Virtualization question.

Discussion in 'sandboxing & virtualization' started by ErikAlbert, May 12, 2007.

Thread Status:
Not open for further replies.
  1. Rmus

    Rmus Exploit Analyst

    Joined:
    Mar 16, 2005
    Posts:
    4,020
    Location:
    California
    There is a slight misconception here.

    Both file extensions .exe and .vbs are "executable" in that they run code. However, for convenience, a distinction is made between .exe (executable) and .vbs (script).

    Anti-Executable does not protect against script-types: .js, .vbs, etc.

    Anti-Executable's job is to create a White List of all .exe-type executable file types: .exe, .dll, .sys, .ocx, etc. Any file of this executable type will not be allowed to download/install/run if not on the White List.

    Script-type executables must be dealt with according to whether the file (using .js is an example) is already on the HD and attempts to execute by some means; or, embedded in a web page, as I've described above.

    Lucas, WormGuard does not analyze web-based scripts. I suggested that its approach might be integrated with some type of web-scanning solution. We'll have to see :)

    regards,

    -rich

    ________________________________________________________________
    "Talking About Security Can Lead To Anxiety, Panic, And Dread...
    Or Cool Assessments, Common Sense And Practical Planning..."
    --Bruce Schneier
     
  2. Rmus

    Rmus Exploit Analyst

    Joined:
    Mar 16, 2005
    Posts:
    4,020
    Location:
    California
    Please read the XSS threads in the other security forum. This is a completely different problem, and none of the solutions discussed here in this thread will work.

    So, go over there and have a look and give it some thought, because it requires a totally different approach and analysis.

    regards,

    -rich

     
  3. lucas1985

    lucas1985 Retired Moderator

    Joined:
    Nov 9, 2006
    Posts:
    4,047
    Location:
    France, May 1968
    I know that ;) I just didn't want to explode Erik's head :D
    Well, I'm confused now :blink: I thought that AE intercepts WSH scripts. So, ScriptDefender/ScriptSentry aren't redundant add-ons to AE.
    Have you tested WG against malware/PoC?
    :thumb:
     
  4. Rmus

    Rmus Exploit Analyst

    Joined:
    Mar 16, 2005
    Posts:
    4,020
    Location:
    California
    Only if a malicious program is either already installed before you let AE create the White List, or if it was installed while you had AE disabled. In both cases, the malicious program could use those two you mention to carry out attacks.

    AE is not a behavior blocker. It has one simple function: while enabled, to guard the door against any executable not on its White List.

    regards,

    -rich

     
  5. EASTER.2010

    EASTER.2010 Guest

    Strange but still disturbing fact nonetheless that you bring up here, but not so long as you apply script security which acts as a go-between for .vbs, .bat, .js, .reg, and so forth and so on with script extensions.

    These potentially dangerous files can be easily overlooked and in many instances have been discounted in the past AND present, but nothing is more threatening to a system than these scripts can be.

    I once clicked a single .bat file purely by accident that was so coded that when I hit the shut-off button to stop it, I thought I had prevented a catastrophe, since it was a HardDrive Killer program I got off a virus site. Unbeknownst to me until I actually read the code later, the worst thing I did was reboot, because it proceeded to complete the DELTREE C:\ FORMAT job completely and quickly :blink:
     
  6. Rmus

    Rmus Exploit Analyst

    Joined:
    Mar 16, 2005
    Posts:
    4,020
    Location:
    California
    No, not at all.

    See here:

    https://www.wilderssecurity.com/showpost.php?p=521885&postcount=7

    regards,

    -rich

     
  7. lucas1985

    lucas1985 Retired Moderator

    Joined:
    Nov 9, 2006
    Posts:
    4,047
    Location:
    France, May 1968
    Please, read this post:
    Thanks ;)
    Unfortunately, DiamondCS seems to be in the twilight.
     
    Last edited: May 12, 2007
  8. Rmus

    Rmus Exploit Analyst

    Joined:
    Mar 16, 2005
    Posts:
    4,020
    Location:
    California
    I'm not sure what your point is.

    In the XSS exploit, where the login page has been compromised, the user enters her/his ID and Password to log in to the page. When the user clicks "Submit" that information is sent out to the hacker.

    Nothing discussed here will prevent that.

    If you have a solution, please go to my XSS thread and present it :)

    regards,

    -rich

     
  9. Rmus

    Rmus Exploit Analyst

    Joined:
    Mar 16, 2005
    Posts:
    4,020
    Location:
    California
    Here is a good example of the problem with web-embedded scripts.

    I can click elio's link in the ZA XSS thread to open his XSS exploit demo page, and the browser happily obliges.

    However, if I d-click the cached .html file, WormGuard snags it because it has been able to read the file from disk:

    http://www.urs2.net/rsj/computing/imgs/wg-example.gif

    The file with a questionable script has to be already on the HD for a script-blocking program to work.

    regards,

    -rich

     
  10. lucas1985

    lucas1985 Retired Moderator

    Joined:
    Nov 9, 2006
    Posts:
    4,047
    Location:
    France, May 1968
    I'm suggesting that against browser-based attacks, the countermeasures are:
    - NoScript (anti-XSS features).
    - Whitelisted HTTP/S traffic (your approach).
    You're right. A possible solution would be integrating WG's engine into a browser plug-in. Firekeeper could be that solution.
     
    Last edited: May 12, 2007
  11. Rmus

    Rmus Exploit Analyst

    Joined:
    Mar 16, 2005
    Posts:
    4,020
    Location:
    California
    The problem here is that you could not log in to your account with JavaScript disabled (assuming your login page uses JavaScript).

    regards,

    -rich

     
  12. EASTER.2010

    EASTER.2010 Guest

    This is what makes Wilder's so very valuable for us, the generosity in sharing results either from real-world experiences or even articles.

    Thanks for the mention of NoScript, I have to consider it and will likely test it myself.
     
  13. lucas1985

    lucas1985 Retired Moderator

    Joined:
    Nov 9, 2006
    Posts:
    4,047
    Location:
    France, May 1968
    Anti-XSS features are for whitelisted sites ;) Whitelisted sites can execute Javascript.
    Firekeeper (discussion between developers of Adblock Plus and NoScript)
    Link
     
  14. Rmus

    Rmus Exploit Analyst

    Joined:
    Mar 16, 2005
    Posts:
    4,020
    Location:
    California
    Sorry, Lucas, I completely forgot about NoScript :oops:

    Here is another link to follow:

    http://www.castlecops.com/p930581-NoScript_1_1_4_8_is_out.html

    regards,

    -rich

     
  15. lucas1985

    lucas1985 Retired Moderator

    Joined:
    Nov 9, 2006
    Posts:
    4,047
    Location:
    France, May 1968
    You're excused :D
     
  16. ErikAlbert

    ErikAlbert Registered Member

    Joined:
    Jun 16, 2005
    Posts:
    9,455
    OK Guys. I installed ScriptDefender, which protects me against these script extensions:

    .VBS .VBE .JS .JSE .HTA .WSF .WSH .SHS .SHB

    Any more extensions?

    And thanks for expanding my security set with another execution-killer. :D

    PS: I could run the test.vbs without warning and that is not a good sign.
    Problem fixed.
     
    Last edited: May 12, 2007
  17. EASTER.2010

    EASTER.2010 Guest

    Erik, you have done your system a very huge favor indeed, but I do spot one missing, and it regards your system registry: .REG. I know ScriptSentry covers that one too, dunno about ScriptDefender though.
     
  18. ErikAlbert

    ErikAlbert Registered Member

    Joined:
    Jun 16, 2005
    Posts:
    9,455
    Done and thanks. I will put all these extensions in my installation file of ScriptDefender to remember them in case I reinstall from scratch.

    Script Defender v1.02
    http://www.analogx.com/CONTENTS/download/system/sdefend.htm

    .HTA, .JS, .JSE, .REG, .SHB, .SHS, .VBE, .VBS, .WSF, .WSH in alphabetical order. :)
     
    Last edited: May 12, 2007
  19. Rmus

    Rmus Exploit Analyst

    Joined:
    Mar 16, 2005
    Posts:
    4,020
    Location:
    California
    Hello ErikAlbert,

    As you know, this program modifies your Registry, so be sure to have a backup of your Registry,
    and if you decide to uninstall, follow their procedures exactly.

    See this old thread:

    https://www.wilderssecurity.com/showthread.php?t=101823

    regards,

    -rich

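A defender's check to go with the two posts above, added here as an example; it is not from the thread and not ScriptDefender's or AnalogX's own code. The PowerShell below lists which program Windows currently launches for each of the script extensions Erik enumerated, and exports the corresponding registry keys so that the association can be restored if the interceptor misbehaves or the uninstall goes wrong. It assumes a Windows host, an elevated PowerShell session, and a backup directory path chosen here (hypothetical); the assumption that an interceptor of this kind rewrites the per-ProgID "open" command is mine, not something the thread states.

```powershell
# Added example, not from the thread: audit the handlers registered for
# WSH-style script extensions and back up the keys before a script
# interceptor (ScriptDefender, ScriptSentry) changes them.
# Assumes: Windows, elevated session. $BackupDir is a hypothetical path.

$Extensions = '.hta', '.js', '.jse', '.reg', '.shb', '.shs', '.vbe', '.vbs', '.wsf', '.wsh'
$BackupDir  = Join-Path $env:USERPROFILE 'script-assoc-backup'   # hypothetical location
New-Item -ItemType Directory -Path $BackupDir -Force | Out-Null

foreach ($ext in $Extensions) {
    $extKey = "Registry::HKEY_CLASSES_ROOT\$ext"
    if (-not (Test-Path $extKey)) {
        # Older shell-scrap types (.shs/.shb) may have no association on newer Windows
        Write-Output ("{0,-6} no association registered" -f $ext)
        continue
    }

    # The (default) value of HKCR\.ext names the ProgID, e.g. VBSFile for .vbs
    $progId = (Get-Item $extKey).GetValue('')
    $cmdKey = "Registry::HKEY_CLASSES_ROOT\$progId\shell\open\command"
    $command = if ($progId -and (Test-Path $cmdKey)) {
        (Get-Item $cmdKey).GetValue('')      # what actually runs on double-click
    } else {
        '(no open command)'
    }

    Write-Output ("{0,-6} ProgID={1,-10} opens with: {2}" -f $ext, $progId, $command)

    # Export both keys so the original association can be restored with reg import
    $safeName = $ext.TrimStart('.')
    reg.exe export "HKCR\$ext" (Join-Path $BackupDir "ext-$safeName.reg") /y | Out-Null
    if ($progId) {
        reg.exe export "HKCR\$progId" (Join-Path $BackupDir "progid-$safeName.reg") /y | Out-Null
    }
}

Write-Output "Exports written to $BackupDir"
```

Run it once before installing the interceptor, when the open commands should still name the stock handlers (WScript.exe for the WSH types, regedit.exe for .reg), and again afterwards; a working interceptor should now appear in the open command for every extension it claims to cover, which is a more reliable check than double-clicking a test.vbs and hoping for a prompt. If an uninstall leaves an extension pointing at a program that no longer exists, `reg import` of the matching export restores it.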
     
  20. ErikAlbert

    ErikAlbert Registered Member

    Joined:
    Jun 16, 2005
    Posts:
    9,455
    I don't backup my registry, because it is included in my freeze storage, my archived on-line snapshot and also imaged.
    That is 3 x backup.
     
  21. Rmus

    Rmus Exploit Analyst

    Joined:
    Mar 16, 2005
    Posts:
    4,020
    Location:
    California
    OK, my statement should have read: in case of a mishap, be sure you can revert back to a previous Registry before the installation of SD :)

    regards,

    -rich

     
  22. ErikAlbert

    ErikAlbert Registered Member

    Joined:
    Jun 16, 2005
    Posts:
    9,455
    So what? It seems to work. Are you checking on me? We are the good guys, remember?
     
    Last edited: May 12, 2007
  23. ErikAlbert

    ErikAlbert Registered Member

    Joined:
    Jun 16, 2005
    Posts:
    9,455
    This product has been known for quite some time and is used by many members. So what should be the problem? My MS Office is more than 7 years old and it still works.
     
    Last edited by a moderator: May 13, 2007
  24. lucas1985

    lucas1985 Retired Moderator

    Joined:
    Nov 9, 2006
    Posts:
    4,047
    Location:
    France, May 1968
    One difference between AE and SD is that AE alerts you and takes the decision for you. SD only alerts you and the decision has to be made by you.
     
  25. ErikAlbert

    ErikAlbert Registered Member

    Joined:
    Jun 16, 2005
    Posts:
    9,455
    Yes I noticed. AE gives you just a warning without decision and SD gives you a warning with execute or abort.
    I'm still not convinced I need SD, because I still don't have a list of 80+ executables, verified by AE. I asked Faronics for such a list, but they didn't give it to me with a cheap excuse. On their website they only mention 9 of 80+, so I don't know the rest.
    Getting straight answers nowadays seems to be very difficult, even when you ask the RIGHT people.
     