Protection against Script attacks: XP-Antispy & others?

Discussion in 'other anti-malware software' started by wearetheborg, Aug 18, 2010.

Thread Status:
Not open for further replies.
  1. wearetheborg

    wearetheborg Registered Member

    Joined:
    Nov 14, 2009
    Posts:
    667
  2. Boyfriend

    Boyfriend Registered Member

    Joined:
    Jun 7, 2010
    Posts:
    1,070
    Location:
    Pakistan
    I have used XP-Antispy (3.xx) when my primary OS was Windows XP, but I have used it to optimize other settings, not to disable Windows Script Host. I do not remember whether it can disable Windows Script Host completely.
     
  3. andyman35

    andyman35 Registered Member

    Joined:
    Nov 2, 2007
    Posts:
    2,336
  4. Sadeghi85

    Sadeghi85 Registered Member

    Joined:
    Dec 20, 2009
    Posts:
    747
    Block cscript.exe & wscript.exe with SRP.
     
  5. wearetheborg

    wearetheborg Registered Member

    Joined:
    Nov 14, 2009
    Posts:
    667
  6. wearetheborg

    wearetheborg Registered Member

    Joined:
    Nov 14, 2009
    Posts:
    667
    That's another idea... what does cscript.exe do?
    And I assume blocking them won't screw up SRP? :D
     
  7. wearetheborg

    wearetheborg Registered Member

    Joined:
    Nov 14, 2009
    Posts:
    667
    Hmmm, the screenshot has a setting for "deactivate scripting host".... did you ever use this feature?
     
  8. Boyfriend

    Boyfriend Registered Member

    Joined:
    Jun 7, 2010
    Posts:
    1,070
    Location:
    Pakistan
    You are right. Under miscellaneous settings, there is an option to Deactivate Scripting Host, which I have never used.
    I think for protection against script attacks, NoScript in the browser is enough. Email clients also have an option to disable scripts, or you can add it to blacklist extensions.
     
  9. Sadeghi85

    Sadeghi85 Registered Member

    Joined:
    Dec 20, 2009
    Posts:
    747
    Actually SRP by default will prevent scripts, but blocking those files won't cause any problem.


    cscript.PNG
     
  10. wearetheborg

    wearetheborg Registered Member

    Joined:
    Nov 14, 2009
    Posts:
    667

    SRP only prevents certain kinds of scripts (based on the extension), and SRP can enforce its policy only for files handled by MS Windows; it cannot enforce it for files handled by third parties.
    Hmmm I wonder if Disabling Windows Script Host will buy anything extra?
     
  11. trismegistos

    trismegistos Registered Member

    Joined:
    Jan 29, 2009
    Posts:
    365
    NoScript, indeed, can protect you from browser-side scripting attacks. But it can't protect you from script attacks on your system when run from outside the browser, e.g. scripts (like VBScript and JScript) running automatically when you open PDF files outside of the browser.

    A nice workaround for system-wide protection against script attacks is blocking cscript.exe and wscript.exe via some modification in the registry settings, like XP-Antispy does, or via SRP/HIPS/AE. Or by running files sandboxed.

    Here is an example of a Download and Execute Script Shellcode... http://grey-corner.blogspot.com/2010/05/download-and-execute-script-shellcode.html


    Bypassing AntiVirus Detection for Malicious PDFs:
    http://grey-corner.blogspot.com/2010/06/bypassing-antivirus-detection-for.html
     
  12. John Bull

    John Bull Registered Member

    Joined:
    Nov 22, 2009
    Posts:
    904
    Location:
    London UK
    I ask you, can anything in this world protect you from an infinite variety of perils? No, so you have to compromise and hope the bullet misses you and hits somebody else. The bomber always gets through.

    The eternal quest for the impossible is a fruitless pursuit. There is no pot of gold at the end of the rainbow. NoScript does a magnificent job, so just install it and don't get paranoid.

    ~~ snipped remark ~~
     
    Last edited by a moderator: Aug 19, 2010
  13. trismegistos

    trismegistos Registered Member

    Joined:
    Jan 29, 2009
    Posts:
    365
    That NoScript and simply disabling script from running in your PDF files can do wonders.

    But how about zero day overflows and remote code executions? :eek:

    AE/HIPS/SRP or Sandboxie or a light virtualizer or image backups can help paranoid freaks like me sleep soundly. :rolleyes:
     
    Last edited: Aug 19, 2010
  14. datarishik

    datarishik Registered Member

    Joined:
    May 11, 2010
    Posts:
    182
    I think a good browser like Firefox with an excellent add-on like NOSCRIPT coupled with some common sense will parry most script attacks. As for attacks within a system one may use a simple HIPS like DSA in Privatefirewall or even Spyshelter.
     
  15. John Bull

    John Bull Registered Member

    Joined:
    Nov 22, 2009
    Posts:
    904
    Location:
    London UK
    Buy ya a drink ?
     
  16. wearetheborg

    wearetheborg Registered Member

    Joined:
    Nov 14, 2009
    Posts:
    667
    Sorry to be daft here, but how do you block selected files in a default allow SRP?
    Have you not added the entire Program Files/windows directories to the whitelist?
     
  17. ruinebabine

    ruinebabine Registered Member

    Joined:
    Aug 6, 2007
    Posts:
    1,097
    Location:
    QC
    From what you seem to be looking for, wearetheborg, I would say that it would be easier to go with xp-Antispy for a really satisfying taming of zero-day scripts in all corners of your machine with a simple ON/OFF switch (no need to reboot, in my past experience on XP), imo...
     
    Last edited: Aug 19, 2010
  18. bman412

    bman412 Registered Member

    Joined:
    Mar 4, 2008
    Posts:
    261
    Why the need for a program to disable WSH? o_O Rmus' post already indicates a registry tweak to disable it.
     
  19. ruinebabine

    ruinebabine Registered Member

    Joined:
    Aug 6, 2007
    Posts:
    1,097
    Location:
    QC
    The answer, for me and about xp-A in particular, would be that this program can do this very tweak easily back and forth (I mean for a simple mortal who likes ticking option boxes and pushing buttons), and can also let the chauffeur intuitively do much more than this single tweak, with all available options assembled in a simple, free, no-nonsense puppy.
     
    Last edited: Aug 19, 2010
  20. Sadeghi85

    Sadeghi85 Registered Member

    Joined:
    Dec 20, 2009
    Posts:
    747
    Yes, that's default.

    By either path or hash rule, select 'Disallow' for security level.
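
A read-only check for the two system-wide controls discussed in this thread, the Windows Script Host registry switch and SRP path rules naming cscript.exe or wscript.exe. This is an added example, not code from any poster or from xp-AntiSpy; the thread does not name the registry locations, so the standard WSH and SRP machine-policy keys are assumed, and the function names are made up for illustration.

```powershell
# Added audit example (not from the thread). Read-only: nothing is modified.
$wshKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows Script Host\Settings',
    'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows Script Host\Settings',  # 32-bit view on 64-bit Windows
    'HKCU:\SOFTWARE\Microsoft\Windows Script Host\Settings'
)
# Machine-level SRP policy only; per-user policy is not inspected here.
$saferRoot = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers'

function Get-WshEnabledState {
    # Reports the "Enabled" value per hive; it may be stored as a string or a DWORD.
    foreach ($key in $wshKeys) {
        $item = Get-ItemProperty -Path $key -Name Enabled -ErrorAction SilentlyContinue
        $state = if ($null -eq $item) { 'not set (WSH is enabled by default)' }
                 elseif ("$($item.Enabled)" -eq '0') { 'disabled' }
                 else { "enabled (value: $($item.Enabled))" }
        [pscustomobject]@{ Key = $key; State = $state }
    }
}

function Get-SrpDefaultLevel {
    $p = Get-ItemProperty -Path $saferRoot -Name DefaultLevel -ErrorAction SilentlyContinue
    if ($null -eq $p) { return 'no machine SRP policy found' }
    switch ($p.DefaultLevel) {
        0       { 'Disallowed (default deny)' }
        262144  { 'Unrestricted (default allow)' }
        default { "other ($_)" }
    }
}

function Get-SrpScriptHostRules {
    # Level subkeys: 0 = Disallowed, 262144 = Unrestricted. Hash rules are not matched by name.
    foreach ($level in @{ '0' = 'Disallowed'; '262144' = 'Unrestricted' }.GetEnumerator()) {
        $paths = Join-Path $saferRoot "$($level.Key)\Paths"
        if (-not (Test-Path $paths)) { continue }
        foreach ($rule in Get-ChildItem $paths) {
            $target = (Get-ItemProperty -Path $rule.PSPath).ItemData
            if ($target -match '(^|\\)(c|w)script\.exe$') {
                [pscustomobject]@{ Level = $level.Value; Path = $target }
            }
        }
    }
}

Get-WshEnabledState    | Format-Table -AutoSize
"SRP default level: $(Get-SrpDefaultLevel)"
Get-SrpScriptHostRules | Format-Table -AutoSize
```

An empty rule table under a default-allow policy means neither script host is blocked by an SRP path rule; a hash rule, if one was used instead, has to be checked in the policy editor.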
     
  21. wearetheborg

    wearetheborg Registered Member

    Joined:
    Nov 14, 2009
    Posts:
    667

    Hmm interesting.. So say I have C:\Foo directory which is the SRP whitelist; and another disallowed path rule for C:\Foo\baz.exe; then the disallowed rule will take precedence over the C:\Foo whiterule?

    So, in general, if there is ANY disallowed rule, that will take precedence in SRP?
     
  22. Sadeghi85

    Sadeghi85 Registered Member

    Joined:
    Dec 20, 2009
    Posts:
    747
    Correct.
     
  23. wearetheborg

    wearetheborg Registered Member

    Joined:
    Nov 14, 2009
    Posts:
    667
    +1
    Does xp-Antispy block both cscript.exe & wscript.exe ?
     
  24. ruinebabine

    ruinebabine Registered Member

    Joined:
    Aug 6, 2007
    Posts:
    1,097
    Location:
    QC
    WScript error.png

    CScript error.png
     
  25. wearetheborg

    wearetheborg Registered Member

    Joined:
    Nov 14, 2009
    Posts:
    667
    If the Windows Scripting Host is disabled, I assume JavaScript etc. can still run in the web browser... so does blocking the scripting host buy any extra security?
     