Author Topic: Script Blocker mystery  (Read 63304 times)

0 Members and 1 Guest are viewing this topic.

dude2

  • Guest
Re: Script Blocker mystery
« Reply #45 on: May 26, 2009, 08:31:08 AM »
Let me sum up the subject and list the million dollar questions:

1. If "JS?" and "VB?" in the Default extension list stand for JavaScript and VBScript respectively, then will the files with the extension names ".htm", ".html", and ".mht" or maybe even all files be scanned for the possible embeded exploiting JavaScript codes? Do users need to add any more extensions to the default extension list? I thought Default extension list should have included all known types that can be recognized and detected by Avast except those surely non-executable file types.

2. What's the difference between enabling "Always scan WSH-script files" and selecting "WS?" file extension other than "the condition/time to scan"(either On File Open or On File being Created/Modified)? I though VBScript is one type of WSH scripts.

3. If it is true that WSH script files(e.g., VBS files) and the embeded browser script(e.g., JavaScript) web pages including most of the locally cached/saved web page files can be scanned and mostly detected by the Avast Home once it is properly configured, then what extra settings users will see in the Avast Professional configurations so that users can tell that extra Script Blocker scanning options are now available?

4. When Script Blocker is activated, will it only provide some extra capabilities to detect polymorphed, advanced, or encrypted scripts without incurring duplicated scan effort for the common(i.e., neither polymorphed, nor advanced) scripts? Or, will Script Blocker built in with some extra capabilities run in tandem with the existing Avast Home shields so each web page will be scanned twice against the common script fingerprints and once against the polymorphed/advanced script fingerprints?

5. Will using IE-SpyAd, Script Sentry, WormGuard, RegRun Guard, or ScriptDefender as a supplement to Avast Home help somewhat mitigate the possible vulnerabilities exploited by polymorphed or advanced scripts even though Script Blocker of PRO would probably be the best choice?
« Last Edit: May 26, 2009, 08:52:21 AM by dude2 »

Offline mkis

  • Avast Evangelist
  • Super Poster
  • ***
  • Posts: 1618
Re: Script Blocker mystery
« Reply #46 on: May 26, 2009, 01:10:05 PM »
Now that you have sorted out the questions dude2, I think it is time for you to do some research of your own. Up to you of course. You can put 'Script blocker' through the hoops and run comparatives with the performance of Avast Home. Whatever you cannot find that is not available through documentation and product range that Alwil put out to the market, is obviously not yours to demand. Unless Avast team wish to make a special case for you, which they may do (their prerogative). But you can test the products and their functions, because they are available to you at whatever Alwil deem to be the market value. Avast Home is clearly a good starting point. And Avast Pro is available for two months trial, surely time enough to run preliminary tests and build your hypotheses.

If you decide to do this, then you can post your findings in the Avast forum, or on the internet somewhere, and I'm sure you will have audience enough to help you get to the bottom of the matter. This seems to be the best way for you to tackle your problem, and the ideal method by which you will have complete control of the whole process. I certainly would await the outcome of your possible undertaking with much interest, although I have to say that I am quite happy with the lengths that Avast team have gone to make their product range available to people like me.    
Avast7 Free, MBAM (on demand), MVPS Hosts

Intel DG41TY, Windows 7 Ultimate, IE9, Google Chrome, 4 GB ram, Secunia PSI, ccleaner, Foxit Reader, Faststone Image viewer, MWSnap.

dude2

  • Guest
Re: Script Blocker mystery
« Reply #47 on: May 26, 2009, 04:12:20 PM »
I think it is time for you to do some research of your own. Up to you of course. You can put 'Script blocker' through the hoops and run comparatives with the performance of Avast Home. Whatever you cannot find that is not available through documentation and product range that Alwil put out to the market, is obviously not yours to demand. Unless Avast team wish to make a special case for you, which they may do (their prerogative). But you can test the products and their functions, because they are available to you at whatever Alwil deem to be the market value. Avast Home is clearly a good starting point. And Avast Pro is available for two months trial, surely time enough to run preliminary tests and build your hypotheses.
Your suggestion is thoughtful. But, it may not be as easy to simply start testing Script Blocker's capability without knowing what to expect. For now, even Script Blocker's extra capability to detect polymorphed, advanced, or encrypted types of scripts is merely a hearsay without the sources of reference. Nor have any mal-script instances been illustrated for those different types of scripts. That is why some of my questions starting with an "if...". How can you find and test with the valid malscripts against Avast! Home and PRO while not even really sure about their differences according to the spec?

