Bugtraq: RE: Microsoft AntiSpyware Beta and Windows Scripting Host

RE: Microsoft AntiSpyware Beta and Windows Scripting Host

From: alex cottle <eddie5659_at_hotmail.com>
Date: Fri, 04 Mar 2005 12:49:06 +0000

Hiya

The same applies to all script-blocking AVs like KAV & Norton etc. unless
they are set to prompt on running any script. To turn this on/off, do this:

click on realtime protection

manage agents/application agents/script blocking/turn off or manage
allowed/blocked events

This is a feature, not a bug.

Regards

Alex

>From: "Joe Stocker" <joe_at_inetsecurityconsulting.com>
>To: <bugtraq_at_securityfocus.com>
>Subject: Microsoft AntiSpyware Beta and Windows Scripting Host
>Date: Thu, 3 Mar 2005 08:41:37 -0800
>
>The Scripting Guys wrote a good article on Technet yesterday summarizing
>how System Administrators can work around the script-blocking feature of
>Microsoft AntiSpyware. After reading the article it is also evident that it
>would be just as easy for Spyware to take the same hints to dodge the MS
>AntiSpyware Beta software.
>
>The final release of this product needs to overcome the challenge of safely
>blocking harmful scripts while at the same time providing a manageable way
>for System Administrators to remotely manage workstations.
>
>The article points out that you can bypass the script blocker by simply
>calling cscript or wscript in front of the script, e.g. cscript myscript.vbs
>would keep the script blocker from blocking a potentially harmful script.
>
>Also, a spyware program could simply take the name of a valid script and
>then AntiSpyware would never prompt the user. For example,
>c:\mydir\myValidScript.vbs could be renamed to myValidScript.old, then
>c:\mydir\myHarmfulScript.vbs could be renamed to MyValidScript.vbs and
>executed without prompting the user. This assumes that the malicious
>program would have access to the proprietary database in which AntiSpyware
>stores its acceptable programs, which is located in the .GCD files in the
>AntiSpyware installation root directory. The proprietary database could
>possibly be replaced with a tampered .GCD file containing an entry for the
>harmful script, e.g. c:\run.vbs.
>
>http://www.microsoft.com/technet/scriptcenter/resources/articles/antispy.mspx
>
>
>
>Joe Stocker, CISSP
>iNet Security Consulting
>www.iNetSecurityConsulting.com
Received on Mar 04 2005
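The weakness Joe describes in the quoted message is that an allowlist keyed on a script's file name or path approves whatever file currently carries that name, so swapping the files underneath it changes nothing from the policy's point of view. The simulation below is an added illustration written for this archive page; it is not code from either poster, from Microsoft AntiSpyware, or from the Technet article, and it assumes nothing about the .GCD format. It creates two constructed scripts in a temporary directory, records the valid one in a path-keyed allowlist and in a SHA-256-keyed allowlist, performs the rename swap from the post, and then asks each policy whether the file now named myValidScript.vbs is approved. The path-keyed policy says yes; the content-keyed policy says no, which is the property a script blocker's "acceptable programs" database needs.

```python
import hashlib
import os
import tempfile

# Constructed sample script bodies for the demonstration (not real files
# from the original post).
VALID_SCRIPT = b'WScript.Echo "approved inventory script"\r\n'
HARMFUL_SCRIPT = b'WScript.Echo "something the administrator never approved"\r\n'


def sha256_of(path):
    """Hex SHA-256 of a file's contents, read in chunks."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def path_allowlist_permits(allowlist, script_path):
    """Name-based policy: the script is approved if its (case-folded)
    path is in the allowlist. Whatever file sits at that path passes."""
    return os.path.normcase(os.path.abspath(script_path)) in allowlist


def hash_allowlist_permits(allowlist, script_path):
    """Content-based policy: the script is approved only if the hash of
    what is actually on disk is in the allowlist."""
    return sha256_of(script_path) in allowlist


def simulate_rename_swap():
    """Reproduce the rename trick from the post against both policies.

    Returns (path_policy_result, hash_policy_result) for the file that
    carries the valid script's name after the swap."""
    with tempfile.TemporaryDirectory() as mydir:
        valid = os.path.join(mydir, "myValidScript.vbs")
        harmful = os.path.join(mydir, "myHarmfulScript.vbs")
        with open(valid, "wb") as f:
            f.write(VALID_SCRIPT)
        with open(harmful, "wb") as f:
            f.write(HARMFUL_SCRIPT)

        # The administrator approves the valid script under each policy.
        path_allow = {os.path.normcase(os.path.abspath(valid))}
        hash_allow = {sha256_of(valid)}

        # The swap described in the post: the valid script becomes .old and
        # the other script takes over the approved name.
        os.rename(valid, os.path.join(mydir, "myValidScript.old"))
        os.rename(harmful, valid)

        return (
            path_allowlist_permits(path_allow, valid),
            hash_allowlist_permits(hash_allow, valid),
        )


if __name__ == "__main__":
    by_path, by_hash = simulate_rename_swap()
    print(f"path-keyed allowlist approves the swapped-in file: {by_path}")
    print(f"hash-keyed allowlist approves the swapped-in file: {by_hash}")
```

The same reasoning covers the tampered-database case at the end of the quoted message: a hash-keyed list only helps if the list itself is protected (signed, or stored where an unprivileged process cannot rewrite it), otherwise an attacker who can replace the .GCD files can simply add the hash of the file they want approved.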
