What is the use of Script Defender?

Discussion in 'other anti-malware software' started by sg09, May 24, 2010.

Thread Status:
Not open for further replies.
  1. sg09

    sg09 Registered Member

    Joined:
    Jul 11, 2009
    Posts:
    2,811
    Location:
    Kolkata, India
    Hi can anyone please explain me the role of Script Defender? Hi have heard good words about it but never understood it's function.
     
  2. Cudni

    Cudni Global Moderator

    Joined:
    May 24, 2009
    Posts:
    6,963
    Location:
    Somethingshire
    It says rather well on the page you linked to. A lot of AV & FW already incorporate something similar.
    "..
    AnalogX Script Defender will intercept any request to execute the most common scripting types used in virus attacks, such as Visual Basic Scripting (.VBS), Java Script (.JS), etc., and can even be configured to intercept new script extensions as needed! It's very simple to use and helps to ensure that you do not inadvertently run a script no matter what email program you use, or even if you get it via another method.
    .."
     
  3. ruinebabine

    ruinebabine Registered Member

    Joined:
    Aug 6, 2007
    Posts:
    1,096
    Location:
    QC
    Have a read at http://keir.net/scriptrap.html.

    ScripTrap is similar to Script Defender and the author makes there a good roundup of what it can do to intercept and warn you of possible malicious script about to start on your system.
     
  4. sg09

    sg09 Registered Member

    Joined:
    Jul 11, 2009
    Posts:
    2,811
    Location:
    Kolkata, India
    I am using that for some time but never get a warning. Will it give me information which is executing the script? Otherwise how will I know which is legitimate and which is not..!!
    And is it the same type of protection that is lacking in Avast free?
     
  5. bellgamin

    bellgamin Registered Member

    Joined:
    Aug 1, 2002
    Posts:
    8,102
    Location:
    Hawaii
    Per your signature, you already have very good protection from scripts via DrWeb (laptop) & Emsisoft AM (desktop).

    However, if you want a failsafe, ScriptDefender is superb. The absence of alerts means you're Okay, wot?
     
  6. sg09

    sg09 Registered Member

    Joined:
    Jul 11, 2009
    Posts:
    2,811
    Location:
    Kolkata, India
    Thank you...:)
     
  7. Rmus

    Rmus Exploit Analyst

    Joined:
    Mar 16, 2005
    Posts:
    4,020
    Location:
    California
    The problem with Script Defender, ScripTrap, and the like, is that they intercept the command invoked by the file extension via its Windows Association. This is done by replacing the command in the Registry. For example, VBS.

    Here is the normal Registry entry, showing the command to have the script engine, wscript.exe, open VBS files:

    vbsReg.gif

    Script Defender replaces wscript.exe with its own program:

    sdefend.gif

    When you click to open a VBS file, Script Defender intercepts the command:

    scripdef-1.jpg

    This is good protection against exploits such as the old Love.VBS worm which arrived as an email attachment, where the user clicks on the VBS attachment.

    But what if the attachment is a Word Document with a macro to open the VBS attachment? Here, the Word document and attachment are saved to a Temp folder, the Word document opens and the macro sends the Shell command directly to the script engine, wscript.exe. Script Defender never sees this command because the Windows file association and the Registry are not involved. I use the finjan.vbs test file:

    finjan.gif

    The same result occurs with an AutoRun exploit, where the Shell command to run the script engine (wscript.exe) is contained in the AutoRun.inf file.

    So, Script Defender and the like protect only those who click on untrusted script files. They cannot protect when commands to run the script engine are contained in an exploit.

    ----
    rich
     
  8. Rmus

    Rmus Exploit Analyst

    Joined:
    Mar 16, 2005
    Posts:
    4,020
    Location:
    California
    This is the problem with Allow-Deny Prompts, as in the case of my 3rd screenshot above.

    How does the user know? How can the user know?

    The solution is to not open untrusted files!

    At what point does a file become "trusted"

    Either you trust its source, or you trust a scanner.

