Script Defender Remake?

Discussion in 'other anti-malware software' started by EASTER, Jul 24, 2008.

Thread Status:
Not open for further replies.
  1. EASTER

    EASTER Registered Member

    Joined:
    Jul 28, 2007
    Posts:
    11,126
    Location:
    U.S.A. (South)
    Is anyone in favor, including either product developers or freelances that a script interceptor along the lines of AnalogX's now abandoned SD would be worth the effort to compile for that little extra security coverages? And perhaps even leaving open (if possible) where a user could add thir own 3 letter or number extension that would be flagged like ScriptDefender is done in the past for some file associations?

    I often sympathized with ErikAlbert over the abandonment of this project since it seemed a very well rounded script catcher that was completely configurable. Script Sentry and others of course are limited in scope in comparison, and am very curious why this simple little prevention type app could be left undone since on uninstall it doesn't exactly return your associations back to their normal defaults as expected.

    I taken the effort to gather ALL the .reg scripts courtesy Doug Knox & Kelly's just so if i decide to uninstall i won't be left in a complete panic and frustration as whay Erik experienced with it.

    Other then that, is there a reason why a useful small app of this nature just doesn't get the press or attention that it really seems to deserve seeing as it would go a long way in preventing malicious script attacks if compiled to exercise some form of either damage or disruption.

    Just curious on what everyone's take is on this. Is it at all worthwhile you think for a developer to fashion something on this order as a separate application?

    Although i haven't research as much as i wish i should have up to now i have made a ADS on my own machine that launches an ADS executable via vbs & batch file or both and they work flawlessly. (I use a toy named Rubberball.exe) as the executable.

    Taken from this URL:
    http://www.cknow.com/vtutor/NTFSADSViruses.html

    EASTER
     
    Last edited: Jul 24, 2008
  2. EASTER

    EASTER Registered Member

    Joined:
    Jul 28, 2007
    Posts:
    11,126
    Location:
    U.S.A. (South)
    Is there not even a suggestion or opinion on this or do you feel like other apps or SRP are good enough to supercede the need for such a program.

    Really would appreciate any constructive feedback or experiences that might be relevant to this type of interest.

    Thanks

    EASTER
     
  3. Pedro

    Pedro Registered Member

    Joined:
    Nov 2, 2006
    Posts:
    3,502
    SRP makes Script Defender basically useless and inferior.

    Script Sentry has something extra (it analyses the script rather than just warn on anything, and it can analyze macros), though its usefulness is also limited.
     
  4. jmonge

    jmonge Registered Member

    Joined:
    Mar 20, 2008
    Posts:
    13,744
    Location:
    Canada
    does drivesentry blocks scripts virus well?any experience?
     
  5. MikeNAS

    MikeNAS Registered Member

    Joined:
    Sep 28, 2006
    Posts:
    697
    Location:
    FiNLAND
  6. jmonge

    jmonge Registered Member

    Joined:
    Mar 20, 2008
    Posts:
    13,744
    Location:
    Canada
  7. Rmus

    Rmus Exploit Analyst

    Joined:
    Mar 16, 2005
    Posts:
    4,020
    Location:
    California
    In thinking about 'security coverages' - to use your phrase - I consider the attack vectors. For scripts, they include

    1) Scripts triggered by the Browser and/or plugins and similar applications

    2) Scripts triggered by macros in MSOffice documents

    3) Scripts that get onto the computer and the user clicks to open/run

    4) Scripts triggered by autorun.inf files on removable media

    We can eliminate 1) since that security is covered by the Browser security configurations

    For 2) I believe that current Office applications have Macro protection which alert if a document contains macros.

    Script Defender and similar protect well against 3) but protection against this attack mode can also be covered by common sense which should say, Why do I want to open an unknown script file? Or more basic, How will such a file get onto my computer in the first place?

    Script Defender will protect against 4) if a Windows command is used to open the file. But, as discussed in another thread, all attacks I've seen use Shell commands and the script engine to start the attack.

    Consider:

    Code:
    
    [u]Autorun.inf[/u]
    [autorun]
    shellexecute=wscript.exe start.vbs
    
    [u]start.vbs[/u]
    
    set shell = CreateObject("WScript.Shell")
    shell.Run "calc.exe"
    
    So SD will not block this attack:

    sd-calc.gif
    __________________________________________________

    There are other more effective ways of blocking this type of attack. Therefore, I conlude for myself
    that programs like Script Defender would not add to security coverage.

    My Motto: The fewer applications to fiddle with, the better.

