Topic: Script Blocker mystery

dude2

  • Guest
Re: Script Blocker mystery
« Reply #15 on: May 21, 2009, 08:16:26 AM »
> But from my quite extensive knowledge of avast! technologies, avast! doesn't just blindly block all scripts but relies on internal database which is updated through regular VPS updates to block just scripts that are known to be malicious or bad.

According to Avast Tech support's 5/13 email explanation - "You are protected against JavaScript codes and VBScript codes but there is some small number of scripts using advanced technologies (eg. cooperation with rootkits or saving in the hidden folders) when only scriptblocker is able to detect them", it seems there is something extra played into AV programming than the regular VPS updates even though I did not get the source reference of that explanation either. Do you think Script Blocker may get its update via Avast program updates as well?

I tried to avoid hearsay by asking for source references. I did not ask for anything more than necessary to evaluate the risk of not having Script Blocker, or the risk of simply using Avast Home. Please find http://www.velocityreviews.com/forums/t306748-avast-questions.html, and do you agree with this paper's suggestion to use Microsoft AntiSpyware (or something newer) if Script Blocker is not available for Avast Home users?
« Last Edit: May 21, 2009, 08:52:34 AM by dude2 »

Offline RejZoR

  • Polymorphic Sheep
  • Serious Graphoman
  • *****
  • Posts: 9406
  • We are supersheep, resistance is futile!
    • RejZoR's Flock of Sheep
Re: Script Blocker mystery
« Reply #16 on: May 21, 2009, 08:18:27 AM »
Millions are using avast! Home and no one really bothers with lack of Script Blocker. Besides, it's not like script malware is in majority anyway...

Offline igor

  • Avast team
  • Serious Graphoman
  • *
  • Posts: 11849
    • AVAST Software
Re: Script Blocker mystery
« Reply #17 on: May 21, 2009, 09:13:12 AM »
> Are you Avast engineers?

Yes, I am.

> Or, where can I look into your referenced documents so that I can learn whether Script Blocker simply blindly blocks all scripts or scans scripts against a different virus DB from Web Shield's virus DB?

You can't.
I really don't understand what you are trying to achieve. As I wrote multiple times already, Script Blocker is just another avast! scanner - so it doesn't block "blindly" anything, it looks for specific virus signatures. However, whether these signatures are related to an exploit or not, it doesn't matter at all.

> According to Avast Tech support's 5/13 email explanation - "You are protected against JavaScript codes and VBScript codes but there is some small number of scripts using advanced technologies (eg. cooperation with rootkits or saving in the hidden folders) when only scriptblocker is able to detect them", it seems there is something extra played into AV programming than the regular VPS updates even though I did not get the source reference of that explanation either.

You wanted an answer - so Tech Support guys started to imagine strange scenarios (like you have an active rootkit on your system which hides a script file. So, it's on your disk, so Web Shield is out of question, it's hidden from Standard Shield... so Script Blocker may be the last instance to detect it). However, I doubt a rootkit would hide script files (instead of ordinary executables) - besides, if you have an active rootkit on your system (which the antirootkit scanner should detect, btw), blocking or not blocking the script execution would probably be the least of your problems.

> Do you think Script Blocker may get its update via Avast program updates as well?

Erm, Script Blocker is a part of avast!... so of course it gets updated with avast! program updates (and its detection is updated with VPS updates)... why shouldn't it?

> I did not ask for anything more than necessary to evaluate the risk of not having Script Blocker, or the risk of simply using Avast Home.

I'm afraid such a risk is really hard to estimate. We believe that Web Shield should be sufficient for most of the users... but yes, there is some possibility that sometimes it's not. And I won't deny that we are also trying to encourage the users to buy the Professional version...

Offline igor

  • Avast team
  • Serious Graphoman
  • *
  • Posts: 11849
    • AVAST Software
Re: Script Blocker mystery
« Reply #18 on: May 21, 2009, 09:16:53 AM »
> Besides, it's not like script malware is in majority anyway...

I wouldn't agree with that. Seeing the trend in the last few months, I'd say the script malware is the biggest threat these days. Yes, the script eventually passes execution to a real executable, but that can be server-generated (changing every minute or so, so an antivirus program may easily miss it) - so I'd say detecting the scripts is very important.

Actually, we were originally planning to drop the Script Blocker for avast! 5.0 because it looked rather useless for some time - but with the latest development in the malware world, it won't happen (and there may be some bigger updates in the future).

Offline RejZoR

  • Polymorphic Sheep
  • Serious Graphoman
  • *****
  • Posts: 9406
  • We are supersheep, resistance is futile!
    • RejZoR's Flock of Sheep
Re: Script Blocker mystery
« Reply #19 on: May 21, 2009, 09:30:36 AM »
Well, I meant in terms that script actually makes malicious actions, not just redirecting or serving EXE files. I know that's a problem by itself because they can spawn new versions every minute...

Btw, while we're at it, will Script Blocker free/pay policy apply to avast! 5 like it does for avast! 4.8 ?
I mean will Script Blocker still be only Professional Edition feature or will also end up in Home Edition when avast! 5 hits the final version?

Offline igor

  • Avast team
  • Serious Graphoman
  • *
  • Posts: 11849
    • AVAST Software
Re: Script Blocker mystery
« Reply #20 on: May 21, 2009, 09:45:36 AM »
I really have no idea.

dude2

  • Guest
Re: Script Blocker mystery
« Reply #21 on: May 21, 2009, 10:52:55 AM »
> I'm afraid such a risk is really hard to estimate. We believe that Web Shield should be sufficient for most of the users... but yes, there is some possibility that sometimes it's not. And I won't deny that we are also trying to encourage the users to buy the Professional version...

So no matter what, getting the Professional edition with Script Blocker, it seems, will get you on the safe side.

But, for those Avast Home users before their upgrade to the Professional edition, any comment on the remarks from this page?
http://www.velocityreviews.com/forums/t306748-avast-questions.html
>>
Script blocking is a good thing to have in a layered defense - Microsoft
AntiSpyware does this too. I'm not sure whether having two script blockers
running simultaneously is a good idea, so this would be redundant for me. If
you don't use MSAS, and if you run IE without IE-SpyAd, script blocking could be
very protective.
<<

YoKenny

  • Guest
Re: Script Blocker mystery
« Reply #22 on: May 21, 2009, 11:26:44 AM »
Believing posts from 06-27-2005 are like being in a coma for 4 years and after awakening asking if you have missed much.

I think you are suffering from a terrible affliction:
http://redwing.hutman.net/~mreed/warriorshtm/ferouscranus.htm

Offline igor

  • Avast team
  • Serious Graphoman
  • *
  • Posts: 11849
    • AVAST Software
Re: Script Blocker mystery
« Reply #23 on: May 21, 2009, 11:31:27 AM »
If the two script blockers work similarly (that is, scan the scripts for virus signatures), then it might be redundant. However, some script blockers (I mean more "browser-" than antivirus- oriented) may work differently (I don't know... blocking according to the script origin, things like that)... it may bring something new... and get you another protection layer.

But I admit I personally didn't try to run another script blocker side-by-side, so I don't know if any conflicts might occur.

YoKenny

  • Guest
Re: Script Blocker mystery
« Reply #24 on: May 21, 2009, 01:33:28 PM »
igor, what I was trying to say in a round about way was that these are the ramblings of a troll and I am guilty of being a particular type of troll.

Please read the Home page:
http://redwing.hutman.net/~mreed/index.htm

My persona but watch out if I have a few beers and become Jekyll and Hyde:  ;D
http://redwing.hutman.net/~mreed/warriorshtm/eaglescout.htm

dude2

  • Guest
Re: Script Blocker mystery
« Reply #25 on: May 21, 2009, 01:44:47 PM »
> If the two script blockers work similarly (that is, scan the scripts for virus signatures), then it might be redundant. However, some script blockers (I mean more "browser-" than antivirus- oriented) may work differently (I don't know... blocking according to the script origin, things like that)... it may bring something new... and get you another protection layer.
>
> But I admit I personally didn't try to run another script blocker side-by-side, so I don't know if any conflicts might occur.

I need to add a point to my previous comment. Even though XP SP2 is relatively safe because of the Local Machine zone lock down, if you try to run an already downloaded VBS file or view an already-saved-to-local web page, then the hurt by mal-scripts is still unavoidable unless you got a Script Blocker. Isn't it?

Now, back to contemplating alternatives even if they may not be as good as Script Blocker itself. If not running side by side with Script Blocker (i.e., running Avast Home only), would you recommend IE-SpyAd, Script Sentry, WormGuard, RegRun Guard, or ScriptDefender as a supplement to Avast Home to mitigate the threat from mal-scripts? Or, would you recommend using Symantec's Noscript.exe to turn off WSH and only to turn it back on when needed? Or, would you recommend simply disabling WSH in the registry like this?
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Script Host\Settings]   
"Enabled"=dword:00000000

From a very old page: http://www.www.techzonez.com/forums/showthread.php?p=88655
>>
Peep's @Avast forum recommended the FREE program Script Sentry . Old but still does its job with scripts
<<
Agree?
« Last Edit: May 21, 2009, 04:32:08 PM by dude2 »

YoKenny

  • Guest
Re: Script Blocker mystery
« Reply #26 on: May 21, 2009, 01:59:54 PM »
dude2, why don't you want to update to SP3 as it has been available for almost a year that has performance enhancements and several Critical Security Updates so in IE go to Tools then Windows Update then download and install all updates.

Putting band aids on an old leaking operating system is about as effective as chewing gum in a leaky dam.

Using posts from March 13th, 2005 as a reference is about as good as 5 week old bread and about as hard to digest.

dude2

  • Guest
Re: Script Blocker mystery
« Reply #27 on: May 21, 2009, 02:37:28 PM »
> dude2, why don't you want to update to SP3 as it has been available for almost a year that has performance enhancements and several Critical Security Updates so in IE go to Tools then Windows Update then download and install all updates.

I do not see major security difference between XP SP3 and a well updated and armed-to-teeth XP SP2, isn't XP3 just like a cumulatively updated XP SP2?

I am more interested in the effect of Script Blocker. It is supposed to be more WSH related. Isn't it? I mentioned about IE related security improvement on XP SP2 simply because I heard that Script Blocker's targets may not be limited to WSH VB scripts (see Avast PRO brochure or RejZoR's comment Reply #10) but may also apply to web page scripts. But, I got no clarification on what other scripts are scanned by Script Blocker in addition to VB scripts. Are Javascripts, ActiveX codes, and those other IE scripts the targets of Script Blocker? I don't know. Are you ready to open that can of worms once again? I just found that XP SP2 is safer for IE scripts in general.
« Last Edit: May 21, 2009, 04:26:29 PM by dude2 »

dude2

  • Guest
Re: Script Blocker mystery
« Reply #28 on: May 24, 2009, 07:14:56 AM »
Avast Home may be one of the best Free antivirus softwares. But, I really hope its users can rest assured that there is no tangible vulnerability unattended without Script Blocker. So far, my quest for the comprehensive understanding of Script Blocker has ground to a halt at these two threads:

1. "Script Blocker mystery" http://forum.avast.com/index.php?topic=45438.0
2. "Avast Script Blocker" http://forum.avast.com/index.php?topic=45472.0

Regarding the function of Script Blocker:
Script Blocker simply acts as Web Shield (added with some minor differences) + WSH shield. Igor's advice in http://forum.avast.com/index.php?topic=45438.msg380636#msg380636 noted the minor differences including: (1) when someone loads a bad browser script infected web page from disk cache, only Script Blocker can protect him; (2) Script Blocker can detect encrypted pages or pages from encrypted web site.

What's missing:
(1)No sources of reference
(2)No instances available to illustrate the cases mentioned above
(3)How redundant to have both Web Shield and Script Blocker running together?

Regarding WSH shield:
I still want to know what Avast Home users can do to somewhat mitigate the WSH vulnerability before they get a chance to upgrade to PRO for the full protection. I proposed and sought advice on: (1) using IE-SpyAd, Script Sentry, WormGuard, RegRun Guard, or ScriptDefender as a supplement to Avast Home to mitigate the threat from mal-scripts by detecting and stopping them from running; (2) using Symantec's Noscript.exe to turn off WSH and only to turn it back on when needed; (3) simply disabling WSH in the registry
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Script Host\Settings]   
"Enabled"=dword:00000000

No response yet.

Avast 5 is slated for this year. Hope these problems will be addressed by then.
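
[Added example, not part of any post in this thread and not Avast or Microsoft code] For option (3) above, a PowerShell sketch that audits the "Enabled" value under the Windows Script Host settings key and, on request, writes the 0 value shown in the post. The function names are hypothetical; the HKCU path and the WOW6432Node (32-bit view) path are assumptions added here, since the post names only the HKLM key. It reports each location separately and assumes no precedence between them.

```powershell
# Added example: audit / set the WSH "Enabled" value discussed in the thread.
# Function names are hypothetical; only the first path below comes from the post.
$WshKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows Script Host\Settings',             # from the post
    'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows Script Host\Settings', # assumption: 32-bit view
    'HKCU:\Software\Microsoft\Windows Script Host\Settings'              # assumption: per-user key
)

function Get-WshEnabledState {
    [CmdletBinding()]
    param([string[]]$Path = $WshKeys)

    foreach ($p in $Path) {
        $raw   = $null
        # A missing key or value means nothing has switched WSH off there.
        $state = 'NotSet'
        if (Test-Path -LiteralPath $p) {
            $item = Get-ItemProperty -LiteralPath $p -Name 'Enabled' -ErrorAction SilentlyContinue
            if ($null -ne $item) {
                $raw = $item.Enabled
                # The value may be stored as a DWORD or as a string; compare as text.
                $state = if ("$raw".Trim() -eq '0') { 'Disabled' } else { 'Enabled' }
            }
        }
        [pscustomobject]@{ Path = $p; RawValue = $raw; State = $state }
    }
}

function Disable-Wsh {
    # Writes Enabled = 0 as a DWORD, matching the .reg fragment in the post.
    # Run elevated for HKLM; use -WhatIf to preview without changing anything.
    [CmdletBinding(SupportsShouldProcess)]
    param([string]$Path = $WshKeys[0])

    if ($PSCmdlet.ShouldProcess($Path, 'Set Enabled = 0')) {
        if (-not (Test-Path -LiteralPath $Path)) {
            New-Item -Path $Path -Force | Out-Null
        }
        New-ItemProperty -LiteralPath $Path -Name 'Enabled' -Value 0 `
            -PropertyType DWord -Force | Out-Null
    }
}

# Report the current state of every location, then preview the change.
Get-WshEnabledState | Format-Table -AutoSize
Disable-Wsh -WhatIf
```

Any row that still reads NotSet or Enabled after the change is a location the single HKLM edit did not cover.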

Mr.Agent

  • Guest
Re: Script Blocker mystery
« Reply #29 on: May 24, 2009, 02:38:48 PM »
If they add their firewall and other thing to the pro and stay Home like that. I think it would be great for what I'm guessing.

But well, let's wait for what they offer us.

Be patient. Be awarded. :)

Mr.Agent