Author Topic: Script Blocker mystery  (Read 70813 times)

0 Members and 1 Guest are viewing this topic.

Offline igor

  • Avast team
  • Serious Graphoman
  • *
  • Posts: 11849
    • AVAST Software
Re: Script Blocker mystery
« Reply #75 on: May 30, 2009, 03:20:45 PM »
I am saying it over and over again, and Lukor said basically the same.
Script Blocker gets the data [to be scanned] from the browser itself - so, that's the source here. Of course, the browser may have performed some decryption in between. That is certainly not the case for Web Shield or Standard Shield that get the raw data from web or disk.

The data flow is basically something like:
Internet --> WebShield --> Browser --> Script Blocker --> Scripting engine (Windows or back in browser again)

So, Script Blocker gets different data - after they were partially processed by the browser itself. This may have removed some encryption layers, for example.

Offline lukor

  • Administrator
  • Super Poster
  • ***
  • Posts: 1884
    • AVAST Software
Re: Script Blocker mystery
« Reply #76 on: May 30, 2009, 03:42:35 PM »
Dude, it is very tiring to read all those resumes since apparently you lack some knowledge required to understand this topic.

Otherwise you would not be able to ask such a question repeatedly. As an example please see this:

Based on lukor's version, before the encrypted, obfuscated or disected scripts can do any harm, it needs to be decrypted and merged together and executed to do any harm. But, then, based on your version, "those scripts that the current virus database is unable to detect in encrypted form, but it is able [to detect them] after decryption.", wouldn't the bad scripts still end up being caught by Avast! Home after being decrypted and merged together and before doing any harm?

So the answer is: if the decryption created a file on your disk (which is highly unlikely), then it could be caught by the file scanner; otherwise NOT!
« Last Edit: May 30, 2009, 03:48:28 PM by igor »

dude2

  • Guest
Re: Script Blocker mystery
« Reply #77 on: May 30, 2009, 04:27:47 PM »
Lukor, trust me it is exhausting to put this mystery into perspective as well. If there is a document which well explains the risk of not having Script Blocker, this tiring process wouldn't be needed. Not many Avast! users know the data flow as just noted by Igor.

I used to script some web pages with JavaScripts(for collapsable menu), but I don't know any method to encrypt embedded script snippets in the web page. Where can users learn what ecryption techniques you are referring to? Nor do I know the difference between a received html file via a network capable program or by a browser so that I can understand the significance of the Web Shield location in the data flow. Why not move Web Shield toward the downstream of the data flow right after "browser" to intercept decrypted bad scripts if it helps?

Offline lukor

  • Administrator
  • Super Poster
  • ***
  • Posts: 1884
    • AVAST Software
Re: Script Blocker mystery
« Reply #78 on: May 30, 2009, 04:46:33 PM »
How exactly do you suggest WebShield (local HTTP proxy) could be moved "toward the downstream" to help blocking things Web Browser is doing with downloaded content ? (here by content I mean scripts, and the activity done with them is "running them")

What is once downloaded can not be undownloaded later.


Offline igor

  • Avast team
  • Serious Graphoman
  • *
  • Posts: 11849
    • AVAST Software
Re: Script Blocker mystery
« Reply #79 on: May 30, 2009, 04:46:56 PM »
Why not move Web Shield toward the downstream of the data flow right after "browser" to intercept decrypted bad scripts if it helps?

- because it wouldn't be a "Web" Shield then
- it would have access only to the scripts, not to the surrounding HTML code (where there can be many exploits as well)
- it would work only in specific browsers where Script Blocker is currently supported

Offline Lisandro

  • Avast team
  • Certainly Bot
  • *
  • Posts: 67195
Re: Script Blocker mystery
« Reply #80 on: May 30, 2009, 05:10:00 PM »
it would work only in specific browsers where Script Blocker is currently supported
Of course, NOBODY wants that... keep WebShield where it is, please.
The best things in life are free.

dude2

  • Guest
Re: Script Blocker mystery
« Reply #81 on: May 30, 2009, 05:15:26 PM »
Is it possible to move the new one "toward the downstream" to help blocking decrypted things by implementing a merged version of the current Web Shield and Script Blocker? Or, is it possible to employ heuristic or proactive protection by applying some virtual machine techniques used by other antivirus products? I can not say it for sure because you have not explained to me what encryption techniques you referred to.