Running some tests to verify what has been learned on paper is important, but in my opinion it still needs some bases to start with. For instance, it would be great if Alwil can provide the following info:

1. Which common scripts(e.g., WSH scripts or browser scripts) will be scanned by both Home and PRO?
It may include all recognized types of script files or various browser script snippets embedded in web page files. If possible, provide some instances for each type so that tests can be conducted.

2. What extra polymorphed, advanced, or encrypted types of scripts(e.g., WSH scripts or browser scripts) can be scanned by Avast! PRO?
It may include all recognized types of script files or various browser script snippets embedded in web page files. If possible, provide some instances for each type so that tests can be conducted.
« Last Edit: May 26, 2009, 04:46:48 PM by dude2 »

Offline calcu007

  • Avast Evangelist
  • Poster
  • ***
  • Posts: 482
  • I'm lamma!
Re: Script Blocker mystery
« Reply #48 on: May 26, 2009, 06:51:05 PM »
can you trust that developers tell you about Avast? Why you insist in more information? You question had been answered. Now is your turn and test it, almost every website use scripts, so you can test it.
Asus Intel i7 8GB RAM , Win 8.1 64 bit, Avast IS

dude2

  • Guest
Re: Script Blocker mystery
« Reply #49 on: May 27, 2009, 03:57:22 AM »
Since I asked in the beginning "I can hardly evaluate the risk of not having Script Blocker and simply using Avast Home 4.8. Does anyone know how?", here is related info gathered:

(1). According to http://www.avast.com/eng/avast-4-professional-antivirus-antispyware.html, Script Blocker "watches all scripts being executed in the operating system (so-called WSH scripts - Windows Scripting Host), and scans all the scripts run as a part of a web page within your web browser (Internet Explorer, Netscape Navigator and Mozilla)".

(2). According to http://forum.avast.com/index.php?topic=45438.msg380636#msg380636, Igor believes "Web Shield detects most things Script Blocker would have (including obfuscated scripts)... and much more. However, yes, there are also (minor, I'd say) situations when Script Blocker may detect something more."
In particular:
1. If the file doesn't come from web, but rather from disk (i.e. if you load an infected web page from disk, which includes browser cache - even though in that case you must have visited the site previously anyway), then it cannot be detected by Web Shield, of course.
2. In very specific cases (and I am not aware of any at the moment), it's possible that the Script Blocker detects a malicous script after decryption (if WebShield doesn't detect the encrypted parent)
3. Script Blocker works even for encrypted connections (HTTPS), where Web Shield doesn't see the traffic.
**According to http://forum.avast.com/index.php?topic=45438.msg381748#msg381748, lukor agreed with Igor on Script Blocker's capability to scan mal-script "No matter how it is encrypted, obfuscated or disected into tiny parts (e.g. in a web page) it must be eventually merged together and executed to do any harm - thats exactly when the script blocker checks the script.". Script Blocker achieved this advanced script scan capability by "executing it via some scripting trick - e.g. evaluate( ) method".

(3). According to http://forum.avast.com/index.php?topic=45438.msg381615#msg381615, calcu007 disagreed with Igor on Avast Home's lack of capability to scan scripts for locally cached/saved web pages, and he further provided info on how to set it up in http://forum.avast.com/index.php?topic=45438.msg381818#msg381818 and http://forum.avast.com/index.php?topic=45438.msg381865#msg381865.

(4) According to http://forum.avast.com/index.php?topic=45438.msg382023#msg382023, mkis suggested "you can test the products and their functions, because they are available to you at whatever Alwil deem to be the market value. Avast Home is clearly a good starting point. And Avast Pro is available for two months trial, surely time enough to run preliminary tests and build your hypotheses."
**But, it may not be as easy to simply start testing Script Blocker's capability without knowing what to expect. How can you find and test with the valid malscripts against Avast! Home and PRO while not even really sure about their differences according to the spec? Running some tests to verify what has been learned on paper is important, but in my opinion it still needs some bases to start with. For instance, it would be great if Alwil can provide the following info:
1. Which common scripts(e.g., WSH scripts or browser scripts) will be scanned by both Home and PRO?
It may include all recognized types of script files or various browser script snippets embedded in web page files. If possible, provide some instances for each type so that tests can be conducted.
2. What extra polymorphed, advanced, or encrypted types of scripts(e.g., WSH scripts or browser scripts) can be scanned by Avast! PRO?
It may include all recognized types of script files or various browser script snippets embedded in web page files. If possible, provide some instances for each type so that tests can be conducted.

