Since I asked in the beginning "I can hardly evaluate the risk of not having Script Blocker and simply using Avast Home 4.8. Does anyone know how?", here is related info gathered:
(1). According to
http://www.avast.com/eng/avast-4-professional-antivirus-antispyware.html, Script Blocker "watches all scripts being executed in the operating system (so-called WSH scripts - Windows Scripting Host), and scans all the scripts run as a part of a web page within your web browser (Internet Explorer, Netscape Navigator and Mozilla)".
(2). According to
http://forum.avast.com/index.php?topic=45438.msg380636#msg380636, Igor believes "Web Shield detects most things Script Blocker would have (including obfuscated scripts)... and much more. However, yes, there are also (minor, I'd say) situations when Script Blocker may detect something more."
In particular:
1. If the file doesn't come from web, but rather from disk (i.e. if you load an infected web page from disk, which includes browser cache - even though in that case you must have visited the site previously anyway), then it cannot be detected by Web Shield, of course.
2. In very specific cases (and I am not aware of any at the moment), it's possible that the Script Blocker detects a malicous script after decryption (if WebShield doesn't detect the encrypted parent)
3. Script Blocker works even for encrypted connections (HTTPS), where Web Shield doesn't see the traffic.
**According to
http://forum.avast.com/index.php?topic=45438.msg381748#msg381748, lukor agreed with Igor on Script Blocker's capability to scan mal-script "No matter how it is encrypted, obfuscated or disected into tiny parts (e.g. in a web page) it must be eventually merged together and executed to do any harm - thats exactly when the script blocker checks the script.". Script Blocker achieved this advanced script scan capability by "executing it via some scripting trick - e.g. evaluate( ) method".
(3). According to
http://forum.avast.com/index.php?topic=45438.msg381615#msg381615, calcu007 disagreed with Igor on Avast Home's lack of capability to scan scripts for locally cached/saved web pages, and he further provided info on how to set it up in
http://forum.avast.com/index.php?topic=45438.msg381818#msg381818 and
http://forum.avast.com/index.php?topic=45438.msg381865#msg381865.
(4) According to
http://forum.avast.com/index.php?topic=45438.msg382023#msg382023, mkis suggested "you can test the products and their functions, because they are available to you at whatever Alwil deem to be the market value. Avast Home is clearly a good starting point. And Avast Pro is available for two months trial, surely time enough to run preliminary tests and build your hypotheses."
**But, it may not be as easy to simply start testing Script Blocker's capability without knowing what to expect. How can you find and test with the valid malscripts against Avast! Home and PRO while not even really sure about their differences according to the spec? Running some tests to verify what has been learned on paper is important, but in my opinion it still needs some bases to start with. For instance, it would be great if Alwil can provide the following info:
1. Which common scripts(e.g., WSH scripts or browser scripts) will be scanned by both Home and PRO?
It may include all recognized types of script files or various browser script snippets embedded in web page files. If possible, provide some instances for each type so that tests can be conducted.
2. What extra polymorphed, advanced, or encrypted types of scripts(e.g., WSH scripts or browser scripts) can be scanned by Avast! PRO?
It may include all recognized types of script files or various browser script snippets embedded in web page files. If possible, provide some instances for each type so that tests can be conducted.
In summary, the gathered info (2) and (3) are still conflicted with each other regarding "Avast Home's capability to scan scripts for locally cached/saved web pages". There are no illustrated types and instances of the so called "polymorphed, advanced, or encrypted types of scripts" which can only be detected by Script Blocker. The only official source of reference is (1) or
http://www.avast.com/eng/avast-4-professional-antivirus-antispyware.html. With this limited info on hand, I do not know how to test and evaluate the risk of not having Script Blocker as recommended in (4).