Please excuse my ignorance, but...

Does wormguard protect from ALL sources of common scripts ?

I know WG will protect me from user activated worms (email attachments and other mouse-click activated stuff)... but what about scripts that come through our webbrowser ?

I presume it provides the same defense for IM & P2P as for email, but that's just a presumption. Am I correct ?

Thanks for any answers in advance

 

Well it seems the way Wormguard works is that it associates itself as the default app to use when certain extensions are opened.

In other words, if windows is called to open one of those scripts, instead of windows 'doing it's thing' by calling the default script engine, Wormguard goes first.

It applies only to external scripts though , not scripts interpreted directly by the browser. Eg javascript , VBS etc

 

Hi ---,

Do all browsers now interpret .vbs?

See:

http://216.15.201.66/dpec/courses/i11/i11ac.htm

---------------------------------
Topic 2.2.1: Visual Basic Script (VBScript)
*VBScript-Friendly Environments

VBScript runs in the Windows Scripting Host environment and in some Web browsers. Microsoft's Internet Explorer 3.0 and later Web browsers support VBScript, but earlier versions and those from other vendors may not support VBScript.
---------------------------------

I haven't seen specific documentation in the Opera Security KB about this, but will check.

EDIT: I just checked with Opera and vbs is defined as a client side script, a proprietary microsoft technology, not recommended for Web use (except for server-side if you're running IIS), and not supported by Opera.

Not sure about other non-IE browsers.

regards,

-rich
________________
~~Be ALERT!!! ~~

 

Hi all

Thanks for the replies. It seems rather annoying that browsers interpret their own scripts. Can't see a speed benefit in it.

Still, it would be great if WG4 covered browser scripts then.

 

My understanding is only MSIE does. Unless things have changed for Opera.

It's not for speed, it's designed to work that way, so webmasters can overcome the limitations of merely static html.

Not without quite a bit of work.

 

And ?

Then again, maybe what you mean is it's impossible to program, don't know

 

When I tested several script blocking programs, I tested running scripts from within other files, such as .html. Worm Guard displayed its alert box immediately. You can demonstrate this by creating an .html file with this code. Note that it is commented out, so will not execute:

------------------------------
<SCRIPT LANGUAGE="VBScript">

<!--
function fnCreateFolder()
dim oShell
dim oFolder
dim sDir

sDir = "C:\SomePath"
set oShell = CreateObject("Shell.Application")
set oFolder = oShell.NameSpace(sDir)
end function
-->

</SCRIPT>
--------------------------

This means that if an .html file with vbscript comes in via email attachment or download, WG would block it from opening in the browser. (see image below)

Two other programs - Script Sentry and Script Defender - did not catch this, illustrating a basic difference between Worm Guard and the other programs.

The first two change the default action of the script filetypes to pass the command directly to the program:

--------------------
[HKEY_CLASSES_ROOT\VBSFile\Shell\Open\Command]
@="C:\\Program Files\\AnalogX\\Script Defender\\sdefend.exe %1 %*"
--------------------

This means these two programs only block .vbs scripts when a .vbs file is executed - (d-clicked or run from a command prompt) - but not when a script is embedded in another filetype.

On the other hand, according to the WG Help file, WG, uses several analyzing engines to run tests:

------------------------
If at the end of the tests the alarm report is empty (eg. no alarms were triggered), then the file will be allowed to process normally by the operating system, allowing it to execute. If there is an alarm report, it will be displayed, and the user will then have the option of re-deciding if executing the file is a wise idea or not. WormGuard will also provide the user with a Risk Assessment.
----------------

This means that WG is looking for vbscript language no matter what the file type. Put the above code in a MSWord document and WG will alert.

Very impressive.

So. while WG will not block a web page on-line from running vbscript (that solution lies in disabling vbscript in IE or using an alternative browser) an .html page containing vbscript on the HD will be blocked from opening in the browser.

-rich
________________
~~Be ALERT!!! ~~

 

Thanks for the info. Rather helpful

 

I remember WormGuard behaving as rich described when blocking some malicious scripts, but I wasn't absolutely sure.

Rich