Please excuse my ignorance, but...

Discussion in 'WormGuard' started by Vikorr, Jul 31, 2005.

Thread Status:
Not open for further replies.
  1. Vikorr

    Vikorr Registered Member

    Joined:
    May 1, 2005
    Posts:
    662
    Does wormguard protect from ALL sources of common scripts ?

    I know WG will protect me from user activated worms (email attachments and other mouse-click activated stuff)... but what about scripts that come through our webbrowser ?

    I presume it provides the same defense for IM & P2P as for email, but that's just a presumption. Am I correct ?

    Thanks for any answers in advance :)
     
    Last edited: Jul 31, 2005
  2. ---

    --- Guest

    Well it seems the way Wormguard works is that it associates itself as the default app to use when certain extensions are opened.

    In other words, if windows is called to open one of those scripts, instead of windows 'doing it's thing' by calling the default script engine, Wormguard goes first.

    It applies only to external scripts though , not scripts interpreted directly by the browser. Eg javascript , VBS etc
     
  3. Rmus

    Rmus Exploit Analyst

    Joined:
    Mar 16, 2005
    Posts:
    3,943
    Location:
    California
    Hi ---,

    Do all browsers now interpret .vbs?

    See:

    http://216.15.201.66/dpec/courses/i11/i11ac.htm

    ---------------------------------
    Topic 2.2.1: Visual Basic Script (VBScript)
    *VBScript-Friendly Environments

    VBScript runs in the Windows Scripting Host environment and in some Web browsers. Microsoft's Internet Explorer 3.0 and later Web browsers support VBScript, but earlier versions and those from other vendors may not support VBScript.
    ---------------------------------

    I haven't seen specific documentation in the Opera Security KB about this, but will check.

    EDIT: I just checked with Opera and vbs is defined as a client side script, a proprietary microsoft technology, not recommended for Web use (except for server-side if you're running IIS), and not supported by Opera.

    Not sure about other non-IE browsers.

    regards,

    -rich
    ________________
    ~~Be ALERT!!! ~~
     
    Last edited: Jul 31, 2005
  4. Vikorr

    Vikorr Registered Member

    Joined:
    May 1, 2005
    Posts:
    662
    Hi all

    Thanks for the replies. It seems rather annoying that browsers interpret their own scripts. Can't see a speed benefit in it.

    Still, it would be great if WG4 covered browser scripts then.
     
  5. ----

    ---- Guest

    My understanding is only MSIE does. Unless things have changed for Opera.

    It's not for speed, it's designed to work that way, so webmasters can overcome the limitations of merely static html.


    Not without quite a bit of work.
     
  6. Vikorr

    Vikorr Registered Member

    Joined:
    May 1, 2005
    Posts:
    662
    And ?

    Then again, maybe what you mean is it's impossible to program, don't know :)
     
  7. Rmus

    Rmus Exploit Analyst

    Joined:
    Mar 16, 2005
    Posts:
    3,943
    Location:
    California
    When I tested several script blocking programs, I tested running scripts from within other files, such as .html. Worm Guard displayed its alert box immediately. You can demonstrate this by creating an .html file with this code. Note that it is commented out, so will not execute:

    ------------------------------
    <SCRIPT LANGUAGE="VBScript">

    <!--
    function fnCreateFolder()
    dim oShell
    dim oFolder
    dim sDir

    sDir = "C:\SomePath"
    set oShell = CreateObject("Shell.Application")
    set oFolder = oShell.NameSpace(sDir)
    end function
    -->

    </SCRIPT>
    --------------------------

    This means that if an .html file with vbscript comes in via email attachment or download, WG would block it from opening in the browser. (see image below)

    Two other programs - Script Sentry and Script Defender - did not catch this, illustrating a basic difference between Worm Guard and the other programs.

    The first two change the default action of the script filetypes to pass the command directly to the program:

    --------------------
    [HKEY_CLASSES_ROOT\VBSFile\Shell\Open\Command]
    @="C:\\Program Files\\AnalogX\\Script Defender\\sdefend.exe %1 %*"
    --------------------

    This means these two programs only block .vbs scripts when a .vbs file is executed - (d-clicked or run from a command prompt) - but not when a script is embedded in another filetype.

    On the other hand, according to the WG Help file, WG, uses several analyzing engines to run tests:

    ------------------------
    If at the end of the tests the alarm report is empty (eg. no alarms were triggered), then the file will be allowed to process normally by the operating system, allowing it to execute. If there is an alarm report, it will be displayed, and the user will then have the option of re-deciding if executing the file is a wise idea or not. WormGuard will also provide the user with a Risk Assessment.
    ----------------

    This means that WG is looking for vbscript language no matter what the file type. Put the above code in a MSWord document and WG will alert.

    Very impressive.

    So. while WG will not block a web page on-line from running vbscript (that solution lies in disabling vbscript in IE or using an alternative browser) an .html page containing vbscript on the HD will be blocked from opening in the browser.

    -rich
    ________________
    ~~Be ALERT!!! ~~
     

    Attached Files:

    Last edited: Aug 1, 2005
  8. Vikorr

    Vikorr Registered Member

    Joined:
    May 1, 2005
    Posts:
    662
    Thanks for the info. Rather helpful :)
     
  9. richrf

    richrf Registered Member

    Joined:
    Dec 11, 2003
    Posts:
    1,907
    I remember WormGuard behaving as rich described when blocking some malicious scripts, but I wasn't absolutely sure.

    Rich
     
Thread Status:
Not open for further replies.