    ----
    rich
     
  9. sg09

    sg09 Registered Member

    Joined:
    Jul 11, 2009
    Posts:
    2,811
    Location:
    Kolkata, India
    Thank a lot Rmus,
    Now I understand why WinPatrol gave me alert that Script Defender is trying to change some file association. Thanks again for the detailed explanation.
    But one question.

    Is there any way to stop exploits when commands to run the script engine are contained in an exploit o_O
     
  10. timestand

    timestand Former Poster

    Joined:
    May 7, 2010
    Posts:
    172
    Yes thanks you Rmus. But this old news for old reader of Wilder. Nice remind any way. To stop this type exploit you need careful where you get new file. I copy many thing from user ban from here so I no mention his name. But you can use default deny with SRP or Applocker or antiexecutable 3 in general Ok? This stop all payload exploit out there that we see. By way I test antiexecutable 3 and I like very well. If you use XP Home or Vista Home or 7 Home then you can use this one since you no have SRP or Applocker. That with user limited is enough. But if want more protect then use contain method with Sandboxie when you open new file on your system. That way you are very nice protect. I'm sure Rmus agree. Ok?
     
  11. Rmus

    Rmus Exploit Analyst

    Joined:
    Mar 16, 2005
    Posts:
    4,020
    Location:
    California
    You are welcome.

    Disabling Windows Script Host (WHS) -- will prevent the script engines from being used in an exploit. If you are comfortable in working with the Registry, you can use REG files to disable/enable WHS. I've tested these on Win2K and WinXP:


    DISABLE


    Code:
    Windows Registry Editor Version 5.00
    
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Script Host\Settings]
    "Enabled"=dword:00000000
    

    ENABLE

    Code:
    Windows Registry Editor Version 5.00
    
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Script Host\Settings]
    "Enabled"=dword:00000001
    
    You can test this by using the test.vbs file in the ScriptDefender Directory. Open a Command Prompt in that Directory:

    With wscript.exe enabled:

    scriptengine_1.gif

    Disabled:

    scriptengine_2.gif


    ----
    rich
     
  12. Rmus

    Rmus Exploit Analyst

    Joined:
    Mar 16, 2005
    Posts:
    4,020
    Location:
    California
    Yes, there are many ways of dealing with these exploits.


    ----
    rich
     
  13. sg09

    sg09 Registered Member

    Joined:
    Jul 11, 2009
    Posts:
    2,811
    Location:
    Kolkata, India
    Thanks again Rmus. I hope this will not create problem with the installation or running of any good programs.
     
  14. sg09

    sg09 Registered Member

    Joined:
    Jul 11, 2009
    Posts:
    2,811
    Location:
    Kolkata, India
    And if I disable the Script host, is there any use of Script Defender?
     
  15. Rmus

    Rmus Exploit Analyst

    Joined:
    Mar 16, 2005
    Posts:
    4,020
    Location:
    California
    This is always a potential problem when you disable a part of Windows.

    There many be some file types not run by WHS so you would have to check the file association for each one.


    ----
    rich
     
  16. sg09

    sg09 Registered Member

    Joined:
    Jul 11, 2009
    Posts:
    2,811
    Location:
    Kolkata, India
    Thank you Rmus...:)
     
  17. CloneRanger

    CloneRanger Registered Member

    Joined:
    Jan 4, 2006
    Posts:
    4,978
    Re AnalogX Script Defender

    You can include as many extentions as you like, but don't for get to add in ,. after each entry.

    ax.gif

    There are certain extentions it wouldn't make sense to add in, such as EXE etc. Because every time you or your comp tried to launch any program you would be alerted like crazy :D

    Rmus makes some valid points about bypassing etc :thumb:
    Disabling Windows Script Host (WHS) is a good idea, and one i've done for years with NO side effects ever. One method is via the Registry as Rmus suggests, but if you're not comfortable working in there, as i used not to be, then locating wscript.exe and changing the extension name even slightly will stop it running, which is what i've done in XP, and before that in 98. Renaming in safe mode is better, otherwise windows will try and replace them with a backup, unless you are quick :p

    Quote Rmus

    My experience is a little different to this, as on occassion, though very rarely, some legit app has triggered AnalogX Script Defender and i then allowed the script. Unfortunately i can't remember what it was, as the last time this happened was several years ago.

