Avast WEBforum

Consumer Products => Avast Free Antivirus / Premium Security (legacy Pro Antivirus, Internet Security, Premier) => Topic started by: dude2 on May 20, 2009, 05:49:03 AM

Title: Script Blocker mystery
Post by: dude2 on May 20, 2009, 05:49:03 AM
I can hardly evaluate the risk of not having Script Blocker and simply using Avast Home 4.8.
Does anyone know how?
Title: Re: Script Blocker mystery
Post by: scythe944 on May 20, 2009, 06:13:50 AM
I don't really get what you mean...

Are you asking what is the point of the script blocker?

If that's the question, there are lots of reasons.  Just look around the forum for people that have had iFrame detections and a bunch of other obfuscated scripts on webpages that they've visited.

Just use avast (all providers that you can possibly use).
Title: Re: Script Blocker mystery
Post by: dude2 on May 20, 2009, 07:56:30 AM
If that's the question, there are lots of reasons.  Just look around the forum for people that have had iFrame detections and a bunch of other obfuscated scripts on webpages that they've visited.

Are those obfuscated scripts JavaScripts, VB scripts, or ActiveX codes? Do you mean Avast Home, especially Web Shield, can do nothing against malicious web page scripts? I contacted Avast Tech support by mail, but I was unable to draw a conclusion or to understand the clearly defined role of Script Blocker so as to evaluate how risky it is to run Avast Home 4.8 without it. If Avast Tech support does not object to this, I will post the email discussion proceedings of ticket PIN-945700 so that you may help bridge the gap of understanding.
Title: Re: Script Blocker mystery
Post by: igor on May 20, 2009, 10:31:31 AM
Well, avast! has Script Blocker since version 4.0, while Web Shield was introduced much later (in v4.6).
Now, Web Shield detects most things Script Blocker would have (including obfuscated scripts)... and much more. However, yes, there are also (minor, I'd say) situations when Script Blocker may detect something more.

In particular:
1. If the file doesn't come from web, but rather from disk (i.e. if you load an infected web page from disk, which includes browser cache - even though in that case you must have visited the site previously anyway), then it cannot be detected by Web Shield, of course.
2. In very specific cases (and I am not aware of any at the moment), it's possible that the Script Blocker detects a malicious script after decryption (if WebShield doesn't detect the encrypted parent).
3. Script Blocker works even for encrypted connections (HTTPS), where Web Shield doesn't see the traffic.
Title: Re: Script Blocker mystery
Post by: YoKenny on May 20, 2009, 11:55:43 AM
Now I'm confused  ???

I read somewhere that Script Blocker either does not work in Vista or is un-necessary.

I have avast! Professional Edition that I have on my XP Pro system that I purchased back in February when there was the 75 million user promotion and was thinking of putting it on my new Vista Home Premium system but now I'm not sure that it will work.

I do know that on my XP Pro system a very brief popup opens showing the Script Blocker is active when I open IE8 or a new tab is opened.

Whatever the outcome avast! is hard to beat.
Title: Re: Script Blocker mystery
Post by: Lisandro on May 20, 2009, 02:22:17 PM
I read somewhere that Script Blocker either does not work in Vista or is un-necessary.

I have avast! Professional Edition that I have on my XP Pro system that I purchased back in February when there was the 75 million user promotion and was thinking of putting it on my new Vista Home Premium system but now I'm not sure that it will work.
Vista has IE8 running in Protected Mode.
Script Blocker is not loaded in this situation (or at least not effective). I do not see the splash screen, for instance.
Title: Re: Script Blocker mystery
Post by: dude2 on May 20, 2009, 05:47:07 PM
Here is the email message I sent to Avast! tech support around 37 hours ago.
The date stamps like (2009/5/5) and (2009/5/6) are the dates Avast sent in the email answers.

>>
Let me summarize what I have received with regard to the function of Script
Blocker:
1. Even without Script Blocker, your protection will be the same because of
the same scan engine with PRO(2009/5/5).
2. Script blocker avoids to execute scripts... scriptblocker is protecting
computer in source code(2009/5/6).
3. script is being stopped when loading web page with script
content...Script blocker detects script viruses and it is in the Avast virus
catalog(2009/5/7).
4. You are protected against JavaScript codes and VBScript codes but there
is some small number of scripts using advanced technologies (eg. cooperation
with rootkits or saving in the hidden folders) when only scriptblocker is
able to detect them(2009/5/13).

While I have kept asking since 2009/5/7, "Where can I find, at your site or
in your documents, how many different types of malicious JavaScript codes,
VB scripts, or ActiveX codes that Script Blocker can detect and block?", I
have not received well referenced answers to show the types of scripts or
even name list of malicious scripts that Script Blocker can stop as to help
me evaluate how risky to run Avast Home 4.8 without it.
When I responded to your 5/13's explanation with "Should Script Blocker be
called Advanced Rootkit Blocker?" and "Is there a list of rootkits which can
be detected only by Script Blocker but not by the built-in GMER
anti-rootkit?", I got no direct response.

If you can provide answers with sources of reference and help respond to my
returning questions to your answers, then we may converge faster to
something that makes sense to both of us.
....
<<

, and the very last response I got from Avast on (2009/5/19) was:
>>
Script blocker hasn't anything related to anti-rootkit. They are two separated components with absolutely different function.
<<

Hope someone can help bridge the gap.
Title: Re: Script Blocker mystery
Post by: mevcit on May 20, 2009, 07:11:23 PM
I read somewhere that Script Blocker either does not work in Vista or is un-necessary.

I have avast! Professional Edition that I have on my XP Pro system that I purchased back in February when there was the 75 million user promotion and was thinking of putting it on my new Vista Home Premium system but now I'm not sure that it will work.
Vista has IE8 running in Protected Mode.
Script Blocker is not loaded in this situation (or at least not effective). I do not see the splash screen, for instance.
I've turned the notifications of script blocker on. When the protected mode of IE8 is on, there is no notification, as it should be. But when I turn the protected mode off, I can see the notifications while surfing, that is, it works. But the splash screen doesn't appear. So we can conclude that there is no splash screen feature for script blocker on Vista.

Here is a similar topic which i opened before: http://forum.avast.com/index.php?topic=39673.0
Title: Re: Script Blocker mystery
Post by: igor on May 20, 2009, 07:38:22 PM
While I have kept asking since 2009/5/7, "Where can I find, at your site or
in your documents, how many different types of malicious JavaScript codes,
VB scripts, or ActiveX codes that Script Blocker can detect and block?", I
have not received well referenced answers to show the types of scripts or
even name list of malicious scripts that Script Blocker can stop as to help
me evaluate how risky to run Avast Home 4.8 without it.

You may ask on and on, but you won't receive an answer - because such information is not available. Script Blocker doesn't block any specific types of scripts - it's an antivirus scanner, using the same virus database/signatures as the other scanners; the difference is where it receives the data to scan from. Nobody has ever counted different "types" (whatever it should mean) of scripts it may detect.

When I responded to your 5/13's explanation with "Should Script Blocker be
called Advanced Rootkit Blocker?" and "Is there a list of rootkits which can
be detected only by Script Blocker but not by the built-in GMER
anti-rootkit?", I got no direct response.

Again - the question doesn't have much sense, because Script Blocker has nothing to do with GMER or rootkits.
So, there's certainly no such list.

But yes, as I wrote previously, there are certain situations when Script Blocker may be the one detecting the infection (but I really don't know whether such a malware exists for real today).
Title: Re: Script Blocker mystery
Post by: dude2 on May 20, 2009, 07:59:15 PM
You may ask on and on, but you won't receive an answer - because such information is not available. Script Blocker doesn't block any specific types of scripts - it's an antivirus scanner, using the same virus database/signatures as the other scanners; the difference is where it receives the data to scan from. Nobody has ever counted different "types" (whatever it should mean) of scripts it may detect.
If no types of scripts can be clearly defined as Script Blocker's target, can we look from the Windows vulnerability perspective? Based on Microsoft's "Threats and Countermeasures Guide.doc", using XP SP2 or a more recent Windows OS will be much safer because it locks down the Local Machine zone. It said, "Many of the exploits that involve the Local Machine zone were mitigated by other changes to Internet Explorer in Windows XP SP2."
Does Script Blocker help users who are using older Windows OS? If not, then what types of vulnerability will be mitigated by Script Blocker?

Again - the question doesn't have much sense, because Script Blocker has nothing to do with GMER or rootkits.
So, there's certainly no such list.
That question came up simply trying to clarify Avast's 5/13 notes - "but there is some small number of scripts using advanced technologies (eg. cooperation with rootkits or saving in the hidden folders) when only scriptblocker is able to detect them".
Do you understand how Script Blocker ends up like an advanced rootkit blocker?
Title: Re: Script Blocker mystery
Post by: RejZoR on May 20, 2009, 09:01:40 PM
Web Shield and Standard Shield detect scripts before execution, Script Blocker detects scripts that are already being executed and is looking for known script strings. That's mostly through WSH or Windows Scripting Host, but is not limited only to that as far as I know.

As for the rootkits, I don't know how exactly you think they are related. If any script that is known tries to install rootkit (which is not detected as file in the first place) it may detect the actions of the bad script. But in the end Anti-rootkit feature will most probably kick in.
But primary function of Script Blocker is not rootkit detection, just the same as Internet Mail provider is not intended for HTTP scanning...
Title: Re: Script Blocker mystery
Post by: igor on May 20, 2009, 09:11:14 PM
Does Script Blocker help users who are using older Windows OS? If not, then what types of vulnerability will be mitigated by Script Blocker?

Script Blocker scans scripts just before they are executed - that's all.
If there's anything bad in that script (where "bad" is defined by avast! virus database, i.e. something that can be updated from day to day), the script execution is blocked. Whether the script is "ordinary" and just does something you wouldn't want it to, or whether it exploits some javascript engine vulnerability - doesn't matter (as far as the vulnerability doesn't occur even before the script is started - such as a vulnerability in the HTML parser, for example).
So again - I can't answer your question (and I don't think anybody can); there is no list of vulnerabilities this may prevent. There are lots of detections of avast! database, and if any new [java]script malware appears, we can add another.
Title: Re: Script Blocker mystery
Post by: YoKenny on May 20, 2009, 11:59:53 PM
How long is a piece of string?
http://www.zyra.org.uk/string0.htm
Title: Re: Script Blocker mystery
Post by: dude2 on May 21, 2009, 05:17:18 AM
Web Shield and Standard Shield detect scripts before execution, Script Blocker detects scripts that are already being executed and is looking for known script strings. That's mostly through WSH or Windows Scripting Host, but is not limited only to that as far as I know.
Script Blocker scans scripts just before they are executed - that's all.
If there's anything bad in that script (where "bad" is defined by avast! virus database, i.e. something that can be updated from day to day), the script execution is blocked. Whether the script is "ordinary" and just does something you wouldn't want it to, or whether it exploits some javascript engine vulnerability - doesn't matter (as far as the vulnerability doesn't occur even before the script is started - such as a vulnerability in the HTML parser, for example).

Are you Avast engineers? Or, where can I look into your referenced documents so that I can learn whether Script Blocker simply blindly blocks all scripts or scans scripts against a different virus DB from Web Shield's virus DB?
Title: Re: Script Blocker mystery
Post by: RejZoR on May 21, 2009, 07:32:57 AM
I'm not an avast! engineer, I just work as forum tech support (non official).
I don't think anyone will explain Script Blocker to you in such detail because, to be honest, there is no need to.
Script Blocker is there to protect from malicious scripts during (before) execution. And that's it. I don't think any company would explain its features in detail as deep as you seem to expect.
But from my quite extensive knowledge of avast! technologies, avast! doesn't just blindly block all scripts but relies on internal database which is updated through regular VPS updates to block just scripts that are known to be malicious or bad.
Title: Re: Script Blocker mystery
Post by: dude2 on May 21, 2009, 08:16:26 AM
But from my quite extensive knowledge of avast! technologies, avast! doesn't just blindly block all scripts but relies on internal database which is updated through regular VPS updates to block just scripts that are known to be malicious or bad.
According to Avast Tech support's 5/13 email explanation - "You are protected against JavaScript codes and VBScript codes but there is some small number of scripts using advanced technologies (eg. cooperation with rootkits or saving in the hidden folders) when only scriptblocker is able to detect them" , it seems there is something extra played into AV programming than the regular VPS updates even though I did not get the source reference of that explanation either. Do you think Script Blocker may get its update via Avast program updates as well?

I tried to avoid hearsay by asking for source references. I did not ask for anything more than necessary to evaluate the risk of not having Script Blocker, or the risk of simply using Avast Home. Please find http://www.velocityreviews.com/forums/t306748-avast-questions.html, and do you agree with this paper's suggestion to use Microsoft AntiSpyware(or something newer) if Script Blocker is not available for Avast Home users?
Title: Re: Script Blocker mystery
Post by: RejZoR on May 21, 2009, 08:18:27 AM
Millions are using avast! Home and no one really bothers with lack of Script Blocker. Besides, it's not like script malware is in majority anyway...
Title: Re: Script Blocker mystery
Post by: igor on May 21, 2009, 09:13:12 AM
Are you Avast engineers?

Yes, I am.

Or, where can I look into your referenced documents so that I can learn whether Script Blocker simply blindly blocks all scripts or scans scripts against a different virus DB from Web Shield's virus DB?

You can't.
I really don't understand what you are trying to achieve. As I wrote multiple times already, Script Blocker is just another avast! scanner - so it doesn't block "blindly" anything, it looks for specific virus signatures. However, whether these signatures are related to an exploit or not, it doesn't matter at all.

According to Avast Tech support's 5/13 email explanation - "You are protected against JavaScript codes and VBScript codes but there is some small number of scripts using advanced technologies (eg. cooperation with rootkits or saving in the hidden folders) when only scriptblocker is able to detect them" , it seems there is something extra played into AV programming than the regular VPS updates even though I did not get the source reference of that explanation either.

You wanted an answer - so Tech Support guys started to imagine strange scenarios (like you have an active rootkit on your system which hides a script file. So, it's on your disk, so Web Shield is out of question, it's hidden from Standard Shield... so Script Blocker may be the last instance to detect it). However, I doubt a rootkit would hide script files (instead of ordinary executables) - besides, if you have an active rootkit on your system (which the antirootkit scanner should detect, btw), blocking or not blocking the script execution would probably be the least of your problems.

Do you think Script Blocker may get its update via Avast program updates as well?

Erm, Script Blocker is a part of avast!... so of course it gets updated with avast! program updates (and its detection is updated with VPS updates)... why shouldn't it?

I did not ask for anything more than necessary to evaluate the risk of not having Script Blocker, or the risk of simply using Avast Home.

I'm afraid such a risk is really hard to estimate. We believe that Web Shield should be sufficient for most of the users... but yes, there is some possibility that sometimes it's not. And I won't deny that we are also trying to encourage the users to buy the Professional version...
Title: Re: Script Blocker mystery
Post by: igor on May 21, 2009, 09:16:53 AM
Besides, it's not like script malware is in majority anyway...

I wouldn't agree with that. Seeing the trend in the last few months, I'd say the script malware is the biggest threat these days. Yes, the script eventually passes execution to a real executable, but that can be server-generated (changing every minute or so, so an antivirus program may easily miss it) - so I'd say detecting the scripts is very important.

Actually, we were originally planning to drop the Script Blocker for avast! 5.0 because it looked rather useless for some time - but with the latest development in the malware world, it won't happen (and there may be some bigger updates in the future).
Title: Re: Script Blocker mystery
Post by: RejZoR on May 21, 2009, 09:30:36 AM
Well, I meant in terms that script actually makes malicious actions, not just redirecting or serving EXE files. I know that's a problem by itself because they can spawn new versions every minute...

Btw, while we're at it, will Script Blocker free/pay policy apply to avast! 5 like it does for avast! 4.8 ?
I mean will Script Blocker still be only Professional Edition feature or will also end up in Home Edition when avast! 5 hits the final version?
Title: Re: Script Blocker mystery
Post by: igor on May 21, 2009, 09:45:36 AM
I really have no idea.
Title: Re: Script Blocker mystery
Post by: dude2 on May 21, 2009, 10:52:55 AM
I'm afraid such a risk is really hard to estimate. We believe that Web Shield should be sufficient for most of the users... but yes, there is some possibility that sometimes it's not. And I won't deny that we are also trying to encourage the users to buy the Professional version...
So no matter what, getting the Professional edition with Script Blocker seems to get you on the safe side.

But, for those Avast Home users before their upgrade to the Professional edition, any comment on the remarks from this page?
http://www.velocityreviews.com/forums/t306748-avast-questions.html
>>
Script blocking is a good thing to have in a layered defense - Microsoft
AntiSpyware does this too. I'm not sure whether having two script blockers
running simultaneously is a good idea, so this would be redundant for me. If
you don't use MSAS, and if you run IE without IE-SpyAd, script blocking could be
very protective.
<<
Title: Re: Script Blocker mystery
Post by: YoKenny on May 21, 2009, 11:26:44 AM
Believing posts from 06-27-2005 are like being in a coma for 4 years and after awakening asking if you have missed much.

I think you are suffering from a terrible affliction:
http://redwing.hutman.net/~mreed/warriorshtm/ferouscranus.htm
Title: Re: Script Blocker mystery
Post by: igor on May 21, 2009, 11:31:27 AM
If the two script blockers work similarly (that is, scan the scripts for virus signatures), then it might be redundant. However, some script blockers (I mean more "browser-" than antivirus- oriented) may work differently (I don't know... blocking according to the script origin, things like that)... it may bring something new... and get you another protection layer.

But I admit I personally didn't try to run another script blocker side-by-side, so I don't know if any conflicts might occur.
Title: Re: Script Blocker mystery
Post by: YoKenny on May 21, 2009, 01:33:28 PM
igor, what I was trying to say in a round about way was that these are the ramblings of a troll and I am guilty of being a particular type of troll.

Please read the Home page:
http://redwing.hutman.net/~mreed/index.htm

My persona but watch out if I have a few beers and become Jekyll and Hyde:  ;D
http://redwing.hutman.net/~mreed/warriorshtm/eaglescout.htm
Title: Re: Script Blocker mystery
Post by: dude2 on May 21, 2009, 01:44:47 PM
If the two script blockers work similarly (that is, scan the scripts for virus signatures), then it might be redundant. However, some script blockers (I mean more "browser-" than antivirus- oriented) may work differently (I don't know... blocking according to the script origin, things like that)... it may bring something new... and get you another protection layer.

But I admit I personally didn't try to run another script blocker side-by-side, so I don't know if any conflicts might occur.

I need to add a point to my previous comment. Even though XP SP2 is relatively safe because of the Local Machine zone lock down, but if you try to run an already downloaded VBS file or view an already-saved-to-local web page, then the hurt by mal-scripts is still unavoidable unless you got a Script Blocker. Isn't it?

Now, back to contemplating alternatives even they may not be as good as Script Blocker itself. If not running side by side with Script Blocker(i.e., running Avast Home only), would you recommend IE-SpyAd, Script Sentry, WormGuard, RegRun Guard, or ScriptDefender as a supplement to Avast Home to mitigate the threat from mal-scripts? Or, would you recommend using Symantec's Noscript.exe to turn off WSH and only to turn it back on when needed? Or, would you recommend simply disabling WSH in the registry like this?
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Script Host\Settings]   
"Enabled"=dword:00000000

From a very old page: http://www.www.techzonez.com/forums/showthread.php?p=88655
>>
Peep's @Avast forum recommended the FREE program Script Sentry . Old but still does its job with scripts
<<
Agree?
Title: Re: Script Blocker mystery
Post by: YoKenny on May 21, 2009, 01:59:54 PM
dude2, why don't you want to update to SP3 as it has been available for almost a year that has performance enhancements and several Critical Security Updates so in IE go to Tools then Windows Update then download and install all updates.

Putting band aids on an old leaking operating system is about as effective as chewing gum in a leaky dam.

Using posts from March 13th, 2005 as a reference is about as good as 5 week old bread and about as hard to digest.
Title: Re: Script Blocker mystery
Post by: dude2 on May 21, 2009, 02:37:28 PM
dude2, why don't you want to update to SP3 as it has been available for almost a year that has performance enhancements and several Critical Security Updates so in IE go to Tools then Windows Update then download and install all updates.
I do not see major security difference between XP SP3 and a well updated and armed-to-teeth XP SP2, isn't XP3 just like a cumulatively updated XP SP2?

I am more interested in the effect of Script Blocker. It is supposed to be more WSH related. Isn't it? I mentioned about IE related security improvement on XP SP2 simply because I heard that Script Blocker's targets may not be limited to WSH VB scripts(see Avast PRO brochure or RejZoR's comment Reply #10) but may also apply to web page scripts. But, I got no clarification on what other scripts are scanned by Script Blocker in addition to VB scripts. Are Javascripts, ActiveX codes, and those other IE scripts the targets of Script Blocker? I don't know. Are you ready to open that can of worms once again? I just found that XP SP2 is safer for IE scripts in general.
Title: Re: Script Blocker mystery
Post by: dude2 on May 24, 2009, 07:14:56 AM
Avast Home may be one of the best Free antivirus softwares. But, I really hope its users can rest assured that there is no tangible vulnerability unattended without Script Blocker. So far, my quest for the comprehensive understanding of Script Blocker has ground to a halt at these two threads:

1. "Script Blocker mystery" http://forum.avast.com/index.php?topic=45438.0
2. "Avast Script Blocker" http://forum.avast.com/index.php?topic=45472.0

Regarding the function of Script Blocker:
Script Blocker simply acts as Web Shield(added with some minor differences) + WSH shield. Igor's advice in http://forum.avast.com/index.php?topic=45438.msg380636#msg380636 noted the minor differences including: (1)when someone loads a bad browser script infected web page from disk cache, only Script Blocker can protect him; (2)Script Blocker can detect encrypted pages or pages from encrypted web site.

What's missing:
(1)No sources of reference
(2)No instances available to illustrate the cases mentioned above
(3)How redundant to have both Web Shield and Script Blocker running together?

Regarding WSH shield:
I still want to know what Avast Home users can do to somewhat mitigate the WSH vulnerability before they get a chance to upgrade to PRO for the full protection. I proposed and sought advice on: (1)using IE-SpyAd, Script Sentry, WormGuard, RegRun Guard, or ScriptDefender as a supplement to Avast Home to mitigate the threat from mal-scripts by detecting and stopping them from running; (2)using Symantec's Noscript.exe to turn off WSH and only to turn it back on when needed; (3)simply disabling WSH in the registry
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Script Host\Settings]   
"Enabled"=dword:00000000

No response yet.

Avast 5 is slated for this year. Hope these problems will be addressed by then.
Title: Re: Script Blocker mystery
Post by: Mr.Agent on May 24, 2009, 02:38:48 PM
If they add their firewall and other things to the Pro and stay Home like that. I think it would be great for what I'm guessing.

But well, let's wait for what they offer us.

Be patient. Be awarded. :)

Mr.Agent
Title: Re: Script Blocker mystery
Post by: calcu007 on May 24, 2009, 07:09:13 PM
(1)when someone loads a bad browser script infected web page from disk cache, only Script Blocker can protect him

Wrong. The bad scripts from disk will be caught by the resident shield too, so if you have the home version you are protected too. You are requesting 'secret' technical information that can't be shared with the public, so don't ask the same things again and again. Don't complicate things.
Title: Re: Script Blocker mystery
Post by: dude2 on May 25, 2009, 03:47:57 AM
Wrong. The bad scripts from disk will be caught by the resident shield too, so if you have the home version you are protected too. You are requesting 'secret' technical information that can't be shared with the public, so don't ask the same things again and again. Don't complicate things.
No, definitively not. I don't seek 'secret' technical information or any secret answer without source of reference. Where Web Shield and Script Blocker "seem" both capable of scanning "browser scripts", but from http://www.avast.com/eng/avast-4-professional-antivirus-antispyware.html, I am not so sure about how Resident Shield handles browser scripts. How do you draw the conclusion that computer file system protection implies Resident Shield scan engine capable of scanning locally cached "browser scripts"? If your version can be verified, I will modify my current conclusion at Reply#28 to reflect that:
http://forum.avast.com/index.php?topic=45438.msg381542#msg381542

To avoid a back and forth hearsay campaign, please back your words with an official source of reference.
Title: Re: Script Blocker mystery
Post by: calcu007 on May 25, 2009, 05:55:34 AM
Are you m...n or what? It is common sense.  Each file that is executed, accessed or opened from your hard disk (including scripts) is scanned by the resident shield. You want proof, then open resident provider settings screen, open customise, open scanner(advanced), you will see an option called "always scan WSH script files". Also you can open the HELP of avast (click F1) and search the word WSH
Title: Re: Script Blocker mystery
Post by: dude2 on May 25, 2009, 07:15:31 AM
Are you m...n or what? It is common sense.  Each file that is executed, accessed or opened from your hard disk (including scripts) is scanned by the resident shield. You want proof, then open resident provider settings screen, open customise, open scanner(advanced), you will see an option called "always scan WSH script files". Also you can open the HELP of avast (click F1) and search the word WSH

Don't be nasty unless you can get a bonus for that. People come and discuss things that are not very clear to them. So, please focus on the subject "the difference with/without Script Blocker". You may not agree with my summary quoted from Igor's regarding Script Blocker:
http://forum.avast.com/index.php?topic=45438.msg380636#msg380636
>>
Script Blocker may detect something more.
In particular:
1. If the file doesn't come from web, but rather from disk (i.e. if you load an infected web page from disk, which includes browser cache - even though in that case you must have visited the site previously anyway), then it cannot be detected by Web Shield, of course.
<<

You think things are already built in for Resident Shield. But, are you sure that Script Blocker is not needed to be installed for the advanced scanner option to scan for WSH scripts or to deal with locally cached or saved web pages' browser scripts? Besides, I was still unable to find your mentioned settings from my Avast! Home 4.8 Simple User Interface.
Title: Re: Script Blocker mystery
Post by: lukor on May 25, 2009, 01:03:04 PM
Hi dude,

I still have a feeling you are missing one important difference between script blocker and other file/URL based scanners in avast (on-demand, resident standard shield, webshield).

Script blocker checks the script code just before it gets executed. No matter how it is encrypted, obfuscated or dissected into tiny parts (e.g. in a web page) it must be eventually merged together and executed to do any harm - that's exactly when the script blocker checks the script.

The database is the same, but the content which is scanned may be different.

This also includes various means of generating the script code (be it Javascript, VBS script or other registered script language) on the fly and then executing it via some scripting trick - e.g. evaluate( ) method.
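
Added example (not part of the thread, and not avast! code): a small JavaScript model of the difference lukor describes, where the same signature list misses an encoded script when the page source is scanned as delivered, but matches once the decoded code reaches the execution point. The marker string, the signature name and the `execute`/`report` host functions are constructed for illustration; a real script blocker hooks the scripting engine rather than a function the script calls itself.

```javascript
// Constructed, harmless marker standing in for one entry of a virus database.
const SIGNATURES = [
  { name: "Test:Marker-A", pattern: "HARMLESS-TEST-MARKER-1234" },
];

// One scanner, one database: returns the matching signature name or null.
function scan(content, signatures = SIGNATURES) {
  const hit = signatures.find((s) => content.includes(s.pattern));
  return hit ? hit.name : null;
}

// Constructed sample "page script". The marker never appears literally in it:
// it is stored as XOR-encoded character codes and rebuilt at run time, then
// handed to execute(), the model's stand-in for eval-style code generation.
function buildObfuscatedPage() {
  const payload = 'report("HARMLESS-TEST-MARKER-1234")';
  const codes = Array.from(payload, (c) => c.charCodeAt(0) ^ 0x5a);
  return (
    `var d=[${codes.join(",")}];var s="";` +
    `for(var i=0;i<d.length;i++){s+=String.fromCharCode(d[i]^0x5a);}` +
    `execute(s);`
  );
}

// Execution-time scanning: every piece of code is scanned immediately before
// it runs, including code that an earlier script generated on the fly.
function runWithExecutionHook(source, signatures = SIGNATURES) {
  const log = { scanned: [], blocked: null, reported: [] };
  const report = (msg) => log.reported.push(msg);
  const execute = (code) => {
    log.scanned.push(code);
    const hit = scan(code, signatures);
    if (hit) {
      log.blocked = hit; // known-bad content: refuse to run it
      return;
    }
    new Function("execute", "report", code)(execute, report);
  };
  execute(source);
  return log;
}

const page = buildObfuscatedPage();

// Scanning the page as delivered (the transport or file view): no match.
console.log("static scan of page source:", scan(page));

// Scanning at the execution point: the decoded second stage matches.
const hooked = runWithExecutionHook(page);
console.log("execution hook blocked:", hooked.blocked);
console.log("code units scanned:", hooked.scanned.length);

// With an empty database the decoded stage runs, which shows that the
// encoded page really does carry the marked content.
const unhooked = runWithExecutionHook(page, []);
console.log("ran without signatures:", unhooked.reported);
```
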

Title: Re: Script Blocker mystery
Post by: dude2 on May 25, 2009, 03:34:00 PM
Script blocker checks the script code just before it gets executed. No matter how it is encrypted, obfuscated or dissected into tiny parts (e.g. in a web page) it must be eventually merged together and executed to do any harm - that's exactly when the script blocker checks the script.

The database is the same, but the content which is scanned may be different.

This also includes various means of generating the script code (be it Javascript, VBS script or other registered script language) on the fly and then executing it via some scripting trick - e.g. evaluate( ) method.
Hi Lukor,

So eventually, what's the difference with and without Script Blocker in addition to WSH scripts scanning and protection? I like to know Script Blocker's functions first and then maybe its methods if needed and allowed. For example, without Script Blocker, won't Web Shield or Resident Shield sift through online or locally cached/saved web pages and check for bad scripts? I haven't found much online document exploring this subject.
Title: Re: Script Blocker mystery
Post by: calcu007 on May 25, 2009, 05:06:19 PM
Are you m...n or what? It is common sense. Each file that is executed, accessed or opened from your hard disk (including scripts) is scanned by the resident shield. If you want proof, then open the resident provider settings screen, open customise, open scanner (advanced), and you will see an option called "always scan WSH script files". Also you can open the HELP of avast (click F1) and search for the word WSH.

Don't be nasty unless you can get a bonus for that. People come and discuss things that are not very clear to them. So, please focus on the subject "the difference with/without Script Blocker". You may not agree with my summary quoted from Igor's regarding Script Blocker:
http://forum.avast.com/index.php?topic=45438.msg380636#msg380636
>>
Script Blocker may detect something more.
In particular:
1. If the file doesn't come from web, but rather from disk (i.e. if you load an infected web page from disk, which includes browser cache - even though in that case you must have visited the site previously anyway), then it cannot be detected by Web Shield, of course.
<<

You think things are already built in for Resident Shield. But, are you sure that Script Blocker is not needed to be installed for the advanced scanner option to scan for WSH scripts or to deal with locally cached or saved web pages' browser scripts? Besides, I was still unable to find your mentioned settings from my Avast! Home 4.8 Simple User Interface.

Right click on the Avast icon, then On-Access Protection control, then select standard shield, then choose customize, then the tab Scanner (advanced)
Title: Re: Script Blocker mystery
Post by: calcu007 on May 25, 2009, 06:03:07 PM
Hi Lukor,

So eventually, what's the difference with and without Script Blocker in addition to WSH scripts scanning and protection? I like to know Script Blocker's functions first and then maybe its methods if needed and allowed. For example, without Script Blocker, won't Web Shield or Resident Shield sift through online or locally cached/saved web pages and check for bad scripts? I haven't found much online document exploring this subject.


Here we come again. The Webshield scans EVERY file accessed by the browser through internet traffic, including scripts. What part don't you understand? The locally cached/saved web pages are scanned by the resident shield when they are accessed. Remember they are detected using the virus signatures. You are asking the same thing. It was answered lots of times.
Title: Re: Script Blocker mystery
Post by: dude2 on May 25, 2009, 06:21:44 PM
Right click on the Avast icon, then On-Access Protection control, then select standard shield, then choose customize, then the tab Scanner (advanced)
Got that screen. Thanks calcu007! The "Always scan WSH-script files" box is already selected as default. But, does it mean I don't need Script Blocker or Avast PRO to have WSH script scanning and protection function kick in and work in the background? Not quite the same as advertised by Avast PRO.

Here we come again. The Webshield scans EVERY file accessed by the browser through internet traffic, including scripts. What part don't you understand? The locally cached/saved web pages are scanned by the resident shield when they are accessed. Remember they are detected using the virus signatures. You are asking the same thing. It was answered lots of times.

I didn't see whether JavaScript or other browser pages scripts would be handled by the look of the Resident Shield configuration screen, at least not as obvious as WSH scripts, and not sure about how much difference between the Resident Shield engine, the Web Shield engine, or the Script Blocker engine. If scan engines are different, could it make any difference even if the virus signature DB is the same? Plus, does any scan engine use heuristic analysis for proactive protection so that the scan results will not be limited to the virus DB? Lukor seems to have touched that subject and noted Script Blocker is capable of handling polymorphic or encrypted scripts; hopefully, he will share more.

I hope Igor can join the discussion.
Title: Re: Script Blocker mystery
Post by: calcu007 on May 25, 2009, 08:37:16 PM
Right click on the Avast icon, then On-Access Protection control, then select standard shield, then choose customize, then the tab Scanner (advanced)
Got that screen. Thanks calcu007! The "Always scan WSH-script files" box is already selected as default. But, does it mean I don't need Script Blocker or Avast PRO to have WSH script scanning and protection function kick in and work in the background? Not quite the same as advertised by Avast PRO.

Here we come again. The Webshield scans EVERY file accessed by the browser through internet traffic, including scripts. What part don't you understand? The locally cached/saved web pages are scanned by the resident shield when they are accessed. Remember they are detected using the virus signatures. You are asking the same thing. It was answered lots of times.

I didn't see whether JavaScript or other browser pages scripts would be handled by the look of the Resident Shield configuration screen, at least not as obvious as WSH scripts, and not sure about how much difference between the Resident Shield engine, the Web Shield engine, or the Script Blocker engine. If scan engines are different, could it make any difference even if the virus signature DB is the same? Plus, does any scan engine use heuristic analysis for proactive protection so that the scan results will not be limited to the virus DB? Lukor seems to have touched that subject and noted Script Blocker is capable of handling polymorphic or encrypted scripts; hopefully, he will share more.

I hope Igor can join the discussion.

If you check the resident config screen there is an option "scan modified/created file"; below that option appears "only files with selected extension". There you will see the extensions of the scripts (JS for javascript) etc. Also you can add more extensions if you know the extensions of other scripts. Or you can choose the option "scan all files". There are heuristics in the mail and outlook providers, but they only give you an alert about a "suspicious message"; it uses the virus db to give you a virus alert.
Title: Re: Script Blocker mystery
Post by: Vlk on May 25, 2009, 09:11:40 PM
The bottom line is that the Script Blocker is able to check scripts more thoroughly (generally speaking). That is, it checks them after they're decrypted, reassembled etc.

There are numerous attacks towards the traditional script scanners that cannot be efficiently shielded without the Script Blocker (at least in the case of Avast).
Title: Re: Script Blocker mystery
Post by: dude2 on May 26, 2009, 12:17:16 AM
If you check the resident config screen there is an option "scan modified/created file"; below that option appears "only files with selected extension". There you will see the extensions of the scripts (JS for javascript) etc. Also you can add more extensions if you know the extensions of other scripts. Or you can choose the option "scan all files". There are heuristics in the mail and outlook providers, but they only give you an alert about a "suspicious message"; it uses the virus db to give you a virus alert.
Amazing! In addition to "JS?" in the Default extension list, I also found "VB?" and "WS?", are they VB scripts and WSH scripts? I noticed all Shields are up and running except Outlook/Exchange, and its status is read as "The provider is waiting for a subsystem to start". I checked all tabs in [Outlook/Exchange>Customize...] and found [Heuristics - Advanced] options are greyed out. The note on that tab reads [The following settings affect handling of outbound messages and are relevant only when the sensivity is set to "High" or "Custom"]. In the [Outlook/Exchange>Customize...>Heuristics] tab, the sensitivity is shown set to "High". I went to [Standard Shield>customize...>Scanner(advanced)] and selected/checked [Scan created/modified files] and [Only files with selected extension] with [Default extension set(recommended)] plus verified [show ...] and found EML on the list. After I made the modification by selecting [Scan created/modified files], Standard Shield security level jumped from Normal to High. But, the Outlook/Exchange Shield is still showing the same "waiting for a subsystem to start" with both Outlook/Exchange and Standard Shield now set to High. Any idea?

The bottom line is that the Script Blocker is able to check scripts more thoroughly (generally speaking). That is, it checks them after they're decrypted, reassembled etc.

There are numerous attacks towards the traditional script scanners that cannot be efficiently shielded without the Script Blocker (at least in the case of Avast).

Since XP SP2 and up Microsoft has beefed up its browser security via "local machine zone lockdown", how do JavaScript or other browser scripts work around Microsoft's defense by encrypting or reassembling? Do those rare cases happen only when someone tries to open a locally cached/saved web page? If the difference of Script Blocker is the capability of handling polymorphed scripts, why not name it so? Thus, Avast Home users know that they are still protected from bad WSH scripts and other browser scripts except polymorphed scripts.

Will using IE-SpyAd, Script Sentry, WormGuard, RegRun Guard, or ScriptDefender as a supplement to Avast Home help somewhat mitigate the possible vulnerabilities exploited by polymorphed or advanced scripts even though Script Blocker of PRO would probably be the best choice?
Title: Re: Script Blocker mystery
Post by: calcu007 on May 26, 2009, 01:58:28 AM
The "Waiting for subsystem" message is because Outlook is not opened. This provider will work when you open Outlook.
Title: Re: Script Blocker mystery
Post by: dude2 on May 26, 2009, 03:18:04 AM
I don't have an IM client, a SMTP server, or a web browser opened on the PC, but Instant Messaging Shield, Internet Mail Shield, and Web Shield are all actively running as default though. How about the greyed out [Heuristics - Advanced] options?
Title: Re: Script Blocker mystery
Post by: calcu007 on May 26, 2009, 03:39:57 AM
It is normal if you have Outlook on your PC. Outlook is an email client program, not an IM program.
Title: Re: Script Blocker mystery
Post by: dude2 on May 26, 2009, 08:31:08 AM
Let me sum up the subject and list the million dollar questions:

1. If "JS?" and "VB?" in the Default extension list stand for JavaScript and VBScript respectively, then will the files with the extension names ".htm", ".html", and ".mht" or maybe even all files be scanned for the possible embedded exploiting JavaScript codes? Do users need to add any more extensions to the default extension list? I thought Default extension list should have included all known types that can be recognized and detected by Avast except those surely non-executable file types.

2. What's the difference between enabling "Always scan WSH-script files" and selecting "WS?" file extension other than "the condition/time to scan" (either On File Open or On File being Created/Modified)? I thought VBScript is one type of WSH scripts.

3. If it is true that WSH script files (e.g., VBS files) and the embedded browser script (e.g., JavaScript) web pages including most of the locally cached/saved web page files can be scanned and mostly detected by the Avast Home once it is properly configured, then what extra settings will users see in the Avast Professional configurations so that users can tell that extra Script Blocker scanning options are now available?

4. When Script Blocker is activated, will it only provide some extra capabilities to detect polymorphed, advanced, or encrypted scripts without incurring duplicated scan effort for the common(i.e., neither polymorphed, nor advanced) scripts? Or, will Script Blocker built in with some extra capabilities run in tandem with the existing Avast Home shields so each web page will be scanned twice against the common script fingerprints and once against the polymorphed/advanced script fingerprints?

5. Will using IE-SpyAd, Script Sentry, WormGuard, RegRun Guard, or ScriptDefender as a supplement to Avast Home help somewhat mitigate the possible vulnerabilities exploited by polymorphed or advanced scripts even though Script Blocker of PRO would probably be the best choice?
Title: Re: Script Blocker mystery
Post by: mkis on May 26, 2009, 01:10:05 PM
Now that you have sorted out the questions dude2, I think it is time for you to do some research of your own. Up to you of course. You can put 'Script blocker' through the hoops and run comparatives with the performance of Avast Home. Whatever you cannot find that is not available through documentation and product range that Alwil put out to the market, is obviously not yours to demand. Unless Avast team wish to make a special case for you, which they may do (their prerogative). But you can test the products and their functions, because they are available to you at whatever Alwil deem to be the market value. Avast Home is clearly a good starting point. And Avast Pro is available for two months trial, surely time enough to run preliminary tests and build your hypotheses.

If you decide to do this, then you can post your findings in the Avast forum, or on the internet somewhere, and I'm sure you will have audience enough to help you get to the bottom of the matter. This seems to be the best way for you to tackle your problem, and the ideal method by which you will have complete control of the whole process. I certainly would await the outcome of your possible undertaking with much interest, although I have to say that I am quite happy with the lengths that Avast team have gone to make their product range available to people like me.    
Title: Re: Script Blocker mystery
Post by: dude2 on May 26, 2009, 04:12:20 PM
I think it is time for you to do some research of your own. Up to you of course. You can put 'Script blocker' through the hoops and run comparatives with the performance of Avast Home. Whatever you cannot find that is not available through documentation and product range that Alwil put out to the market, is obviously not yours to demand. Unless Avast team wish to make a special case for you, which they may do (their prerogative). But you can test the products and their functions, because they are available to you at whatever Alwil deem to be the market value. Avast Home is clearly a good starting point. And Avast Pro is available for two months trial, surely time enough to run preliminary tests and build your hypotheses.
Your suggestion is thoughtful. But, it may not be as easy to simply start testing Script Blocker's capability without knowing what to expect. For now, even Script Blocker's extra capability to detect polymorphed, advanced, or encrypted types of scripts is merely a hearsay without the sources of reference. Nor have any mal-script instances been illustrated for those different types of scripts. That is why some of my questions starting with an "if...". How can you find and test with the valid malscripts against Avast! Home and PRO while not even really sure about their differences according to the spec?

Running some tests to verify what has been learned on paper is important, but in my opinion it still needs some bases to start with. For instance, it would be great if Alwil can provide the following info:

1. Which common scripts(e.g., WSH scripts or browser scripts) will be scanned by both Home and PRO?
It may include all recognized types of script files or various browser script snippets embedded in web page files. If possible, provide some instances for each type so that tests can be conducted.

2. What extra polymorphed, advanced, or encrypted types of scripts(e.g., WSH scripts or browser scripts) can be scanned by Avast! PRO?
It may include all recognized types of script files or various browser script snippets embedded in web page files. If possible, provide some instances for each type so that tests can be conducted.
Title: Re: Script Blocker mystery
Post by: calcu007 on May 26, 2009, 06:51:05 PM
Can you trust what developers tell you about Avast? Why do you insist on more information? Your question has been answered. Now it is your turn to test it; almost every website uses scripts, so you can test it.
Title: Re: Script Blocker mystery
Post by: dude2 on May 27, 2009, 03:57:22 AM
Since I asked in the beginning "I can hardly evaluate the risk of not having Script Blocker and simply using Avast Home 4.8. Does anyone know how?", here is related info gathered:

(1). According to http://www.avast.com/eng/avast-4-professional-antivirus-antispyware.html, Script Blocker "watches all scripts being executed in the operating system (so-called WSH scripts - Windows Scripting Host), and scans all the scripts run as a part of a web page within your web browser (Internet Explorer, Netscape Navigator and Mozilla)".

(2). According to http://forum.avast.com/index.php?topic=45438.msg380636#msg380636, Igor believes "Web Shield detects most things Script Blocker would have (including obfuscated scripts)... and much more. However, yes, there are also (minor, I'd say) situations when Script Blocker may detect something more."
In particular:
1. If the file doesn't come from web, but rather from disk (i.e. if you load an infected web page from disk, which includes browser cache - even though in that case you must have visited the site previously anyway), then it cannot be detected by Web Shield, of course.
2. In very specific cases (and I am not aware of any at the moment), it's possible that the Script Blocker detects a malicious script after decryption (if WebShield doesn't detect the encrypted parent)
3. Script Blocker works even for encrypted connections (HTTPS), where Web Shield doesn't see the traffic.
**According to http://forum.avast.com/index.php?topic=45438.msg381748#msg381748, lukor agreed with Igor on Script Blocker's capability to scan mal-script "No matter how it is encrypted, obfuscated or dissected into tiny parts (e.g. in a web page) it must be eventually merged together and executed to do any harm - that's exactly when the script blocker checks the script.". Script Blocker achieved this advanced script scan capability by "executing it via some scripting trick - e.g. evaluate( ) method".

(3). According to http://forum.avast.com/index.php?topic=45438.msg381615#msg381615, calcu007 disagreed with Igor on Avast Home's lack of capability to scan scripts for locally cached/saved web pages, and he further provided info on how to set it up in http://forum.avast.com/index.php?topic=45438.msg381818#msg381818 and http://forum.avast.com/index.php?topic=45438.msg381865#msg381865.

(4) According to http://forum.avast.com/index.php?topic=45438.msg382023#msg382023, mkis suggested "you can test the products and their functions, because they are available to you at whatever Alwil deem to be the market value. Avast Home is clearly a good starting point. And Avast Pro is available for two months trial, surely time enough to run preliminary tests and build your hypotheses."
**But, it may not be as easy to simply start testing Script Blocker's capability without knowing what to expect. How can you find and test with the valid malscripts against Avast! Home and PRO while not even really sure about their differences according to the spec? Running some tests to verify what has been learned on paper is important, but in my opinion it still needs some bases to start with. For instance, it would be great if Alwil can provide the following info:
1. Which common scripts(e.g., WSH scripts or browser scripts) will be scanned by both Home and PRO?
It may include all recognized types of script files or various browser script snippets embedded in web page files. If possible, provide some instances for each type so that tests can be conducted.
2. What extra polymorphed, advanced, or encrypted types of scripts(e.g., WSH scripts or browser scripts) can be scanned by Avast! PRO?
It may include all recognized types of script files or various browser script snippets embedded in web page files. If possible, provide some instances for each type so that tests can be conducted.

In summary, the gathered info (2) and (3) are still conflicted with each other regarding "Avast Home's capability to scan scripts for locally cached/saved web pages". There are no illustrated types and instances of the so called "polymorphed, advanced, or encrypted types of scripts" which can only be detected by Script Blocker. The only official source of reference is (1) or http://www.avast.com/eng/avast-4-professional-antivirus-antispyware.html. With this limited info on hand, I do not know how to test and evaluate the risk of not having Script Blocker as recommended in (4).
Title: Re: Script Blocker mystery
Post by: calcu007 on May 27, 2009, 04:43:50 AM
Do you know what the Resident shield (Standard shield) does? It scans EVERY file that is accessed on the hard disk. SOOOOOOOO it scans EVERYYYYY script executed on the hard disk. What part don't you understand? The Webshield scans EVERY file that is streamed to your computer through the HTTP protocol. BOTH providers use the virus db, not behavior detection; there are no heuristics in the script or webshield provider.
Title: Re: Script Blocker mystery
Post by: calcu007 on May 27, 2009, 04:53:29 AM
About your point 3, I don't disagree with Igor. Your problem is that you don't understand what the difference between the providers is. Webshield scans http traffic, script blocker scans scripts, resident shield scans EVERY FILE including scripts. As Lukor said, the Script blocker scans the script code before it is executed; both Script blocker and resident shield scan scripts with different methods.
Title: Re: Script Blocker mystery
Post by: dude2 on May 27, 2009, 04:59:25 AM
About your point 3, I don't disagree with Igor. Your problem is that you don't understand what the difference between the providers is. Webshield scans http traffic, script blocker scans scripts, resident shield scans EVERY FILE including scripts. As Lukor said, the Script blocker scans the script code before it is executed; both Script blocker and resident shield scan scripts with different methods.
How do you evaluate and test the difference without knowing the types or instances of these so called "polymorphed, advanced, or encrypted types of scripts" which can only be detected by Script Blocker via a different scan method? If you know it for sure that Resident Shield is effective for scanning EVERY file that is accessed in the hard disk and EVERYYYYY scripts to be executed, then how many percentages of mal-scripts(including WSH script files and browser script snippets) can be detected by Avast Home's Resident Shield and Web Shield when compared with Avast PRO? Sources of reference?
Title: Re: Script Blocker mystery
Post by: calcu007 on May 27, 2009, 07:01:38 PM
If you know it for sure that Resident Shield is effective for scanning EVERY file that is accessed in the hard disk and EVERYYYYY scripts to be executed, then how many percentages of mal-scripts(including WSH script files and browser script snippets) can be detected by Avast Home's Resident Shield and Web Shield when compared with Avast PRO? Sources of reference?

Home edition and PRO edition both use the same virus db, so neither detects more viruses than the other. It is COMMON SENSE; the resident shield is there watching your computer for any files accessed or executed, like any resident shield in any antivirus.
Title: Re: Script Blocker mystery
Post by: PRG on May 27, 2009, 07:57:06 PM
I find this discussion very interesting, as I am also attempting to evaluate how to protect my husband against being infected during his web browsing.  I still don't know what method _qbot used to get on his computer, but I feel certain that it was some sort of hijack of a normally trustworthy website, or *maybe* some random item on eBay that he viewed.

As I cannot find any reference to this particular malware in Avast's current database, and as several posts in this discussion mention that all of Avast's engines are using the database to flag malware, I am now wondering if the WebShield or the ScriptBlocker actually would have protected him last Thursday had I had the foresight to have chosen to install it.

I had actually gotten the impression that the WebShield and, perhaps especially, the ScriptBlocker were using some behavioral detection techniques to perhaps prevent this sort of drive-by infection.  If not, then I think I must expand my search for something that may do the job.  I still don't know what the infecting "vehicle" was, but I have been assuming it to be JavaScript related.  I really distrust javascript as I have no real way of knowing what any java is, and no real way of using the internet without permitting it to run.  NoScript helps, but it cannot protect me if a trustworthy site gets bad code somehow injected.

So, if ScriptBlocker simply relies on using the same database for its detections, regardless of when they occur, it may not be providing the more advanced protection from drive-by infections from hacked sites that I might be expecting.  I would love to send one of you to test it out, if I only knew which sites for sure.  Unfortunately, I haven't dared reopen IE nor have I found the correct tool to look at the Temp internet files. :D
Title: Re: Script Blocker mystery
Post by: mkis on May 27, 2009, 08:52:26 PM
Do you know how to access event viewer?

- either in Avast - rightclick 'a' icon in the tray bottom righthand of screen and choose avast! Log Viewer.

- or Windows - Control Panel > Administrative Tools > Event Viewer > Antivirus

Look through your logs for warnings and errors to get a better indication of what, when and where things have happened on your computer. You can post details here if you want.

Have you posted a Hijack This log yet?

I don't think 'Script Blocker' has anything to do with this matter.
Title: Re: Script Blocker mystery
Post by: calcu007 on May 27, 2009, 09:16:15 PM
The webshield and script blocker use the virus database and not behavioral detection techniques. If your husband got infected then that virus was not in the virus database of Avast. There is no anti-virus that detects everything, so sometimes it will fail to detect something, like every antivirus in the market.
Title: Re: Script Blocker mystery
Post by: PRG on May 28, 2009, 01:11:42 AM
Sorry - let me clarify.

I do not have Avast installed.  I was using a different AV provider.

I am here because I am "shopping" for a better AV, and those features lead me to believe that Avast might be "IT". :)

The greatest danger for the ordinary and careful, IMO, is random hijacking of websites, and because of the high usage of Javascript and its "intertwining" with everything - that seems the most likely vector to me.  However, I could be mistaken.

p.s. yes, I have posted an HJT log at malwareremoval.com if you're curious - same ID, search _qbot or Qakbot
Title: Re: Script Blocker mystery
Post by: DavidR on May 28, 2009, 01:52:56 AM
avast is one of the very few that are even checking for this hacked site issue and is all over it like a rash (even us using the Home version). With many sites totally unaware that they have been hacked until an avast user has informed them. Even the US Forestry site was hacked and didn't know until an avast user reported it.

Of all those reported in the viruses and worms forum, all that I have checked have proven to be correct. So far avast has proven to be very accurate in this regard.
Title: Re: Script Blocker mystery
Post by: PRG on May 29, 2009, 03:12:26 AM
That is great to know, DavidR.  And as I have now confirmed that Avast! does detect this particular infection, I believe I have found my best solution for his protection in Avast!  (I worry about this one because he's likely to visit wherever-it-was again.)

Now, what would anyone recommend as the best free always-on protection that would complement Avast! (of the anti-spyware sort) for a person on dial-up - if any?  I think the OP is asking that, also (though without the dial-up restriction).  Mainly for web-browsing safety - he is not likely to download or install anything, nor does he frequent "questionable" sites.  I can't get him to use Firefox *sigh*
Title: Re: Script Blocker mystery
Post by: YoKenny on May 29, 2009, 03:18:11 AM
Quote
the best free always-on protection that would complement Avast!
Malwarebytes' Anti-Malware (MBAM):
http://www.malwarebytes.org/mbam.php
One time upgrade fee for always-on protection $25US I believe.

Web of Trust (WoT)
Quote
Free Internet Security
 WOT warns you about risky websites
http://www.mywot.com
Title: Re: Script Blocker mystery
Post by: PRG on May 29, 2009, 03:40:25 AM
Does WOT use up bandwidth looking things up all the time like LinkScanner, or might it consult a "local" database?

What part of MBAM do you feel best complements Avast?  Differing databases, differing focus, differing scanning methods?
Title: Re: Script Blocker mystery
Post by: DavidR on May 29, 2009, 03:03:54 PM
WOT is the only thing I use (though it is far from perfect and I wouldn't take everything at face value), being on dial-up the others affect bandwidth and I don't have much of that to start with.
Title: Re: Script Blocker mystery
Post by: gwilym on May 29, 2009, 05:26:49 PM
David, couldn't help noticing the 22' steerables and ram air canopy on your profile, Oxford too, PTS by any chance?
Title: Re: Script Blocker mystery
Post by: DavidR on May 29, 2009, 06:25:47 PM
No not PTS, 3 Para originally (the Pegasus bit of the avatar) and other Units, did a lot of skydiving and Weekend Instruction at RAF WOTG, left the Army and settled in the area.

One of the staff at WOTG was called Gwilym ?
Title: Re: Script Blocker mystery
Post by: YoKenny on May 29, 2009, 08:15:33 PM
Does WOT use up bandwidth looking things up all the time like LinkScanner, or might it consult a "local" database?
Not that I notice but that would be a good question for their forum:
http://www.mywot.com/en/forum <== it uses Drupal that is like a blog format

Quote
What part of MBAM do you feel best complements Avast?  Differing databases, differing focus, differing scanning methods?
There are 2 parts to MBAM one is Free that needs manual update downloads then a Quick scan that usually only takes a couple of minutes on a modern system and the one time Fee up update that is about $25US that includes automatic updates and automatic scanning.
Title: Re: Script Blocker mystery
Post by: dude2 on May 30, 2009, 06:17:34 AM
If you know it for sure that Resident Shield is effective for scanning EVERY file that is accessed in the hard disk and EVERYYYYY scripts to be executed, then how many percentages of mal-scripts(including WSH script files and browser script snippets) can be detected by Avast Home's Resident Shield and Web Shield when compared with Avast PRO? Sources of reference?

Home edition and PRO edition both use the same virus db, so neither detects more viruses than the other. It is COMMON SENSE; the resident shield is there watching your computer for any files accessed or executed, like any resident shield in any antivirus.

Can you explain Avast claim that Script Blocker "watches all scripts being executed in the operating system (so-called WSH scripts - Windows Scripting Host), and scans all the scripts run as a part of a web page within your web browser (Internet Explorer, Netscape Navigator and Mozilla)" in http://www.avast.com/eng/avast-4-professional-antivirus-antispyware.html, while you claim that Script Blocker is not needed to achieve the same goal?
Title: Re: Script Blocker mystery
Post by: dude2 on May 30, 2009, 06:31:10 AM
the best free always-on protection that would complement Avast! ?

A very good question that has been asked a couple of times.
See: http://forum.avast.com/index.php?topic=45438.msg380955#msg380955
http://forum.avast.com/index.php?topic=45438.msg381542#msg381542

I wonder how you can get a self-explained and verifiable answer before you know what is missing from Avast Home compared to Avast PRO. That is why evaluating the risk of going without Script Blocker is the key to unlock the mystery.
Title: Re: Script Blocker mystery
Post by: PRG on May 30, 2009, 07:11:31 AM
My instinctive thoughts on the answer to your question, while not of course technical, or even "in the know" is this:

Malware uses so many different vehicles and processes to try to get around our protection and is so changeable in its forms that having different procedures for watching our systems can only increase the chances that some new thing may be caught before it can do any damage.  I think of it as another tool that might do the same job, but more efficiently or effectively in certain limited circumstances that I am not qualified to predict.  Just like a long-handled screwdriver may be awkward in some situations, but can still get the job done, versus a short-handled screwdriver.  Or maybe a monkey-wrench versus a set of box wrenches.

I think I shall spring for the extra PRO protection, if I can find the money, if only to increase my peace of mind.  That one extra tool may someday win a battle for me.  Besides, PRO offers a couple other "perqs", too.  However, if I can't find the extra funds, I shall still feel well protected with the basic protection, especially the Web Shield.
Title: Re: Script Blocker mystery
Post by: dude2 on May 30, 2009, 07:34:25 AM
Until Alwil is ready to provide the key and unlock the mystery, we are free to choose whatever version story that eases our mind most. But, deep inside we know we still don't know.
Title: Re: Script Blocker mystery
Post by: calcu007 on May 30, 2009, 07:45:54 AM
Don't say "we". You are the only one that doesn't understand what script blocker does.
Title: Re: Script Blocker mystery
Post by: dude2 on May 30, 2009, 08:13:08 AM
Don't say "we". You are the only one that doesn't understand what script blocker does.

Something is waiting for you on Reply #66, if you can share your knowledge.
Title: Recap of the progress
Post by: dude2 on May 30, 2009, 02:19:36 PM
Here is the recap.

Opening Question

"I can hardly evaluate the risk of not having Script Blocker and simply using Avast Home 4.8. Does anyone know how?"

Gathered info

(1). According to http://www.avast.com/eng/avast-4-professional-antivirus-antispyware.html, Script Blocker "watches all scripts being executed in the operating system (so-called WSH scripts - Windows Scripting Host), and scans all the scripts run as a part of a web page within your web browser (Internet Explorer, Netscape Navigator and Mozilla)".

(2). According to http://forum.avast.com/index.php?topic=45438.msg380636#msg380636, Igor believes "Web Shield detects most things Script Blocker would have (including obfuscated scripts)... and much more. However, yes, there are also (minor, I'd say) situations when Script Blocker may detect something more."
In particular:
1. If the file doesn't come from web, but rather from disk (i.e. if you load an infected web page from disk, which includes browser cache - even though in that case you must have visited the site previously anyway), then it cannot be detected by Web Shield, of course.
2. In very specific cases (and I am not aware of any at the moment), it's possible that the Script Blocker detects a malicious script after decryption (if WebShield doesn't detect the encrypted parent)
3. Script Blocker works even for encrypted connections (HTTPS), where Web Shield doesn't see the traffic.
**According to http://forum.avast.com/index.php?topic=45438.msg381748#msg381748, lukor agreed with Igor on Script Blocker's capability to scan mal-script "No matter how it is encrypted, obfuscated or dissected into tiny parts (e.g. in a web page) it must be eventually merged together and executed to do any harm - that's exactly when the script blocker checks the script.". Script Blocker achieved this advanced script scan capability by "executing it via some scripting trick - e.g. evaluate( ) method".

(3). According to http://forum.avast.com/index.php?topic=45438.msg381615#msg381615, calcu007 believes Avast Home's Resident Shield is able to scan scripts for locally cached/saved web pages, and he further provided info on how to set it up in http://forum.avast.com/index.php?topic=45438.msg381818#msg381818 and http://forum.avast.com/index.php?topic=45438.msg381865#msg381865.
calcu007 believes "Home edition and Pro edition both use the same virus db, so neither detects more viruses than the other. It is COMMON SENSE the resident shield is there watching your computer for any files accessed or executed, like any resident shield in any antivirus." see http://forum.avast.com/index.php?topic=45438.msg382320#msg382320
**However, he has not explained why Avast! PRO is claimed to "watch all scripts being executed in the operating system (so-called WSH scripts - Windows Scripting Host), and scans all the scripts run as a part of a web page within your web browser (Internet Explorer, Netscape Navigator and Mozilla)" in http://www.avast.com/eng/avast-4-professional-antivirus-antispyware.html, while he claims that Script Blocker makes no difference.

(4). According to http://forum.avast.com/index.php?topic=45438.msg382023#msg382023, mkis suggested "you can test the products and their functions, because they are available to you at whatever Alwil deem to be the market value. Avast Home is clearly a good starting point. And Avast Pro is available for two months trial, surely time enough to run preliminary tests and build your hypotheses."
**But, it may not be as easy to simply start testing Script Blocker's capability without knowing what to expect. How can you find and test with the valid malscripts against Avast! Home and PRO while not even really sure about their differences according to the spec? Running some tests to verify what has been learned on paper is important, but in my opinion it still needs some bases to start with.

Summary

From the gathered info (2) and (3), it is hard to draw a conclusion regarding "Avast Home's capability to scan scripts including script snippets in the locally cached/saved web pages". If Avast Home can scan most of the scripts including locally cached/saved web pages while Script Blocker can do more with advanced methods, then what extra polymorphed, advanced, or encrypted types of scripts (e.g., WSH scripts or browser scripts) will be scanned by Avast! PRO other than the common scripts (e.g., WSH scripts or browser scripts) scanned by both Home and PRO?

It would be great if Alwil can provide this key info to unlock the mystery. It may include all recognized types of script files or various browser script snippets embedded in web page files. If possible, provide some instances for each type so that tests can be conducted as recommended in (4). Until then, the risk of just using Avast! Home can be evaluated, and it may also be possible to thoroughly consider what can be used to supplement or complement Avast Home!, such as using IE-SpyAd, Script Sentry, WormGuard, RegRun Guard, or ScriptDefender (as mentioned in http://forum.avast.com/index.php?topic=45438.msg381542#msg381542)
Title: Re: Recap of the progress
Post by: igor on May 30, 2009, 02:30:17 PM
If Avast Home can scan most of the scripts including locally cached/saved web pages while Script Blocker can do more with advanced methods,

As I was saying earlier, there are no special "advanced methods" here (at least for now) - only the source of the data to scan is different.

then what extra polymorphed, advanced, or encrypted types of scripts(e.g., WSH scripts or browser scripts) will be scanned by Avast! PRO other than the common scripts(e.g., WSH scripts or browser scripts) scanned by both Home and PRO?

Those scripts that the current virus database is unable to detect in encrypted form, but it is able [to detect them] after decryption.
You won't get any better answer, and certainly no list - because nobody has such a list (and honestly, nobody cares). If an encrypted script appears (and we get the sample), we add the detection (even for the encrypted form) - but it's possible that Script Blocker detects this beforehand, without the virus database update.
Title: Re: Recap of the progress
Post by: dude2 on May 30, 2009, 03:01:28 PM
If Avast Home can scan most of the scripts including locally cached/saved web pages while Script Blocker can do more with advanced methods,

As I was saying earlier, there are no special "advanced methods" here (at least for now) - only the source of the data to scan is different.

then what extra polymorphed, advanced, or encrypted types of scripts(e.g., WSH scripts or browser scripts) will be scanned by Avast! PRO other than the common scripts(e.g., WSH scripts or browser scripts) scanned by both Home and PRO?

Those scripts that the current virus database is unable to detect in encrypted form, but it is able [to detect them] after decryption.
You won't get any better answer, and certainly no list - because nobody has such a list (and honestly, nobody cares). If an encrypted script appears (and we get the sample), we add the detection (even for the encrypted form) - but it's possible that Script Blocker detects this beforehand, without the virus database update.


By saying "advanced methods", I am referring to lukor's comments in Reply #34 http://forum.avast.com/index.php?topic=45438.msg381748#msg381748.
"Script blocker checks the script code just before it gets executed. No matter how it is encrypted, obfuscated or dissected into tiny parts (e.g. in a web page) it must be eventually merged together and executed to do any harm - that's exactly when the script blocker checks the script.", which is not much different from your saying "Those scripts that the current virus database is unable to detect in encrypted form, but it is able [to detect them] after decryption."

If you do not have more info to share, then let's wait until Avast! 5.

But if you are willing to share some more, please define "only the source of the data to scan is different". Does that still refer to "encrypted scripts"? Where can users learn what encryption techniques you are referring to? I used to script some web pages with JavaScript (for a collapsible menu), but I don't know any method to encrypt embedded script snippets in the web page. Do you mean encrypted page as a whole or encrypted script snippets?

Based on lukor's version, before the encrypted, obfuscated or dissected scripts can do any harm, they need to be decrypted and merged together and executed to do any harm. But then, based on your version, "those scripts that the current virus database is unable to detect in encrypted form, but it is able [to detect them] after decryption.", wouldn't the bad scripts still end up being caught by Avast! Home after being decrypted and merged together and before doing any harm?
Title: Re: Script Blocker mystery
Post by: igor on May 30, 2009, 03:20:45 PM
I am saying it over and over again, and Lukor said basically the same.
Script Blocker gets the data [to be scanned] from the browser itself - so, that's the source here. Of course, the browser may have performed some decryption in between. That is certainly not the case for Web Shield or Standard Shield that get the raw data from web or disk.

The data flow is basically something like:
Internet --> WebShield --> Browser --> Script Blocker --> Scripting engine (Windows or back in browser again)

So, Script Blocker gets different data - after they were partially processed by the browser itself. This may have removed some encryption layers, for example.
Title: Re: Script Blocker mystery
Post by: lukor on May 30, 2009, 03:42:35 PM
Dude, it is very tiring to read all those resumes since apparently you lack some knowledge required to understand this topic.

Otherwise you would not be able to ask such a question repeatedly. As an example please see this:

Based on lukor's version, before the encrypted, obfuscated or dissected scripts can do any harm, they need to be decrypted and merged together and executed to do any harm. But, then, based on your version, "those scripts that the current virus database is unable to detect in encrypted form, but it is able [to detect them] after decryption.", wouldn't the bad scripts still end up being caught by Avast! Home after being decrypted and merged together and before doing any harm?

So the answer is: if the decryption created a file on your disk (which is highly unlikely), then it could be caught by the file scanner; otherwise NOT!
Title: Re: Script Blocker mystery
Post by: dude2 on May 30, 2009, 04:27:47 PM
Lukor, trust me it is exhausting to put this mystery into perspective as well. If there is a document which well explains the risk of not having Script Blocker, this tiring process wouldn't be needed. Not many Avast! users know the data flow as just noted by Igor.

I used to script some web pages with JavaScript (for a collapsible menu), but I don't know any method to encrypt embedded script snippets in the web page. Where can users learn what encryption techniques you are referring to? Nor do I know the difference between a received html file via a network capable program or by a browser so that I can understand the significance of the Web Shield location in the data flow. Why not move Web Shield toward the downstream of the data flow right after "browser" to intercept decrypted bad scripts if it helps?
Title: Re: Script Blocker mystery
Post by: lukor on May 30, 2009, 04:46:33 PM
How exactly do you suggest WebShield (local HTTP proxy) could be moved "toward the downstream" to help blocking things Web Browser is doing with downloaded content ? (here by content I mean scripts, and the activity done with them is "running them")

What is once downloaded can not be undownloaded later.

Title: Re: Script Blocker mystery
Post by: igor on May 30, 2009, 04:46:56 PM
Why not move Web Shield toward the downstream of the data flow right after "browser" to intercept decrypted bad scripts if it helps?

- because it wouldn't be a "Web" Shield then
- it would have access only to the scripts, not to the surrounding HTML code (where there can be many exploits as well)
- it would work only in specific browsers where Script Blocker is currently supported
Title: Re: Script Blocker mystery
Post by: Lisandro on May 30, 2009, 05:10:00 PM
it would work only in specific browsers where Script Blocker is currently supported
Of course, NOBODY wants that... keep WebShield where it is, please.
Title: Re: Script Blocker mystery
Post by: dude2 on May 30, 2009, 05:15:26 PM
Is it possible to move the new one "toward the downstream" to help blocking decrypted things by implementing a merged version of the current Web Shield and Script Blocker? Or, is it possible to employ heuristic or proactive protection by applying some virtual machine techniques used by other antivirus products? I can not say it for sure because you have not explained to me what encryption techniques you referred to.

In calcu007's version(with some unanswered parts), he said that even Web Shield may not be able to block encrypted things at the first line of defense, he believes that Resident Shield will still be the last line of defense with the help of the properly configured settings and that all types of specified scripts will be scanned as efficiently as done by Script Blocker when files/scripts are either created, accessed(opened), or modified. Agree?
Title: Re: Script Blocker mystery
Post by: lukor on May 30, 2009, 06:09:19 PM
Is it possible to move the new one "toward the downstream" to help blocking decrypted things by implementing a merged version of the current Web Shield and Script Blocker?

Not possible.
Title: Re: Script Blocker mystery
Post by: calcu007 on May 30, 2009, 06:19:58 PM
If you know it for sure that Resident Shield is effective for scanning EVERY file that is accessed in the hard disk and EVERYYYYY scripts to be executed, then how many percentages of mal-scripts(including WSH script files and browser script snippets) can be detected by Avast Home's Resident Shield and Web Shield when compared with Avast PRO? Sources of reference?

Home edition and Pro edition both use the same virus db, so neither detects more viruses than the other. It is COMMON SENSE the resident shield is there watching your computer for any files accessed or executed, like any resident shield in any antivirus.

Can you explain Avast claim that Script Blocker "watches all scripts being executed in the operating system (so-called WSH scripts - Windows Scripting Host), and scans all the scripts run as a part of a web page within your web browser (Internet Explorer, Netscape Navigator and Mozilla)" in http://www.avast.com/eng/avast-4-professional-antivirus-antispyware.html, while you claim that Script Blocker is not needed to achieve the same goal?

Don't change my statements. I didn't say that the Script Blocker is not needed. I said that you are protected with webshield and the resident shield. If you access a bad script and it is in the virus db, you will be protected depending on where or how you accessed it (internet by webshield, or resident shield). KEEP IN MIND: if the questionable script is not in the virus db it will not be detected.
Title: Re: Script Blocker mystery
Post by: dude2 on May 31, 2009, 04:40:07 AM
If you know it for sure that Resident Shield is effective for scanning EVERY file that is accessed in the hard disk and EVERYYYYY scripts to be executed, then how many percentages of mal-scripts(including WSH script files and browser script snippets) can be detected by Avast Home's Resident Shield and Web Shield when compared with Avast PRO? Sources of reference?
Home edition and Pro edition both use the same virus db, so neither detects more viruses than the other. It is COMMON SENSE the resident shield is there watching your computer for any files accessed or executed, like any resident shield in any antivirus.
If Script Blocker uses the same virus DB as used in Avast! Home by Web Shield and Resident Shield, why can't Resident Shield if properly configured provide the last line of defense against the decrypted scripts?
Title: Re: Script Blocker mystery
Post by: PRG on May 31, 2009, 05:46:09 AM
If Script Blocker uses the same virus DB as used in Avast! Home by Web Shield and Resident Shield, why can't Resident Shield if properly configured provide the last line of defense against the decrypted scripts?
No one said it couldn't.  They said they didn't want it to.  The Web Shield is much more like a first line of defense - and that's the best way for it to be, IMO.  I'd far rather a nasty was caught while it was still "in transit" and before it is saved to my hard drive!  :o
Title: Re: Script Blocker mystery
Post by: dude2 on May 31, 2009, 05:59:51 AM
The Web Shield is much more like a first line of defense - and that's the best way for it to be, IMO.  I'd far rather a nasty was caught while it was still "in transit" and before it is saved to my hard drive!  :o
If you access a bad script and it is in the virus db, you will be protected depending on where or how you accessed it (internet by webshield, or resident shield). KEEP IN MIND: if the questionable script is not in the virus db it will not be detected.
I don't think Resident Shield provides protection only after the damage is done. But, can Resident Shield scan the decrypted and reassembled scripts before they pass through the script engine (i.e., WSH or browser script engine)? Won't web pages coming from internet be loaded into the temporary internet folder/cache? Why doesn't Resident Shield work there? If those encrypted files or web pages are to be decrypted and/or reassembled to do any harm, is there no way for Resident Shield to play as the last line of defense to intercept the decrypted scripts?
Title: Re: Script Blocker mystery
Post by: lukor on May 31, 2009, 06:49:32 AM
Dude2, come in, think a bit!

Let's say I today create a program that has a database of viruses in scripts stored in some undetected file. I randomly choose one, synthesize its source code (by guessing, pure programmatic creation, decryption, decompressing, downloading by parts from the internet etc.) and create a script source code in memory and then I call Windows Scripting Engine to execute my script -- do you with all your proclaimed knowledge and systematic approach see the point that this will never get written to the disk and hence could never be scanned by resident shield?
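
The data flow igor describes (Internet --> WebShield --> Browser --> Script Blocker --> Scripting engine) and lukor's point about a script that only exists in memory can be modelled in a few lines. This is an added example, not code from the thread or from avast!; the signature, the harmless marker string, the sample page and the three simplified scan points are all constructed for illustration.

```javascript
// Added illustration; a harmless marker string stands in for a known-bad script body.
const SIGNATURES = [{ name: 'Demo:JS-Marker', pattern: 'DEMO_BAD_SCRIPT_MARKER' }];

// One signature scan shared by every scan point (same virus database everywhere).
function scan(data) {
  const hit = SIGNATURES.find(sig => data.includes(sig.pattern));
  return hit ? hit.name : null;
}

// Constructed sample page. With obfuscate=true the inner script is percent-encoded
// and split in two, so the marker is absent from the bytes on the wire and in the cache.
function buildSamplePage(obfuscate) {
  const inner = 'log("DEMO_BAD_SCRIPT_MARKER")';
  if (!obfuscate) return `<html><script>${inner}</script></html>`;
  const enc = Array.from(inner, ch => '%' + ch.charCodeAt(0).toString(16).padStart(2, '0')).join('');
  const cut = Math.floor(inner.length / 2) * 3; // stay on a %xx boundary
  return `<html><script>var a="${enc.slice(0, cut)}";var b="${enc.slice(cut)}";` +
         `run(decodeURIComponent(a+b));</script></html>`;
}

// Simplified model of the three scan points. Returns who blocked the page (if anyone)
// and what the inner script managed to execute.
function loadPage(page, shields) {
  const result = { blockedBy: null, detection: null, executed: [] };
  const block = (who, name) => { result.blockedBy = who; result.detection = name; };

  // 1. Web Shield: local HTTP proxy, sees the raw response body only.
  let hit = shields.webShield ? scan(page) : null;
  if (hit) { block('Web Shield', hit); return result; }

  // 2. Resident shield: sees the same raw bytes when the browser writes its cache file.
  hit = shields.residentShield ? scan(page) : null;
  if (hit) { block('Resident Shield', hit); return result; }

  // 3. The browser hands every script to the scripting engine. Script Blocker sits in
  //    front of the engine, so it sees source text after the browser has decoded it.
  const engine = source => {
    if (result.blockedBy) return;
    const found = shields.scriptBlocker ? scan(source) : null;
    if (found) { block('Script Blocker', found); return; }
    // "run" lets a script pass newly built source back to the engine (an eval-like call).
    new Function('run', 'log', source)(engine, msg => result.executed.push(msg));
  };
  const match = /<script>([\s\S]*?)<\/script>/.exec(page);
  if (match) engine(match[1]);
  return result;
}

// Home has no Script Blocker; Pro has all three scan points.
const HOME = { webShield: true, residentShield: true, scriptBlocker: false };
const PRO = { webShield: true, residentShield: true, scriptBlocker: true };

for (const [label, shields] of [['Home', HOME], ['Pro', PRO]]) {
  for (const obfuscated of [false, true]) {
    const r = loadPage(buildSamplePage(obfuscated), shields);
    console.log(label, obfuscated ? 'obfuscated' : 'plain', '->',
                r.blockedBy || 'not blocked', r.executed);
  }
}
```

In this model the plain page is stopped at the proxy in both configurations, while the encoded page is only stopped where the decoded source reaches the engine, because the decoded text is never part of the download or of any file on disk.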


Title: Re: Script Blocker mystery
Post by: lukor on May 31, 2009, 06:50:26 AM
If Script Blocker uses the same virus DB as used in Avast! Home by Web Shield and Resident Shield, why can't Resident Shield if properly configured provide the last line of defense against the decrypted scripts?

Did you try replying yourself before posting the same question AGAIN?
Title: Re: Script Blocker mystery
Post by: calcu007 on May 31, 2009, 07:16:41 AM
I think this guy is 12 years old. He is asking the same question in different ways, and even though he received the answer, he still didn't understand it.

I don't think Resident Shield provides protection only after the damage is done. But, can Resident Shield scan the decrypted and reassembled scripts before they pass through the script engine (i.e., WSH or browser script engine)? Won't web pages coming from internet be loaded into the temporary internet folder/cache? Why doesn't Resident Shield work there? If those encrypted files or web pages are to be decrypted and/or reassembled to do any harm, is there no way for Resident Shield to play as the last line of defense to intercept the decrypted scripts?

The resident shield SCANS EVERY FILE THAT IS WRITTEN TO THE HARD DISK, SOOOOOOOOOOOO it will scan the temporary internet folder/cache, in case you don't have the Webshield activated. Webshield and script blocker are the first line of defense; if you don't have those shields activated it will be caught by resident shield even if they are decrypted scripts, because the resident USES the virus signature to detect themmmmm.

Following Lukor's example, that file is scanned by Script blocker, but if you don't have that shield, then it will be caught by resident shield at the moment it is written to the hdd. So the only way you can be infected by a bad script is in 2 cases:

1. The script is not in the Virus db yet.
2. You have the resident shield disabled.

How can I explain it to you better?

Title: Re: Script Blocker mystery
Post by: calcu007 on May 31, 2009, 07:22:49 AM
If Script Blocker uses the same virus DB as used in Avast! Home by Web Shield and Resident Shield, why can't Resident Shield if properly configured provide the last line of defense against the decrypted scripts?

It will always be that last line of defense. It will catch the bad file or script before it does the damage, because to do damage it needs to be written to the hdd.
Title: Re: Script Blocker mystery
Post by: dude2 on May 31, 2009, 08:19:48 AM
Dude2, come in, think a bit!

Let's say I today create a program that has a database of viruses in scripts stored in some undetected file. I randomly choose one, synthesize its source code (by guessing, pure programmatic creation, decryption, decompressing, downloading by parts from the internet etc.) and create a script source code in memory and then I call Windows Scripting Engine to execute my script -- do you with all your proclaimed knowledge and systematic approach see the point that this will never get written to the disk and hence could never be scanned by resident shield?

CREATING SOMETHING IN MEMORY ON THE FLY sounds like the one to beat Avast! Home. But, in your example why did anti-rootkit (GMER) allow "database of viruses in scripts stored in some undetected file" to happen on your system?

I think this guy is 12 years old. He is asking the same question in different ways, and even though he received the answer, he still didn't understand it.
If I am a 12 year old, you ought to bear with me. If I am not, don't force me to speak in Mandarin!

The resident shield SCANS EVERY FILE THAT IS WRITTEN TO THE HARD DISK, SOOOOOOOOOOOO it will scan the temporary internet folder/cache, in case you don't have the Webshield activated. Webshield and script blocker are the first line of defense; if you don't have those shields activated it will be caught by resident shield even if they are decrypted scripts, because the resident USES the virus signature to detect themmmmm.

Following Lukor's example, that file is scanned by Script blocker, but if you don't have that shield, then it will be caught by resident shield at the moment it is written to the hdd. So the only way you can be infected by a bad script is in 2 cases:

1. The script is not in the Virus db yet.
2. You have the resident shield disabled.

How can I explain it to you better?
For your raised two cases:
1. The script is not in the Virus db yet.  -> Start thinking heuristically
2. You have the resident shield disabled.  -> Define how encryption/decryption works and the data flow of all components

If Script Blocker uses the same virus DB as used in Avast! Home by Web Shield and Resident Shield, why can't Resident Shield if properly configured provide the last line of defense against the decrypted scripts?
It will always be that last line of defense. It will catch the bad file or script before it does the damage, because to do damage it needs to be written to the hdd.
If lukor or Igor does not oppose, it seems like your points are well made there. But, lukor's IN YOUR MEMORY attack is still possible if his hypothetical tactic finds a way to elude GMER.

After this round of questions and answers, I feel like I must be at the bottom if a popularity contest is held now. Hopefully, at the end truth will forgive our ignorance. NO! MY IGNORANCE.
Title: Re: Script Blocker mystery
Post by: calcu007 on May 31, 2009, 08:51:33 AM

CREATING SOMETHING IN MEMORY ON THE FLY sounds like the one to beat Avast! Home. But, in your example why did anti-rootkit (GMER) allow "database of viruses in scripts stored in some undetected file" to happen on your system?
Because the anti-rootkit is a scanner; it is integrated in the on-demand scanner, not in the on-access shields (like the resident shield, script shield, etc.). It scans when you power up your PC and when you make a scan. Get informed before making assumptions.
Title: Re: Script Blocker mystery
Post by: calcu007 on May 31, 2009, 08:58:26 AM

For your raised two cases:
1. The script is not in the Virus db yet.  -> Start thinking heuristically
2. You have the resident shield disabled.  -> Define how encryption/decryption works and the data flow of all components


After this round of questions and answers, I feel like I must be at the bottom if a popularity contest is held now. Hopefully, at the end truth will forgive our ignorance. NO! MY IGNORANCE.


1. Start thinking and reading again. There is NO heuristics. Only the mail and outlook scanners have it.
2. The resident doesn't decrypt anything; the data flows the same way if you don't have an antivirus in your PC, but it will NOT be scanned for malware.

As lukor said think and use your proclaimed knowledge.
Title: Re: Script Blocker mystery
Post by: dude2 on May 31, 2009, 09:23:35 AM
An old story goes like this:

Two famous Chinese philosophers once stood on a bridge and looked into the river down below.
"Don't you see how happy those fish are to swim in the river?", one asked.
"You are not the fish; how could you tell if they are happy?", the other challenged.
"You are not me; how could you tell if I don't know whether they are happy or not?" one replied.
It went on and on for several more rounds. Finally, this story ends up in the history book.

I believe we can end up accomplishing more, even if it may not be as glorious.

Because the anti-rootkit is a scanner; it is integrated in the on-demand scanner, not in the on-access shields (like the resident shield, script shield, etc.). It scans when you power up your PC and when you make a scan. Get informed before making assumptions.
I thought lukor said the mal-script DB is already planted somewhere in undetected files and waiting to be called for and then synthesized in memory for the GRAND EVIL SCHEME. So, won't on-demand GMER or on-access Resident Shield find the undetected source files before they get a chance to be used as an arsenal ON THE FLY?
Title: Re: Script Blocker mystery
Post by: dude2 on May 31, 2009, 09:40:35 AM

For your raised two cases:
1. The script is not in the Virus db yet.  -> Start thinking heuristically
2. You have the resident shield disabled.  -> Define how encryption/decryption works and the data flow of all components


After this round of questions and answers, I feel like I must be at the bottom if a popularity contest is held now. Hopefully, at the end truth will forgive our ignorance. NO! MY IGNORANCE.


1. Start thinking and reading again. There is NO heuristics. Only the mail and outlook scanners have it.
2. The resident doesn't decrypt anything; the data flows the same way if you don't have an antivirus in your PC, but it will NOT be scanned for malware.

As lukor said think and use your proclaimed knowledge.


According to this 2009 report - http://www.anti-malware-test.com/?q=node/77, Avast! proactive component was praised for the satisfactory heuristic test result, and it never mentioned about Avast heuristic function only found in mail and outlook scanners.
>>
Products in the dark orange (80-100%) and light orange (60-80%) zones demonstrated excellent and good detection levels of new viruses (aged from 1 to 5 weeks, see methodology).
The majority of them (Avira Antivir Premium, Sophos Anti-Virus, Dr.Web, Kaspersky, Eset Nod32, BitDefender Antivirus, AVG Anti-Virus, Avast Professional Edition and Norton Anti-Virus) attained that level based on the contribution of their proactive component.
<<

Here is a recently discussed topic: "What happened to Avast in the latest AV-Comparatives Pro-active Test"
http://forum.avast.com/index.php?topic=45663.0
with the reference of av-comparatives Proactive Test (May 2009):
http://www.av-comparatives.org/comparativesreviews/main-tests
In av-comparatives tests, the 2009/5 result showed 42% overall heuristic detection rate, garnered a 2% increase compared to the 2008/11 report. I am not even sure if this 42% has ruled out common signatures based detections.

I know Avast used to be heuristic but only limited on mail analysis as shown in this thread:
"AVAST RESIDENT SCANNER is using Heuristic analysis?" http://forum.avast.com/index.php?topic=37044.0
But, has Avast just started employing more heuristic analysis?
See this thread: "PnkBstrB.exe malware infection heuristic method used"
http://forum.avast.com/index.php?topic=43076.0
and this: "Heuristic scanner detects TrustedInstaller.exe as suspicious"
http://forum.avast.com/index.php?topic=39310.0

Where is heuristic component located? In the Resident Shield, Web Shield, or Script Blocker? Or, is it a separate component shared by others?
Title: Re: Script Blocker mystery
Post by: calcu007 on May 31, 2009, 07:11:03 PM
Here is a recently discussed topic: "What happened to Avast in the latest AV-Comparatives Pro-active Test"
http://forum.avast.com/index.php?topic=45663.0
with the reference of av-comparatives Proactive Test (May 2009):
http://www.av-comparatives.org/comparativesreviews/main-tests
In av-comparatives tests, the 2009/5 result showed 42% overall heuristic detection rate, garnered a 2% increase compared to the 2008/11 report. I am not even sure if this 42% has ruled out common signatures based detections.
If you read that topic well, especially posts #14 and #15, you will confirm that Avast does not have heuristics; it uses generic signatures for these proactive detections. That test was made using a 3-month-old database with new viruses.

Quote
I know Avast used to be heuristic but only limited on mail analysis as shown in this thread:
"AVAST RESIDENT SCANNER is using Heuristic analysis?" http://forum.avast.com/index.php?topic=37044.0
But, has Avast just started employing more heuristic analysis?
See this thread: "PnkBstrB.exe malware infection heuristic method used"
http://forum.avast.com/index.php?topic=43076.0
and this: "Heuristic scanner detects TrustedInstaller.exe as suspicious"
http://forum.avast.com/index.php?topic=39310.0

Where is heuristic component located? In the Resident Shield, Web Shield, or Script Blocker? Or, is it a separate component shared by others?

In those topics the poster used the wrong term to explain his problem; there is no heuristic in the resident shield.
As explained in topic http://forum.avast.com/index.php?topic=37044.0 the resident shield only uses signatures for its detections. There is no confirmation whether there will be heuristics in version 5. Only the mail and Outlook shields use heuristics.
Title: Re: Script Blocker mystery
Post by: dude2 on June 03, 2009, 09:50:33 AM
Igor, lukor, and calcu007, correct me if the following synthesized result is wrong.

Avast Home! and PRO provide almost the same level of protection, and both will work when someone loads a bad browser script infected web page from disk cache or from saved local files if Resident Shield is set up properly.

But, as for loading encrypted pages or reassembled pages, it is a different matter. If the web browser engine or a script engine receives its source from (temporary) local file/files, then these files must have been scanned, upon their creation or access, by both Home and PRO before the browser engine or script engine executes the scripts. But if the web content or the script content is synthesized in memory to produce dangerous scripts (even though how it is done is still hazy to me), then there is no way Avast Home can scan and detect it. Thus, Script Blocker, acting like the script engine goalie, assumes the last line of defense to intercept the "in memory" mal-scripts.

With regard to the heuristic analysis, I wonder if there is a way to handle the conflicting reports dialectically. Before I mail my questions to anti-malware-test.com about the accuracy of their report (http://www.anti-malware-test.com/?q=node/77), regarding their casting Avast's proactive protection test result as a 40+% effect of the signature component and a 50+% effect of the heuristic component, may I ask for Igor's or lukor's second opinion? You may work for Avast, but it would help make the case strong if you provide your answers with sources of reference. Maybe anti-malware-test.com simply took "generic signatures", as referred to by calcu007, in a broader sense or even as somewhat heuristic.

Igor, if the email heuristic analysis can work on html format mails, why not port this function to Web Shield or Resident Shield?
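The distinction raised in the post above, between script text scanned as a stored file and script text that only exists once the script engine has run, shown as an added example (not part of any post in this thread and not Avast's code). `scanFile` and `runWithEngineHook` are hypothetical models of an on-access file scanner and of a hook placed at the script engine; the marker string and the sample pages are constructed and harmless.

```javascript
'use strict';

// Constructed, harmless marker standing in for a byte pattern that a
// scanner has a signature for. It is not a real detection string.
const SIGNATURE = 'DEMO-MALSCRIPT-MARKER';

// Constructed sample pages (assumptions for this example only).
const codes = Array.from(SIGNATURE, c => c.charCodeAt(0)).join(',');
const SAMPLES = {
  // The marker is stored literally in the page source.
  plain: `<script>document.write("${SIGNATURE}")</script>`,
  // Same output, but the marker exists only as character codes in the file;
  // the string itself is first assembled in memory when the script runs.
  packed: `<script>document.write(String.fromCharCode(${codes}))</script>`,
  // A page that never produces the marker.
  benign: '<script>document.write("hello")</script>',
};

// Hypothetical on-access file scanner: it sees only the bytes as they sit
// in the browser cache or in a saved file.
function scanFile(bytes) {
  return bytes.includes(SIGNATURE);
}

// Hypothetical script-engine hook: the script runs against an instrumented
// document.write, and every string the script produces at run time is
// checked before it is allowed through.
function runWithEngineHook(page) {
  const script = page.replace(/^<script>|<\/script>$/g, '');
  const verdict = { blocked: false, written: [] };
  const document = {
    write(text) {
      if (String(text).includes(SIGNATURE)) {
        verdict.blocked = true; // stopped at the engine, nothing is written
        return;
      }
      verdict.written.push(String(text));
    },
  };
  // Only the constructed samples above are ever evaluated here.
  new Function('document', script)(document);
  return verdict;
}

// Run both checks over every sample and return one row per page.
function compare(pages) {
  return Object.entries(pages).map(([name, page]) => ({
    name,
    fileScanHit: scanFile(page),
    engineHookHit: runWithEngineHook(page).blocked,
  }));
}

console.table(compare(SAMPLES));
```

The `packed` row is the case the thread keeps circling: the cached file is scanned and passes, while the check at the engine sees the assembled string.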
Title: Re: Script Blocker mystery
Post by: calcu007 on June 04, 2009, 07:42:54 AM

But if the web content or the script content is synthesized in memory to produce dangerous scripts (even though how it is done is still hazy to me), then there is no way Avast Home can scan and detect it. Thus, Script Blocker, acting like the script engine goalie, assumes the last line of defense to intercept the "in memory" mal-scripts.


In all cases the Resident shield will be your last line of defense; the other shields are the first line of defense. In Avast Home the "in memory" mal-scripts will be catch in moment that is written or cached in the hdd, in Pro it is catch in memory by the Script blocker before it is write to the HDD.
Title: Re: Script Blocker mystery
Post by: dude2 on June 04, 2009, 09:09:07 AM
In all cases the Resident shield will be your last line of defense; the other shields are the first line of defense. In Avast Home the "in memory" mal-scripts will be catch in moment that is written or cached in the hdd, in Pro it is catch in memory by the Script blocker before it is write to the HDD.

calcu007, thank you for your continual dedication. Here are the ones to be further investigated with you:

1. Do you agree that if a web browser engine or script host engine is designed to always be fed from locally cached files or saved files, then a properly configured Resident Shield should just be sufficient for mal-scripts detection and prevention? If it is the case, then which web browsers will never be fed directly from memory? If the browser in use sometimes gets fed from memory, do you recommend disabling scripts functions for safety concern unless Script Blocker is in use as well?

2. Even though you said, "In Avast Home the 'in memory' mal-scripts will be catch(caught?) in moment that is written or cached in the hdd, in Pro it is catch(caught?) in memory by the Script blocker before it is write(written?) to the HDD.", could it still be possible that some 'in memory' mal-scripts can still work around Resident Shield's detection and manage to send itself to the script engine for execution to cause damages before anything getting written to hdd? As I said, this 'in memory' attack puzzles me most.
Title: Re: Script Blocker mystery
Post by: calcu007 on June 04, 2009, 08:54:16 PM
In all cases the Resident shield will be your last line of defense; the other shields are the first line of defense. In Avast Home the "in memory" mal-scripts will be catch in moment that is written or cached in the hdd, in Pro it is catch in memory by the Script blocker before it is write to the HDD.

calcu007, thank you for your continual dedication. Here are the ones to be further investigated with you:

1. Do you agree that if a web browser engine or script host engine is designed to always be fed from locally cached files or saved files, then a properly configured Resident Shield should just be sufficient for mal-scripts detection and prevention? If it is the case, then which web browsers will never be fed directly from memory? If the browser in use sometimes gets fed from memory, do you recommend disabling scripts functions for safety concern unless Script Blocker is in use as well?

2. Even though you said, "In Avast Home the 'in memory' mal-scripts will be catch(caught?) in moment that is written or cached in the hdd, in Pro it is catch(caught?) in memory by the Script blocker before it is write(written?) to the HDD.", could it still be possible that some 'in memory' mal-scripts can still work around Resident Shield's detection and manage to send itself to the script engine for execution to cause damages before anything getting written to hdd? As I said, this 'in memory' attack puzzles me most.

1. The web browser is fed from internet files, so you will be protected by the web shield. Well, you can disable scripts to run a safer browser. Also, you can try Firefox with the NoScript add-on.

2. An "in memory" attack (malware) needs to read or write to the HDD to do the damage, so it can be caught by the resident shield.
Title: Re: Script Blocker mystery
Post by: lukor on June 05, 2009, 12:10:08 AM

1. The web browser is fed from internet files, so you will be protected by the web shield. Well, you can disable scripts to run a safer browser. Also, you can try Firefox with the NoScript add-on.

2. An "in memory" attack (malware) needs to read or write to the HDD to do the damage, so it can be caught by the resident shield.

ad 2) - can not agree with this one either, see SQL Slammer sample, this worm has done a lot of damage, yet has never been written to the disk.

http://en.wikipedia.org/wiki/SQL_slammer_(computer_worm)

(today SQL Slammer is caught by Network Shield)
Title: Re: Script Blocker mystery
Post by: dude2 on June 06, 2009, 06:15:41 AM
1. The web browser is fed from internet files, so you will be protected by the web shield. Well, you can disable scripts to run a safer browser. Also, you can try Firefox with the NoScript add-on.

2. An "in memory" attack (malware) needs to read or write to the HDD to do the damage, so it can be caught by the resident shield.
Web pages DO get fed from internet, but aren't they supposed to be downloaded into [temporary internet files] per browser's GET REQUEST command? If the included javascript file can only be counted as received correctly when browser sends back an OK status code per HTTP protocol to indicate the file has been received correctly, then how can scripts do damage directly in memory without being detected by Resident Shield upon its creation(reception) or accessing(loading into memory) in the [temporary internet files] directory?

ad 2) - can not agree with this one either, see SQL Slammer sample, this worm has done a lot of damage, yet has never been written to the disk.

http://en.wikipedia.org/wiki/SQL_slammer_(computer_worm)

(today SQL Slammer is caught by Network Shield)
From that page, I see no bearing on the subject. Could you extract the relevant part of your reference and show us?
Title: Re: Script Blocker mystery
Post by: calcu007 on June 06, 2009, 07:42:59 AM
You can do a search in Wikipedia and search for SQL Slammer worm

http://en.wikipedia.org/wiki/SQL_slammer_%28computer_worm%29

"Home PCs are generally not vulnerable to this worm unless they have MSDE installed. The worm is so small that it does not contain code to write itself to disk, so it only stays in memory, and it is easy to remove. For example, Symantec provides a free removal utility (see external link below), or it can even be removed by restarting SQL Server (although the machine would likely be immediately reinfected)."
Title: Re: Script Blocker mystery
Post by: dude2 on June 06, 2009, 09:27:10 AM
You can do a search in Wikipedia and search for SQL Slammer worm

http://en.wikipedia.org/wiki/SQL_slammer_%28computer_worm%29

"Home PCs are generally not vulnerable to this worm unless they have MSDE installed. The worm is so small that it does not contain code to write itself to disk, so it only stays in memory, and it is easy to remove. For example, Symantec provides a free removal utility (see external link below), or it can even be removed by restarting SQL Server (although the machine would likely be immediately reinfected)."

You are right, most home PCs shouldn't be affected. Generally, computer worm propagates itself and sends the replicated file through the network to infect other computers. Therefore, this specific worm seems unique.

How about "scripts handling" in my previous post Reply #102(http://forum.avast.com/index.php?topic=45438.msg384865#msg384865)? Wouldn't that be the focus of Script Blocker?
...javascript file can only be counted as received correctly when browser sends back an OK status code per HTTP protocol to indicate the file has been received correctly.
Title: Re: Script Blocker mystery
Post by: mkis on June 06, 2009, 10:16:57 AM
Are you still here?
Title: Re: Script Blocker mystery
Post by: YoKenny on June 06, 2009, 12:07:55 PM
Are you still here?
Yes, unfortunately:
http://www.bjacked.net/LuvToHunt/forums/phpBB2/modules/gallery/albums/album01/Beat_Dead_Horse.jpg
Title: Re: Script Blocker mystery
Post by: lukor on June 06, 2009, 01:53:01 PM
How about "scripts handling" in my previous post Reply #102(http://forum.avast.com/index.php?topic=45438.msg384865#msg384865)? Wouldn't that be the focus of Script Blocker?
...javascript file can only be counted as received correctly when browser sends back an OK status code per HTTP protocol to indicate the file has been received correctly.

I don't see any point reading this thread further.

Edit: "when browser sends back an OK status code per HTTP"   ;D this certainly does not happen
Title: Re: Script Blocker mystery
Post by: dude2 on June 06, 2009, 05:00:36 PM
How about "scripts handling" in my previous post Reply #102(http://forum.avast.com/index.php?topic=45438.msg384865#msg384865)? Wouldn't that be the focus of Script Blocker?
...javascript file can only be counted as received correctly when browser sends back an OK status code per HTTP protocol to indicate the file has been received correctly.

I don't see any point reading this thread further.

Edit: "when browser sends back an OK status code per HTTP"   ;D this certainly does not happen

Try this: http://samsclass.info/100/projects/Ethereal_HTTP_Status.doc
Title: Re: Script Blocker mystery
Post by: YoKenny on June 06, 2009, 06:43:25 PM
Try this: http://samsclass.info/100/projects/Ethereal_HTTP_Status.doc

That's from 4-24-06 which is about as relevant today as the fear that a dinosaur will come to my cave and eat me and my loved ones:
http://74.52.59.146/~amk/invitations/dinosaur-printable-invitation.jpg

Title: Re: Script Blocker mystery
Post by: calcu007 on June 06, 2009, 08:53:20 PM
You can do a search in Wikipedia and search for SQL Slammer worm

http://en.wikipedia.org/wiki/SQL_slammer_%28computer_worm%29

"Home PCs are generally not vulnerable to this worm unless they have MSDE installed. The worm is so small that it does not contain code to write itself to disk, so it only stays in memory, and it is easy to remove. For example, Symantec provides a free removal utility (see external link below), or it can even be removed by restarting SQL Server (although the machine would likely be immediately reinfected)."

You are right, most home PCs shouldn't be affected. Generally, computer worm propagates itself and sends the replicated file through the network to infect other computers. Therefore, this specific worm seems unique.

How about "scripts handling" in my previous post Reply #102(http://forum.avast.com/index.php?topic=45438.msg384865#msg384865)? Wouldn't that be the focus of Script Blocker?
...javascript file can only be counted as received correctly when browser sends back an OK status code per HTTP protocol to indicate the file has been received correctly.

The temporary internet files folder is created on the HDD, not in memory. If it were created in memory, your PC would slow down because of the files cached in memory. So again it will be caught by the resident shield.
Title: Re: Script Blocker mystery
Post by: calcu007 on June 06, 2009, 08:57:26 PM
How about "scripts handling" in my previous post Reply #102(http://forum.avast.com/index.php?topic=45438.msg384865#msg384865)? Wouldn't that be the focus of Script Blocker?
...javascript file can only be counted as received correctly when browser sends back an OK status code per HTTP protocol to indicate the file has been received correctly.

I don't see any point reading this thread further.

Edit: "when browser sends back an OK status code per HTTP"   ;D this certainly does not happen

Try this: http://samsclass.info/100/projects/Ethereal_HTTP_Status.doc

Do you think that you know more than the experts? When Lukor said that it does not happen, it is so. Don't continue with the same discussion; as he said, there is no point reading this thread, so you will not receive more replies from me.
Title: Re: Script Blocker mystery
Post by: dude2 on June 07, 2009, 02:29:38 AM
I don't see any point reading this thread further.
Edit: "when browser sends back an OK status code per HTTP"   ;D this certainly does not happen
Do you think that you know more than the experts? When Lukor said that it does not happen, it is so. Don't continue with the same discussion; as he said, there is no point reading this thread, so you will not receive more replies from me.
How HTTP status code works to reflect its delivery status is another can of worms that may need to be handled separately in another thread to avoid this thread from getting further intertwined.

It seems no more valuable input from calcu007 and lukor will be provided. Nevertheless, let me sum up what has not been clarified to me. Thus, those who have the answers or want to investigate further may pitch in.

Resident Shield will scan all files on HDD upon their creation or accessing if it is properly configured. If all web pages need to be downloaded to [temporary internet files] directory(or compared with cached version) per GET REQUEST command when reading a web page, then Resident Shield should be able to scan bad browser scripts in [temporary internet files] directory. The reason Web Shield or Script Blocker is needed I guess could be file access control or data flow related. For example, if Resident Shield is neither locking the scanned files during the on-access scanning nor located upstream to intercept the infected page content before it gets delivered to the browser handler, then Resident Shield may be able to detect the bad scripts but still unable to stop the damage in time.

But, if the above assumption holds true, wouldn't Resident Shield also fail to protect users from bad scripts when they are reading locally cached or saved web pages?
Title: Re: Script Blocker mystery
Post by: DavidR on June 07, 2009, 02:35:42 AM
Sorry, but this thread is effectively dead; nothing new is being covered, all the answers given by the developers of avast and other avast users are basically discounted by you, and you keep repeating the same question worded slightly differently.

So it could get quite lonely in this topic.
Title: Re: Script Blocker mystery
Post by: dude2 on June 07, 2009, 03:07:49 AM
Sorry, but this thread is effectively dead; nothing new is being covered, all the answers given by the developers of avast and other avast users are basically discounted by you, and you keep repeating the same question worded slightly differently.

So it could get quite lonely in this topic.
To question experts who help you is not a smart move; to challenge authority is even worse. But, if it is the price for getting closer to the truth, then some moves have to be made regardless how painful it is or how lonely you may end up with.
Title: Re: Script Blocker mystery
Post by: dude2 on June 10, 2009, 07:53:54 PM
Got something to add to my own Reply#112.
I tested the functions of the On-Access Standard Shield protection:

Here are the test results:
================
1. Standard resident shield DOES scan both online(or locally cached) and locally saved web pages
Avast! Home scanned locally saved web pages as well as online pages on "High"(or "Custom" for all file types instead of defaults) settings w/wo Web Shield started.
As I stated before, it scans all temporary internet files which are either freshly downloaded from the web or reloaded from the local directory if not expired.

2. Standard resident shield DID carry out script blocking on certain operations as I had set up so.
Avast! Home successfully blocked my test scripts, not Javascripts though, to create files(open for writing) or to delete files as I had specified in the "Blocked Operations" in [Blocker] tab.
When I disabled certain script blocking functions such as Open-file-for-writing or Deleting-file, my test scripts then had the latitude.

Yet, I haven't found a way to test the extra layers of protection provided by Avast! Home's Web Shield or Avast! PRO Script Blocker.
More explicitly, I still don't know the functional difference w/wo Script Blocker other than the possible counter-measures against the memory-bound MSDE SQL slammer. For now I don't even have MSDE on hand to worry about or to test with though. If someone can show me other differences from the spec, I might try to download and test out Avast! PRO.

I wonder if this thread will ever reach a conclusion dialectically or empirically to solve the mystery.
Title: Re: Script Blocker mystery
Post by: Marc57 on June 10, 2009, 08:08:15 PM
Sorry, but this thread is effectively dead; nothing new is being covered, all the answers given by the developers of avast and other avast users are basically discounted by you, and you keep repeating the same question worded slightly differently.

So it could get quite lonely in this topic.

As David said:

(http://img.photobucket.com/albums/v323/marc57/deadhorse.gif)
Title: Re: Script Blocker mystery
Post by: YoKenny on June 10, 2009, 10:37:29 PM
Sorry, but this thread is effectively dead; nothing new is being covered, all the answers given by the developers of avast and other avast users are basically discounted by you, and you keep repeating the same question worded slightly differently.

So it could get quite lonely in this topic.

As David said:

(http://img.photobucket.com/albums/v323/marc57/deadhorse.gif)
We need a poll:
Who is dumber Donovansrb10 or dude2?

Maybe they could star in Dumb & Dumber II?
Title: Re: Script Blocker mystery
Post by: dude2 on June 11, 2009, 01:47:43 AM
A beaten dead horse many times is buried along with a mystery and served like a spell to scare people away. If this trick is openly sponsored by forum moderators, I am afraid the forum itself may become the dead horse surrounded by pinata players. Therefore, I do not like the dead horse slogan. I am just trying to solve this mystery dialectically or empirically. I thought that is what this forum is all about.

Can we get over with this dead horse thing? After my test results are posted, some of my questions are very much alive. Doesn't matter if the mystery itself one day will come to a conclusion, let's handle this without prejudice.
Title: Re: Script Blocker mystery
Post by: Mike Buxton on June 11, 2009, 03:21:52 AM
Hi dude,

Igor and Lukor are busy with critical work for the good of all Avast users. They have devoted considerable time and effort in considering your questions (as have others).

The debate must have held some interest to have continued so long and in such detail; however it is now, I believe, the almost unanimous opinion that this thread should be "physically" closed.

My regards

Title: Re: Script Blocker mystery
Post by: dude2 on June 11, 2009, 03:53:46 AM
Hi dude,

Igor and Lukor are busy with critical work for the good of all Avast users. They have devoted considerable time and effort in considering your questions (as have others).

The debate must have held some interest to have continued so long and in such detail; however it is now, I believe, the almost unanimous opinion that this thread should be "physically" closed.

My regards
Hi Mike,

As an Avast! Home user myself, I don't know how to slight the importance of this set of questions as stated in Reply#115(http://forum.avast.com/index.php?topic=45438.msg386059#msg386059), to understand the functions of Web Shield and the role of Avast! PRO's Script Blocker. If this mystery is so fundamental, shouldn't this be taken care of seriously if not timely due to workload?

regards,

Dan
Title: Re: Script Blocker mystery
Post by: calcu007 on June 11, 2009, 06:38:56 AM
Can we get over with this dead horse thing? After my test results are posted, some of my questions are very much alive. Doesn't matter if the mystery itself one day will come to a conclusion, let's handle this without prejudice.

There is no mystery, only the one you create in your mind; your questions have been answered lots of times and you continue asking the same questions in different ways.
Title: Re: Script Blocker mystery
Post by: dude2 on June 11, 2009, 07:00:07 AM
I haven't found a way to test the extra layers of protection provided by Avast! Home's Web Shield or Avast! PRO Script Blocker.

If anyone has already answered this question, please show me the reply#.
Title: Re: Script Blocker mystery
Post by: dude2 on June 12, 2009, 07:55:07 AM
With that many negative comments on my questions, at one time I thought I might have overlooked the already provided answers. But, now it seems that no one can provide a Reply#, in which my questions are answered:
"I can hardly evaluate the risk of not having Script Blocker and simply using Avast Home 4.8."
, or:
"I haven't found a way to test the extra layers of protection provided by Avast! Home's Web Shield or Avast! PRO Script Blocker."

I agree this question has been asked many times in different ways, but no answer yet has cleared the doubt EMPIRICALLY. Some answers even contradicted one another. Still, all your help is appreciated, especially that from Igor, calcu007, and lukor. But I do not consider this mystery resolved. As to those despicable and baseless personal attacks, I hope all charges come with proof, with strengthened and unbiased moderation in place in the future.