Scripts?

Discussion in 'malware problems & news' started by sam42, Jul 6, 2005.

Thread Status:
Not open for further replies.
  1. sam42

    sam42 Guest

    Hey all,

    I've been wondering, are there any programs that can detect dangerous and damaging scripts from starting in Windows using the mshta.exe process, and then delete the suspect script?

    Thanks guys/girls for any replies :)

    S:):)))))))
     
  2. TopperID

    TopperID Registered Member

    Joined:
    Oct 1, 2004
    Posts:
    1,527
    Location:
    London
  3. sam42

    sam42 Guest

    Thank you, kind of what I had in mind.

    Script defender looks good!:)
     
  4. Tom772

    Tom772 Guest

  5. TopperID

    TopperID Registered Member

    Joined:
    Oct 1, 2004
    Posts:
    1,527
    Location:
    London
    Both Script Defender and Script Sentry do a similar job, but Script Defender is configurable (so you can add extensions).

    I believe the default extensions in Script Defender are:-

    .VBS,.VBE,.JS,.JSE,.HTA,.WSF,.WSH,.SHS,.SHB

    But you could easily add others such as:-

    .CSS,.PIF,.CHM,.WSC,.SCT,.EML,.WMD,.ASF,.CPL,.CRT,.ADE,.ADP,.BAS,.BAT.

    if you wish to do so.

    I'm not sure whether you can make these additions to Script Sentry. Also, in the past there has been a known conflict between AntiVir AV and Script Sentry; I don't know if that has been resolved (it may have been), but it is something to consider if you run AntiVir. So on balance I would probably go for S.D.

    To be complete, mention should be made of Worm Guard:- http://wormguard.diamondcs.com.au/

    It is not a freebie but offers even better protection in this area.
     
  6. tom772

    tom772 Guest


    Topper, thanks for the info. When you install S.D., does it require a lot of attention, for example when using Microsoft Update or updating antivirus protection, etc.?

    Cheers T
     
  7. Rmus

    Rmus Exploit Analyst

    Joined:
    Mar 16, 2005
    Posts:
    3,943
    Location:
    California
    Be careful with those programs - they modify the \Shell\Open\Command for each of the filetypes.
    Example for .vbs

    --------------------
    [HKEY_CLASSES_ROOT\VBSFile\Shell\Open\Command]
    @="C:\\Program Files\\AnalogX\\Script Defender\\sdefend.exe %1 %*"

    [HKEY_CLASSES_ROOT\VBSFile\Shell\Open\Command]
    @="C:\\Program Files\\Script Sentry\\ScriptSentry.exe \"%1\" %*"
    ---------------------------

    A rollback program or backup of the Registry is essential, because if you decide to uninstall the program and don't do it exactly as instructed, you are left with a mess in the Registry. There is a caution about this with one of them (I forget which).

    These programs, then, work by bringing up an Alert box when you attempt to run a file (.vbs in this example), because the command to "Open" (run) the file is sent to the script block program.

    In the days of Win9x tweaks (and still done by many today), it was common to change the default action in those filetypes to "Edit" so that d-clicking or trying to run them from a command line would open them in Notepad, preventing any accidental or surreptitious executing of a script, including merging .reg files into the Registry.

    To run a legitimate file, you just r-click on the file and select "Open" (run) or "Merge."

    It takes more time to manually set up the script types this way, but it is much safer, IMO.

    Another program, Worm Guard, on the other hand, works from an entirely different principle, with engines working in the background to analyze the scripts before they run.

    From the Help file about one of the engines:

    -------------------------
    This engine will actually analyse the script source code to determine what it is capable of doing, and compile a human-readable report of its findings.
    -------------------------

    You can dl a trial version of WG.


    -rich
    ________________
    ~~Be ALERT!!! ~~
     
    Last edited: Jul 24, 2005
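    The two mechanisms Rich describes above (a blocker inserting itself into each filetype's \Shell\Open\Command, and the older tweak of making "Edit" the default verb so a double-click opens the script in Notepad) can be audited and applied from PowerShell. This is an added example written for this thread, not code from Script Defender, Script Sentry or any other product named here; the list of extensions, the backup folder and the "expected host" list are assumptions, and it must be run from an elevated PowerShell on Windows because HKEY_CLASSES_ROOT is writable only by administrators.

```powershell
# Added example (not from the thread or from any script-blocker product).
# Reports what the "Open" verb for each script type really runs, flags any
# entry that no longer points at the native Windows host (i.e. something has
# hooked it), and optionally makes "Edit" (Notepad) the default verb.
# Run from an elevated PowerShell on Windows. $Extensions, $BackupDir and
# $ExpectedHosts are assumptions chosen for this example.

$Extensions    = '.vbs', '.vbe', '.js', '.jse', '.wsf', '.wsh', '.hta', '.reg'
$BackupDir     = Join-Path $env:USERPROFILE 'ScriptVerbBackup'
# Hosts Windows itself registers for these types; anything else in the Open
# command means another program has put itself in the chain.
$ExpectedHosts = 'wscript.exe', 'cscript.exe', 'mshta.exe', 'regedit.exe'

function Get-ProgIdForExtension([string]$Ext) {
    # HKCR\.ext (default) names the ProgID, e.g. '.vbs' -> 'VBSFile'
    (Get-ItemProperty -Path "Registry::HKEY_CLASSES_ROOT\$Ext" -ErrorAction SilentlyContinue).'(default)'
}

function Get-ScriptVerbReport {
    foreach ($ext in $Extensions) {
        $progId = Get-ProgIdForExtension $ext
        if (-not $progId) { continue }
        $shell   = "Registry::HKEY_CLASSES_ROOT\$progId\Shell"
        $openCmd = (Get-ItemProperty -Path "$shell\Open\Command" -ErrorAction SilentlyContinue).'(default)'
        $default = (Get-ItemProperty -Path $shell -ErrorAction SilentlyContinue).'(default)'
        if (-not $default) { $default = 'Open' }   # no value on Shell means Open is the default verb
        $native  = $ExpectedHosts | Where-Object { $openCmd -match [regex]::Escape($_) }
        [pscustomobject]@{
            Extension   = $ext
            ProgId      = $progId
            DefaultVerb = $default
            OpenCommand = $openCmd
            Hooked      = [bool]($openCmd -and -not $native)
        }
    }
}

function Set-EditAsDefaultVerb([string]$ProgId) {
    # Export the ProgID key first so the change can be undone with "reg import".
    New-Item -ItemType Directory -Path $BackupDir -Force | Out-Null
    & reg.exe export "HKCR\$ProgId" (Join-Path $BackupDir "$ProgId.reg") /y | Out-Null

    $shell   = "Registry::HKEY_CLASSES_ROOT\$ProgId\Shell"
    $editCmd = "$shell\Edit\Command"
    if (-not (Test-Path $editCmd)) {
        # Some types (htafile, for one) ship without an Edit verb; give them a Notepad one.
        New-Item -Path $editCmd -Force | Out-Null
        Set-ItemProperty -Path $editCmd -Name '(default)' -Value 'notepad.exe "%1"'
    }
    # The Shell key's default value names the verb that a double-click runs.
    Set-ItemProperty -Path $shell -Name '(default)' -Value 'Edit'
}

$report = Get-ScriptVerbReport
$report | Format-Table -AutoSize
foreach ($row in $report) {
    if ($row.Hooked) { Write-Warning "$($row.Extension): Open is redirected to $($row.OpenCommand)" }
}
# Uncomment to apply the Notepad-by-default tweak to every type listed above:
# $report | ForEach-Object { Set-EditAsDefaultVerb $_.ProgId }
```

    Running the report on a machine with one of the blockers installed shows the Hooked column set for every type the blocker registered, which is exactly the state Rich warns you must be able to roll back. The .reg files written by Set-EditAsDefaultVerb are the rollback: "reg import" any of them restores that type's original verbs.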
  8. richrf

    richrf Registered Member

    Joined:
    Dec 11, 2003
    Posts:
    1,907
    Hi everyone,

    Rich has been very gracious in sharing lots of extremely informative information with me concerning script protection. As I suspected, this is an important element of security, and I am still digesting all of the information that Rich has shared with me, some of which he has already discussed in his prior message.

    Thanks much Rich!!!

    Rich
     
  9. tom772

    tom772 Guest

    Interesting to know this about the way these programs work. Worm Guard seems like a better idea, but when a friend installed it on his laptop it wouldn't run and his system was totally clean, so not sure at the moment what I will try to use and play with.

    Good replies. T
     
  10. SagaLore

    SagaLore Registered Member

    Joined:
    Oct 21, 2004
    Posts:
    4
    Location:
    United States
    I think a better solution is to disable HTA execution altogether. I did a quick search and came across this article:

    http://www.spywareinfoforum.com/articles/htasploit/

    Which refers to this freeware product that will enable/disable HTA:

    http://www.nsclean.com/htastop.html

    Alternatively, you can remove the Windows Scripting Host. This article:

    http://www.windowsnetworking.com/kb...ellaneous/DisableWindowsScriptingHostWSH.html

    Refers to the "noscript.exe" utility found at:

    http://www.sarc.com/avcenter/venc/data/win.script.hosting.html

    Which will disable WSH.
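    The WSH switch the noscript.exe utility above flips can also be set by hand. Windows Script Host honours a REG_DWORD named Enabled under Software\Microsoft\Windows Script Host\Settings: when it is 0, wscript.exe and cscript.exe refuse to run any script and report that Windows Script Host access is disabled on this machine. The following is an added example for this thread, not the utility's own code; the probe file name and location are assumptions. Note that it only affects WSH, so mshta.exe (the host the original question was about) is untouched by this switch.

```powershell
# Added example (not from the thread or from noscript.exe). Reads, sets and
# verifies the documented Windows Script Host "Enabled" switch. HKLM applies
# to every user and needs an elevated shell; HKCU applies to the current
# user only. The probe file path in Test-WshBlocked is an assumption.

$WshSettings = 'Software\Microsoft\Windows Script Host\Settings'

function Get-WshState {
    # A missing value means WSH is enabled (the default).
    foreach ($hive in 'HKLM', 'HKCU') {
        $v = (Get-ItemProperty -Path "${hive}:\$WshSettings" -Name Enabled -ErrorAction SilentlyContinue).Enabled
        $state = 'not set (enabled)'
        if ($null -ne $v) { $state = $v }
        [pscustomobject]@{ Hive = $hive; Enabled = $state }
    }
}

function Set-WshEnabled {
    param(
        [switch]$Disable,
        [ValidateSet('HKLM', 'HKCU')][string]$Hive = 'HKLM'
    )
    $path = "${Hive}:\$WshSettings"
    if (-not (Test-Path $path)) { New-Item -Path $path -Force | Out-Null }
    # Enabled = 1 allows scripts, Enabled = 0 blocks wscript.exe and cscript.exe.
    Set-ItemProperty -Path $path -Name Enabled -Type DWord -Value ([int](-not $Disable))
}

function Test-WshBlocked {
    # Prove the switch works: write a harmless one-line script and ask cscript
    # to run it. If WSH is disabled the echo never happens.
    $probe = Join-Path $env:TEMP 'wsh_probe.vbs'
    Set-Content -Path $probe -Value 'WScript.Echo "WSH ran"'
    $out = & cscript.exe //Nologo $probe 2>&1
    Remove-Item $probe -ErrorAction SilentlyContinue
    return -not ($out -match 'WSH ran')
}

Get-WshState | Format-Table -AutoSize
# Disable for all users, confirm, then re-enable:
# Set-WshEnabled -Disable; Test-WshBlocked   # True once the value is 0
# Set-WshEnabled;          Test-WshBlocked   # False again
```

    Because the value is read by the script hosts at launch, the change takes effect immediately without a reboot, and unlike the Shell\Open\Command hooks earlier in the thread it leaves the file associations themselves alone, so removing it is a single Set-ItemProperty call rather than a Registry cleanup.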
     
  11. tom772

    tom772 Guest

    Really good info - thanks very much for this ;)
     
  12. tom772

    tom772 Guest

    One concern though with disabling this is that some Windows services, like changing the way users log on/log off and Add/Remove Programs, need this to be working?

    Am I right or wrong?

    T
     