In calcu007's version(with some unanswered parts), he said that even Web Shield may not be able to block encrypted things at the first line of defense, he believes that Resident Shield will still be the last line of defense with the help of the properly configured settings and that all types of specified scripts will be scanned as efficiently as done by Script Blocker when files/scripts are either created, accessed(opened), or modified. Agree?
« Last Edit: May 30, 2009, 06:02:09 PM by dude2 »

Offline lukor

  • Administrator
  • Super Poster
  • ***
  • Posts: 1884
    • AVAST Software
Re: Script Blocker mystery
« Reply #82 on: May 30, 2009, 06:09:19 PM »
Is it possible to move the new one "toward the downstream" to help blocking decrypted things by implementing a merged version of the current Web Shield and Script Blocker?

Not possible.

Offline calcu007

  • Avast Evangelist
  • Poster
  • ***
  • Posts: 482
  • I'm lamma!
Re: Script Blocker mystery
« Reply #83 on: May 30, 2009, 06:19:58 PM »
If you know it for sure that Resident Shield is effective for scanning EVERY file that is accessed in the hard disk and EVERYYYYY scripts to be executed, then how many percentages of mal-scripts(including WSH script files and browser script snippets) can be detected by Avast Home's Resident Shield and Web Shield when compared with Avast PRO? Sources of reference?

Home edition and PRo edition both use the same virus db, so neither detect more virus than the other. It is COMMON SENSE the resident shield is there watching your computer for any files accessed or executed, like any resident shield in any antivirus.

Can you explain Avast claim that Script Blocker "watches all scripts being executed in the operating system (so-called WSH scripts - Windows Scripting Host), and scans all the scripts run as a part of a web page within your web browser (Internet Explorer, Netscape Navigator and Mozilla)" in http://www.avast.com/eng/avast-4-professional-antivirus-antispyware.html, while you claim that Script Blocker is not needed to achieve the same goal?

DOnt change my statements. I didn't say that the Script blocker is no needed. I said that you are protected with webshield and the resident shield. If you access a bad script and it is in the virus db, you will be protected depending where or how you accessed it(internet by webshield, or resident shield) KEEP IN MIND if the questionable script is not in the virus db it will not detected.
Asus Intel i7 8GB RAM , Win 8.1 64 bit, Avast IS

dude2

  • Guest
Re: Script Blocker mystery
« Reply #84 on: May 31, 2009, 04:40:07 AM »
If you know it for sure that Resident Shield is effective for scanning EVERY file that is accessed in the hard disk and EVERYYYYY scripts to be executed, then how many percentages of mal-scripts(including WSH script files and browser script snippets) can be detected by Avast Home's Resident Shield and Web Shield when compared with Avast PRO? Sources of reference?
Home edition and PRo edition both use the same virus db, so neither detect more virus than the other. It is COMMON SENSE the resident shield is there watching your computer for any files accessed or executed, like any resident shield in any antivirus.
If Script Blocker uses the same virus DB as used in Avast! Home by Web Shield and Resident Shield, why can't Resident Shield if properly configured provide the last line of defense against the decrypted scripts?
« Last Edit: May 31, 2009, 05:39:25 AM by dude2 »