    ---
     
  8. EASTER

    EASTER Registered Member

    Joined:
    Jul 28, 2007
    Posts:
    11,126
    Location:
    U.S.A. (South)
    All valid points, and leads me back again to HIPS because if anything were to contain let's say an executable designed to release a script that could delete the entire system, even on reboot as Hard Drive Killer does (I have a copy). This malware completely obliterated a Windows 98 unit once by me accidently clicking on the batch file, in a matter of seconds it went to work and unbekowns to me and confirmed by the virus author, it's designed deliberately for a user to panic and shut down the PC, only to find on start up it finishes the job. It's now been compiled into an executable to drop a script (vbs) or (batch) to do it's thing.

    AE would immediately block it, a HIPS would immediately suspend it long enough to investigate it.

    Script Defender is probably old hat by now but it offers me anyway an alternative just in case of a security program glitch or for lack of a better term, a "miss".

    I haven't tried it with SRP yet.

    EASTER
     
  9. jmonge

    jmonge Registered Member

    Joined:
    Mar 20, 2008
    Posts:
    13,744
    Location:
    Canada
    i am having a hard time to find a security software that can prevent or block
    a cross-site attack malware kind.does Anti Executable Blocks this type of attack?thanks in advance.
     
  10. Pedro

    Pedro Registered Member

    Joined:
    Nov 2, 2006
    Posts:
    3,502
    It will block it if you use a LUA.
     
  11. Toby75

    Toby75 Registered Member

    Joined:
    Mar 10, 2006
    Posts:
    480
    Wouldn't SRP prompt as admin?
     
  12. EASTER

    EASTER Registered Member

    Joined:
    Jul 28, 2007
    Posts:
    11,126
    Location:
    U.S.A. (South)
    Either/or and irregardless, i would personally (and i don't think i'm in the minority completely) really like to see ScriptDefender remade again if nothing else by someone new, even Script Sentry is been left behind. I know HIPS + SRP likely make them of little use for most anymore, but it sure couldn't hurt to have such an app like i described where you could even add your own 3 letter/number extension and it jump up and alert on it.

    I just admire these old style apps and the fact they can still be of some use even on NT systems today.

    EASTER
     
  13. doktornotor

    doktornotor Registered Member

    Joined:
    Jul 19, 2008
    Posts:
    2,047
    Pardon me, but this is no attack... this is a feature. If you dislike autorun, then disable it in operating system, instead of complaining that third-party apps don't block legitimate functionality. :blink:
     
  14. Peter2150

    Peter2150 Global Moderator

    Joined:
    Sep 20, 2003
    Posts:
    20,590
    Easter, you need a reality check. You acknowledge they are of little use, but wish someone would develop one. Okay so a developer says he needs 2000 sales at $30 to make it viable. You gonna cough up the $60000? That's the heart of the problem.

    Pete
     
  15. EASTER

    EASTER Registered Member

    Joined:
    Jul 28, 2007
    Posts:
    11,126
    Location:
    U.S.A. (South)
    Pete, with all do respect, you need a reality check. Older apps are as efficient now as they were eons again, well at least some of them are. And you're way off base in your figures and obviously don't favor freeware developers and freelancers because of the almighty dollar thats lodge in the brain.

    Not everyone needs greats amount of greenbacks to compile programs, then i guess you never compile any yourself personally but rather rely on forking over for commercial interests without hesitation, and thats all and good for those who have it to throw around.

    EASTER
     
  16. Pedro

    Pedro Registered Member

    Joined:
    Nov 2, 2006
    Posts:
    3,502
    AFAIK, SRP does not prompt ever. It blocks.

    If you configure SRP to skip Administrators, then SRP does not block for administrators.
    If you apply SRP for all including admins, it will block, only admins can write to Program Files and Windows folders - where normally SRP allows execution (it really depends on configuration, but it's the 'default' in a way).

    See here: http://www.mechbgon.com/srp/
     
  17. Rmus

    Rmus Exploit Analyst

    Joined:
    Mar 16, 2005
    Posts:
    4,020
    Location:
    California
    [refering to using USB/Autorun to launch a script file]

    It's an attack, albeit one that exploits the open door of a feature.

    I stated,

    and disabling Autorun is one of several ways.

    ---
     
  18. Peter2150

    Peter2150 Global Moderator

    Joined:
    Sep 20, 2003
    Posts:
    20,590
    Easter, I have no quarrel that in many cases older programs are better. But if your logic was correct you wouldn't have to be asking for the script programs you'd have them. Obviously for whatever the reason it isn't worth anyone's time.
     
