Protection against Script attacks: XP-Antispy & others?

Rmus pointed out very nicely in
https://www.wilderssecurity.com/showpost.php?p=1683493&postcount=7
and
https://www.wilderssecurity.com/showpost.php?p=1683502&postcount=11
that a effective way to stop script attacks might be to Disabling Windows Script Host.
ruinebabine mentioned that xp-antispy could be used to disable Windows Script Host easily.

Anyone have any experience with xp-antispy? Are there any alternatives?

 

I have used XP-Antispy (3.xx) when my primary OS was Windows XP, but I have used it to optimize other settings, not to disable Windows Script Host. I do not remember it can disable Windows Script Host completely?

 

AnalogX Script Defender is an effective countermeasure too:

http://www.analogx.com/contents/download/System/sdefend/Freeware.htm .

 

Block cscript.exe & wscript.exe with SRP.

 

Nope, Rmus has pointed out very nicely in https://www.wilderssecurity.com/showpost.php?p=1683493&postcount=7 why ScriptDefender can be circumvented very easily.

 

Thats another idea...what does csript.exe do?
And I assume blocking them wont screw up SRP?

 

Hmmm, the screenshot has a setting for "deactivate scripting host".... did you ever use this feature?

 

You are right. Under miscellaneous settings, there is an option to Deactivate Scripting Host, which I have never used.
I think for protection against script attacks, NoScript in browser is enough. Email clients also has option to disable script or you can add it to blacklist extensions.

 

Actually SRP by default will prevent scripts, but blocking those files won't cause any problem.

 

SRP only prevent certain kinds of scripts (based on the extension), and SRP can enforce its policy only for files handled by MS windows, it cannot enforce it for files handled by third parties.
Hmmm I wonder if Disabling Windows Script Host will buy anything extra?

 

NoScript, indeed, can protect you from browser-side scripting attacks. But it can't protect you from script attacks on your system when ran from outside the browser for e.g scripts(like vbscript and jscript) running automatically when you open PDF files outside of the browsers.

A nice work around for system wide protection against script attacks is by blocking cscript.exe and wscript.exe via some modification in the registry setting like xpantispy, or via SRP/HIPS/AE. Or by running files sandboxed.

Here is an example of a Download and Execute Script Shellcode... http://grey-corner.blogspot.com/2010/05/download-and-execute-script-shellcode.html


Bypassing AntiVirus Detection for Malicious PDFs:
http://grey-corner.blogspot.com/2010/06/bypassing-antivirus-detection-for.html

 

I ask you, can anything in this world protect you from an infinite variety of perils ? No, so you have you compromise and hope the bullet misses you and hits somebody else. The bomber always gets through.

The eternal quest for the impossible is a fruitless pursuit. There is no pot of gold at the end of the rainbow. NoScript does a magnificent job, so just install it and don`t get paranoid.

~~ snipped remark ~~

 

That NoScript and simply disabling script from running in your PDF files can do wonders.

But how about zero day overflows and remote code executions?

AE/HIPS/SRP or Sandboxie or Light virtualizer or Image back ups can help paranoid freaks like me sleep soundly.

 

I think a good browser like Firefox with an excellent add-on like NOSCRIPT coupled with some common sense will parry most script attacks. As for attacks within a system one may use a simple HIPS like DSA in Privatefirewall or even Spyshelter.

 

Buy ya a drink ?

 

Sorry to be daft here, but how do you block selected files in a default allow SRP?
Have you not added the entire Program Files/windows directories to the whitelist?

 

From what you seem to be looking for, wearetheborg, I would say that it would be easier to go with xp-Antispy for a realy satisfying tame on zerodays scripts in all corners of your machine with a simple ON/OFF switch (no need to reboot, in my past experience on XP), imo...

 

Why the need for a program to disable WSH? Rmus' post already indicates a registry tweak to disable it.

 

The answer, for me and about xp-A in particular, would be that this program can do this very tweak easily back and forth, (i mean for a single mortal liking to tick option boxes and pushing buttons) and also can let the chauffeur intuitively do much more than single this tweak, all available options assembled in a simple free no-nonsense puppy.

 

Yes, that's default.

By either path or hash rule, select 'Disallow' for security level.

 

Hmm interesting.. So say I have C:\Foo directory which is the SRP whitelist; and another disallowed path rule for C:\Foo\baz.exe; then the disallowed rule will take precedence over the C:\Foo whiterule?

So, in general, if there is ANY disallowed rule, that will take precedence in SRP?

 

Correct.

 

+1
Does xp-Antispy block both cscript.exe & wscript.exe ?

 

​

 

If the windows scripting host is disabled, I assume javascript etc can still run in the web browser....so does blocking the scripting host buy any extra security?