Script Blocker mystery

[calcu007]

If Script Blocker uses the same virus DB as used in Avast! Home by Web Shield and Resident Shield, why can't Resident Shield if properly configured provide the last line of defense against the decrypted scripts?

It will be always that last line of defense. It will catch the bad file or script before it made the damage, because to do damage it needs to be write in hdd.

[dude2]

Dude2, come in, think a bit!

Lets say I today create a program that has a database of viruses in scripts stored in some undetected file. I randomly choose one, syntesize its source code (by guessing, pure programatic creation, decryption, decompressing, downloading by parts from the internet etc.) and create a script source code in memory and then I call Windows Scripting Engine to execute my script -- do you with all your proclaimed knowledge and systematic approach see the point that this will never get written to the disk and hence could never be scanned by resident shield?

CREATING SOMETHING IN MEMORY ON THE FLY sounds like the one to beat Avast! Home. But, in your example why did anti-rootkit (GMER) allow "database of viruses in scripts stored in some undetected file" to happen on your system?

I think this guy is 12 year old. He is asking the same question in difference ways, and even he received the answer he didn't understand yet.

If I am a 12 year old, you ought to bear with me. If I am not, don't force me to speak in Madarin!

The resident shield SCAN EVERY FILE THAT IS WRITE IN THE HARD DISK, SOOOOOOOOOOOO it will scan the temporary internet folder/cache, in case that you dont have the Webshield activate. Webshield and script blocker are first line of defense, if you dont have those shield activated it will be catch by resident shield even they are decrypted scripts, because the resident USE the virus signature to detect themmmmm.

Following Lukor example, that file is scanned by Script blocker, but if you dont have that shield, that it will be cathed in the moment that it is written to hdd by resident shield. So the only way you can be infected by a bad script is in 2 cases:

1. The script is not in the Virus db yet.
2. You have the resident shield disabled.

How I can explain you better?

For your raised two cases:
1. The script is not in the Virus db yet.  -> Start thinking heuristicly
2. You have the resident shield disabled.  -> Define how encryption/decryption works and the data flow of all components

If Script Blocker uses the same virus DB as used in Avast! Home by Web Shield and Resident Shield, why can't Resident Shield if properly configured provide the last line of defense against the decrypted scripts?

It will be always that last line of defense. It will catch the bad file or script before it made the damage, because to do damage it needs to be write in hdd.

If lukor or Igor does not oppose, it seems like your points are well made there. But, lukor's IN YOUR MEMORY attack is still possible if his hypothetical tactic finds a way to elude GMER.

After this round of questions and answers, I feel like I must be at the bottom if a popularity contest is held now. Hopefully, at the end truth will forgive our ignorance. NO! MY IGNORANCE.

[calcu007]

CREATING SOMETHING IN MEMORY ON THE FLY sounds like the one to beat Avast! Home. But, in your example why did anti-rootkit (GMER) allow "database of viruses in scripts stored in some undetected file" to happen on your system?

Because, the anti-rootkit it is a scanner, it is integrated in the on-demand scanner not in on-access shields(like the resident shield,script shield,etc). it scan when you power up your Pc and when you make a scan. Get informated before make assumptions.

[calcu007]

For your raised two cases:
1. The script is not in the Virus db yet.  -> Start thinking heuristicly
2. You have the resident shield disabled.  -> Define how encryption/decryption works and the data flow of all components


After this round of questions and answers, I feel like I must be at the bottom if a popularity contest is held now. Hopefully, at the end truth will forgive our ignorance. NO! MY IGNORANCE.

1. Start thinking and reading again. There is NO heuristics. Only the mail and outlook scanners have it.
2. The resident dont decrypt nothing, the data flow the same way if you dont have antivirus in your PC, but it will NOT scanned for malware,

As lukor said think and use your proclaimed knowledge.

[dude2]

An old story goes like this:

Two famous Chinese philosophers once stood on a bridge and looked into the river down below.
"Don't you see how happy those fish are to swim in the river?", one asked.
"You are not the fish; how could you tell if they are happy?", the other challenged.
"You are not me; how could you tell if I don't know whether they are happy or not?" one replied.
It went on and on for several more rounds. Finally, this story ends up in the history book.

