RE: Microsoft AntiSpyware Beta and Windows Scripting Host

["alex cottle" <eddie5659 () hotmail com>]

Hiya

The same applies to all script blocking AV's like KAV & Norton etc unless 
they are set to prompt on running any script. To turn this on/off, do this:

click on realtime protection

manage agents/application agents/ script blocking/tun off or mange 
allowed/blocked events

This is a feature, not a bug.

Regards

Alex

> From: "Joe Stocker" <joe () inetsecurityconsulting com>
> To: <bugtraq () securityfocus com>
> Subject: Microsoft AntiSpyware Beta and Windows Scripting Host
> Date: Thu, 3 Mar 2005 08:41:37 -0800
>
> The Scripting Guys wrote a good article on Technet yesterday summarizing 
> how System Administrators can work around the script-blocking feature of 
> Microsoft AntiSpyware. After reading the article it is also evident that it 
> would be just as easy for Spyware to take the same hints to dodge the MS 
> AntiSpyware Beta software.
>
> The final release of this product needs to overcome the challenge of safely 
> blocking harmful scripts while at the same time providing a manageable way 
> for System Administrators to remotely manage workstations.
>
> The article points out that you can bypass the script blocker by simply 
> calling cscript or wscript in front of the script, ex: cscript myscript.vbs 
> would avoid the script blocker from blocking a potentially harmful script.
>
> Also, a spyware program could simply take the name of a valid script and 
> then antispyware would never prompt the user: example: 
> c:\mydir\myValidScript.vbs could be renamed to myValidScript.old, then 
> c:\mydir\myHarmfulScript.vbs could be renamed to MyValidScript.vbs and 
> executed without prompting the user. This assumes that the malicious 
> program would have access to the proprietary database that antispyware 
> stores its acceptable programs, which are located in the .GCD files in the 
> AntiSpyware installation root directory. The proprietary database could 
> possibly be replaced with a tampered .GCD file containing an entry for the 
> harmful script, ex: c:\run.vbs.
>
> http://www.microsoft.com/technet/scriptcenter/resources/articles/antispy.mspx
>
>
>
> Joe Stocker, CISSP
> iNet Security Consulting
> www.iNetSecurityConsulting.com
> << smime.p7s >>