Script Defender Remake?

Discussion in 'other anti-malware software' started by EASTER, Jul 24, 2008.

Thread Status:
Not open for further replies.
  1. muf

    muf Registered Member

    Joined:
    Dec 30, 2003
    Posts:
    926
    Location:
    Manchester, England
    I also let it autorun from a CD I burned the files to.
     

  2. Pedro

    Pedro Registered Member

    Joined:
    Nov 2, 2006
    Posts:
    3,502
    I forgot about RegRun. RunGuard + WG + Script Sentry :p

    Last time I tried I couldn't make it autorun. Now it does, and I see RunGuard's alert as well.

    If I open cmd and type 'wscript start.vbs' I get no alert; calc executed.
    So it's not the same thing.

    The thing about RunGuard is that it comes with RegRun. I never got along with that. From installation it's window after window opening non-stop, all kinds of settings and options.
    He should make a standalone.
     
  3. muf

    muf Registered Member

    Joined:
    Dec 30, 2003
    Posts:
    926
    Location:
    Manchester, England
    I concur. Initializing the command this way does in fact open calc without RunGuard stopping it. Although if you add cmd.exe to the blacklist within RunGuard, then cmd cannot run in the first place.

    muf
     
  4. Rmus

    Rmus Exploit Analyst

    Joined:
    Mar 16, 2005
    Posts:
    4,020
    Location:
    California
    Thanks, muf, for confirming about the command prompt.

    Can you post the contents of the autorun file you used?

    ---
     
    Last edited: Jul 29, 2008
  5. EASTER

    EASTER Registered Member

    Joined:
    Jul 28, 2007
    Posts:
    11,126
    Location:
    U.S.A. (South)
    Thanks muf for filling us in on that, but is this a totally separate app, or is it integrated into Greatis' entire anti-malware program?

    All that site shows as a headliner is:
    RegGuard protects Windows startup registry keys from changing.

    My question is just how many it can cover; there's over time been a plethora of invasions into scripts like CHM, HLP, etc., to name a few. And from what I've seen there's a definite limit to how many associations/extensions they can cover.

    Then it lists registry entries it covers; any HIPS can do that and cover much more. (Curious)

    EASTER
     
    Last edited: Jul 29, 2008
  6. muf

    muf Registered Member

    Joined:
    Dec 30, 2003
    Posts:
    926
    Location:
    Manchester, England
    Here's a screenie of the contents of the CD and each of the files open in Notepad.
     

  7. muf

    muf Registered Member

    Joined:
    Dec 30, 2003
    Posts:
    926
    Location:
    Manchester, England
    It is integrated within RegRun as part of the suite. http://www.greatis.com/security/detail.htm#FULL
    It appears that RunGuard is only available in the Gold and Platinum versions.

    It has set file types it monitors, but you can add more to the blacklist. As far as I can see, you could put any number of file types in the blacklist. There doesn't appear to be a limit.

    See these screenies.
     

    Last edited: Jul 31, 2008
  8. Rmus

    Rmus Exploit Analyst

    Joined:
    Mar 16, 2005
    Posts:
    4,020
    Location:
    California
    Hello muf,

    It doesn't make sense to me that RegRun alerts to the autorun command using

    shellexecute=wscript.exe,

    yet does not alert when wscript.exe is run from a command prompt.

    Can you change the filename start.vbs to start.jnk and run again from your CD using this autorun.inf file:

    ------------------------------
    [AutoRun]
    wscript /e:vbscript "start.jnk"
    ------------------------------

    thanks,


    ----
    rich
     
  9. muf

    muf Registered Member

    Joined:
    Dec 30, 2003
    Posts:
    926
    Location:
    Manchester, England
    OK, I did what you said, but that makes no sense really, as RegRun is not designed to stop .jnk files. I popped the disc in and it opened the folder that contains both files. It didn't run the start.jnk file. Not sure what result you were hoping for, tbh.

    muf
     

  10. Rmus

    Rmus Exploit Analyst

    Joined:
    Mar 16, 2005
    Posts:
    4,020
    Location:
    California
    Sorry, muf,

    I gave you the wrong syntax for the Autorun.inf file. It should be

    --------------------------------------------------------
    [Autorun]
    shellexecute=wscript.exe /e:vbscript "start.jnk"
    --------------------------------------------------------


    Would you also test with start.vbs again using:


    ----------------------------------------------
    [autorun]
    open=wscript.exe /e:vbscript "start.vbs"
    ----------------------------------------------


    I'll explain when I see these results!


    thanks,


    ----
    rich
     
    Last edited: Jul 31, 2008
  11. muf

    muf Registered Member

    Joined:
    Dec 30, 2003
    Posts:
    926
    Location:
    Manchester, England
    Rich,

    I tried both methods as you requested. Pleased to let you know that with this particular script the calculator ran and RunGuard did not alert. 'Pleased' may not be the term I mean, but I suspect this result will give you some satisfactory information.

    muf
     
  12. Rmus

    Rmus Exploit Analyst

    Joined:
    Mar 16, 2005
    Posts:
    4,020
    Location:
    California
    Thanks, muf.

    Here are the results and comments about the different Autorun.inf commands:

    1)
    ----------------------------------------------
    Alert from RunGuard:
    shellexecute=wscript.exe start.vbs

    No Alert:
    shellexecute=wscript.exe /e:vbscript "start.jnk"
    -------------------------------------------------

    This confirms what you said about RegRun watching for .vbs files. A spoofed scripting file will run because the script engine command with correct parameters is not concerned about file extensions.

    But "open=start.jnk" will not work because that command uses Windows to associate the file extension with a program, and of course, there is nothing associated with .jnk.

    2)
    ------------------------------------------------
    Alert:
    shellexecute=wscript.exe start.vbs

    No Alert:
    open=wscript.exe /e:vbscript "start.vbs"
    ------------------------------------------------

    This is interesting, because Script Defender does not alert to the command shellexecute=.
    ShellExecute is a Windows API call, so perhaps RegRun is looking deeper than the other script blocking programs? This would be an interesting question for greatis.com.

    The command open=wscript.exe passes directly to the script engine, in the same way cmd.exe does (not using Windows file associations), and none of the script blocking programs will alert.

    The solution, as you surmised, is to block or blacklist cmd.exe, and by deduction, also wscript.exe.

    Should one be concerned about this? Analyses of some recent USB pen drive and picture frame exploits where the autorun.inf file is listed do not show a .vbs file.

    Typical autorun.inf file seen in security analyses:
    Code:
    [autorun]
    open=kwjkpww.exe
    shell\open=Open
    shell\open\Command=kwjkpww.exe
    shell\explore=Explore
    shell\explore\Command=kwjkpww.exe
    
    However, the Switchblade and Hacksaw USB exploits did use a .vbs file, and their autorun.inf files showed:
    Code:
    [autorun]
    open=wscript go.vbs
    
    This would bypass script blocking programs.

    Some other exploits also use autorun.inf and .vbs files, but unfortunately, the analyses do not list the contents of the autorun.inf file so we don't know the commands used. Here is one:

    Worm:VBS/AutoRun.B
    http://www.f-secure.com/v-descs/worm_vbs_autorun_b.shtml
    Other preventative measures for this type of exploit include:

    ==> disabling AutoRun;

    ==> having a policy of not permitting other people's USB devices on your computer;

    ==> avoiding U3-type USB flash drives (autorun doesn't work on non-U3 types). If you used your non-U3 type flash drive to copy some files from another person's computer which was infected with a USB virus, the virus would install on your flash drive but would not run on your computer. To confirm, I put a USB exploit on my non-U3 flash drive and the Autorun.inf file does not run when I plug it into my computer.

    ==> others _______________?

    Some References

    infections on pendrive
    http://www.computing.net/answers/security/infections-on-pendrive/19560.html

    Security Watch Island Hopping
    http://technet.microsoft.com/en-us/magazine/cc137730.aspx

    CES Risk: Free USB Flash Drives
    http://www.informationweek.com/news/security/cybercrime/showArticle.jhtml?articleID=205210426


    ---
     
    Last edited: Aug 1, 2008
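An added example, not code from the thread or from Greatis: a small Python analyser for autorun.inf files that classifies each launch command the way the posts above work through by hand. It tells apart commands that name a script host outright (wscript.exe, with or without the /e: engine switch, which the thread shows an extension-keyed blocker cannot rely on) from commands that depend on a Windows file association (open=go.vbs, open=start.jnk) or launch a plain executable. The function names, the reason labels, and the host/extension lists are this example's own choices; the sample autorun.inf contents are constructed from the values posted in the thread.

```python
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

# Script hosts that take a file straight from the command line (own list).
# Compared lower-cased and without ".exe".
SCRIPT_HOSTS = {"wscript", "cscript", "cmd", "mshta", "powershell"}
# Extensions Windows Script Host resolves to an engine through file association.
WSH_EXTENSIONS = {".vbs", ".vbe", ".js", ".jse", ".wsf", ".wsh"}
# [autorun] keys that launch a command; shell\<verb>\command keys are matched by regex.
LAUNCH_KEYS = {"open", "shellexecute"}
SHELL_COMMAND_RE = re.compile(r"^shell\\[^\\]+\\command$", re.IGNORECASE)


@dataclass
class Finding:
    key: str                  # autorun.inf key, e.g. "open" or "shell\open\Command"
    command: str              # raw value of that key
    program: str              # first token, normalised ("WScript.EXE" -> "wscript")
    target: Optional[str]     # first non-switch argument, if any
    reasons: List[str] = field(default_factory=list)  # labels are this example's own

    @property
    def requires_host_blacklist(self) -> bool:
        # Host named explicitly: the only extension-independent control is
        # blocking the host itself, which is the thread's conclusion.
        return "script-host-direct" in self.reasons


def parse_autorun(text: str) -> List[Tuple[str, str]]:
    """(key, value) pairs from the [autorun] section; names are case-insensitive."""
    pairs, in_section = [], False
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            in_section = line[1:-1].strip().lower() == "autorun"
        elif in_section and "=" in line:
            key, value = line.split("=", 1)
            pairs.append((key.strip(), value.strip()))
    return pairs


def split_command(cmdline: str) -> List[str]:
    """Whitespace-split a command line, letting double quotes group a token."""
    tokens, cur, quoted = [], "", False
    for ch in cmdline:
        if ch == '"':
            quoted = not quoted
        elif ch.isspace() and not quoted:
            if cur:
                tokens.append(cur)
            cur = ""
        else:
            cur += ch
    if cur:
        tokens.append(cur)
    return tokens


def basename(path: str) -> str:
    return path.replace("/", "\\").rsplit("\\", 1)[-1]


def ext(path: str) -> str:
    name = basename(path)
    return "." + name.rsplit(".", 1)[1].lower() if "." in name else ""


def analyze(text: str) -> List[Finding]:
    findings = []
    for key, value in parse_autorun(text):
        if key.lower() not in LAUNCH_KEYS and not SHELL_COMMAND_RE.match(key):
            continue
        tokens = split_command(value)
        if not tokens:
            continue
        first = tokens[0]
        prog = basename(first).lower()
        prog = prog[:-4] if prog.endswith(".exe") else prog
        switches = [a for a in tokens[1:] if a[:1] in ("/", "-")]
        files = [a for a in tokens[1:] if a not in switches]
        f = Finding(key, value, prog, files[0] if files else None)
        if prog in SCRIPT_HOSTS:
            f.reasons.append("script-host-direct")      # association never consulted
            if any(s.lower().startswith("/e:") for s in switches):
                f.reasons.append("engine-override")     # /e:vbscript fixes the engine
            if f.target and ext(f.target) not in WSH_EXTENSIONS:
                f.reasons.append("spoofed-extension")   # e.g. start.jnk
        elif ext(first) == ".exe":
            f.reasons.append("executable")              # plain binary, no script host
        elif ext(first) in WSH_EXTENSIONS:
            f.reasons.append("script-via-association")  # open=go.vbs: blocker sees .vbs
        else:
            f.reasons.append("unknown-association")     # open=start.jnk: nothing to run it
        findings.append(f)
    return findings


# Constructed samples: the autorun.inf values posted in the thread, plus one
# that relies on a file association that does not exist.
SAMPLES = {
    "thread-alerted": "[AutoRun]\nshellexecute=wscript.exe start.vbs\n",
    "thread-jnk": '[Autorun]\nshellexecute=wscript.exe /e:vbscript "start.jnk"\n',
    "thread-open": '[autorun]\nopen=wscript.exe /e:vbscript "start.vbs"\n',
    "switchblade": "[autorun]\nopen=wscript go.vbs\n",
    "typical-worm": ("[autorun]\nopen=kwjkpww.exe\nshell\\open=Open\n"
                     "shell\\open\\Command=kwjkpww.exe\nshell\\explore=Explore\n"
                     "shell\\explore\\Command=kwjkpww.exe\n"),
    "no-association": "[autorun]\nopen=start.jnk\n",
}


def report(samples: Dict[str, str] = SAMPLES) -> Dict[str, List[Finding]]:
    return {name: analyze(text) for name, text in samples.items()}


if __name__ == "__main__":
    for name, findings in report().items():
        for f in findings:
            flag = "BLOCK-HOST" if f.requires_host_blacklist else "          "
            print(f"{flag} {name:15} {f.key}={f.command} -> {', '.join(f.reasons)}")
```

Run it and every wscript line, including the one RunGuard did alert on, comes back flagged BLOCK-HOST; the difference between the alerting and non-alerting variants lives only in the extra "engine-override" and "spoofed-extension" labels, which is exactly why the thread ends up recommending a blacklist on the host rather than on the script extension.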