Windows Scripting Host - Should it be disabled to prevent malware?

Discussion in 'privacy problems' started by freakish, Sep 9, 2007.

Thread Status:
Not open for further replies.
  1. freakish

    freakish Registered Member

    Joined:
    Dec 9, 2004
    Posts:
    46
    If the Windows Scripting Host is disabled in the registry ( http://www.microsoft.com/technet/scriptcenter/guide/sas_sbp_lhak.mspx ), will this cause programs to not run at all or have some of their functionality disabled? Or will the advantages of disabling WSH outweigh the cons (disable all Windows Script-based malware from running at all)?

    Edit: Added URL on how to disable WSH (not just changing the default handler).
     
    Last edited: Sep 10, 2007
  2. Mrkvonic

    Mrkvonic Linux Systems Expert

    Joined:
    May 9, 2005
    Posts:
    8,698
    Hello,

    Not sure how this would affect your everyday work.

    You could try changing the default handler from run to edit for common files like .js, .vbs. You could also use an anti-virus or a script-monitoring software - like Script Defender, for example.

    Myself, I don't think this is really important. What are the chances you will run some stand-alone script - unknown to you, btw? As to the browser attacks and exploits, just go with non-IE browser.

    If you do programming, use scripts etc, disabling the WSH might cause troubles.

    Mrk
     
  3. Longboard

    Longboard Registered Member

    Joined:
    Oct 2, 2004
    Posts:
    3,187
    Location:
    Sydney, Australia
    @Bunkface

    Interesting question really: is disabling scripts still relevant?

    I have WSH disabled in registry ( Dword change or at least check it)
    http://www.microsoft.com/technet/scriptcenter/guide/sas_sbp_lhak.mspx?mfr=true

    Here is an older write-up from Symantec, and a link to NoScript
    http://service1.symantec.com/sarc/sarc.nsf/html/win.script.hosting.html

    Script Defender is here:
    http://www.analogx.com/CONTENTS/download/system/sdefend.htm

    Change the settings in options as per MrK

    There may be other options.

    In the not too distant past, disabling scripts was sine qua non.

    A recent security test from the now defunct "Green Border" https://www.wilderssecurity.com/showthread.php?t=150840&highlight=Green Border
    elicited this interesting response from the developer of BOClean
    https://www.wilderssecurity.com/showpost.php?p=863627&postcount=62
    Not entirely sure if this is relevant to you, interesting post nonetheless.

    EHowes and spyware warrior were always beating on about scripts in the past and there was some advice from him/them on their older pages.

    FWIW I have had both the reg change and Symantec NoScript in place for years and never had issues with any routine runnings. No issues with updates of any kind from anywhere.

    AFAICR, don't most AV and "hips" disable scripts one way or another now?

    In terms of potential malware the file options could be set to run .vbs in Notepad to see what interesting objects you might otherwise have clicked on.

    As per Mrk maybe essential to have both enabled for specific programming needs and some specialised files.

    HTH

    PS don't forget browser scripts: solution = FF and ( the other) NoScript.
     
    Last edited: Sep 9, 2007
  4. zapjb

    zapjb Registered Member

    Joined:
    Nov 15, 2005
    Posts:
    3,518
    Location:
    USA - Back in a real State in time for a real Pres
    I used to use ScripTrap. Simple & free.
     
  5. TairikuOkami

    TairikuOkami Registered Member

    Joined:
    Oct 10, 2005
    Posts:
    2,509
    Location:
    Slovakia
    Disabling WSH, CMD, BAT increases security, but it causes more problems than it is worth.
    I put it like this, I had it disabled in XP and Vista for a few months and I do not have it for now.
    I have it enabled for another few months and nothing "bad" happened, but that depends on a user.
    On the other hand using a utility, which would monitor it to allow/block WSH, sounds really interesting.
     
  6. freakish

    freakish Registered Member

    Joined:
    Dec 9, 2004
    Posts:
    46
    My main concern is trojans and worms that are spread through removable drives like USB flash disks. Most of them enable autoplay (even if I have autoplay disabled) in the removable drives which bypasses most script blockers (I use AnalogX Script Defender). A sure-fire way of disabling these from running is disabling WSH from the registry.

    Another concern of mine is programs that might not run or have problems running if WSH is disabled. Have any of you experienced problems with programs if WSH is disabled in the registry?
     
  7. Mrkvonic

    Mrkvonic Linux Systems Expert

    Joined:
    May 9, 2005
    Posts:
    8,698
    Hello,
    If autoplay is disabled, you have nothing to worry about files on the usb drive.
    Nothing will execute itself.
    Mrk
     
  8. freakish

    freakish Registered Member

    Joined:
    Dec 9, 2004
    Posts:
    46
    I have autoplay disabled in TweakUI on all drive letters. But when I doubleclick the removable drives, autoplay becomes the default action - maybe there is another way to permanently disable autoplay?
     
  9. Pedro

    Pedro Registered Member

    Joined:
    Nov 2, 2006
    Posts:
    3,502
    I think that's not autoplay, rather what that usb driver is programmed to do when started.
    If you're double clicking, it's not really auto is it? :D
     
  10. Firebytes

    Firebytes Registered Member

    Joined:
    May 29, 2007
    Posts:
    903
    I find the Windows Scripting Host unnecessary; at least on my machines. I have the Windows Scripting Host disabled via AVG Anti-spyware. I am still able to run the .bat files I need to run but other ActiveX based scripts and such can no longer run. Why run something you don't need, especially if it causes security problems? I have also never had any program need the scripting host turned on to run, but there may be some out there that do. If I ever need it though I can easily enable it again. (I'm betting I never need it).

    Here is a site with a discussion on whether WSH is needed or not. I am sure there are many more out there if you want to look.

    http://fox.wikis.com/wc.dll?Wiki~RemovingWindowsScriptingHost~WIN_COM_API
     
  11. freakish

    freakish Registered Member

    Joined:
    Dec 9, 2004
    Posts:
    46
    AFAIK, doubleclicking will do the default action (in this case it is Autoplay). So instead of opening the drive in Windows Explorer, the action defined by Autoplay is executed.
     
  12. lucas1985

    lucas1985 Retired Moderator

    Joined:
    Nov 9, 2006
    Posts:
    4,047
    Location:
    France, May 1968
    The right way to do this is to right-click the removable drive and choose "Explore" from the contextual menu.
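
Added example, not part of any post in this thread: a read-only PowerShell audit of the three settings discussed above (the WSH `Enabled` registry value, the default double-click verb for script file types, and the `NoDriveTypeAutoRun` autorun policy). The registry paths are the standard Windows locations rather than values quoted in the thread, and the function names are illustrative.

```powershell
# Added example: read-only audit, changes nothing. Function names are illustrative.
function Get-RegValue($Path, $Name) {
    # $null when the key or value is absent; $Name '' reads the key's default value.
    $key = Get-Item -LiteralPath $Path -ErrorAction SilentlyContinue
    if ($key) { $key.GetValue($Name) }
}
function New-Finding($Check, $Where, $Finding) {
    [pscustomobject]@{ Check = $Check; Where = $Where; Finding = $Finding }
}

# 1. WSH switch: Enabled = 0 makes wscript.exe and cscript.exe refuse to run scripts.
foreach ($hive in 'HKLM', 'HKCU') {
    $v = Get-RegValue "${hive}:\Software\Microsoft\Windows Script Host\Settings" 'Enabled'
    $f = 'not set (WSH enabled)'
    if ($null -ne $v) { $f = if ("$v" -eq '0') { 'WSH disabled' } else { "WSH enabled (Enabled=$v)" } }
    New-Finding 'WSH' $hive $f
}

# 2. Default double-click verb per script extension ("Edit" opens an editor instead of running).
#    Assumption: no per-user "Open with" override is in effect for the extension.
foreach ($ext in '.vbs', '.vbe', '.js', '.jse', '.wsf', '.wsh') {
    $progId = Get-RegValue "Registry::HKEY_CLASSES_ROOT\$ext" ''
    if (-not $progId) { New-Finding 'Handler' $ext 'no file association'; continue }
    $verb = Get-RegValue "Registry::HKEY_CLASSES_ROOT\$progId\Shell" ''
    if (-not $verb) { $verb = 'Open' }   # Explorer uses Open when no default verb is named
    $f = if ($verb -ieq 'Edit') { 'double-click opens the editor' } else { "double-click runs verb '$verb'" }
    New-Finding 'Handler' "$ext ($progId)" $f
}

# 3. Autorun policy: bit 0x04 covers removable drives, 0xFF covers every drive type.
foreach ($hive in 'HKLM', 'HKCU') {
    $v = Get-RegValue "${hive}:\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" 'NoDriveTypeAutoRun'
    if ($v -is [byte[]]) { $v = $v[0] }          # value may be stored as REG_BINARY
    $f = 'not set (OS default applies)'
    if ($null -ne $v) {
        $state = if ($v -band 0x04) { 'off' } else { 'ON' }
        $f = ('0x{0:X2}: autorun for removable drives is {1}' -f [int]$v, $state)
    }
    New-Finding 'Autorun' $hive $f
}
```

Piping the output to `Format-Table -AutoSize` gives one row per setting, which makes it easy to compare a machine before and after applying the registry change.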
     
  13. herbalist

    herbalist Guest

    Instead of disabling WSH entirely, I effectively made it an "admin only" function. I made SSM rules for Wscript.exe and Cscript.exe that block them from running when SSM's UI is disconnected, which is its normal setting on my box. I also have Script Sentry installed so I can still read them before deciding if they're going to be allowed to run.

    The result is that scripts can't be run at all by other users or accidentally allowed/run by me. I can choose to allow them when I need to but I get to examine them first.
    Rick
     
  14. EASTER

    EASTER Registered Member

    Joined:
    Jul 28, 2007
    Posts:
    5,633
    Location:
    U.S.A. (South)
    On my Windows 98 box there's now much more freedom to experiment with automation with .VBS files thru WScript/Cscript launchers since little if any attention is directed to them anymore.

    Now on my XP Pro system though, like herbalist, I use ScriptSentry also. It is a perfect interceptor of many such extensions especially .reg files etc. Now that I think about it, one might say that programs like ScriptSentry were the real forerunners of HIPS. Think about that one. ;)
     
  15. Longboard

    Longboard Registered Member

    Joined:
    Oct 2, 2004
    Posts:
    3,187
    Location:
    Sydney, Australia
    Last edited: Sep 15, 2007
  16. EASTER

    EASTER Registered Member

    Joined:
    Jul 28, 2007
    Posts:
    5,633
    Location:
    U.S.A. (South)
    zapjb. Thanks for the mention of ScriptTrap. Will check that one out myself.
     
  17. zapjb

    zapjb Registered Member

    Joined:
    Nov 15, 2005
    Posts:
    3,518
    Location:
    USA - Back in a real State in time for a real Pres
    You're welcome EASTER.
     