Avast WEBforum

Consumer Products => Avast Free Antivirus / Premium Security (legacy Pro Antivirus, Internet Security, Premier) => Topic started by: Sutieday on May 21, 2009, 05:30:28 AM

Title: Avast Script Blocker
Post by: Sutieday on May 21, 2009, 05:30:28 AM
Why is Script Blocker not included in all products? Doesn't Avast know that most drive-by downloads are from script viruses? Proved at www.remove-malware.com
Title: Re: Avast Script Blocker
Post by: igor on May 21, 2009, 08:54:58 AM
Erm.... there has to be some difference between the free and paid-for product, right?
Title: Re: Avast Script Blocker
Post by: RejZoR on May 21, 2009, 09:04:31 AM
Quote
Why is Script Blocker not included in all products? Doesn't Avast know that most drive-by downloads are from script viruses? Proved at www.remove-malware.com

I'm not sure what Remove Malware proved (to be honest, he's not exactly conducting scientific tests), but script malware is clearly not the dominating form of malware, not even in drive-by downloads. Iframes and redirection scripts, but they aren't malicious by themselves.
The payload is what's malicious, and that's usually in the form of a Win32 binary (EXE file). Either a trojan/backdoor or a fake AV.
Title: Re: Avast Script Blocker
Post by: dude2 on May 21, 2009, 05:37:26 PM
Quote
Why is Script Blocker not included in all products? Doesn't Avast know that most drive-by downloads are from script viruses? Proved at www.remove-malware.com

If you read this: http://www.dslreports.com/forum/r21926093-Blocking-Scripts-with-ScriptSentry-ScriptDefender~start=20
you will find that the drive-by attack was not that efficient in his tests. The definition of "Script" is the crux of the whole thing. Depending on whether your target is local script files (VBS, HTA, etc.) or browser scripts (JavaScript, ActiveX), they will have different implications. But, it seems Avast is not ready to elaborate on that.
Title: Re: Avast Script Blocker
Post by: Lisandro on May 21, 2009, 05:46:01 PM
Quote
But, it seems Avast is not ready to elaborate on that.

I think you're underestimating the Script Blocker and, especially, the whole functions of avast protection.
Title: Re: Avast Script Blocker
Post by: igor on May 21, 2009, 05:49:38 PM
If we're talking about IE, then "script" is anything IE sends into the scripting engine. So certainly VBscript and JavaScript, and certainly not ActiveX.
Title: Re: Avast Script Blocker
Post by: dude2 on May 21, 2009, 07:04:57 PM
Quote
If we're talking about IE, then "script" is anything IE sends into the scripting engine. So certainly VBscript and JavaScript, and certainly not ActiveX.

But, won't those mostly-executed-by-Browser's IE scripts' capability be much more restrained than locally initiated VB script files? I wonder how many types of IE scripts may need Script Blocker's intervention when those IE scripts lost the rein and Web Shield cannot help either. If Web Shield cannot stop recognized mal-JavaScript or other IE scripts but only Script Blocker can, then wouldn't Avast Home users need an immediate upgrade to PRO or find an alternative for the Script Blocking function?

Welcome to comment on my research of alternatives for the Script Blocking function:
http://forum.avast.com/index.php?topic=45438.msg380955#msg380955
Title: Re: Avast Script Blocker
Post by: igor on May 21, 2009, 08:48:53 PM
I'm afraid I give up... really don't know what you want to hear or ask about.
Title: Re: Avast Script Blocker
Post by: calcu007 on May 22, 2009, 01:50:52 AM
Quote
t help either. If Web Shield cannot stop recognized mal-JavaScript or other IE scripts but only Script Blocker can, then wouldn't Avast Home users need an immediate upgrade to PRO or find an alternative for the Script Blocking function?

Welcome to comment on my research of alternatives for the Script Blocking function:
http://forum.avast.com/index.php?topic=45438.msg380955#msg380955

What part don't you understand? If the script is a BAD-javascript or whatever script and it is in the signatures database, then it will be caught by WebShield (if you are browsing). If it is not detected by Webshield, then it is not in the virus database and will not be detected by Script Blocker. I am talking about IE scripts.
Title: Re: Avast Script Blocker
Post by: mkis on May 22, 2009, 03:38:31 AM
I've been trialling Avast Pro on one computer, and I like the script blocker function.

All other computers run Avast Home. I have USB wireless modem, only work single computer at a time, no network, so run standalone computers, different internet at different times, all have same web connect, and basically same desktop platform (XP Home or Pro), same exposure and protections, resident Avast shield at startup, add range of anti-malware when want / need, don't go there when warned not to, and no worthwhile false positives to talk about since last year.

No bottom-line difference between Avast Home and Pro to date.

But this may depend on the nature of your workload. If you are professional IT environment, then preferable to work with Pro, which is designed for more technical types (record and research and retrieve or reset exposure and protections). Some IT won't load Avast Home only because they need be protected from adverse user behaviour, so Pro with after-sales service is good option for them. But yet to find one that says Avast Home is any lesser effective.

My rule is for home user who is worried about whether their workload means too big exposure for Home to cover, then they should go Pro. Also, if they can afford Pro, then go Pro. That said, my workload and exposure is big and yet I find Avast Home ideal. Granted I also protect against host file intrusion and protect against spyware and the like. All the protections I use can be found in Avast forum.

By running Avast Home I can keep abreast of what picture my people see on their screen and understand what problem they are talking about. Some know Avast, others can barely use MSWord, one only uses the web to bet electronically on the horse races. None of them get viruses anymore, not since they brought their infected PCs around to be fixed. I believe I have had a few brushes with malware, that might have led to infection, but then you would expect that with my exposure.

Trial time is up soon, and I might buy Pro this time around. Since there is work being lined up which may require more depth IT monitor and maintain. With larger external party, extra conditions to consider.

But otherwise, Avast Home seems adequate for computer user.
   
Title: Re: Avast Script Blocker
Post by: dude2 on May 22, 2009, 04:33:04 AM
Quote
I'm afraid I give up... really don't know what you want to hear or ask about.
Quote
What part don't you understand? If the script is a BAD-javascript or whatever script and it is in the signatures database, then it will be caught by WebShield (if you are browsing). If it is not detected by Webshield, then it is not in the virus database and will not be detected by Script Blocker. I am talking about IE scripts.

See it for yourself:
http://www.avast.com/eng/avast-4-professional-antivirus-antispyware.html
It said,
>>
The resident protection of the Professional Edition includes an additional module, not contained in the Home Edition, called Script Blocker. This module watches all scripts being executed in the operating system (so-called WSH scripts - Windows Scripting Host), and scans all the scripts run as a part of a web page within your web browser (Internet Explorer, Netscape Navigator and Mozilla).
<<

WSH scripts (e.g., VBScript) are clear to everyone as Script Blocker's targets. But which browser scripts (e.g., advanced JavaScript) can only be scanned and detected by Script Blocker but not by the ordinary Web Shield is part of the mystery.

For WSH scripts protection, does anyone have a comment on Script Blocker alternatives for those Avast! Home users as the second best choice? http://forum.avast.com/index.php?topic=45438.msg380955#msg380955
Title: Re: Avast Script Blocker
Post by: RejZoR on May 22, 2009, 06:50:36 AM
To be honest, you're complicating way too much around Script Blocker provider. It's there, it's designed to check scripts and that's it.
Title: Re: Avast Script Blocker
Post by: Mr.Agent on May 22, 2009, 12:52:33 PM
Script Blocker with PUSH Update is already a big update with the other that included on Pro.
Title: Re: Avast Script Blocker
Post by: mkis on May 22, 2009, 05:35:50 PM
Silly. Silly. Forgot to mention about media access point - USB plugin is not able to carry malware.   :)
Title: Re: Avast Script Blocker
Post by: calcu007 on May 22, 2009, 07:53:33 PM

Quote
WSH scripts (e.g., VBScript) are clear to everyone as Script Blocker's targets. But which browser scripts (e.g., advanced JavaScript) can only be scanned and detected by Script Blocker but not by the ordinary Web Shield is part of the mystery.

For WSH scripts protection, does anyone have a comment on Script Blocker alternatives for those Avast! Home users as the second best choice? http://forum.avast.com/index.php?topic=45438.msg380955#msg380955

It is not a mystery. Script Blocker scans EVERYYYYYYYYYYYYY browser scripts and WSH scripts. The Webshield scans the javascript and any script that passes through your browser. If the script is in your computer already, then it is scanned by Script Blocker, because the Webshield scans http traffic ONLY. What part don't you understand? Do you need a map?

READ AGAIN EVERY RESPONSE THAT YOU RECEIVED.
Title: Re: Avast Script Blocker
Post by: dude2 on May 23, 2009, 12:53:04 AM
Quote
It is not a mystery. Script Blocker scans EVERYYYYYYYYYYYYY browser scripts and WSH scripts. The Webshield scans the javascript and any script that passes through your browser. If the script is in your computer already, then it is scanned by Script Blocker, because the Webshield scans http traffic ONLY. What part don't you understand? Do you need a map?

READ AGAIN EVERY RESPONSE THAT YOU RECEIVED.

Read this for the explanations regarding the function of Script Blocker I received from Avast Tech Support by mail.
http://forum.avast.com/index.php?topic=45438.msg380729#msg380729

If anyone has explained with a source of reference that Script Blocker simply acts as Web Shield (with some minor differences) + WSH shield, then I would not repeatedly point to the same mystery. Igor's advice in http://forum.avast.com/index.php?topic=45438.msg380636#msg380636 explained the minor differences, except the not-so-palpable encryption/decryption parts, but it went without source of reference. Plus, are you aware of any instance where damage is done by JavaScripts or other browser scripts when someone loads an infected web page from disk with only Web Shield protection turned on?

Nevertheless, I still want to know what Avast Home users can do to somewhat mitigate the WSH vulnerability before they get a chance to upgrade to PRO for full protection. Any comment on my proposed alternatives in http://forum.avast.com/index.php?topic=45438.msg380955#msg380955 from you?
Title: Re: Avast Script Blocker
Post by: igor on May 23, 2009, 01:25:20 AM
Quote
If anyone has explained with a source of reference that Script Blocker simply acts as Web Shield (with some minor differences) + WSH shield, then I would not repeatedly point to the same mystery.

Well, if by "acts as" you mean "scans for viruses", then yes. Otherwise, Script Blocker and Web Shield have (technically) nothing in common, they work in a completely different way (regarding the way they get their data; yes, the final virus scanner is the same again).
Title: Re: Avast Script Blocker
Post by: mkis on May 23, 2009, 03:27:34 AM
Avast alerts on url - Hxxp://www.georgedillon.com/freeware/scriptsentry.shtml

Second link down on page Google search - 'script sentry'

-----------------------------------------------------------------------------------------

I have secured 4 instances of alert in the virus chest.
Event viewer reads:

Sign of "Win32:Tipa [Cryp]" has been found in "C:\Documents and Settings\bytebyte\Local Settings\Temporary Internet Files\Content.IE5\T5IEBT4K\getfile-090213-dns[1].gif\[UPX]" file.  

Sign of "Win32:Tipa [Cryp]" has been found in "C:\Documents and Settings\bytebyte\Local Settings\Temporary Internet Files\Content.IE5\K7S95TWQ\getfile-090213-dns[1].gif\[UPX]" file.  

Sign of "Win32:Tipa [Cryp]" has been found in "C:\Documents and Settings\bytebyte\Local Settings\Temporary Internet Files\Content.IE5\T5IEBT4K\getfile-090213-dns[1].gif\[UPX]" file.  

Sign of "Win32:Tipa [Cryp]" has been found in "C:\Documents and Settings\bytebyte\Local Settings\Temporary Internet Files\Content.IE5\K7S95TWQ\getfile-090213-dns[1].gif\[UPX]" file.  
 

First analysis from virustotal

MD5:   6e139b35a2a2803cf7d93f9607e7586b
First received:   2009.05.23 00:50:17 UTC
Date:   2009.05.23 00:50:17 UTC [<1D]
Results:   0/40
Permalink:   analisis/945ea3afff21067d5d0d4ade8c5460d583e0ed87a379accf218f0b42a0afa30a-1243039817

So I don't know as I'm not an expert.
Have emailed the instances to Alwil as potential malware anyway.

I'll secure my PC first then I'll return to virustotal and Avast forum.
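
An added example, not part of the original post: a small Python triage script for alert lines in the format quoted above. It collapses repeated alerts and flags a cached file whose image extension carries a packer layer; the sample lines are constructed, and reading the trailing "\[UPX]" as an unpacked UPX layer is an assumption, as are the extension and packer lists.

```python
import re
from collections import Counter
from pathlib import PureWindowsPath

# Alert format as quoted in the post's event-viewer excerpt.
ALERT_RE = re.compile(r'Sign of "(?P<sig>[^"]+)" has been found in "(?P<target>[^"]+)" file\.')
LAYER_RE = re.compile(r'\\\[([^\]\\]+)\]$')   # trailing "\[NAME]" component

# Assumptions for this example, not vendor documentation:
PASSIVE_EXTENSIONS = {".gif", ".jpg", ".jpeg", ".png", ".bmp"}  # should hold no code
PACKER_LAYERS = {"UPX"}                                        # executable packers

def parse_alert(line):
    """Parse one alert line into a dict, or return None for any other line."""
    m = ALERT_RE.search(line)
    if not m:
        return None
    target, layers = m.group("target"), []
    # Peel "\[NAME]" suffixes: they name layers inside the file, not folders.
    while (lm := LAYER_RE.search(target)):
        layers.insert(0, lm.group(1))
        target = target[:lm.start()]
    path = PureWindowsPath(target)
    return {
        "signature": m.group("sig"),
        "path": str(path),
        "extension": path.suffix.lower(),
        "layers": layers,
        "in_browser_cache": "temporary internet files" in target.lower(),
    }

def triage(lines):
    """Collapse duplicate alerts and flag image-named files holding packed code."""
    alerts = [a for a in map(parse_alert, lines) if a]
    hits = Counter(a["path"].lower() for a in alerts)
    findings = {}
    for a in alerts:
        key = a["path"].lower()          # Windows paths are case-insensitive
        if key in findings:
            continue
        disguised = (a["extension"] in PASSIVE_EXTENSIONS
                     and any(layer in PACKER_LAYERS for layer in a["layers"]))
        findings[key] = {**a, "hits": hits[key], "disguised_executable": disguised}
    return list(findings.values())

# Constructed sample lines in the same format (user and cache folder names are made up).
CACHE = r"C:\Documents and Settings\user\Local Settings\Temporary Internet Files\Content.IE5"
ALERT = 'Sign of "Win32:Tipa [Cryp]" has been found in "{}" file.'
SAMPLE = [
    ALERT.format(CACHE + r"\AAAA1111\getfile-090213-dns[1].gif\[UPX]"),
    ALERT.format(CACHE + r"\BBBB2222\getfile-090213-dns[1].gif\[UPX]"),
    ALERT.format(CACHE + r"\AAAA1111\getfile-090213-dns[1].gif\[UPX]"),
    ALERT.format(CACHE + r"\BBBB2222\getfile-090213-dns[1].gif\[UPX]"),
    "Resident protection started.",   # non-alert line, ignored
]

if __name__ == "__main__":
    for f in triage(SAMPLE):
        print(f["hits"], f["signature"], f["path"], f["layers"], f["disguised_executable"])
```

Four alert lines reduce to two distinct files, each seen twice, which matches the pattern in the post: the same two cache copies were reported on two occasions.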
Title: Re: Avast Script Blocker
Post by: mkis on May 23, 2009, 03:39:23 AM
False positives?

Alerts perhaps triggered by some of George Dillon's examples of malware?
Title: Re: Avast Script Blocker
Post by: DavidR on May 23, 2009, 03:48:26 AM
Well, with Firefox I didn't get an alert on that page (hXXp://www.georgedillon.com/freeware/scriptsentry.shtml), however WOT doesn't like that site either, see http://www.mywot.com/en/scorecard/georgedillon.com.
Title: Re: Avast Script Blocker
Post by: mkis on May 23, 2009, 05:27:48 AM
Thanks for response DavidR.

Yes, I noted comment by varnk. And WOT - site appears to have poor reputation.

I don't usually go through reporting process - in fact first time. So should be a learning experience. I think time for me to start working out a routine for these kinds of things.

I have to go out for a while to do a few things. So I will come back online later and pick up from there.
I'm currently on a different computer. but my PC seems fine.

Also, first time I will retain files in chest. Normally I would have prob deleted by now.



Title: Re: Avast Script Blocker
Post by: mkis on May 23, 2009, 08:57:41 PM
I returned to url - hxxp://www.georgedillon.com/freeware/scriptsentry.shtml

No alerts - secured page then looked through source code - nothing untoward but then I'm not an expert, just seems messy, so prob simple to hijack (no, I didn't try). Seems contain lots of references to malware so maybe something triggered there. George Dillon disassociates himself, but page still there. My post immediately took reference getfile-090213-dns[1].gif to top on Google search, so perhaps some changes were subsequently made to page. The two entries below mine in Google search are mentioned below (Avira AntiVir and Kaspersky).

(See .gif image attached below)

Still messy, unsafe page - http://forum.avast.com/index.php?topic=45472.msg381353#msg381353

There are a couple of entries for "Win32:Tipa [Cryp]" with "C:\Documents and Settings\xxxx\Local Settings\Temporary Internet Files\Content.IE5\xxxx\getfile-090213-dns[1].gif\[UPX]" file. A warning from Avira AntiVir - executable file, quarantined - and Kaspersky reported a trojan downloader. An earlier Malwarebytes scan had not registered an alert.

Win32:Tipa [Cryp] - indicates a trojan downloader (from what I can gather). This is what F-Secure says about these downloaders - http://www.virus.fi/v-descs/trojdown.shtml

Quote
Trojan Downloader (generic description)

Trojan downloader is usually a standalone program that attempts to hiddenly download and run other files from remote web and ftp sites. Usually trojan downloaders download different trojans and backdoors and activate them on an affected system without user's approval. Trojan downloader, when run, usually installs itself to system and waits until Internet connection becomes available. After that it attempts to connect to a web or ftp site, download specific file or files and run them.



There is not a lot more that I can do now except wait for Avast. I have given the computer a good clean out and will keep running a few checks on Registry to see if there were any associated entries. But seems like Avast Home did what it was supposed to.



Title: Re: Avast Script Blocker
Post by: mkis on May 25, 2009, 01:15:56 AM
First things first. I could afford to lose this PC. It holds a copy of music archive that generates auto playlists to stream constant music in house when I want. Just happens to be in a warm part of house in cold Auckland winter, so I happened to be using it to surf web instead of usual web PC (at reception). But never nice to lose anything, so I should have been more careful. I have learned a few things.

At the time I went to web page link and clicked without first securing page - better to 'Save target as'...then scan target html copy saved to my HDD would have been good option, or perhaps just trying to scan link first.

This is what I think happened. I click Google search link for page, Avast Home 'Abort connection' alert comes up, but I hit to kill page (X at top right corner of page) instead of 'Abort connection' - don't ask me why, I guess I in the mood, PC not my regular. And page does not kill. Instead Avast 'Save to chest' alert comes up on top of 'Abort connection' alert. So now I have to save a download to virus chest, followed by three more before I can finally out of connection kill page. These downloads are inject of malware (so I gather).

So what happen. By hit on page to kill it rather than hit Avast 'Abort connection' I have effectively said okay you allowed to download your malware onto my HDD. (I would say many protects like Defender and like have to comply with this okay, so malware is through). SO MALWARE IS THROUGH.

Obviously Avast Home then stepped in with okay you through but you still not permitted on HDD unless you pass through next check which enables user to quarantine you in chest. And this is what happen. The malware was secured in the virus chest and sent off to/picked up by Avast as 'potential malware' and also checked through Virustotal and on Google search.

Now one important question here - would Avast Pro 'Script Blocker' have disallowed the download, stop inject of malware to HDD, and simply left user to 'Abort connection' to alerted page?

Next important - was downloader malware instances actually on HDD and try outbound to connect with page? I don't think so, unless they arrived the day before. More likely they were loaded onto web page the day before - drive-by loading of virus on insecure web page.

Most important resident Avast Home did everything A1 :D  - even with user faulty practice.


These downloaders Win32:Tipa [Cryp] are not accorded a high danger rating by AV agencies. Virustotal did not raise one query on any of the four instances. But you cannot let them inject. Maybe next time more lethal brew malware. And it's not nice to lose any PC. I'm using the (dis)infected PC now and a music playlist is running.  8)
I've checked the HDD for inject of any associate entries and I'll keep running tests.