lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [day] [month] [year] [list] 
Date: Fri, 04 Mar 2005 12:49:06 +0000
From: "alex cottle" <eddie5659@...mail.com>
To: joe@...tsecurityconsulting.com, bugtraq@...urityfocus.com
Subject: RE: Microsoft AntiSpyware Beta and Windows Scripting Host


Hiya

The same applies to all script blocking AV's like KAV & Norton etc unless 
they are set to prompt on running any script. To turn this on/off, do this:

click on realtime protection

manage agents/application agents/ script blocking/tun off or mange 
allowed/blocked events

This is a feature, not a bug.

Regards

Alex

>From: "Joe Stocker" <joe@...tsecurityconsulting.com>
>To: <bugtraq@...urityfocus.com>
>Subject: Microsoft AntiSpyware Beta and Windows Scripting Host
>Date: Thu, 3 Mar 2005 08:41:37 -0800
>
>The Scripting Guys wrote a good article on Technet yesterday summarizing 
>how System Administrators can work around the script-blocking feature of 
>Microsoft AntiSpyware. After reading the article it is also evident that it 
>would be just as easy for Spyware to take the same hints to dodge the MS 
>AntiSpyware Beta software.
>
>The final release of this product needs to overcome the challenge of safely 
>blocking harmful scripts while at the same time providing a manageable way 
>for System Administrators to remotely manage workstations.
>
>The article points out that you can bypass the script blocker by simply 
>calling cscript or wscript in front of the script, ex: cscript myscript.vbs 
>would avoid the script blocker from blocking a potentially harmful script.
>
>Also, a spyware program could simply take the name of a valid script and 
>then antispyware would never prompt the user: example: 
>c:\mydir\myValidScript.vbs could be renamed to myValidScript.old, then 
>c:\mydir\myHarmfulScript.vbs could be renamed to MyValidScript.vbs and 
>executed without prompting the user. This assumes that the malicious 
>program would have access to the proprietary database that antispyware 
>stores its acceptable programs, which are located in the .GCD files in the 
>AntiSpyware installation root directory. The proprietary database could 
>possibly be replaced with a tampered .GCD file containing an entry for the 
>harmful script, ex: c:\run.vbs.
>
>http://www.microsoft.com/technet/scriptcenter/resources/articles/antispy.mspx
>
>
>
>Joe Stocker, CISSP
>iNet Security Consulting
>www.iNetSecurityConsulting.com
><< smime.p7s >>

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