Author Topic: Script Blocker mystery  (Read 70812 times)

Offline calcu007

  • Avast Evangelist
  • Poster
  • ***
  • Posts: 482
  • I'm lamma!
Re: Script Blocker mystery
« Reply #30 on: May 24, 2009, 07:09:13 PM »
Quote
(1) when someone loads a bad browser script infected web page from disk cache, only Script Blocker can protect him

Wrong. The bad scripts from disk will be caught by the resident shield too, so if you have the home version you are protected too. You are requesting 'secret' technical information that can't be shared with the public, so don't ask the same things again and again. Don't complicate things.
Asus Intel i7 8GB RAM , Win 8.1 64 bit, Avast IS

dude2

  • Guest
Re: Script Blocker mystery
« Reply #31 on: May 25, 2009, 03:47:57 AM »
Wrong. The bad scripts from disk will be caught by the resident shield too, so if you have the home version you are protected too. You are requesting 'secret' technical information that can't be shared with the public, so don't ask the same things again and again. Don't complicate things.
No, definitively not. I don't seek 'secret' technical information or any secret answer without a source of reference. Web Shield and Script Blocker both "seem" capable of scanning "browser scripts", but from http://www.avast.com/eng/avast-4-professional-antivirus-antispyware.html, I am not so sure about how Resident Shield handles browser scripts. How do you draw the conclusion that computer file system protection implies the Resident Shield scan engine is capable of scanning locally cached "browser scripts"? If your version can be verified, I will modify my current conclusion at Reply#28 to reflect that:
http://forum.avast.com/index.php?topic=45438.msg381542#msg381542

To avoid a back and forth hearsay campaign, please back your words with an official source of reference.
« Last Edit: May 25, 2009, 04:11:19 AM by dude2 »

Offline calcu007

  • Avast Evangelist
  • Poster
  • ***
  • Posts: 482
  • I'm lamma!
Re: Script Blocker mystery
« Reply #32 on: May 25, 2009, 05:55:34 AM »
Are you m...n or what? It is common sense. Each file that is executed, accessed or opened from your hard disk (including scripts) is scanned by the resident shield. You want proof, then open the resident provider settings screen, open customise, open scanner(advanced), you will see an option called "always scan WSH script files". Also you can open the HELP of avast (click F1) and search the word WSH.
« Last Edit: May 25, 2009, 06:05:35 AM by calcu007 »
Asus Intel i7 8GB RAM , Win 8.1 64 bit, Avast IS

dude2

  • Guest
Re: Script Blocker mystery
« Reply #33 on: May 25, 2009, 07:15:31 AM »
Are you m...n or what? It is common sense. Each file that is executed, accessed or opened from your hard disk (including scripts) is scanned by the resident shield. You want proof, then open the resident provider settings screen, open customise, open scanner(advanced), you will see an option called "always scan WSH script files". Also you can open the HELP of avast (click F1) and search the word WSH.

Don't be nasty unless you can get a bonus for that. People come and discuss things that are not very clear to them. So, please focus on the subject "the difference with/without Script Blocker". You may not agree with my summary quoted from Igor's regarding Script Blocker:
http://forum.avast.com/index.php?topic=45438.msg380636#msg380636
>>
Script Blocker may detect something more.
In particular:
1. If the file doesn't come from web, but rather from disk (i.e. if you load an infected web page from disk, which includes browser cache - even though in that case you must have visited the site previously anyway), then it cannot be detected by Web Shield, of course.
<<

You think things are already built in for Resident Shield. But, are you sure that Script Blocker is not needed to be installed for the advanced scanner option to scan for WSH scripts or to deal with locally cached or saved web pages' browser scripts? Besides, I was still unable to find your mentioned settings from my Avast! Home 4.8 Simple User Interface.

Offline lukor

  • Administrator
  • Super Poster
  • ***
  • Posts: 1884
    • AVAST Software
Re: Script Blocker mystery
« Reply #34 on: May 25, 2009, 01:03:04 PM »
Hi dude,

I still have a feeling you are missing one important difference between script blocker and other file/URL based scanners in avast (on-demand, resident standard shield, webshield).

Script blocker checks the script code just before it gets executed. No matter how it is encrypted, obfuscated or dissected into tiny parts (e.g. in a web page) it must be eventually merged together and executed to do any harm - that's exactly when the script blocker checks the script.

The database is the same, but the content which is scanned may be different.

This also includes various means of generating the script code (be it Javascript, VBS script or other registered script language) on the fly and then executing it via some scripting trick - e.g. evaluate( ) method.


dude2

  • Guest
Re: Script Blocker mystery
« Reply #35 on: May 25, 2009, 03:34:00 PM »
Script blocker checks the script code just before it gets executed. No matter how it is encrypted, obfuscated or dissected into tiny parts (e.g. in a web page) it must be eventually merged together and executed to do any harm - that's exactly when the script blocker checks the script.

The database is the same, but the content which is scanned may be different.

This also includes various means of generating the script code (be it Javascript, VBS script or other registered script language) on the fly and then executing it via some scripting trick - e.g. evaluate( ) method.
Hi Lukor,

So eventually, what's the difference with and without Script Blocker in addition to WSH scripts scanning and protection? I like to know Script Blocker's functions first and then maybe its methods if needed and allowed. For example, without Script Blocker, won't Web Shield or Resident Shield sift through online or locally cached/saved web pages and check for bad scripts? I haven't found much online document exploring this subject.
« Last Edit: May 25, 2009, 03:47:40 PM by dude2 »

Offline calcu007

  • Avast Evangelist
  • Poster
  • ***
  • Posts: 482
  • I'm lamma!
Re: Script Blocker mystery
« Reply #36 on: May 25, 2009, 05:06:19 PM »
Are you m...n or what? It is common sense. Each file that is executed, accessed or opened from your hard disk (including scripts) is scanned by the resident shield. You want proof, then open the resident provider settings screen, open customise, open scanner(advanced), you will see an option called "always scan WSH script files". Also you can open the HELP of avast (click F1) and search the word WSH.

Don't be nasty unless you can get a bonus for that. People come and discuss things that are not very clear to them. So, please focus on the subject "the difference with/without Script Blocker". You may not agree with my summary quoted from Igor's regarding Script Blocker:
http://forum.avast.com/index.php?topic=45438.msg380636#msg380636
>>
Script Blocker may detect something more.
In particular:
1. If the file doesn't come from web, but rather from disk (i.e. if you load an infected web page from disk, which includes browser cache - even though in that case you must have visited the site previously anyway), then it cannot be detected by Web Shield, of course.
<<

You think things are already built in for Resident Shield. But, are you sure that Script Blocker is not needed to be installed for the advanced scanner option to scan for WSH scripts or to deal with locally cached or saved web pages' browser scripts? Besides, I was still unable to find your mentioned settings from my Avast! Home 4.8 Simple User Interface.

Right click on the Avast icon, then On-Access Protection control, then select standard shield, then choose customize, then the tab Scanner(advanced).
Asus Intel i7 8GB RAM , Win 8.1 64 bit, Avast IS

Offline calcu007

  • Avast Evangelist
  • Poster
  • ***
  • Posts: 482
  • I'm lamma!
Re: Script Blocker mystery
« Reply #37 on: May 25, 2009, 06:03:07 PM »
Hi Lukor,

So eventually, what's the difference with and without Script Blocker in addition to WSH scripts scanning and protection? I like to know Script Blocker's functions first and then maybe its methods if needed and allowed. For example, without Script Blocker, won't Web Shield or Resident Shield sift through online or locally cached/saved web pages and check for bad scripts? I haven't found much online document exploring this subject.


Here we come again. The Webshield scans EVERY file accessed by the browser through internet traffic, including scripts. What part don't you understand? The locally cached/saved web pages are scanned by the resident shield when they are accessed. Remember they are detected using the virus signatures. You are asking the same thing. It was answered lots of times.
Asus Intel i7 8GB RAM , Win 8.1 64 bit, Avast IS

dude2

  • Guest
Re: Script Blocker mystery
« Reply #38 on: May 25, 2009, 06:21:44 PM »
Right click on the Avast icon, then On-Access Protection control, then select standard shield, then choose customize, then the tab Scanner(advanced).
Got that screen. Thanks calcu007! The "Always scan WSH-script files" box is already selected as default. But, does it mean I don't need Script Blocker or Avast PRO to have WSH script scanning and protection function kick in and work in the background? Not quite the same as advertised by Avast PRO.

Here we come again. The Webshield scans EVERY file accessed by the browser through internet traffic, including scripts. What part don't you understand? The locally cached/saved web pages are scanned by the resident shield when they are accessed. Remember they are detected using the virus signatures. You are asking the same thing. It was answered lots of times.

I didn't see whether JavaScript or other browser pages scripts would be handled by the look of the Resident Shield configuration screen, at least not as obvious as WSH scripts, and not sure about how much difference between the Resident Shield engine, the Web Shield engine, or the Script Blocker engine. If scan engines are different, could it make any difference even if the virus signature DB is the same? Plus, does any scan engine use heuristic analysis for proactive protection so that the scan results will not be limited to the virus DB? Lukor seems to have touched that subject and noted Script Blocker is capable of handling polymorphic or encrypted scripts; hopefully, he will share more.

I hope Igor can join the discussion.
« Last Edit: May 25, 2009, 06:39:06 PM by dude2 »

Offline calcu007

  • Avast Evangelist
  • Poster
  • ***
  • Posts: 482
  • I'm lamma!
Re: Script Blocker mystery
« Reply #39 on: May 25, 2009, 08:37:16 PM »
Right click on the Avast icon, then On-Access Protection control, then select standard shield, then choose customize, then the tab Scanner(advanced).
Got that screen. Thanks calcu007! The "Always scan WSH-script files" box is already selected as default. But, does it mean I don't need Script Blocker or Avast PRO to have WSH script scanning and protection function kick in and work in the background? Not quite the same as advertised by Avast PRO.

Here we come again. The Webshield scans EVERY file accessed by the browser through internet traffic, including scripts. What part don't you understand? The locally cached/saved web pages are scanned by the resident shield when they are accessed. Remember they are detected using the virus signatures. You are asking the same thing. It was answered lots of times.

I didn't see whether JavaScript or other browser pages scripts would be handled by the look of the Resident Shield configuration screen, at least not as obvious as WSH scripts, and not sure about how much difference between the Resident Shield engine, the Web Shield engine, or the Script Blocker engine. If scan engines are different, could it make any difference even if the virus signature DB is the same? Plus, does any scan engine use heuristic analysis for proactive protection so that the scan results will not be limited to the virus DB? Lukor seems to have touched that subject and noted Script Blocker is capable of handling polymorphic or encrypted scripts; hopefully, he will share more.

I hope Igor can join the discussion.

If you check the resident config screen there is an option "scan modified/created file"; below that option appears "only files with selected extension". There you will see the extensions of the scripts (JS for JavaScript) etc. Also you can add more extensions if you know the extensions of other scripts. Or you can choose the option "scan all files". There are heuristics in the mail and Outlook providers, but they only give you a "suspicious message" alert; it uses the virus db to give you a virus alert.
Asus Intel i7 8GB RAM , Win 8.1 64 bit, Avast IS

Offline Vlk

  • Avast CEO
  • Serious Graphoman
  • *
  • Posts: 11658
  • Please don't send me IM's. Email only. Thx.
    • ALWIL Software
Re: Script Blocker mystery
« Reply #40 on: May 25, 2009, 09:11:40 PM »
The bottom line is that the Script Blocker is able to check scripts more thoroughly (generally speaking). That is, it checks them after they're decrypted, reassembled etc.

There are numerous attacks towards the traditional script scanners that cannot be efficiently shielded without the Script Blocker (at least in the case of Avast).
If at first you don't succeed, then skydiving's not for you.
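
The difference lukor (Reply #34) and Vlk (Reply #40) describe, scanning the stored text versus scanning the code string at the moment it is handed to the evaluator, as an added example that is not part of the thread and is not Avast's code. The signature, the `evaluate` hook, the `dropDemoPayload` stand-in and both sample scripts are constructed for illustration.

```javascript
// Added example. SIGNATURES and the sample scripts are constructed;
// they are not taken from Avast's virus database or engine.
const SIGNATURES = [/dropDemoPayload\s*\(/]; // stands in for one known-bad pattern

// What a file/URL scanner sees: the text as stored on disk or sent over HTTP.
function scanText(text) {
  return SIGNATURES.some((sig) => sig.test(text));
}

// Constructed sample 1: the known-bad call appears literally in the file.
const plainScript = 'evaluate("dropDemoPayload(1)");';

// Constructed sample 2: same behaviour, but the call is split into pieces and
// only joined at run time, so the stored text never contains the pattern.
const splitScript =
  'var p = ["dro", "pDemo", "Pay", "load", "(1)"];' +
  'evaluate(p.join(""));';

// Runs a script the way a host would, handing it an evaluate() hook.
// With guard=true the hook scans the final, reassembled code string just
// before it would run, using the same signatures as the file scan.
function runScript(source, guard) {
  const log = { executed: [], blocked: [] };
  const dropDemoPayload = (n) => log.executed.push('dropDemoPayload(' + n + ')');
  const evaluate = (code) => {
    if (guard && scanText(code)) {
      log.blocked.push(code); // refuse to execute, record what was stopped
      return undefined;
    }
    return new Function('dropDemoPayload', code)(dropDemoPayload);
  };
  new Function('evaluate', source)(evaluate);
  return log;
}

// Same database, different content scanned: compare the two vantage points.
function compare(source) {
  return {
    staticHit: scanText(source),
    ranUnguarded: runScript(source, false).executed.length,
    blockedAtExec: runScript(source, true).blocked.length,
  };
}

console.log('plain:', compare(plainScript));
console.log('split:', compare(splitScript));
```
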

dude2

  • Guest
Re: Script Blocker mystery
« Reply #41 on: May 26, 2009, 12:17:16 AM »
If you check the resident config screen there is an option "scan modified/created file"; below that option appears "only files with selected extension". There you will see the extensions of the scripts (JS for JavaScript) etc. Also you can add more extensions if you know the extensions of other scripts. Or you can choose the option "scan all files". There are heuristics in the mail and Outlook providers, but they only give you a "suspicious message" alert; it uses the virus db to give you a virus alert.
Amazing! In addition to "JS?" in the Default extension list, I also found "VB?" and "WS?", are they VB scripts and WSH scripts? I noticed all Shields are up and running except Outlook/Exchange, and its status is read as "The provider is waiting for a subsystem to start". I checked all tabs in [Outlook/Exchange>Customize...] and found [Heuristics - Advanced] options are greyed out. The note on that tab reads [The following settings affect handling of outbound messages and are relevant only when the sensivity is set to "High" or "Custom"]. In the [Outlook/Exchange>Customize...>Heuristics] tab, the sensitivity is shown set to "High". I went to [Standard Shield>customize...>Scanner(advanced)] and selected/checked [Scan created/modified files] and [Only files with selected extension] with [Default extension set(recommended)] plus verified [show ...] and found EML on the list. After I made the modification by selecting [Scan created/modified files], Standard Shield security level jumped from Normal to High. But, the Outlook/Exchange Shield is still showing the same "waiting for a subsystem to start" with both Outlook/Exchange and Standard Shield now set to High. Any idea?

The bottom line is that the Script Blocker is able to check scripts more thoroughly (generally speaking). That is, it checks them after they're decrypted, reassembled etc.

There are numerous attacks towards the traditional script scanners that cannot be efficiently shielded without the Script Blocker (at least in the case of Avast).

Since XP SP2 and up Microsoft has beefed up its browser security via "local machine zone lockdown", how do JavaScript or other browser scripts work around Microsoft's defense by encrypting or reassembling? Do those rare cases happen only when someone tries to open locally cached/saved web pages? If the difference of Script Blocker is the capability of handling polymorphed scripts, why not name it so? Thus, Avast Home users know that they are still protected from bad WSH scripts and other browser scripts except polymorphed scripts.

Will using IE-SpyAd, Script Sentry, WormGuard, RegRun Guard, or ScriptDefender as a supplement to Avast Home help somewhat mitigate the possible vulnerabilities exploited by polymorphed or advanced scripts even though Script Blocker of PRO would probably be the best choice?
« Last Edit: May 26, 2009, 03:13:59 AM by dude2 »

Offline calcu007

  • Avast Evangelist
  • Poster
  • ***
  • Posts: 482
  • I'm lamma!
Re: Script Blocker mystery
« Reply #42 on: May 26, 2009, 01:58:28 AM »
The "Waiting for subsystem" message is because Outlook is not opened. This provider will work when you open Outlook.
Asus Intel i7 8GB RAM , Win 8.1 64 bit, Avast IS

dude2

  • Guest
Re: Script Blocker mystery
« Reply #43 on: May 26, 2009, 03:18:04 AM »
I don't have an IM client, a SMTP server, or a web browser opened on the PC, but Instant Messaging Shield, Internet Mail Shield, and Web Shield are all actively running as default though. How about the greyed out [Heuristics - Advanced] options?
« Last Edit: May 26, 2009, 03:19:53 AM by dude2 »

Offline calcu007

  • Avast Evangelist
  • Poster
  • ***
  • Posts: 482
  • I'm lamma!
Re: Script Blocker mystery
« Reply #44 on: May 26, 2009, 03:39:57 AM »
It is normal if you have Outlook on your PC. Outlook is an email client program, not an IM program.
Asus Intel i7 8GB RAM , Win 8.1 64 bit, Avast IS