In summary, the gathered info (2) and (3) are still conflicted with each other regarding "Avast Home's capability to scan scripts for locally cached/saved web pages". There are no illustrated types and instances of the so called "polymorphed, advanced, or encrypted types of scripts" which can only be detected by Script Blocker. The only official source of reference is (1) or http://www.avast.com/eng/avast-4-professional-antivirus-antispyware.html. With this limited info on hand, I do not know how to test and evaluate the risk of not having Script Blocker as recommended in (4).
« Last Edit: May 27, 2009, 07:59:33 AM by dude2 »

Offline calcu007

  • Avast Evangelist
  • Poster
  • ***
  • Posts: 482
  • I'm lamma!
Re: Script Blocker mystery
« Reply #50 on: May 27, 2009, 04:43:50 AM »
Do you know what do the Resident shield(Standard shield)? It scan EVERY file that is accessed in the hard disk. SOOOOOOOO it scan EVERYYYYY scripts executed in the hard disk. What part you don understand?  The Webshield scan EVERY files that is streamed in your comoputer through HTTP protocol. BOTH provider use the virus db, not behavior detection, there is not heuristics in the script or webshield provider.
Asus Intel i7 8GB RAM , Win 8.1 64 bit, Avast IS

Offline calcu007

  • Avast Evangelist
  • Poster
  • ***
  • Posts: 482
  • I'm lamma!
Re: Script Blocker mystery
« Reply #51 on: May 27, 2009, 04:53:29 AM »
About you point 3, I don't disagree with Igor. Your problem is that you dont understand what is the difference between provider.Webshield, scan http traffic, script blocker scan scripts, resident shield scan VERY FILES including scripts. As Lukor said the Script blocker scan the script code before it is executed, both Script blocker and resident shield scan scripts with diferent methods
Asus Intel i7 8GB RAM , Win 8.1 64 bit, Avast IS

dude2

  • Guest
Re: Script Blocker mystery
« Reply #52 on: May 27, 2009, 04:59:25 AM »
About you point 3, I don't disagree with Igor. Your problem is that you dont understand what is the difference between provider.Webshield, scan http traffic, script blocker scan scripts, resident shield scan VERY FILES including scripts. As Lukor said the Script blocker scan the script code before it is executed, both Script blocker and resident shield scan scripts with diferent methods
How do you evaluate and test the difference without knowing the types or instances of these so called "polymorphed, advanced, or encrypted types of scripts" which can only be detected by Script Blocker via a different scan method? If you know it for sure that Resident Shield is effective for scanning EVERY file that is accessed in the hard disk and EVERYYYYY scripts to be executed, then how many percentages of mal-scripts(including WSH script files and browser script snippets) can be detected by Avast Home's Resident Shield and Web Shield when compared with Avast PRO? Sources of reference?
« Last Edit: May 27, 2009, 10:00:18 AM by dude2 »

Offline calcu007

  • Avast Evangelist
  • Poster
  • ***
  • Posts: 482
  • I'm lamma!
Re: Script Blocker mystery
« Reply #53 on: May 27, 2009, 07:01:38 PM »
If you know it for sure that Resident Shield is effective for scanning EVERY file that is accessed in the hard disk and EVERYYYYY scripts to be executed, then how many percentages of mal-scripts(including WSH script files and browser script snippets) can be detected by Avast Home's Resident Shield and Web Shield when compared with Avast PRO? Sources of reference?

Home edition and PRo edition both use the same virus db, so neither detect more virus than the other. It is COMMON SENSE the resident shield is there watching your computer for any files accessed or executed, like any resident shield in any antivirus.
Asus Intel i7 8GB RAM , Win 8.1 64 bit, Avast IS

PRG

  • Guest
Re: Script Blocker mystery
« Reply #54 on: May 27, 2009, 07:57:06 PM »
I find this discussion very interesting, as I am also attempting to evaluate how to protect my husband against being infected during his web browsing.  I still don't know what method _qbot used to get on his computer, but I feel certain that it was some sort of hijack of a normally trustworthy website, or *maybe* some random item on eBay that he viewed.

As I cannot find any reference to this particular malware in Avast's current database, and as several posts in this discussion mention that all of Avast's engines are using the database to flag malware, I am now wondering if the WebShield or the ScriptBlocker actually would have protected him last Thursday had I had the foresight to have chosen to install it.

