Faronics Anti-Executable v3 Beta

How often do you use scripts on your system?

It seems to me that your XP-antispy is a workable solution. Just keep a shortcut to it handy
to re-enable WSH when you want to use a local script.


--

 

OK, i see what your chief concern is, the proverbial REMOTE script attack thru the browser. A very valid concern more so for IE users i think then others, but then FF is beginning to feel the heat now since so many users ran like a rabbit over to it for security some time ago, and yet they still seem extremely cautious of it. Well, unfortunately or not, thats the nature of the internet's windows way and is the open avenue for introducing all sorts of REMOTE entry where they are discovered then implimented to create maximum disruption.

EASTER

 

You can control the executions of scripts by using SRP and then only allow the "good" scripts by creating a certificate rule so that you can only execute scripts signed with a particular certificate. Another way is forcing wscript.exe and cscript.exe to run sandboxed in Sandboxie.

/C.

 

No, only non-browser scripts here. Such as the USB exploits I've mentioned.

How else is a user susceptible to script files -- like the finjan.vbs file -- from being executed remotely.

If the threat is minimal to non-existent, is there any need for a script blocking program?

For example, USB exploits are easily blocked by disabling AutoRun for the drive. No need for a separate program to block the script if the Autorun.inf file can't execute its commands.

Thanks for the alternative suggestions.


---

 

Correct
You can whitelist your good scripts using a digital certificate or their cryptographic hash and deny the rest.

 

Ok then, we're focusing on either physical access to your machine or a rogue placement on a user's USB they take home and plug into their unit. Then yes, that particular exploit needs be prevented in advance of course.

Funny, you should mention Finjan.vbs test, that poor thing doesn't stand a chance against the HIPS (EQS) when all the parameters are set to BLOCK such as Desktop and/or My Documents plus wherever it tries to copy from. But i know we're not talking HIPS here as formidable as this one really is, but more on Faronic's Anti-Executable in keeping with this topic.

Similar in a way as those running just LUA, that's fine and dandy against dll injections or some Low-Level Disk Access and drivers, but doesn't stop all userland executables from firing. Now a combo of LUA w/ AE mgiht be ideal basic coverage should a user expect the worse from their travels.

EASTER

 

I suggest we eliminate the physical access one for this discussion.

That leaves the USB one, which is easily prevented by other means already discussed.

Since you haven't come up with other means of exploitation (I also can't find any current ones), in the interest of running with as few security programs as necessary, I propose that there is no need for a separate script blocking program. Certainly not those that have been mentioned here, which are of no use to the USB type of attack.

But I'm open to a change of mind in the event that other types of attacks seem probable.

The past loveletter types of attacks via .vbs email attachment certainly need no comment in a forum like this.

For browser scripts, there are ways to disable those within the browser.

After perusing the other LUA thread about needing something more, I think this is an ideal combination.

I'm waiting to hear back from tlu about a couple of matters regarding LUA.

---

 

Has anyone heard when a new version correcting the Firefox 3 problem will be released?