Scripts?

Hey all,

I been wondering are there any programs that can and detect dangerous and damaging scripts from starting in windows using the mshta.exe process, and then delete the suspect script?

Thanx guys/girls for any replys1

S))))))

 

There are script blockers, if that is what you mean:-

http://www.analogx.com/contents/download/system/sdefend.htm

http://www.jasons-toolbox.com/programs.asp?Program=Script Sentry

http://www.snapfiles.com/screenshots/scriptsentry.htm

 

Thank you, kinda what i had in mind,

Script defender looks good!

 

Topper, out of these what would you go for as a rule?

Thanks T

 

Both Script Defender and Sript Sentry do a similar job, but Script Defender is configurable (so you can add extensions).

I beleive the default extensions in Script Defender are:-

.VBS,.VBE,.JS,.JSE,.HTA,.WSF,.WSH,.SHS,.SHB

But you could easily add others such as:-

.CSS,.PIF,.CHM,.WSC,.SCT,.EML,.WMD,.ASF,.CPL,.CRT,.ADE,.ADP,.BAS,.BAT.

if you wish to do so.

I'm not sure whether you can make these additions to Script Sentry. Also, in the past there has been a known conflict between ANtiVir AV and Script Sentry, I don't know if that has been resolved (it may have been); but it is something to consider if you run AntiVir. So on balance I would probably go for S.D.

To be complete, mention should be made to Worm Guard:- http://wormguard.diamondcs.com.au/

it is not a freebie but is offering even better protection in this area.

 

Topper, thanks for the info. When you install S.D., does it require a lot of attention. for example when using microsoft update or updating abtivirus protection etc?

Cheers T

 

Be careful with those programs - they modifiy the \Shell\Open\Command for each of the filetypes.
Example for .vbs

--------------------
[HKEY_CLASSES_ROOT\VBSFile\Shell\Open\Command]
@="C:\\Program Files\\AnalogX\\Script Defender\\sdefend.exe %1 %*"

[HKEY_CLASSES_ROOT\VBSFile\Shell\Open\Command]
@="C:\\Program Files\\Script Sentry\\ScriptSentry.exe \"%1\" %*"
---------------------------

A rollback program or backup of the Registry is essential, because if you decide to uninstall the program and don't do it exactly as instructed, you are left with a mess in the Registry. There is a caution about this with one of them (I forget which)

These programs, then, work by bringing up an Alert box when you attempt to run a file (.vbs in this example), because the command to "Open" (run) the file is sent to the script block program.

In the days of Win9x tweaks (and still done by many today), it was common to change the default action in those filetypes to "Edit" so that d-clicking or trying to run them from a command line would open them in Notepad, preventing any accidental or surreptitious executing of a script, including merging .reg files into the Registry.

To run a legitimate file, you just r-click on the file and select "Open" (run) or "Merge."

It takes more time to manually set up the script types this way, but much safer, IMO.

Another program, Worm Guard, on the other hand, works from an entirely different principle, with engines working in the background to analyze the scripts before they run.

From the Help file about one of the engines:

-------------------------
This engine will actually analyse the script source code to determine what it is capable of doing, and compile a human-readable report of it's findings.
-------------------------

You can dl a trial version of WG.


-rich
________________
~~Be ALERT!!! ~~

 

Hi everyone,

Rich has been very gracious in sharing lots, and extremely informative information with me, concerning Script protection. As I suspected, this is an important element of security and I am still digesting all of the information that Rich has shared with me. Some of which he has already discussed in his prior message.

Thanks much Rich!!!

Rich

 

Interesting to no this about the way these programs work>worm gaurd seems like a better ideaa , but when a friend installed it on his laptop he wouldnt run and his system was totally clean ,so not sure at the moment what i will try to use and play with.

Good replys T

 

I think a better solution is to disable HTA execution altogether. I did a quick search and came across this article:

http://www.spywareinfoforum.com/articles/htasploit/

Which refers to this freeware product that will enable/disable HTA:

http://www.nsclean.com/htastop.html

Alternatively, you can remove the Windows Scripting Host. This article:

http://www.windowsnetworking.com/kb...ellaneous/DisableWindowsScriptingHostWSH.html

Refers to the "noscript.exe" utility found at:

http://www.sarc.com/avcenter/venc/data/win.script.hosting.html

Which will disable WSH.

 

reall good info - thanks very much for this

 

One concern though with disabling this is that some windows services like changing the way users logon/logoff and add/remove programs need this to be working?

Am i right or wrong?

T