Author Topic: Script Blocker mystery  (Read 71107 times)

dude2

  • Guest
Script Blocker mystery
« on: May 20, 2009, 05:49:03 AM »
I can hardly evaluate the risk of not having Script Blocker and simply using Avast Home 4.8.
Does anyone know how?

Offline scythe944

  • Avast Evangelist
  • Massive Poster
  • ***
  • Posts: 2913
    • My Tech Blog
Re: Script Blocker mystery
« Reply #1 on: May 20, 2009, 06:13:50 AM »
I don't really get what you mean...

Are you asking what is the point of the script blocker?

If that's the question, there are lots of reasons.  Just look around the forum for people that have had iFrame detections and a bunch of other obfuscated scripts on webpages that they've visited.

Just use avast (all providers that you can possibly use).
For generic computer (not avast) problems, you can also visit my forum for help: http://www.jacobytech.net/forum

dude2

  • Guest
Re: Script Blocker mystery
« Reply #2 on: May 20, 2009, 07:56:30 AM »
If that's the question, there are lots of reasons.  Just look around the forum for people that have had iFrame detections and a bunch of other obfuscated scripts on webpages that they've visited.

Are those obfuscated scripts JavaScripts, VB scripts, or ActiveX codes? Do you mean Avast Home, especially Web Shield, can do nothing against malicious web page scripts? I contacted Avast Tech support by mail, but I was unable to draw a conclusion or to understand the clearly defined role of Script Blocker so as to evaluate how risky it is to run Avast Home 4.8 without it. If Avast Tech support does not object to this, I will post the email discussion proceedings of ticket PIN-945700 so that you may help bridge the gap of understanding.

Offline igor

  • Avast team
  • Serious Graphoman
  • *
  • Posts: 11849
    • AVAST Software
Re: Script Blocker mystery
« Reply #3 on: May 20, 2009, 10:31:31 AM »
Well, avast! has Script Blocker since version 4.0, while Web Shield was introduced much later (in v4.6).
Now, Web Shield detects most things Script Blocker would have (including obfuscated scripts)... and much more. However, yes, there are also (minor, I'd say) situations when Script Blocker may detect something more.

In particular:
1. If the file doesn't come from web, but rather from disk (i.e. if you load an infected web page from disk, which includes browser cache - even though in that case you must have visited the site previously anyway), then it cannot be detected by Web Shield, of course.
2. In very specific cases (and I am not aware of any at the moment), it's possible that the Script Blocker detects a malicious script after decryption (if WebShield doesn't detect the encrypted parent).
3. Script Blocker works even for encrypted connections (HTTPS), where Web Shield doesn't see the traffic.

YoKenny

  • Guest
Re: Script Blocker mystery
« Reply #4 on: May 20, 2009, 11:55:43 AM »
Now I'm confused  ???

I read somewhere that Script Blocker either does not work in Vista or is un-necessary.

I have avast! Professional Edition that I have on my XP Pro system that I purchased back in February when there was the 75 million user promotion and was thinking of putting it on my new Vista Home Premium system but now I'm not sure that it will work.

I do know that on my XP Pro system a very brief popup opens showing the Script Blocker is active when I open IE8 or a new tab is opened.

Whatever the outcome, avast! is hard to beat.

Offline Lisandro

  • Avast team
  • Certainly Bot
  • *
  • Posts: 67194
Re: Script Blocker mystery
« Reply #5 on: May 20, 2009, 02:22:17 PM »
I read somewhere that Script Blocker either does not work in Vista or is un-necessary.

I have avast! Professional Edition that I have on my XP Pro system that I purchased back in February when there was the 75 million user promotion and was thinking of putting it on my new Vista Home Premium system but now I'm not sure that it will work.
Vista has IE8 running in Protected Mode.
Script Blocker is not loaded in this situation (or at least not effective). I do not see the splash screen, for instance.
The best things in life are free.

dude2

  • Guest
Re: Script Blocker mystery
« Reply #6 on: May 20, 2009, 05:47:07 PM »
Here is the email message I sent to Avast! tech support around 37 hours ago.
The date stamps like (2009/5/5) and (2009/5/6) are the dates Avast sent in the email answers.

>>
Let me summarize what I have received with regard to the function of Script
Blocker:
1. Even without Script Blocker, your protection will be the same because of
the same scan engine with PRO(2009/5/5).
2. Script blocker avoids to execute scripts... scriptblocker is protecting
computer in source code(2009/5/6).
3. script is being stopped when loading web page with script
content...Script blocker detects script viruses and it is in the Avast virus
catalog(2009/5/7).
4. You are protected against JavaScript codes and VBScript codes but there
is some small number of scripts using advanced technologies (eg. cooperation
with rootkits or saving in the hidden folders) when only scriptblocker is
able to detect them(2009/5/13).

While I have kept asking since 2009/5/7, "Where can I find, at your site or
in your documents, how many different types of malicious JavaScript codes,
VB scripts, or ActiveX codes that Script Blocker can detect and block?", I
have not received well referenced answers to show the types of scripts or
even name list of malicious scripts that Script Blocker can stop as to help
me evaluate how risky to run Avast Home 4.8 without it.
When I responded to your 5/13's explanation with "Should Script Blocker be
called Advanced Rootkit Blocker?" and "Is there a list of rootkits which can
be detected only by Script Blocker but not by the built-in GMER
anti-rootkit?", I got no direct response.

If you can provide answers with sources of reference and help respond to my
returning questions to your answers, then we may converge faster to
something that makes sense to both of us.
....
<<

, and the very last response I got from Avast on (2009/5/19) was:
>>
Script blocker hasn't anything related to anti-rootkit. They are two separated components with absolutely different function.
<<

Hope someone can help bridge the gap.
« Last Edit: May 20, 2009, 05:48:54 PM by dude2 »

mevcit

  • Guest
Re: Script Blocker mystery
« Reply #7 on: May 20, 2009, 07:11:23 PM »
I read somewhere that Script Blocker either does not work in Vista or is un-necessary.

I have avast! Professional Edition that I have on my XP Pro system that I purchased back in February when there was the 75 million user promotion and was thinking of putting it on my new Vista Home Premium system but now I'm not sure that it will work.
Vista has IE8 running in Protected Mode.
Script Blocker is not loaded in this situation (or at least not effective). I do not see the splash screen, for instance.
I've turned the notifications of script blocker on. When the protected mode of IE8 is on, there is no notification as it should be. But when I turn the protected mode off, I can see the notifications while surfing, that is, it works. But the splash screen doesn't appear. So we can conclude that there is no splash screen feature for script blocker on Vista.

Here is a similar topic which I opened before: http://forum.avast.com/index.php?topic=39673.0
« Last Edit: May 20, 2009, 07:13:37 PM by mevcit »

Offline igor

  • Avast team
  • Serious Graphoman
  • *
  • Posts: 11849
    • AVAST Software
Re: Script Blocker mystery
« Reply #8 on: May 20, 2009, 07:38:22 PM »
While I have kept asking since 2009/5/7, "Where can I find, at your site or
in your documents, how many different types of malicious JavaScript codes,
VB scripts, or ActiveX codes that Script Blocker can detect and block?", I
have not received well referenced answers to show the types of scripts or
even name list of malicious scripts that Script Blocker can stop as to help
me evaluate how risky to run Avast Home 4.8 without it.

You may ask on and on, but you won't receive an answer - because such information is not available. Script Blocker doesn't block any specific types of scripts - it's an antivirus scanner, using the same virus database/signatures as the other scanners; the difference is where it receives the data to scan from. Nobody has ever counted different "types" (whatever it should mean) of scripts it may detect.

When I responded to your 5/13's explanation with "Should Script Blocker be
called Advanced Rootkit Blocker?" and "Is there a list of rootkits which can
be detected only by Script Blocker but not by the built-in GMER
anti-rootkit?", I got no direct response.

Again - the question doesn't make much sense, because Script Blocker has nothing to do with GMER or rootkits.
So, there's certainly no such list.

But yes, as I wrote previously, there are certain situations when Script Blocker may be the one detecting the infection (but I really don't know whether such a malware exists for real today).
« Last Edit: May 20, 2009, 07:48:45 PM by igor »

dude2

  • Guest
Re: Script Blocker mystery
« Reply #9 on: May 20, 2009, 07:59:15 PM »
You may ask on and on, but you won't receive an answer - because such information is not available. Script Blocker doesn't block any specific types of scripts - it's an antivirus scanner, using the same virus database/signatures as the other scanners; the difference is where it receives the data to scan from. Nobody has ever counted different "types" (whatever it should mean) of scripts it may detect.
If no types of scripts can be clearly defined as Script Blocker's target, can we look from the Windows vulnerability perspective? Based on Microsoft's "Threats and Countermeasures Guide.doc", using XP SP2 or a more recent Windows OS will be much safer because it locks down the Local Machine zone. It said, "Many of the exploits that involve the Local Machine zone were mitigated by other changes to Internet Explorer in Windows XP SP2."
Does Script Blocker help users who are using older Windows OS? If not, then what types of vulnerability will be mitigated by Script Blocker?

Again - the question doesn't make much sense, because Script Blocker has nothing to do with GMER or rootkits.
So, there's certainly no such list.
That question came up simply trying to clarify Avast's 5/13 notes - "but there is some small number of scripts using advanced technologies (eg. cooperation with rootkits or saving in the hidden folders) when only scriptblocker is able to detect them".
Do you understand how Script Blocker ends up like an advanced rootkit blocker?
« Last Edit: May 20, 2009, 08:01:13 PM by dude2 »

Offline RejZoR

  • Polymorphic Sheep
  • Serious Graphoman
  • *****
  • Posts: 9406
  • We are supersheep, resistance is futile!
    • RejZoR's Flock of Sheep
Re: Script Blocker mystery
« Reply #10 on: May 20, 2009, 09:01:40 PM »
Web Shield and Standard Shield detect scripts before execution, Script Blocker detects scripts that are already being executed and is looking for known script strings. That's mostly through WSH or Windows Scripting Host, but is not limited only to that as far as I know.

As for the rootkits, I don't know how exactly you think they are related. If any script that is known tries to install rootkit (which is not detected as file in the first place) it may detect the actions of the bad script. But in the end Anti-rootkit feature will most probably kick in.
But primary function of Script Blocker is not rootkit detection, just the same as Internet Mail provider is not intended for HTTP scanning...
Visit my webpage Angry Sheep Blog

Offline igor

  • Avast team
  • Serious Graphoman
  • *
  • Posts: 11849
    • AVAST Software
Re: Script Blocker mystery
« Reply #11 on: May 20, 2009, 09:11:14 PM »
Does Script Blocker help users who are using older Windows OS? If not, then what types of vulnerability will be mitigated by Script Blocker?

Script Blocker scans scripts just before they are executed - that's all.
If there's anything bad in that script (where "bad" is defined by avast! virus database, i.e. something that can be updated from day to day), the script execution is blocked. Whether the script is "ordinary" and just does something you wouldn't want it to, or whether it exploits some javascript engine vulnerability - doesn't matter (as far as the vulnerability doesn't occur even before the script is started - such as a vulnerability in the HTML parser, for example).
So again - I can't answer your question (and I don't think anybody can); there is no list of vulnerabilities this may prevent. There are lots of detections of avast! database, and if any new [java]script malware appears, we can add another.
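
An added sketch, not part of igor's posts and not avast! code, of why the scan point matters in the three situations listed in reply #3 and in the "scan just before execution" behaviour described in this reply. The signature name, the marker string, the sample scripts and the simplification that the network scanner matches raw bytes only are constructed assumptions.

```python
import base64
from dataclasses import dataclass

# Constructed signature database shared by both scan points (not real avast! data).
SIGNATURES = {"Demo:Marker-A": b"EXAMPLE-BAD-MARKER"}

@dataclass
class Delivery:
    channel: str          # "http", "https" or "disk" (disk includes the browser cache)
    body: bytes           # script text as delivered
    packed: bool = False  # True when body is only a base64 wrapper around the real script

def match(data: bytes):
    """Return the name of the first signature found in data, else None."""
    for name, pattern in SIGNATURES.items():
        if pattern in data:
            return name
    return None

def network_scan(d: Delivery):
    """Scan point on the wire: only plaintext HTTP bodies are visible."""
    if d.channel != "http":
        return None  # HTTPS is opaque here; disk loads never pass through
    return match(d.body)

def pre_execution_scan(d: Delivery):
    """Scan point at the script engine: every buffer handed over for execution."""
    layers = [d.body]
    if d.packed:
        # The outer script decodes its payload and runs the result, so the
        # engine receives the decoded text as a second buffer.
        layers.append(base64.b64decode(d.body))
    for layer in layers:
        hit = match(layer)
        if hit:
            return hit
    return None

def compare(deliveries):
    """Return {label: (network verdict, pre-execution verdict)}."""
    return {k: (network_scan(d), pre_execution_scan(d)) for k, d in deliveries.items()}

SCRIPT = b"var x = 'EXAMPLE-BAD-MARKER';"  # constructed, harmless sample
SAMPLES = {
    "plain over http": Delivery("http", SCRIPT),
    "loaded from disk": Delivery("disk", SCRIPT),
    "over https": Delivery("https", SCRIPT),
    "packed over http": Delivery("http", base64.b64encode(SCRIPT), packed=True),
    "clean over http": Delivery("http", b"var x = 1;"),
}
```

Both scan points use the same signature set, as the reply says; only the place where each one receives its data differs.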

YoKenny

  • Guest
Re: Script Blocker mystery
« Reply #12 on: May 20, 2009, 11:59:53 PM »
How long is a piece of string?
http://www.zyra.org.uk/string0.htm

dude2

  • Guest
Re: Script Blocker mystery
« Reply #13 on: May 21, 2009, 05:17:18 AM »
Web Shield and Standard Shield detect scripts before execution, Script Blocker detects scripts that are already being executed and is looking for known script strings. That's mostly through WSH or Windows Scripting Host, but is not limited only to that as far as I know.
Script Blocker scans scripts just before they are executed - that's all.
If there's anything bad in that script (where "bad" is defined by avast! virus database, i.e. something that can be updated from day to day), the script execution is blocked. Whether the script is "ordinary" and just does something you wouldn't want it to, or whether it exploits some javascript engine vulnerability - doesn't matter (as far as the vulnerability doesn't occur even before the script is started - such as a vulnerability in the HTML parser, for example).

Are you Avast engineers? Or, where can I look into your referenced documents so that I can learn whether Script Blocker simply blindly blocks all scripts or scans scripts against a different virus DB from Web Shield's virus DB?
« Last Edit: May 21, 2009, 05:19:23 AM by dude2 »

Offline RejZoR

  • Polymorphic Sheep
  • Serious Graphoman
  • *****
  • Posts: 9406
  • We are supersheep, resistance is futile!
    • RejZoR's Flock of Sheep
Re: Script Blocker mystery
« Reply #14 on: May 21, 2009, 07:32:57 AM »
I'm not an avast! engineer, I just work as forum tech support (non official).
I don't think anyone will explain Script Blocker to you in such detail because to be honest, there is no need to.
Script Blocker is there to protect from malicious scripts during (before) execution. And that's it. I don't think any company would explain its features in detail as deep as you seem to expect.
But from my quite extensive knowledge of avast! technologies, avast! doesn't just blindly block all scripts but relies on internal database which is updated through regular VPS updates to block just scripts that are known to be malicious or bad.
Visit my webpage Angry Sheep Blog