I believe we can end up accomplishing more even may not be as glorious.

Because, the anti-rootkit it is a scanner, it is integrated in the on-demand scanner not in on-access shields(like the resident shield,script shield,etc). it scan when you power up your Pc and when you make a scan. Get informated before make assumptions.

I thought lukor said the mal-script DB is already planted somewhere in undetected files and waiting to be called for and then synthesized in memory for the GRAND EVIL SCHEME. So, won't on-demand GMER or on-access Resident Shield find the undetected source files before they get a chance to be used as an arsenal ON THE FLY?

[dude2]

For your raised two cases:
1. The script is not in the Virus db yet.  -> Start thinking heuristicly
2. You have the resident shield disabled.  -> Define how encryption/decryption works and the data flow of all components


After this round of questions and answers, I feel like I must be at the bottom if a popularity contest is held now. Hopefully, at the end truth will forgive our ignorance. NO! MY IGNORANCE.

1. Start thinking and reading again. There is NO heuristics. Only the mail and outlook scanners have it.
2. The resident dont decrypt nothing, the data flow the same way if you dont have antivirus in your PC, but it will NOT scanned for malware,

As lukor said think and use your proclaimed knowledge.

According to this 2009 report - http://www.anti-malware-test.com/?q=node/77, Avast! proactive component was praised for the satisfactory heuristic test result, and it never mentioned about Avast heuristic function only found in mail and outlook scanners.
>>
Products in the dark orange (80-100%) and light orange (60-80%) zones demonstrated excellent and good detection levels of new viruses (aged from 1 to 5 weeks, see methodology).
The majority of them (Avira Antivir Premium, Sophos Anti-Virus, Dr.Web, Kaspersky, Eset Nod32, BitDefender Antivirus, AVG Anti-Virus, Avast Professional Edition and Norton Anti-Virus) attained that level based on the contribution of their proactive component.
<<

Here is a recently discussed topic: "What happened to Avast in the latest AV-Comparatives Pro-active Test"
http://forum.avast.com/index.php?topic=45663.0
with the reference of av-comparatives Proactive Test (May 2009):
http://www.av-comparatives.org/comparativesreviews/main-tests
In av-comparatives tests, the 2009/5 result showed 42% overall heuristic detection rate, garnered a 2% increase comparing to 2008/11 report. I am not even sure if this 42% has ruled out common signatures based detections.

I know Avast used to be heuristic but only limited on mail analysis as shown in this thread:
"AVAST RESIDENT SCANNER is using Heuristic analysis?" http://forum.avast.com/index.php?topic=37044.0
But, has Avast just started employing more heuristic analysis?
See this thread: "PnkBstrB.exe malware infection heuristic method used"
http://forum.avast.com/index.php?topic=43076.0
and this: "Heuristic scanner detects TrustedInstaller.exe as suspicious"
http://forum.avast.com/index.php?topic=39310.0

Where is heuristic component located? In the Resident Shield, Web Shield, or Script Blocker? Or, is it a separate component shared by others?

[calcu007]

Here is a recently discussed topic: "What happened to Avast in the latest AV-Comparatives Pro-active Test"
http://forum.avast.com/index.php?topic=45663.0
with the reference of av-comparatives Proactive Test (May 2009):
http://www.av-comparatives.org/comparativesreviews/main-tests
In av-comparatives tests, the 2009/5 result showed 42% overall heuristic detection rate, garnered a 2% increase comparing to 2008/11 report. I am not even sure if this 42% has ruled out common signatures based detections.

If you read well that topic, especially post #14 and #15, you will confirm that Avast not has heuristics, it use generic signatures for this proactive detections. That test was made using 3 month old database with new viruses.

I know Avast used to be heuristic but only limited on mail analysis as shown in this thread:
"AVAST RESIDENT SCANNER is using Heuristic analysis?" http://forum.avast.com/index.php?topic=37044.0
But, has Avast just started employing more heuristic analysis?
See this thread: "PnkBstrB.exe malware infection heuristic method used"
http://forum.avast.com/index.php?topic=43076.0
and this: "Heuristic scanner detects TrustedInstaller.exe as suspicious"
http://forum.avast.com/index.php?topic=39310.0

Where is heuristic component located? In the Resident Shield, Web Shield, or Script Blocker? Or, is it a separate component shared by others?

In those topic the poster used the wrong term to explain his problem, there is no heuristic in the resident shield.
As explained in topic http://forum.avast.com/index.php?topic=37044.0   the resident shield only use signatures for its detections. There is not confirmation if in version 5 will be heuristics. Only the mail and outlook shield use heuristics.

[dude2]

Igor, lukor, and calcu007, correct me if the following synthesized result is wrong.

Avast Home! and PRO provide almost the same level of protection, and both will work when someone loads a bad browser script infected web page from disk cache or from saved local files if Resident Shield is set up properly.

But, as for loading encrypted pages or reassembled pages, it is a different matter. If the web browser engine or a script engine receives its source from (temporary) local file/files, then these files must have been scanned, upon their creation or access, by both Home and PRO before browser engine or script engine executing the scripts. But if the web content or the script content is synthesized in memory to produce dangerous scripts(even though how it is done is still hazy to me), then there is no way Avast Home can scan and detect it. Thus, Script Blocker, acting like the script engine goalie, assumes the last line of defense to intercept the "in memory" mal-scripts.

With regard to the heuristic analysis, I wonder if there is a way to handle the conflicting reports dialectically. Before I mail my questions to anti-malware-test.com for their report's(http://www.anti-malware-test.com/?q=node/77) accuracy, regarding their casting Avast proactive protection test result to 40+% effect of signature component and 50+% effect of heuristic component. May I ask for Igor's or lukor's second opinion? You may work for Avast, but it would help make the case strong if you provide your answers with sources of reference. Maybe anti-malware-test.com simply took "generic signatures", as referred by calcu007, to a broader explanation or even somewhat heuristic.

Igor, if the email heuristic analysis can work on html format mails, why not port this function to Web Shield or Resident Shield?

[calcu007]

 But if the web content or the script content is synthesized in memory to produce dangerous scripts(even though how it is done is still hazy to me), then there is no way Avast Home can scan and detect it. Thus, Script Blocker, acting like the script engine goalie, assumes the last line of defense to intercept the "in memory" mal-scripts.

In all cases the Resident shield will be you last line defense,the others shield are first line of defense. In Avast Home the "in memory" mal-scripts will be catch in moment that is written or cached in the hdd, in Pro it is catch in memory by the Script blocker before it is write to the HDD.

[dude2]

In all cases the Resident shield will be you last line defense,the others shield are first line of defense. In Avast Home the "in memory" mal-scripts will be catch in moment that is written or cached in the hdd, in Pro it is catch in memory by the Script blocker before it is write to the HDD.

calcu007, thank you for your continual dedication. Here are the ones to be further investigated with you:

1. Do you agree that if a web browser engine or script host engine is designed to always be fed from locally cached files or saved files, then a properly configured Resident Shield should just be sufficient for mal-scripts detection and prevention? If it is the case, then which web browsers will never be fed directly from memory? If the browser in use sometimes gets fed from memory, do you recommend disabling scripts functions for safety concern unless Script Blocker is in use as well?

2. Even though you said, "In Avast Home the 'in memory' mal-scripts will be catch(caught?) in moment that is written or cached in the hdd, in Pro it is catch(caught?) in memory by the Script blocker before it is write(written?) to the HDD.", could it still be possible that some 'in memory' mal-scripts can still work around Resident Shield's detection and manage to send itself to the script engine for execution to cause damages before anything getting written to hdd? As I said, this 'in memory' attack puzzles me most.

[calcu007]

In all cases the Resident shield will be you last line defense,the others shield are first line of defense. In Avast Home the "in memory" mal-scripts will be catch in moment that is written or cached in the hdd, in Pro it is catch in memory by the Script blocker before it is write to the HDD.

calcu007, thank you for your continual dedication. Here are the ones to be further investigated with you:

1. Do you agree that if a web browser engine or script host engine is designed to always be fed from locally cached files or saved files, then a properly configured Resident Shield should just be sufficient for mal-scripts detection and prevention? If it is the case, then which web browsers will never be fed directly from memory? If the browser in use sometimes gets fed from memory, do you recommend disabling scripts functions for safety concern unless Script Blocker is in use as well?

2. Even though you said, "In Avast Home the 'in memory' mal-scripts will be catch(caught?) in moment that is written or cached in the hdd, in Pro it is catch(caught?) in memory by the Script blocker before it is write(written?) to the HDD.", could it still be possible that some 'in memory' mal-scripts can still work around Resident Shield's detection and manage to send itself to the script engine for execution to cause damages before anything getting written to hdd? As I said, this 'in memory' attack puzzles me most.

1. The web browser fed from internet files, so you will protected with the web shield. Well, you can disable scripts to run a safer browser. Also you can try firefox with NoScripts add-on.

2. "in memory" attack (malware) need to read or write to the hdd to do the damage, so it can be caught by the resident shield.

[lukor]

1. The web browser fed from internet files, so you will protected with the web shield. Well, you can disable scripts to run a safer browser. Also you can try firefox with NoScripts add-on.

2. "in memory" attack (malware) need to read or write to the hdd to do the damage, so it can be caught by the resident shield.

ad 2) - can not agree with this one either, see SQL Slammer sample, this worm has done a lot of damage, yet has never been written to the disk.

http://en.wikipedia.org/wiki/SQL_slammer_(computer_worm)

(today SQL Slammer is catched by Network Shield)

[dude2]

1. The web browser fed from internet files, so you will protected with the web shield. Well, you can disable scripts to run a safer browser. Also you can try firefox with NoScripts add-on.

2. "in memory" attack (malware) need to read or write to the hdd to do the damage, so it can be caught by the resident shield.

Web pages DO get fed from internet, but aren't they supposed to be downloaded into [temporary internet files] per browser's GET REQUEST command? If the included javascript file can only be counted as received correctly when browser sends back an OK status code per HTTP protocol to indicate the file has been received correctly, then how can scripts do damage directly in memory without being detected by Resident Shield upon its creation(reception) or accessing(loading into memory) in the [temporary internet files] directory?

ad 2) - can not agree with this one either, see SQL Slammer sample, this worm has done a lot of damage, yet has never been written to the disk.

http://en.wikipedia.org/wiki/SQL_slammer_(computer_worm)

(today SQL Slammer is catched by Network Shield)

From that page, I see no bearing on the subject. Could you extract the relevant part of your reference and show us?

[calcu007]

You can make a search in wikipedia and sear for sql slammer worm

http://en.wikipedia.org/wiki/SQL_slammer_%28computer_worm%29

"Home PCs are generally not vulnerable to this worm unless they have MSDE installed. The worm is so small that it does not contain code to write itself to disk, so it only stays in memory, and it is easy to remove. For example, Symantec provides a free removal utility (see external link below), or it can even be removed by restarting SQL Server (although the machine would likely be immediately reinfected)."

[dude2]

You can make a search in wikipedia and sear for sql slammer worm

http://en.wikipedia.org/wiki/SQL_slammer_%28computer_worm%29

"Home PCs are generally not vulnerable to this worm unless they have MSDE installed. The worm is so small that it does not contain code to write itself to disk, so it only stays in memory, and it is easy to remove. For example, Symantec provides a free removal utility (see external link below), or it can even be removed by restarting SQL Server (although the machine would likely be immediately reinfected)."

You are right, most home PCs shouldn't be affected. Generally, computer worm propagates itself and sends the replicated file through the network to infect other computers. Therefore, this specific worm seems unique.

How about "scripts handling" in my previous post Reply #102(http://forum.avast.com/index.php?topic=45438.msg384865#msg384865)? Wouldn't that be the focus of Script Blocker?
...javascript file can only be counted as received correctly when browser sends back an OK status code per HTTP protocol to indicate the file has been received correctly.