a continue if statement that confirms the file is where you expect it for example
You could expand it to also check file size and/or hash to be sure it has survived the upload, download, extract and move intact.

delete "C:\windows\temp\MFERemoval100.exe"

copy "__Download\MFERemoval100.exe" "C:\windows\temp\MFERemoval100.exe"

continue if {exists file "MFERemoval100.exe" of folder "temp" of windows folder}

wait cmd /C /S "C:\windows\temp\MFERemoval100.exe /All /silent"
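The size and hash checks suggested in the post above could look like the following. This is an added example, not part of the original post; it reuses the size and sha1 from the prefetch line in the question and assumes the tool is run directly with `wait` rather than through cmd.exe.

```bigfix
// Added example. File name, size and sha1 are taken from the prefetch
// line in the question; adjust them if the utility is re-uploaded.

delete "C:\Windows\Temp\MFERemoval100.exe"
copy "__Download\MFERemoval100.exe" "C:\Windows\Temp\MFERemoval100.exe"

// Stop if the copy did not land where expected.
continue if {exists file "MFERemoval100.exe" of folder "temp" of windows folder}

// Stop if the file was truncated somewhere between upload and copy.
continue if {size of file "MFERemoval100.exe" of folder "temp" of windows folder = 1995881}

// Stop if the content differs from what was uploaded to the server.
continue if {sha1 of file "MFERemoval100.exe" of folder "temp" of windows folder = "d3dd1fbd2e5a7cc06b7803efea842a4dca9a017e"}

// Run the utility with the switches used in the question.
wait "C:\Windows\Temp\MFERemoval100.exe" /All /silent

// Fail the action on a non-zero return code. A zero exit code only shows
// that the process returned 0; it does not prove the removal happened.
continue if {exit code of action = 0}
```

If any `continue if` line evaluates to false, the action stops at that line and is reported as failed there, which shows which stage went wrong.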

completed with exit code 1
but no progress on server

Are you sure you have the correct command line?

I created almost exactly this fixlet for our AV team a few months ago - the hash and size are different, meaning we were provided a slightly different version of the utility, but the command line I used is

wait __Download\MFERemoval100.exe /all /quiet /noreboot

and that was confirmed as working by the AV team - I didn’t need to move the file either, it executes perfectly well from the download folder

I have used this one as well…
When it comes to the “wait” line, the source file (MFERemoval100.exe) is getting removed from the path, and the installation is failing.

In my code, I'm moving the file to C:\Malware and executing from there. Till copying, it is working fine.
I have used the debugger to run the wait command line, and it is giving the error "Program is expired and it will delete itself."
As the console can't give the error, it was completed with exit code 0, but it did not run on the endpoint.

You’ll need to contact your antivirus vendor on that one, it is the MFERemoval100.exe deleting itself, not BigFix deleting it.

Sounds like it’s some kind of time-limited download.