#1
If the Windows Scripting Host is disabled in the registry ( http://www.microsoft.com/technet/scr..._sbp_lhak.mspx ), will this cause programs to not run at all or have some of their functionality disabled? Or will the advantages of disabling WSH outweigh the cons (disable all Windows Script-based malware from running at all)?
Edit: Added URL on how to disable WSH (not just changing the default handler).
__________________
My Setup: Real-time: AntiVir | On-demand: ClamWin, SuperAntiSpyware| Web: Opera (fraud protection enabled), OpenDNS | Other: Bugmenot.com - bypass compulsory web registration, Windows Scripting Host Disabled, Script Defender
Last edited by freakish : September 10th, 2007 at 02:18 AM.
#2
Hello,
Not sure how this would affect your everyday work. You could try changing the default handler from run to edit for common files like .js, .vbs. You could also use an anti-virus or script-monitoring software - like Script Defender, for example. Myself, I don't think this is really important. What are the chances you will run some stand-alone script - unknown to you, btw? As to the browser attacks and exploits, just go with a non-IE browser. If you do programming, use scripts etc, disabling the WSH might cause trouble.
Mrk
__________________
http://www.dedoimedo.com All your base are belong to us Linux Systems Expert / Systems Programmer, Linux System Administrator, LPIC-1, LPIC-2 (WIP), GSEC, CCHD, CCHA
#3
@Bunkface
Interesting question really: is disabling scripts still relevant?
I have WSH disabled in the registry (DWORD change, or at least check it): http://www.microsoft.com/technet/scr....mspx?mfr=true
Here is an older write-up from Symantec, and a link to NoScript: http://service1.symantec.com/sarc/sa...t.hosting.html
Script Defender is here: http://www.analogx.com/CONTENTS/down...em/sdefend.htm Change the settings in options as per MrK. There may be other options.
In the not too distant past, disabling scripts was sine qua non. A recent security test from the now defunct "Green Border" http://www.wilderssecurity.com/showt...t=Green+Border elicited this interesting response from the developer of BOClean: http://www.wilderssecurity.com/showp...7&postcount=62 Not entirely sure if this is relevant to you, interesting post nonetheless.
EHowes and Spyware Warrior were always beating on about scripts in the past and there was some advice from him/them on their older pages.
FWIW I have had both the reg change and Symantec NoScript in place for years and never had issues with any routine runnings. No issues with updates of any kind from anywhere. AFAICR, don't most AV and "hips" disable scripts one way or another now?
In terms of potential malware, the file options could be set to run .vbs in Notepad to see what interesting objects you might otherwise have clicked on. As per Mrk, it may be essential to have both enabled for specific programming needs and some specialised files.
HTH
PS: don't forget browser scripts: solution = FF and (the other) NoScript.
__________________
Don't confuse me with someone who actually knows what they are talking about. Linux Registered user 469135 Please, support Medecins Sans Frontieres
Last edited by Longboard : September 9th, 2007 at 10:53 AM.
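An added, read-only PowerShell check for the two measures discussed in the posts above (the registry switch that disables WSH, and changing the script file handler from run to edit); it is not code from any poster. The `Windows Script Host\Settings` key, its `Enabled` value and the script class names are the standard Windows ones and are assumptions here, since the thread does not spell them out.

```powershell
# Added example: read-only audit, nothing is modified.
# Assumption: standard WSH settings key and script file classes (not from the thread).
$WshSettings   = 'Software\Microsoft\Windows Script Host\Settings'
$ScriptClasses = 'VBSFile', 'VBEFile', 'JSFile', 'JSEFile', 'WSFFile', 'WSHFile'

function Get-RegValue {
    param([string]$Path, [string]$Name)
    # Returns $null when the key or the named value is absent.
    $item = Get-ItemProperty -LiteralPath $Path -ErrorAction SilentlyContinue
    if ($null -eq $item) { return $null }
    $prop = $item.PSObject.Properties[$Name]
    if ($null -eq $prop) { return $null }
    return $prop.Value
}

function Get-WshSwitch {
    # "Enabled" may be stored as a string or a DWORD; a value of 0 turns WSH off.
    foreach ($hive in 'HKLM', 'HKCU') {
        $value = Get-RegValue -Path "${hive}:\$WshSettings" -Name 'Enabled'
        $shown = if ($null -eq $value) { '(not set)' } else { "$value" }
        $state = if ("$value" -eq '0') { 'WSH disabled in this hive' } else { 'WSH not disabled here' }
        [pscustomobject]@{ Check = "$hive Enabled"; Value = $shown; Finding = $state }
    }
}

function Get-ScriptVerb {
    # The default value of <class>\Shell names the double-click verb;
    # when it is empty, Windows falls back to "open", which runs the script.
    foreach ($class in $ScriptClasses) {
        $key = "Registry::HKEY_CLASSES_ROOT\$class\Shell"
        if (-not (Test-Path -LiteralPath $key)) {
            [pscustomobject]@{ Check = "$class default verb"; Value = '(no such key)'; Finding = 'class not registered' }
            continue
        }
        $verb = Get-RegValue -Path $key -Name '(default)'
        if ([string]::IsNullOrEmpty($verb)) { $verb = 'Open' }
        $state = switch -Regex ($verb) {
            '^open' { 'double-click runs the script'; break }
            '^edit' { 'double-click opens an editor'; break }
            default { 'custom verb, review manually' }
        }
        [pscustomobject]@{ Check = "$class default verb"; Value = $verb; Finding = $state }
    }
}

@(Get-WshSwitch) + @(Get-ScriptVerb) | Format-Table -AutoSize
```

The two hives are reported separately because the script does not assume how Windows combines a per-user setting with a machine-wide one.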
#4
I used to use ScripTrap. Simple & free.
__________________
PCLinuxOS - Radically simple, it just works. That's why PCLOS is "The Distro Hopper Stopper!" http://www.pclinuxos.com/ If you don't use Linux. You're going to HELL!!!
#5
Disabling WSH, CMD, BAT increases security, but it causes more problems than it is worth.
I put it like this, I had it disabled in XP and Vista for a few months and I do not have it for now. I have it enabled for another few months and nothing "bad" happened, but that depends on a user. On the other hand using a utility, which would monitor it to allow/block WSH, sounds really interesting.
__________________
Real-Time: Nothing | On-Demand: Nothing [ Lenovo E525 | Yandex | CCleaner | KC SUMo | WiseCare 365 ] ( BlackViper / DEP / OpenDNS / UAC / WiFiRouter )
#6
My main concern is trojans and worms that are spread through removable drives like USB flash disks. Most of them enable autoplay (even if I have autoplay disabled) in the removable drives which bypasses most script blockers (I use AnalogX Script Defender). A sure-fire way of disabling these from running is disabling WSH from the registry.
Another concern of mine is programs that might not run or have problems running if WSH is disabled. Have any of you experienced problems with programs if WSH is disabled in the registry?
__________________
My Setup: Real-time: AntiVir | On-demand: ClamWin, SuperAntiSpyware| Web: Opera (fraud protection enabled), OpenDNS | Other: Bugmenot.com - bypass compulsory web registration, Windows Scripting Host Disabled, Script Defender
#7
Quote:
Hello,
If autoplay is disabled, you have nothing to worry about files on the USB drive. Nothing will execute itself.
Mrk
__________________
http://www.dedoimedo.com All your base are belong to us Linux Systems Expert / Systems Programmer, Linux System Administrator, LPIC-1, LPIC-2 (WIP), GSEC, CCHD, CCHA
#8
I have autoplay disabled in TweakUI on all drive letters. But when I doubleclick the removable drives, autoplay becomes the default action - maybe there is another way to permanently disable autoplay?
__________________
My Setup: Real-time: AntiVir | On-demand: ClamWin, SuperAntiSpyware| Web: Opera (fraud protection enabled), OpenDNS | Other: Bugmenot.com - bypass compulsory web registration, Windows Scripting Host Disabled, Script Defender
#9
I think that's not autoplay, rather what that usb driver is programmed to do when started.
If you're double clicking, it's not really auto is it?
__________________
The GNU Operating System - The GNU Project / Linux Kernel - Linux Foundation / Debian GNU/Linux Electronic Frontier Foundation (EFF) / The Free Software Foundation (FSF) / Creative Commons (CC) / Foundation for a Free Information Infrastructure (FFII) / Free Software Magazine
#10
I find the Windows Scripting Host unnecessary; at least on my machines. I have the Windows Scripting Host disabled via AVG Anti-spyware. I am still able to run the .bat files I need to run but other ActiveX based scripts and such can no longer run. Why run something you don't need, especially if it causes security problems? I have also never had any program need the scripting host turned on to run, but there may be some out there that do. If I ever need it though I can easily enable it again. (I'm betting I never need it).
Here is a site with a discussion on whether WSH is needed or not. I am sure there are many more out there if you want to look. http://fox.wikis.com/wc.dll?Wiki~RemovingWindowsScriptingHost~WIN_COM_API
#11
Quote:
AFAIK, doubleclicking will do the default action (in this case it is Autoplay). So instead of opening the drive in Windows Explorer, the action defined by Autoplay is executed.
__________________
My Setup: Real-time: AntiVir | On-demand: ClamWin, SuperAntiSpyware| Web: Opera (fraud protection enabled), OpenDNS | Other: Bugmenot.com - bypass compulsory web registration, Windows Scripting Host Disabled, Script Defender
#12
Quote:
__________________
"Pouvoir à l'Imagination. Power to the imagination. La imaginación al poder". "Perfect is the enemy of good enough". Voltaire.
#13
Instead of disabling WSH entirely, I effectively made it an "admin only" function. I made SSM rules for Wscript.exe and Cscript.exe that block them from running when SSM's UI is disconnected, which is its normal setting on my box. I also have Script Sentry installed so I can still read them before deciding if they're going to be allowed to run.
The result is that scripts can't be run at all by other users or accidentally allowed/run by me. I can choose to allow them when I need to but I get to examine them first.
Rick
#14
On my Windows 98 box there's now much more freedom to experiment with automation with .VBS files thru WScript/Cscript launchers since little if any attention is directed to them anymore.
Now on my XP Pro system though, like herbalist, I use ScriptSentry also. It is a perfect interceptor of many such extensions especially .reg files etc. Now that I think about it, one might say that programs like ScriptSentry were the real forerunners of HIPS. Think about that one.
__________________
★AX 64 Time Machine★
★Shadow Defender★
Maxthon 4 | X Iron 17.0 | Chromium 19.0 | Pale Moon 20.1
¶Microsoft Windows 8 64bit (UEFI/GPT) Secure Boot¶
¶Linux Mint 14 MATE¶
#15
Quote:
Ahh yes, the great Jason Levine: great little web site, tremendous resource. http://www.jasons-toolbox.com/BrowserSecurity/ He still maintains his home page: http://www.jasons-toolbox.com/ Heh; one of the first reviews of BING that really got my attention: http://www.jasons-toolbox.com/Articles/ I think I see him posting at DSLR occasionally.
__________________
Don't confuse me with someone who actually knows what they are talking about. Linux Registered user 469135 Please, support Medecins Sans Frontieres
Last edited by Longboard : September 15th, 2007 at 03:48 AM.
#16
Quote:
zapjb. Thanks for the mention of ScriptTrap. Will check that one out myself.
__________________
★AX 64 Time Machine★
★Shadow Defender★
Maxthon 4 | X Iron 17.0 | Chromium 19.0 | Pale Moon 20.1
¶Microsoft Windows 8 64bit (UEFI/GPT) Secure Boot¶
¶Linux Mint 14 MATE¶
#17
You're welcome EASTER.
__________________
PCLinuxOS - Radically simple, it just works. That's why PCLOS is "The Distro Hopper Stopper!" http://www.pclinuxos.com/ If you don't use Linux. You're going to HELL!!!