PRG

  • Guest
Re: Script Blocker mystery
« Reply #85 on: May 31, 2009, 05:46:09 AM »
If Script Blocker uses the same virus DB as used in Avast! Home by Web Shield and Resident Shield, why can't Resident Shield if properly configured provide the last line of defense against the decrypted scripts?
No one said it couldn't.  They said they didn't want it to.  The Web Shield is much more like a first line of defense - and that's the best way for it to be, IMO.  I'd far rather a nasty was caught while it was still "in transit" and before it is saved to my hard drive!  :o

dude2

  • Guest
Re: Script Blocker mystery
« Reply #86 on: May 31, 2009, 05:59:51 AM »
The Web Shield is much more like a first line of defense - and that's the best way for it to be, IMO.  I'd far rather a nasty was caught while it was still "in transit" and before it is saved to my hard drive!  :o
If you access a bad script and it is in the virus db, you will be protected depending where or how you accessed it(internet by webshield, or resident shield) KEEP IN MIND if the questionable script is not in the virus db it will not detected.
I don't think Resident Shield provide protection only after the damage is done. But, can Resident Shield scan the decrypted and reassmbled scripts before they pass through the script engine(i.e., WSH or browser script engine)? Won't web pages coming from internet be loaded into the temporary internet folder/cache? Why doesn't Resident Shield work there? If those encrypted files or web pages are to be decrypted and/or reassembled to do any harm, is there no way for Resident Shield to play as the last line of defense to intercept the decrypted scripts?
« Last Edit: May 31, 2009, 06:35:01 AM by dude2 »

Offline lukor

  • Administrator
  • Super Poster
  • ***
  • Posts: 1884
    • AVAST Software
Re: Script Blocker mystery
« Reply #87 on: May 31, 2009, 06:49:32 AM »
Dude2, come in, think a bit!

Lets say I today create a program that has a database of viruses in scripts stored in some undetected file. I randomly choose one, syntesize its source code (by guessing, pure programatic creation, decryption, decompressing, downloading by parts from the internet etc.) and create a script source code in memory and then I call Windows Scripting Engine to execute my script -- do you with all your proclaimed knowledge and systematic approach see the point that this will never get written to the disk and hence could never be scanned by resident shield?



Offline lukor

  • Administrator
  • Super Poster
  • ***
  • Posts: 1884
    • AVAST Software
Re: Script Blocker mystery
« Reply #88 on: May 31, 2009, 06:50:26 AM »
If Script Blocker uses the same virus DB as used in Avast! Home by Web Shield and Resident Shield, why can't Resident Shield if properly configured provide the last line of defense against the decrypted scripts?

Did you try repling yourself before posting the same question AGAIN?

Offline calcu007

  • Avast Evangelist
  • Poster
  • ***
  • Posts: 482
  • I'm lamma!
Re: Script Blocker mystery
« Reply #89 on: May 31, 2009, 07:16:41 AM »
I think this guy is 12 year old. He is asking the same question in difference ways, and even he received the answer he didn't understand yet.

I don't think Resident Shield provide protection only after the damage is done. But, can Resident Shield scan the decrypted and reassmbled scripts before they pass through the script engine(i.e., WSH or browser script engine)? Won't web pages coming from internet be loaded into the temporary internet folder/cache? Why doesn't Resident Shield work there? If those encrypted files or web pages are to be decrypted and/or reassembled to do any harm, is there no way for Resident Shield to play as the last line of defense to intercept the decrypted scripts?

The resident shield SCAN EVERY FILE THAT IS WRITE IN THE HARD DISK, SOOOOOOOOOOOO it will scan the temporary internet folder/cache, in case that you dont have the Webshield activate. Webshield and script blocker are first line of defense, if you dont have those shield activated it will be catch by resident shield even they are decrypted scripts, because the resident USE the virus signature to detect themmmmm.

Following Lukor example, that file is scanned by Script blocker, but if you dont have that shield, that it will be cathed in the moment that it is written to hdd by resident shield. So the only way you can be infected by a bad script is in 2 cases:

1. The script is not in the Virus db yet.
2. You have the resident shield disabled.

How I can explain you better?

« Last Edit: May 31, 2009, 07:43:22 AM by calcu007 »
Asus Intel i7 8GB RAM , Win 8.1 64 bit, Avast IS