Author Topic: Script Blocker mystery  (Read 63360 times)

YoKenny

  • Guest
Re: Script Blocker mystery
« Reply #60 on: May 29, 2009, 03:18:11 AM »
Quote
the best free always-on protection that would complement Avast!
Malwarebytes' Anti-Malware (MBAM):
http://www.malwarebytes.org/mbam.php
One time upgrade fee for always-on protection $25US I believe.

Web of Trust (WoT)
Quote
Free Internet Security
 WOT warns you about risky websites
http://www.mywot.com
« Last Edit: May 29, 2009, 03:23:49 AM by YoKenny »

PRG

  • Guest
Re: Script Blocker mystery
« Reply #61 on: May 29, 2009, 03:40:25 AM »
Does WOT use up bandwidth looking things up all the time like LinkScanner, or might it consult a "local" database?

What part of MBAM do you feel best complements Avast?  Differing databases, differing focus, differing scanning methods?

Offline DavidR

  • Avast Überevangelist
  • Certainly Bot
  • *****
  • Posts: 86543
  • No support PMs thanks
Re: Script Blocker mystery
« Reply #62 on: May 29, 2009, 03:03:54 PM »
WOT is the only thing I use (though it is far from perfect and I wouldn't take everything at face value), being on dial-up the others affect bandwidth and I don't have much of that to start with.
Windows 10 Home 64bit/ Acer Aspire F15/ Intel Core i5 7200U 2.5GHz, 8GB DDR4 memory, 256GB SSD, 1TB HDD/ avast! free 22.2.6003 (build 22.2.7013.717) UI 1.0.697/ Firefox, uBlock Origin, uMatrix/ MailWasher Pro/ Avast! Mobile Security

gwilym

  • Guest
Re: Script Blocker mystery
« Reply #63 on: May 29, 2009, 05:26:49 PM »
David, couldn't help noticing the 22' steerables and ram air canopy on your profile, Oxford too, PTS by any chance?

Offline DavidR

  • Avast Überevangelist
  • Certainly Bot
  • *****
  • Posts: 86543
  • No support PMs thanks
Re: Script Blocker mystery
« Reply #64 on: May 29, 2009, 06:25:47 PM »
No not PTS, 3 Para originally (the Pegasus bit of the avatar) and other Units, did a lot of skydiving and Weekend Instruction at RAF WOTG, left the Army and settled in the area.

One of the staff at WOTG was called Gwilym ?

YoKenny

  • Guest
Re: Script Blocker mystery
« Reply #65 on: May 29, 2009, 08:15:33 PM »
Quote
Does WOT use up bandwidth looking things up all the time like LinkScanner, or might it consult a "local" database?
Not that I notice but that would be a good question for their forum:
http://www.mywot.com/en/forum <== it uses Drupal that is like a blog format

Quote
What part of MBAM do you feel best complements Avast?  Differing databases, differing focus, differing scanning methods?
There are 2 parts to MBAM: one is Free, which needs manual update downloads then a Quick scan that usually only takes a couple of minutes on a modern system, and the other is the one-time fee upgrade, about $25US, which includes automatic updates and automatic scanning.

dude2

  • Guest
Re: Script Blocker mystery
« Reply #66 on: May 30, 2009, 06:17:34 AM »
If you know it for sure that Resident Shield is effective for scanning EVERY file that is accessed in the hard disk and EVERYYYYY scripts to be executed, then how many percentages of mal-scripts(including WSH script files and browser script snippets) can be detected by Avast Home's Resident Shield and Web Shield when compared with Avast PRO? Sources of reference?

Home edition and PRO edition both use the same virus db, so neither detects more viruses than the other. It is COMMON SENSE the resident shield is there watching your computer for any files accessed or executed, like any resident shield in any antivirus.

Can you explain Avast's claim that Script Blocker "watches all scripts being executed in the operating system (so-called WSH scripts - Windows Scripting Host), and scans all the scripts run as a part of a web page within your web browser (Internet Explorer, Netscape Navigator and Mozilla)" in http://www.avast.com/eng/avast-4-professional-antivirus-antispyware.html, while you claim that Script Blocker is not needed to achieve the same goal?
« Last Edit: May 30, 2009, 08:18:29 AM by dude2 »

dude2

  • Guest
Re: Script Blocker mystery
« Reply #67 on: May 30, 2009, 06:31:10 AM »
the best free always-on protection that would complement Avast! ?

A very good question that has been asked a couple of times.
See: http://forum.avast.com/index.php?topic=45438.msg380955#msg380955
http://forum.avast.com/index.php?topic=45438.msg381542#msg381542

I wonder how you can get a self-explained and verifiable answer before you know what is missing from Avast Home compared to Avast PRO. That is why evaluating the risk of going without Script Blocker is the key to unlock the mystery.

PRG

  • Guest
Re: Script Blocker mystery
« Reply #68 on: May 30, 2009, 07:11:31 AM »
My instinctive thoughts on the answer to your question, while not of course technical, or even "in the know" is this:

Malware uses so many different vehicles and processes to try to get around our protection and is so changeable in its forms that having different procedures for watching our systems can only increase the chances that some new thing may be caught before it can do any damage.  I think of it as another tool that might do the same job, but more efficiently or effectively in certain limited circumstances that I am not qualified to predict.  Just like a long-handled screwdriver may be awkward in some situations, but can still get the job done, versus a short-handled screwdriver.  Or maybe a monkey-wrench versus a set of box wrenches.

I think I shall spring for the extra PRO protection, if I can find the money, if only to increase my peace of mind.  That one extra tool may someday win a battle for me.  Besides, PRO offers a couple other "perqs", too.  However, if I can't find the extra funds, I shall still feel well protected with the basic protection, especially the Web Shield.

dude2

  • Guest
Re: Script Blocker mystery
« Reply #69 on: May 30, 2009, 07:34:25 AM »
Until Alwil is ready to provide the key and unlock the mystery, we are free to choose whatever version story that eases our mind most. But, deep inside we know we still don't know.

Offline calcu007

  • Avast Evangelist
  • Poster
  • ***
  • Posts: 482
  • I'm lamma!
Re: Script Blocker mystery
« Reply #70 on: May 30, 2009, 07:45:54 AM »
Don't say "we". You are the only one that doesn't understand what script blocker does.
Asus Intel i7 8GB RAM , Win 8.1 64 bit, Avast IS

dude2

  • Guest
Re: Script Blocker mystery
« Reply #71 on: May 30, 2009, 08:13:08 AM »
Don't say "we". You are the only one that doesn't understand what script blocker does.

Something is waiting for you on Reply #66, if you can share your knowledge.

dude2

  • Guest
Recap of the progress
« Reply #72 on: May 30, 2009, 02:19:36 PM »
Here is the recap.

Opening Question

"I can hardly evaluate the risk of not having Script Blocker and simply using Avast Home 4.8. Does anyone know how?"

Gathered info

(1). According to http://www.avast.com/eng/avast-4-professional-antivirus-antispyware.html, Script Blocker "watches all scripts being executed in the operating system (so-called WSH scripts - Windows Scripting Host), and scans all the scripts run as a part of a web page within your web browser (Internet Explorer, Netscape Navigator and Mozilla)".

(2). According to http://forum.avast.com/index.php?topic=45438.msg380636#msg380636, Igor believes "Web Shield detects most things Script Blocker would have (including obfuscated scripts)... and much more. However, yes, there are also (minor, I'd say) situations when Script Blocker may detect something more."
In particular:
1. If the file doesn't come from web, but rather from disk (i.e. if you load an infected web page from disk, which includes browser cache - even though in that case you must have visited the site previously anyway), then it cannot be detected by Web Shield, of course.
2. In very specific cases (and I am not aware of any at the moment), it's possible that the Script Blocker detects a malicious script after decryption (if WebShield doesn't detect the encrypted parent)
3. Script Blocker works even for encrypted connections (HTTPS), where Web Shield doesn't see the traffic.
**According to http://forum.avast.com/index.php?topic=45438.msg381748#msg381748, lukor agreed with Igor on Script Blocker's capability to scan mal-script "No matter how it is encrypted, obfuscated or dissected into tiny parts (e.g. in a web page) it must be eventually merged together and executed to do any harm - that's exactly when the script blocker checks the script.". Script Blocker achieved this advanced script scan capability by "executing it via some scripting trick - e.g. evaluate( ) method".

(3). According to http://forum.avast.com/index.php?topic=45438.msg381615#msg381615, calcu007 believes Avast Home's Resident Shield is able to scan scripts for locally cached/saved web pages, and he further provided info on how to set it up in http://forum.avast.com/index.php?topic=45438.msg381818#msg381818 and http://forum.avast.com/index.php?topic=45438.msg381865#msg381865.
calcu007 believes "Home edition and PRO edition both use the same virus db, so neither detects more viruses than the other. It is COMMON SENSE the resident shield is there watching your computer for any files accessed or executed, like any resident shield in any antivirus." see http://forum.avast.com/index.php?topic=45438.msg382320#msg382320
**However, he has not explained why Avast! PRO is claimed to "watch all scripts being executed in the operating system (so-called WSH scripts - Windows Scripting Host), and scans all the scripts run as a part of a web page within your web browser (Internet Explorer, Netscape Navigator and Mozilla)" in http://www.avast.com/eng/avast-4-professional-antivirus-antispyware.html, while he claims that Script Blocker makes no difference.

(4). According to http://forum.avast.com/index.php?topic=45438.msg382023#msg382023, mkis suggested "you can test the products and their functions, because they are available to you at whatever Alwil deem to be the market value. Avast Home is clearly a good starting point. And Avast Pro is available for two months trial, surely time enough to run preliminary tests and build your hypotheses."
**But, it may not be as easy to simply start testing Script Blocker's capability without knowing what to expect. How can you find and test with the valid malscripts against Avast! Home and PRO while not even really sure about their differences according to the spec? Running some tests to verify what has been learned on paper is important, but in my opinion it still needs some bases to start with.

Summary

From the gathered info (2) and (3), it is hard to draw a conclusion regarding "Avast Home's capability to scan scripts including script snippets in the locally cached/saved web pages". If Avast Home can scan most of the scripts including locally cached/saved web pages while Script Blocker can do more with advanced methods, then what extra polymorphed, advanced, or encrypted types of scripts (e.g., WSH scripts or browser scripts) will be scanned by Avast! PRO other than the common scripts (e.g., WSH scripts or browser scripts) scanned by both Home and PRO?

It would be great if Alwil can provide this key info to unlock the mystery. It may include all recognized types of script files or various browser script snippets embedded in web page files. If possible, provide some instances for each type so that tests can be conducted as recommended in (4). Until then, the risk of just using Avast! Home can be evaluated, and it may also be possible to thoroughly consider what can be used to supplement or complement Avast Home!, such as using IE-SpyAd, Script Sentry, WormGuard, RegRun Guard, or ScriptDefender (as mentioned in http://forum.avast.com/index.php?topic=45438.msg381542#msg381542)
« Last Edit: May 30, 2009, 02:40:17 PM by dude2 »

Offline igor

  • Avast team
  • Serious Graphoman
  • *
  • Posts: 11812
    • AVAST Software
Re: Recap of the progress
« Reply #73 on: May 30, 2009, 02:30:17 PM »
If Avast Home can scan most of the scripts including locally cached/saved web pages while Script Blocker can do more with advanced methods,

As I was saying earlier, there are no special "advanced methods" here (at least for now) - only the source of the data to scan is different.

then what extra polymorphed, advanced, or encrypted types of scripts(e.g., WSH scripts or browser scripts) will be scanned by Avast! PRO other than the common scripts(e.g., WSH scripts or browser scripts) scanned by both Home and PRO?

Those scripts that the current virus database is unable to detect in encrypted form, but it is able [to detect them] after decryption.
You won't get any better answer, and certainly no list - because nobody has such a list (and honestly, nobody cares). If an encrypted script appears (and we get the sample), we add the detection (even for the encrypted form) - but it's possible that Script Blocker detects this beforehand, without the virus database update.
« Last Edit: May 30, 2009, 02:34:21 PM by igor »
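
A toy model of the distinction igor and lukor describe, added here as an example and not part of the thread or of avast! itself: one signature scan is applied to the page as transferred and again to the string handed to the script engine. The marker string, `webShield`, `scriptBlocker` and the hooked `evaluate` are constructed stand-ins, not avast! internals.

```javascript
// Constructed, harmless marker standing in for a string the virus database knows.
const MARKER = "HARMLESS-TEST-MARKER";
const SIGNATURES = [/HARMLESS-TEST-MARKER/];

// The same signature scan is used at both inspection points.
function scan(text) {
  return SIGNATURES.some((re) => re.test(text));
}

// Constructed page script as it is transferred: the marker exists only as two
// arrays of character codes that are merged and handed to evaluate() at run time.
const codes = [...MARKER].map((c) => c.charCodeAt(0));
const pageSource =
  `var a=[${codes.slice(0, 10)}],b=[${codes.slice(10)}];` +
  `evaluate(String.fromCharCode.apply(null,a.concat(b)));`;

// Stand-in for a transport-level scanner: it sees the bytes on the wire, and
// sees nothing at all when the connection is HTTPS (point 3 in the recap).
function webShield(response) {
  if (response.https) return "not-inspected";
  return scan(response.body) ? "blocked" : "passed";
}

// Stand-in for an execution-time hook: the page runs with evaluate() replaced
// by a function that scans the final, merged string and never executes it.
function scriptBlocker(source) {
  const verdicts = [];
  const hookedEvaluate = (code) => {
    verdicts.push({ code, verdict: scan(code) ? "blocked" : "passed" });
  };
  new Function("evaluate", source)(hookedEvaluate);
  return verdicts;
}

console.log("wire, http :", webShield({ https: false, body: pageSource }));
console.log("wire, https:", webShield({ https: true, body: pageSource }));
console.log("at execute :", scriptBlocker(pageSource));
```

The transport scan passes the encoded form until a signature for that form is added to `SIGNATURES`, which corresponds to the database update igor mentions; the execution-time scan flags it without that update.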

dude2

  • Guest
Re: Recap of the progress
« Reply #74 on: May 30, 2009, 03:01:28 PM »
If Avast Home can scan most of the scripts including locally cached/saved web pages while Script Blocker can do more with advanced methods,

As I was saying earlier, there are no special "advanced methods" here (at least for now) - only the source of the data to scan is different.

then what extra polymorphed, advanced, or encrypted types of scripts(e.g., WSH scripts or browser scripts) will be scanned by Avast! PRO other than the common scripts(e.g., WSH scripts or browser scripts) scanned by both Home and PRO?

Those scripts that the current virus database is unable to detect in encrypted form, but it is able [to detect them] after decryption.
You won't get any better answer, and certainly no list - because nobody has such a list (and honestly, nobody cares). If an encrypted script appears (and we get the sample), we add the detection (even for the encrypted form) - but it's possible that Script Blocker detects this beforehand, without the virus database update.


By saying "advanced methods", I am referring to lukor's comments in Reply #34 http://forum.avast.com/index.php?topic=45438.msg381748#msg381748.
"Script blocker checks the script code just before it gets executed. No matter how it is encrypted, obfuscated or dissected into tiny parts (e.g. in a web page) it must be eventually merged together and executed to do any harm - that's exactly when the script blocker checks the script.", which is not much different from your saying "Those scripts that the current virus database is unable to detect in encrypted form, but it is able [to detect them] after decryption."

If you do not have more info to share, then let's wait until Avast! 5.

But if you are willing to share some more, please define "only the source of the data to scan is different". Does that still refer to "encrypted scripts"? Where can users learn what encryption techniques you are referring to? I used to script some web pages with JavaScript (for a collapsible menu), but I don't know any method to encrypt embedded script snippets in the web page. Do you mean encrypted page as a whole or encrypted script snippets?

Based on lukor's version, before the encrypted, obfuscated or dissected scripts can do any harm, they need to be decrypted, merged together and executed. But then, based on your version, "those scripts that the current virus database is unable to detect in encrypted form, but it is able [to detect them] after decryption.", wouldn't the bad scripts still end up being caught by Avast! Home after being decrypted and merged together and before doing any harm?
« Last Edit: May 30, 2009, 05:59:36 PM by dude2 »