How to Defeat js Malware etc

Discussion in 'malware problems & news' started by CloneRanger, Jun 22, 2016.

  1. CloneRanger

    CloneRanger Registered Member

    Joined:
    Jan 4, 2006
    Posts:
    4,978
    For e.g., this recent nasty that both encrypts your HD & is a keylogger!

    1 - Disable Wscript.exe & Cscript.exe

    2 - Install a Script blocker

    I downloaded the nasty & double clicked it, knowing I was doubly safe due to my having the above in place since W98SE days. First SD intercepts it, I then click Allow, but due to my already having disabled the above, nothing happens!

    [Attached image: RAA-js.png]

    Not only do these methods prevent such nasties, but others too.
     
  2. TairikuOkami

    TairikuOkami Registered Member

    Joined:
    Oct 10, 2005
    Posts:
    3,432
    Location:
    Slovakia
  3. Minimalist

    Minimalist Registered Member

    Joined:
    Jan 6, 2014
    Posts:
    14,883
    Location:
    Slovenia, EU
    Yes, I also disable Script Hosts completely and add file extensions to the Software Restriction Policies designated file types.
     
  4. cruelsister

    cruelsister Registered Member

    Joined:
    Nov 6, 2007
    Posts:
    1,649
    Location:
    Paris
    You also may want to consider dumping PowerShell.
     
  5. itman

    itman Registered Member

    Joined:
    Jun 22, 2010
    Posts:
    8,593
    Location:
    U.S.A.
    I monitor globally the start-ups of jscript*.exe, wscript.exe, powershell.exe, cmd.exe, etc. using Eset's HIPS.

    Additionally, I monitor browser execution of any of the following:

    jscript*.exe
    wscript.exe
    telnet.exe
    mshta.exe
    cmd.exe
    ftp.exe
    rundll32.exe
    reg.exe
    at.exe
     
  6. NormanF

    NormanF Registered Member

    Joined:
    Feb 20, 2009
    Posts:
    2,879
    Browser execution of .js is expected and nothing to worry about.

    This ransomware executes outside the browser when Windows Script Host runs an email .js file attachment that's been opened.

    Just opened - you don't need to double-click on the infected file for it to run and it doesn't need user permission to execute.

    There is no real legitimate need to send someone a .js attachment so if you notice an e-mail that has one, delete it immediately and empty it from your trash.

    Disable WSH (which is enabled by default) to keep Windows secure. It won't affect .js in the browser and if your browser runs sandboxed, nothing can damage your data.
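
    As an added example (not posted by anyone in this thread), the "disable WScript/CScript" advice in post 1 and the "disable WSH" advice above come down to one documented registry switch; this PowerShell audits it, sets it, and can revert it. Assumptions: an elevated prompt for the HKLM write, and Windows where WSH is present.

```powershell
# Added example, not from the thread or any poster: audit and (optionally) disable
# Windows Script Host (WSH) through its documented registry switch.
# WSH reads a DWORD named "Enabled" under the Settings key; 0 makes wscript.exe and
# cscript.exe refuse every script with "Windows Script Host access is disabled on
# this machine". The setting exists in both hives, so both are handled here.
# Run from an elevated PowerShell prompt so the HKLM write succeeds.

$WshSettingsKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows Script Host\Settings',
    'HKCU:\SOFTWARE\Microsoft\Windows Script Host\Settings'
)

function Get-WshState {
    # Returns one object per hive describing the current Enabled value.
    # A missing value means WSH is enabled (the Windows default).
    foreach ($key in $WshSettingsKeys) {
        $value = (Get-ItemProperty -Path $key -Name Enabled -ErrorAction SilentlyContinue).Enabled
        $state = if ($null -eq $value) { 'not set (WSH enabled by default)' }
                 elseif ($value -eq 0)  { 'disabled' }
                 else                    { 'enabled' }
        [pscustomobject]@{ Key = $key; Enabled = $state }
    }
}

function Disable-Wsh {
    # Writes Enabled=0 in both hives, creating the Settings key if it is absent.
    foreach ($key in $WshSettingsKeys) {
        if (-not (Test-Path $key)) { New-Item -Path $key -Force | Out-Null }
        Set-ItemProperty -Path $key -Name Enabled -Value 0 -Type DWord
    }
}

function Enable-Wsh {
    # Removes the override again, restoring the default (enabled) behaviour.
    foreach ($key in $WshSettingsKeys) {
        if (Test-Path $key) {
            Remove-ItemProperty -Path $key -Name Enabled -ErrorAction SilentlyContinue
        }
    }
}

Write-Host 'Before:'; Get-WshState | Format-Table -AutoSize
Disable-Wsh
Write-Host 'After:';  Get-WshState | Format-Table -AutoSize
```

    After running it, double-clicking any .js/.vbs file produces only the "access is disabled" dialog, which is exactly the "nothing happens" outcome described in post 1; JavaScript inside the browser is unaffected because browsers do not use WSH.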
     
  7. Rmus

    Rmus Exploit Analyst

    Joined:
    Mar 16, 2005
    Posts:
    4,020
    Location:
    California
    Hello Norman,

    This is true for js files in a self-extracting rar attachment.

    Have you seen where a ZIP file attachment can do the same thing? All of the ZIP attachments with a js file that I've seen are normal ZIP files.

    Thanks,

    ----
    rich
     
    Last edited: Jun 23, 2016
  8. itman

    itman Registered Member

    Joined:
    Jun 22, 2010
    Posts:
    8,593
    Location:
    U.S.A.
    FYI

    Within the last few days, researchers have discovered a ransomware strain, called RAA, entirely written in JavaScript. In theory, a future HTML5 malvertising campaign would be able to deliver ransomware directly to the user via HTML5. "JavaScript is a general purpose programming language," comments Simon Crosby, CTO at Bromium. "Once one hacker has figured out how to use it to write crypto-malware, any other hacker can simply read the source code and use it elsewhere. So I expect to see rapid re-use and many variants of this attack." The only way to prevent such breaches, he suggests, "is to use an endpoint isolation technology like micro-virtualization that hardware isolates each tab of the browser from the OS - so that crypto-malware cannot impact the endpoint."

    Ref.: http://www.securityweek.com/html5-wont-stop-malvertising-brings-new-threats

    -EDIT- Here's a ref. to HTML5 attack vectors: http://heideri.ch/jso/
     
    Last edited: Jun 24, 2016