  19. Pedro

    Pedro Registered Member

    Joined:
    Nov 2, 2006
    Posts:
    3,502
    I think there would be some use for a good script blocker, just not a 'Script Defender remake'.
    I look at the best, imo Script Sentry and WormGuard, and i think something better along these lines would be useful.

    They're sort of an Antivirus, for scripts, but with very generic heuristics (if i can call it that, don't know).
    They detect a script being executed, block it, analyze it and tell us what these could do - open a file, delete a file, execute a program, etc.

    The best use for a script blocker is of course blocking the possibility of a script running without our knowledge. A whitelist for scripts.

    As they stand, they can be bypassed (run a script in cmd and it will pass, CD with autorun..). But this can surely be improved.

    Then, they have to add languages and interpreters to detect, analyze and block. Not trivial.
    And perhaps they could introduce better, more intelligent rules for the analysis, like delete a file + system32.

    All in all, an AV does/could do this, perhaps in some advanced settings - as this arises many FP's; SS and WG flag innocent scripts as well as bad ones, but the user is given a bit of information on the reason.

    It's getting late, and my brain is failing right now. I'm missing something.
     
  20. EASTER

    EASTER Registered Member

    Joined:
    Jul 28, 2007
    Posts:
    11,126
    Location:
    U.S.A. (South)
    And just by chance, and it's happened before with Microsoft Systems, what happens if something, let's say a destructive malware app or even some script bypasses SRP, then what?

    There are plenty of intelligent computer minds out there that likely could easily disable it as easy as malware authors blow the tires off System Restore, and you're right, theres no PROMPT, it just blocks, so if it was happened to become bypassed or rendered disabled by some cruel & clever means, the user would never know about it.

    EASTER
     
  21. EASTER

    EASTER Registered Member

    Joined:
    Jul 28, 2007
    Posts:
    11,126
    Location:
    U.S.A. (South)
    Unfortunately it does seem the case, at least for the time being as regards open-source or commercial developers to bother with such an app. But i recall ErikAlbert going heads over heels about this app untill he uninstalled it and found what SD's associations were covered not working anymore. Of course theres a simple workaround for that and it's not that big a deal for someone willing to apply the default reg files and such to restore them.

    I know some like yourself find it much easier just to use SandboxIE and thats a potent app PERIOD!

    Just so you don't get the wrong idea, the applying of ScriptDefender and wishful thinking on seeing it remade again is purely for research purposes on this end. But if it was redone by someone i think it would be a great addition to script protection for users interested in running less security apps.

    Then again, AV's and other "resident" AS apps i think have taken a huge bite out of those type virus script writers efforts as well as HIPS has done, and all but have rendered them completely useless. SRP too.

    EASTER
     
  22. Pedro

    Pedro Registered Member

    Joined:
    Nov 2, 2006
    Posts:
    3,502
    Lets separate the issues:

    If it's an exe, vbs, dll - it's blocked, unless there's a bug. Saying a bug is possible leads nowhere.

    If it's a script not blocked by SRP, sure.
    These are interpreted by some program allowed in SRP (if i'm wrong someone correct me), and probably can be adjusted in that program (Word has a good policy for macros for instance).
    If that program doesn't have such feature, it's where such script blocker could prove useful - but forget Script Defender, it's very basic.
    And at least they are limited by the LUA.

    Finally you say that if it doesn't prompt, it doesn't prompt when it fails either. Is this correct?
    If it is, note that this is the same for HIPS as well. Do you disagree?

    Then there's exploits. I really don't know how to think on it, other than "at least it's limited by the OS".
     
  23. muf

    muf Registered Member

    Joined:
    Dec 30, 2003
    Posts:
    926
    Location:
    Manchester, England
    The application you are looking for already exists. Regrun RunGuard does everything ScriptDefender and WormGuard does, and more. It's been around for years and i've used it for years. Your test script for running the calculator was easily stopped by it.

    muf
     
  24. Rmus

    Rmus Exploit Analyst

    Joined:
    Mar 16, 2005
    Posts:
    4,020
    Location:
    California
    Can you post a screenshot of the alert you got with the test script?

    ---
     
  25. muf

    muf Registered Member

    Joined:
    Dec 30, 2003
    Posts:
    926
    Location:
    Manchester, England
    As requested.

    muf
     

    Attached Files:

Thread Status:
Not open for further replies.
  1. This site uses cookies to help personalise content, tailor your experience and to keep you logged in if you register.
    By continuing to use this site, you are consenting to our use of cookies.