mysec
Premium Member
join:2005-11-29

1 recommendation

mysec to Jrb2

Re: Blocking Scripts with ScriptSentry, ScriptDefender

Sorry for the confusion, Jrb2. The tests were done at different times.

wscript
wscript.exe
wscript.exe /e:vbscript

are essentially the same command. The /e:vbscript is required when the command interpreter doesn't recognize the file type. If I spoof the file extension as finjan.xyz an error message displays:




But if I tell the command interpreter, "this is a vbs file so use the vbscript engine to open it":




At a command prompt, type: wscript /?

and you will see all of the options/arguments

You mentioned WormGuard blocks the file using the command prompt, but you didn't post the command you used.

First, it does block if you don't use wscript.exe because this invokes the VBS file association which WormGuard intercepts:




However, using wscript.exe bypasses the WormGuard intercept:




The same thing happens using autorun.inf:

WG intercepts with this code:

[autorun]
open=finjan.vbs
 

but does not when wscript.exe is used:

[autorun]
open=wscript.exe finjan.vbs
 

Therefore, WG has the same weakness as the other script blocking programs, and some other means of protection is needed if there is a concern that a malicious script file could somehow be run using the wscript.exe command.

Let me know if there is anything else about this that I haven't thought of.

----
rich
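
As an added example, not part of the original post: a small Python audit of autorun.inf content that separates the two launch styles the post compares, a script opened through its file association versus a script host named explicitly, and also flags the /e: engine switch that makes the file extension irrelevant. The function names, reason codes and sample content are constructed for illustration; cscript.exe is included on the assumption that it behaves like wscript.exe here.

```python
import re
import shlex
from pathlib import PureWindowsPath

SCRIPT_HOSTS = {"wscript", "wscript.exe", "cscript", "cscript.exe"}
SCRIPT_EXTS = {".vbs", ".vbe", ".js", ".jse", ".wsf", ".wsh"}
LAUNCH_KEY = re.compile(r"^(open|shellexecute|shell\\[^\\=]+\\command)$", re.I)
ENGINE_SWITCH = re.compile(r"^//?e:\S+$", re.I)

def classify(command):
    """Return reason codes (constructed labels) for one launch command."""
    try:
        tokens = shlex.split(command, posix=False)  # keeps backslashes intact
    except ValueError:                              # unbalanced quotes
        tokens = command.split()
    tokens = [t.strip('"') for t in tokens]
    if not tokens:
        return []
    target = PureWindowsPath(tokens[0])
    if target.name.lower() in SCRIPT_HOSTS:
        # Host named explicitly: the .vbs file association is never consulted.
        reasons = ["DIRECT_HOST"]
        if any(ENGINE_SWITCH.match(t) for t in tokens[1:]):
            # Engine forced, so the script's extension (e.g. .xyz) means nothing.
            reasons.append("ENGINE_OVERRIDE")
        return reasons
    if target.suffix.lower() in SCRIPT_EXTS:
        return ["ASSOCIATION"]  # the path an association-based blocker sees
    return []

def audit_autorun(text):
    """Return (key, command, reason) for each launch entry under [autorun]."""
    findings, in_section = [], False
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("["):
            in_section = line.lower() == "[autorun]"
            continue
        key, sep, value = line.partition("=")
        key, value = key.strip().lower(), value.strip()
        if in_section and sep and LAUNCH_KEY.match(key):
            findings += [(key, value, r) for r in classify(value)]
    return findings

if __name__ == "__main__":
    # Constructed sample, modelled on the entries quoted in the post.
    sample = "[autorun]\nopen=wscript.exe /e:vbscript finjan.xyz\n"
    for finding in audit_autorun(sample):
        print(finding)
```

A DIRECT_HOST finding marks the entries that, per the tests in the post, an association-based script blocker does not intercept, so those need a control that watches the script host process itself.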