I had actually gotten the impression that the WebShield and, perhaps especially, the ScriptBlocker were using some behavioral detection techniques to perhaps prevent this sort of drive-by infection.  If not, then I think I must expand my search for something that may do the job.  I still don't know what the infecting "vehicle" was, but I have been assuming it to be JavaScript related.  I really distrust javascript as I have no real way of knowing what any java is, and no real way of using the internet without permitting it to run.  NoScript helps, but it cannot protect me if a trustworthy site gets bad code somehow injected.

So, if ScriptBlocker simply relies on using the same database for its detections, regardless of when they occur, it may not be providing the more advanced protection from drive-by infections from hacked sites that I might be expecting.  I would love to send one of you to test it out, if I only knew which sites for sure.  Unfortunately, I haven't dared reopen IE nor have I found the correct tool to look at the Temp internet files. :D

Offline mkis

  • Avast Evangelist
  • Super Poster
  • ***
  • Posts: 1618
Re: Script Blocker mystery
« Reply #55 on: May 27, 2009, 08:52:26 PM »
Do you know how to access event viewer?

- either in Avast - rightclick 'a' icon in the tray bottom righthand of screen and choose avast! Log Viewer.

- or Windows - Control Panel > Administrative Tools > Event Viewer > Antivirus

Look through your logs for warnings and errors to get a better indication of what, when and where things have happened on your computer. You can post details here if you want.

Have you posted a Hijack This log yet?

I dont think 'Script Blocker' has anything to do with this matter.
Avast7 Free, MBAM (on demand), MVPS Hosts

Intel DG41TY, Windows 7 Ultimate, IE9, Google Chrome, 4 GB ram, Secunia PSI, ccleaner, Foxit Reader, Faststone Image viewer, MWSnap.

Offline calcu007

  • Avast Evangelist
  • Poster
  • ***
  • Posts: 482
  • I'm lamma!
Re: Script Blocker mystery
« Reply #56 on: May 27, 2009, 09:16:15 PM »
The webshield and scrip blocker use virus database and not behavioral detection techniques. If you husband got infected then that virus was not in the virus database of Avast. There is not a anti-virus that detect everything so sometime will fail to detect something, like every antivirus in the market
Asus Intel i7 8GB RAM , Win 8.1 64 bit, Avast IS

PRG

  • Guest
Re: Script Blocker mystery
« Reply #57 on: May 28, 2009, 01:11:42 AM »
Sorry - let me clarify.

I do not have Avast installed.  I was using a different AV provider.

I am here because I am "shopping" for a better AV, and those features lead me to believe that Avast might be "IT". :)

The greatest danger for the ordinary and careful, IMO, is random hijacking of websites, and because of the high usage of Javascript and it's "intertwining" with everything - that seems the most likely vector to me.  However, I could be mistaken.

p.s. yes, I have posted an HJT log at malwareremoval.com if you're curious - same ID, search _qbot or Qakbot

Offline DavidR

  • Avast √úberevangelist
  • Certainly Bot
  • *****
  • Posts: 86518
  • No support PMs thanks
Re: Script Blocker mystery
« Reply #58 on: May 28, 2009, 01:52:56 AM »
avast is one of the very few that are even checking for this hacked site issue and is all over it like a rash (even us using the Home version). With many sites totally unaware that they have been hacked until an avast user has informed them. Even the US Forestry site was hacked and didn't know until an avast user reported it.

Of all those reported in the viruses and worms forum, all that I have checked have proven to be correct. So far avast has proven to be very accurate in this regard.
Windows 10 Home 64bit/ Acer Aspire F15/ Intel Core i5 7200U 2.5GHz, 8GB DDR4 memory, 256GB SSD, 1TB HDD/ avast! free 22.2.6003 (build 22.2.7013.717) UI 1.0.697/ Firefox, uBlock Origin, uMatrix/ MailWasher Pro/ Avast! Mobile Security

PRG

  • Guest
Re: Script Blocker mystery
« Reply #59 on: May 29, 2009, 03:12:26 AM »
That is great to know, DavidR.  And as I have now confirmed that Avast! does detect this particular infection, I believe I have found my best solution for his protection in Avast!  (I worry about this one because he's likely to visit wherever-it-was again.)

Now, what would anyone recommend as the best free always-on protection that would complement Avast! (of the anti-spyware sort) for a person on dial-up - if any?  I think the OP is asking that, also (though without the dial-up restriction).  Mainly for web-browsing safety - he is not likely to download or install anything, nor does he frequent "questionable" sites.  I can't get him to use Firefox *sigh*