    *

    Edit add screenie :D
     
    Last edited: May 28, 2010
  18. sg09

    sg09 Registered Member

    Joined:
    Jul 11, 2009
    Posts:
    2,811
    Location:
    Kolkata, India
    Thanks CloneRanger for the valuable input..:)
     
  19. 0strodamus

    0strodamus Registered Member

    Joined:
    Aug 23, 2009
    Posts:
    1,058
    Location:
    United Surveillance States
    If you use Script Defender, backup the registry settings it changes beforehand. It didn't restore them correctly on my box which ended up being a PITA to undo after the fact.
     
  20. arran

    arran Registered Member

    Joined:
    Feb 5, 2008
    Posts:
    1,156
    In combination with Disabling Windows Script Host I use Malware Defender, with MD you can add or remove any type of file extension you want for MD to monitor.
     

    Attached Files:

    • s1.JPG
      s1.JPG
      File size:
      47.6 KB
      Views:
      252
  21. sg09

    sg09 Registered Member

    Joined:
    Jul 11, 2009
    Posts:
    2,811
    Location:
    Kolkata, India
    Then you don't need script defender. :D
     
  22. Rmus

    Rmus Exploit Analyst

    Joined:
    Mar 16, 2005
    Posts:
    4,020
    Location:
    California
    This is the dilemma that I encountered years ago when thinking of security applications for home users: How would they deal with such a prompt?

    My solution was (and still is) to avoid applications (for the most part) that prompt for a decision, and settle for Default-Deny solutions.

    In the case of malicious script files, I asked myself, How would such a file get onto the computer in the first place? It occurred to me that such potential scenarios are easily handled by sound policies and procedures, so that, for example, the user won't open email attachments unless notified ahead of time they are coming. This would solve the Word Document with a malicious macro scenario, along with the Love.VBS worm, which also arrived as an email attachment.

    Script files in autorun exploits are easily handled by a policies of:

    1) not using the U3-type flash drives, so that autorun will not work, in case the drive becomes infected while connected to another computer. (As I showed above, script blockers don't work against shell command exploits anyway)

    2) not permitting unknown USB media to connect to the user's computer.

    With these policies in place, no script blocker program is necessary. If a White Listed application runs a script in its normal course, so be it. Non-white listed applications that attempt to run via some remote code execution exploit are intercepted by other Default-Deny security.

    I'm speaking not to the experienced user who can use such programs and make correct decisions with prompts, as you did, but to the average home user, where teaching sound procedures and policies precludes the need for lots of security products.

    (Remote code execution exploits have not used script files in many years; it's really easier to use binary executables-- trojans-- and all of the current exploit packs contain such executables)

    ----
    rich
     
  23. ruinebabine

    ruinebabine Registered Member

    Joined:
    Aug 6, 2007
    Posts:
    1,096
    Location:
    QC
    I use xp-AntiSpy to easily desactivate/activate Windows Scripting Host at will (on xp pro). Just yesterday I needed to reactivate it to give a test run to ComboFix.
     
  24. sg09

    sg09 Registered Member

    Joined:
    Jul 11, 2009
    Posts:
    2,811
    Location:
    Kolkata, India
    How to do that?
     
  25. Rmus

    Rmus Exploit Analyst

    Joined:
    Mar 16, 2005
    Posts:
    4,020
    Location:
    California
    When I help someone set up a system, I insist on a number of policies, one being not to connect someone else's USB drive to the computer. You never know if it is a U3 type which will execute autorun, or if might be infected.

    ----
    rich
     
Thread Status:
Not open for further replies.
  1. This site uses cookies to help personalise content, tailor your experience and to keep you logged in if you register.
    By continuing to use this site, you are consenting to our use of cookies.