Should I worry about this?

[Andrew B.]

Hi.

When I was installing DiamondCS RegistryProt, it announced startup points to me and asked me whether to allow them. I understood all of them except this one, and I'm wondering if this is something I should not have approved.

HKEY=HKEY_CLASSES_ROOT
PATH=vbsfile\shell\open\command
NAME=
DATA=%SystemRoot%\System32\WScript.exe "%1" %*

[DolfTraanberg]

http://www.jsiinc.com/SUBF/TIP2600/rh2605.htm

[Andrew B.]

Hi Dollefie.

Thanks for the link. It shows how to remove the ability for any script to run. DiamondCS RegistryProt only took issue with one line of the many lines I see on that page. So I can only guess that maybe that one line is normal, but worse than others, and maybe I should disable it. Is that the idea behind sending me there?

[Gavin - DiamondCS]

Not many home users have legitimate need to have VBS files run in the Windows Scripting Host, so you can eliminate the whole VBS class of worms and trojans by changing it to notepad.exe %1

The current version of Wormguard will be suspicious of any VBS worm or trojan due to their nature, im sure script checkers included in antivirus software have long since caught up, although they might not be as careful/agressive as Wormguard 3 in their protection..

[DolfTraanberg]

You have to decide whether or not you want to be able to run vbs/js. there are some handy tools around that uses them. If you don't use these ore you don't have any protection against the misuse of scripts (like a lot of worms/trojans do) then delete them. I don't know how you use your computer. I only wanted you to know why that line exists.
Dolf

[Andrew B.]

Thank you Gavin and Dollefie. I just went in and switched VBS to notepad. I'll have to think about Java Script, though. I think that might be something I need.

[DolfTraanberg]

Quote:

quoting: Andrew B. link=board=30;threadid=11657;start=0#msg75920 date=1059212823]
I'll have to think about Java Script, though. I think that might be something I need.

Well, you always can consider using Wormguard

[Andrew B.]

I'm looking into wormguard, but I worry about having two scanners hitting the same area. I actually witnessed two AV scanners let eicar open when they both detected it at the same time.

[DolfTraanberg]

Wormguard is NOT an AV, it doesn't use any def updates. It just analyzes code BEFORE it is loaded in memory, so it doesn't interfere with any other AV, it is just an addition to an AV where an AV could fail.
I wonder though why WG jumped in on the eicar testfile
Dolf

[Dan Perez]

was curious about this myself so after disabling KAV I doubleclicked on eicar.com and WG poped up with

Quote:

Risk Assessment: Medium

*> Suspicious strings detected.
WormGuard has found a few strings in this file that are suspicious.

*> Contains suspicious string: virus
LINE=......

Running strings on the com file shows the following ascii string

Quote:

EICAR-STANDARD-ANTIVIRUS-TEST-FILE

[DolfTraanberg]

thanks Dan
I've always mixed feelings about the need to detect testfiles,
although now I think it's the VIRUS part of ANTIVIRUS where WG jumped in, which is logic.
Hmm, I wonder how many malware writers put the string 'virus' in their code...
Dolf

[Gavin - DiamondCS]

Amazingly many ! A large percentage of worms are tagged with the author name, and with things like

W32/Hello.b by nErdBurger[cheese] (I made this up )

We have amassed a large list of trojan/virus author names - and groups like [cheese] so Wormguard 4 and TDS-4 will look for some things like that as well.. exact details unsure yet, there has to be measures to make these things less sensitive

[Mr.Blaze]

Blaze worm comeing soon lol all will miss spell like me lol author by blaze aka little baby budah lol