Microsoft AntiSpyware Beta and Windows Scripting Host

["Joe Stocker" <joe () inetsecurityconsulting com>]

The Scripting Guys wrote a good article on Technet yesterday summarizing how System Administrators can work around the 
script-blocking feature of Microsoft AntiSpyware. After reading the article it is also evident that it would be just as 
easy for Spyware to take the same hints to dodge the MS AntiSpyware Beta software.

The final release of this product needs to overcome the challenge of safely blocking harmful scripts while at the same 
time providing a manageable way for System Administrators to remotely manage workstations. 

The article points out that you can bypass the script blocker by simply calling cscript or wscript in front of the 
script, ex: cscript myscript.vbs would avoid the script blocker from blocking a potentially harmful script. 

Also, a spyware program could simply take the name of a valid script and then antispyware would never prompt the user: 
example: c:\mydir\myValidScript.vbs could be renamed to myValidScript.old, then c:\mydir\myHarmfulScript.vbs could be 
renamed to MyValidScript.vbs and executed without prompting the user. This assumes that the malicious program would 
have access to the proprietary database that antispyware stores its acceptable programs, which are located in the .GCD 
files in the AntiSpyware installation root directory. The proprietary database could possibly be replaced with a 
tampered .GCD file containing an entry for the harmful script, ex: c:\run.vbs. 

http://www.microsoft.com/technet/scriptcenter/resources/articles/antispy.mspx



Joe Stocker, CISSP
iNet Security Consulting
www.iNetSecurityConsulting.com

Attachment: smime.p7s
Description: