Emsisoft Now Has Script\Interpreter Protections

hjlbx

Thread author
Posted by Fabian Wosar, Emsisoft Development at Wilders Security:

The support for script interpreters and host processes is inside the stable version already, correct. VBS is supported by the way:

[Image: vbs_parsing.png]

To give you a full list of what script interpreters and host processes are supported at the moment:
  • cmd.exe (Batch scripts)
  • cscript.exe (VBS, VBE, ...)
  • wscript.exe (VBS, VBE, ...)
  • mshta.exe (HTML applications)
  • regsvr32.dll (DLLs)
  • mmc.exe (Management Console Plugins)
  • regedit.exe (Registry scripts)
  • regedt32.exe (Registry scripts)
  • rundll32.exe (DLLs)
  • rundll.exe (DLLs)
  • powershell.exe (PowerShell scripts, currently incomplete due to the many ways PowerShell can be used for scripting)
  • msiexec.exe (MSI installers)
  • java.exe (JAVA applications)
  • javaw.exe (JAVA applications)
There are a few missing, but I think we cover most of what is shipping with Windows.

Emsisoft Anti-Malware & Emsisoft Internet Security 10 available: http://www.wilderssecurity.com/threads/emsisoft-anti-malware-emsisoft-internet-security-10-available.376071/page-14#post-2532798
 

Online_Sword
cmd.exe (Batch scripts)

What kind of bat file could EIS block?
Just now I have tried to double click a bat file that will delete some files in the current directory, and it is not prevented by EAM.
Then...consider a bat file that contains malicious commands like "format C", could it be blocked or not?
 
LabZero
Should this help against client-side "reflected" cross-site scripting (JavaScript, VBScript, Flash, HTML) in browsers that already have this protection?
 
hjlbx
What kind of bat file could EIS block?
Just now I have tried to double click a bat file that will delete some files in the current directory, and it is not prevented by EAM.
Then...consider a bat file that contains malicious commands like "format C", could it be blocked or not?

EAM\EIS is not an anti-executable like AppGuard, NoVirus Thanks Exe Radar Pro or VooDooShield.

If a malicious script triggers the Behavior Blocker, then it will generate an alert. So, in other words, unless a file does something covered by the BB, EAM\EIS will not alert. I have submitted a really nasty WinKill script to Emsi that deletes the entire disk. The reply was they can't do anything about that (since there are valid scripts that perform deletions...). It is a new feature, so let 'em figure it out...

The command line\host process parser attributes actions to the file (script) directly, and if the file (script) actions trigger the Behavior Blocker, then you will get an alert like Fabian shows above. Deletion of objects is not covered by the Behavior Blocker ... and you can easily envision why that is...

By the way, you can block all interpreters in EAM\EIS, but this will break some apps... currently, there is no way to "Alert" upon interpreter execution like NVT ERP. Knowing Emsisoft, I highly doubt they would ever add such functionality as their stated goal is to reduce the number of alerts - not add more.
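Fabian's list of host processes at the top of the thread and hjlbx's description of the command line parser attributing actions to the script file are the two pieces a behaviour blocker needs: the host executable is always a legitimate Windows binary, so an alert is only useful if it names the script or DLL the host was told to run. The Python below is an added example written for this thread, not Emsisoft code. It uses the host-process list from the post and resolves the script argument from a process command line; the per-host extension lists, the reading of the post's "regsvr32.dll" as regsvr32.exe, and the sample command lines are my assumptions and constructed data.

```python
"""Attribute a script host's actions to the script it was launched with.

Added example for the thread above, not Emsisoft code. It resolves the
script/DLL argument from a process command line so that behaviour can be
judged against the script file instead of the (always legitimate) host.
"""
import ntpath
import shlex
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Host processes from Fabian Wosar's list. The extension tuples are my
# assumption of what each host launches; the post does not list them.
# The post writes "regsvr32.dll"; I assume regsvr32.exe was meant.
HOST_PROCESSES: Dict[str, Tuple[str, ...]] = {
    "cmd.exe": (".bat", ".cmd"),
    "cscript.exe": (".vbs", ".vbe", ".js", ".jse", ".wsf"),
    "wscript.exe": (".vbs", ".vbe", ".js", ".jse", ".wsf"),
    "mshta.exe": (".hta",),
    "regsvr32.exe": (".dll", ".ocx"),
    "mmc.exe": (".msc",),
    "regedit.exe": (".reg",),
    "regedt32.exe": (".reg",),
    "rundll32.exe": (".dll",),
    "rundll.exe": (".dll",),
    "powershell.exe": (".ps1",),
    "msiexec.exe": (".msi",),
    "java.exe": (".jar", ".class"),
    "javaw.exe": (".jar", ".class"),
}


@dataclass
class Attribution:
    host: str               # image name of the interpreter, e.g. "cscript.exe"
    script: Optional[str]   # resolved script/DLL path, or None if not found
    attributed_to: str      # the name a behaviour alert should report


def _clean(token: str) -> str:
    """Drop the quotes shlex keeps in non-POSIX mode."""
    return token.strip('"').strip()


def attribute(command_line: str) -> Optional[Attribution]:
    """Return who to blame for a process, or None if it is not a script host.

    Windows command lines are split in non-POSIX mode so that backslashes in
    paths are kept literally and quoted paths with spaces stay one token.
    """
    try:
        tokens = shlex.split(command_line, posix=False)
    except ValueError:        # unbalanced quotes: nothing sensible to parse
        return None
    if not tokens:
        return None
    host = ntpath.basename(_clean(tokens[0])).lower()
    if host not in HOST_PROCESSES:
        return None           # ordinary executable: it is its own actor
    exts = HOST_PROCESSES[host]
    for raw in tokens[1:]:
        arg = _clean(raw)
        if host in ("rundll32.exe", "rundll.exe"):
            arg = arg.split(",", 1)[0]   # rundll32 takes "path.dll,EntryPoint"
        if arg.lower().endswith(exts):
            return Attribution(host, arg, ntpath.basename(arg))
    # No resolvable script file (inline -Command, interactive shell, ...):
    # fall back to the host itself. This is the gap the post describes
    # for PowerShell, where the script is not always a file argument.
    return Attribution(host, None, host)


def triage(command_lines: List[str]) -> List[Tuple[str, str]]:
    """Return (host, attributed_to) for every script-host launch seen."""
    results = []
    for cl in command_lines:
        a = attribute(cl)
        if a is not None:
            results.append((a.host, a.attributed_to))
    return results


# Constructed sample process-creation command lines (not real telemetry).
SAMPLE_EVENTS = [
    r'"C:\Windows\System32\cscript.exe" //B "C:\Users\alice\Downloads\invoice.vbs"',
    r'rundll32.exe C:\Users\alice\AppData\Local\Temp\helper.dll,Start',
    r'cmd.exe /c C:\Users\alice\Desktop\cleanup.bat',
    r'powershell.exe -NoProfile -Command Get-Date',
    r'"C:\Program Files\Notepad++\notepad++.exe" C:\notes.txt',
]

if __name__ == "__main__":
    for host, actor in triage(SAMPLE_EVENTS):
        print(f"{host:16} -> {actor}")
```

The last sample shows the design point: an ordinary program is skipped entirely, while a script host without a file argument is still reported, just under its own name, because the parser cannot do better than the BB's fallback there.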
 
hjlbx
Should this help against client-side "reflected" cross-site scripting (JavaScript, VBScript, Flash, HTML) in browsers that already have this protection?

The command line parser is tied to the Behavior Blocker; it is not a classic anti-executable, but I would imagine most drive-by downloaded scripts would trigger the BB.

Everybody... we need malicious script samples !!!

Where's @Petrovic ? He always finds and supplies the best Evil.Scripts from the wild... ;)
 
illumination
They need to focus on current issues/bugs in the internet suite before adding any more features to their product. You know, like maybe that misplaced Firewall rule that keeps the product itself from updating, and also stops Windows updates. In the forum, they said to wait until the next Beta release and they should have this fixed; I'm like, what??? o_O I would assume you would find this a priority and patch it right away :rolleyes:
 
hjlbx
They need to focus on current issues/bugs in the internet suite before adding any more features to their product. You know, like maybe that misplaced Firewall rule that keeps the product itself from updating, and also stops Windows updates. In the forum, they said to wait until the next Beta release and they should have this fixed; I'm like, what??? o_O I would assume you would find this a priority and patch it right away :rolleyes:

I didn't know about it. What firewall rule? Can the user fix it themselves, or is it an unexposed firewall policy?

I haven't experienced a hiccup on W8.1.

Anyhow, yeah, I've kind of noticed a little bit of a change with Emsi. Not sure what precisely is up.
 
illumination
I didn't know about it. What firewall rule? Can the user fix it themselves, or is it an unexposed firewall policy?

I haven't experienced a hiccup on W8.1.

Anyhow, yeah, I've kind of noticed a little bit of a change with Emsi. Not sure what precisely is up.
It is under an unexposed policy. I did not dig far enough to find which one, after testing the product on my machine. I installed it, and was setting it up, went to run an update for the program and it failed, repeatedly. I then went to test other software, and browsers could connect etc., but Windows Update failed as well, repeatedly.

You can find a few threads on it.

EIS cause Windows Update unable to connect to the internet. - Emsisoft Internet Security
 
hjlbx
It is under an unexposed policy. I did not dig far enough to find which one, after testing the product on my machine. I installed it, and was setting it up, went to run an update for the program and it failed, repeatedly. I then went to test other software, and browsers could connect etc., but Windows Update failed as well, repeatedly.

You can find a few threads on it.

EIS cause Windows Update unable to connect to the internet. - Emsisoft Internet Security

If it is an unexposed, internal EIS firewall policy then ... yeah ... the user cannot fix it. Andrew, the Emsi firewall module manager, is good about pushing fixes out fast.

Beta update for this sort of issue is typically released within hours to days ... but maybe it is a little complicated.
 

SloppyMcFloppy
It is under an unexposed policy. I did not dig far enough to find which one, after testing the product on my machine. I installed it, and was setting it up, went to run an update for the program and it failed, repeatedly. I then went to test other software, and browsers could connect etc., but Windows Update failed as well, repeatedly.

You can find a few threads on it.

EIS cause Windows Update unable to connect to the internet. - Emsisoft Internet Security

That sucks, and there is no ETA on when the next beta is released. That's why I am using Qihoo 360 TSE atm, and all I can say is this software is great so far.
 
hjlbx
By the way, turn off beta updates for the time being. Latest one can cause issues if you mess with Application Rules.
 
illumination
By the way, turn off beta updates for the time being. Latest one can cause issues if you mess with Application Rules.
I just laughed out loud at this post... Turn on Beta updates to update your program and Windows, oops, never mind, if you mess with application rules you may want to turn it back off..

Sorry, I couldn't resist. Do not get me wrong, I'm an old lover and user of Emsisoft products, and typically they have been decent about fixes for issues, but this recent one is pretty serious. If one cannot update the product itself and/or Windows updates without disabling protection and re-enabling it, this is a problem, one that should hold priority over everything else, including new features.

I had EIS V10 on my system for less than 12 hours before pulling it back off. I have to give them props: I remember OA causing instant blue screens upon install at one time, but the installation with V10 was pretty smooth; once polished it will hold its own weight in this market and then some.
 
hjlbx
I just laughed out loud at this post... Turn on Beta updates to update your program and Windows, oops, never mind, if you mess with application rules you may want to turn it back off..

Sorry, I couldn't resist. Do not get me wrong, I'm an old lover and user of Emsisoft products, and typically they have been decent about fixes for issues, but this recent one is pretty serious. If one cannot update the product itself and/or Windows updates without disabling protection and re-enabling it, this is a problem, one that should hold priority over everything else, including new features.

I had EIS V10 on my system for less than 12 hours before pulling it back off. I have to give them props: I remember OA causing instant blue screens upon install at one time, but the installation with V10 was pretty smooth; once polished it will hold its own weight in this market and then some.

I'm not sure what the problem is with Emsi as of late. Maybe it's just coincidence, maybe staffing shortage, ... , who knows.

I just reverted to stable v 10.0.0.5735 by de-selecting "Enable beta updates" and performed a successful Windows update.

Just like virtually everything else, it is probably a system specific quirk...
 

cruelsister
If script detection will also extend to Emsisoft Emergency Kit this would be an important advance, as neither of the two other major 2nd opinion scanners (MB and HMP) is very good at detecting active worm infections.

I'd like to flatter myself and think that Emsisoft reacted to my previous videos about the 2nd opinion scanners' inability to react to Scriptors, but being a kind, gentle, and humble person I won't do so...
 
hjlbx
If script detection will also extend to Emsisoft Emergency Kit this would be an important advance, as neither of the two other major 2nd opinion scanners (MB and HMP) is very good at detecting active worm infections.

I'd like to flatter myself and think that Emsisoft reacted to my previous videos about the 2nd opinion scanners' inability to react to Scriptors, but being a kind, gentle, and humble person I won't do so...

Oh, I'm right there with you on that one, but Emsi will never incorporate BB functionality into EEK.

Their motivation... I think you pushed Christian Mairoll and Fabian Wosar right over the edge with your video ... :D

Hee, hee... it was on their "To Do" list, but, I think, way down... your video sent it right to the top, I think.
 

Moose
Salutations, Friends!

For anyone to answer the following question below:

Post # 4.
Would any of the anti-executables listed below stop the really nasty WinKill Script that deletes the entire disk?
And how would you get rid of this WinKill Script?

AppGuard, NoVirus Thanks Exe Radar Pro and/or VooDooShield.

Kind regards,
 
hjlbx
Salutations, Friends!

For anyone to answer the following question below:

Post # 4.
Would any of the anti-executables listed below stop the really nasty WinKill Script that deletes the entire disk?
And how would you get rid of this WinKill Script?

AppGuard, NoVirus Thanks Exe Radar Pro and/or VooDooShield.

Kind regards,

They all do... but Emsisoft does not. I submitted it to them, but a complete disk delete is not part of the BB detection. I will continue to work on getting it added, but I am not hopeful at this point in time.

How would you get rid of it ? ... don't execute it. If you're talking about the w_d.bat version, all you have to do is quickly close cmd.exe. However, whatever files have been deleted before you close cmd.exe are gone Buddy...

Run w_d.bat with UAC off and it really will kill your system... like pound it to dust.

If you run WinKill script inside Comodo sandbox, the only files deleted are in the downloads folder. However, you can virtualize the Downloads folder or add it to Protected Folders - which denies any access by any sandboxed file to user-defined folders. Comodo almost always gives user a way to work around problems... and... bugs... but some bugs have no fix. Hee, hee... had to take a jab... I've earned it the hard way ...
 

Azure
It is under an unexposed policy. I did not dig far enough to find which one, after testing the product on my machine. I installed it, and was setting it up, went to run an update for the program and it failed, repeatedly. I then went to test other software, and browsers could connect etc., but Windows Update failed as well, repeatedly.

You can find a few threads on it.

EIS cause Windows Update unable to connect to the internet. - Emsisoft Internet Security
I haven't had any issue with updating Emsisoft or Windows Update.
 

Moose
@hjlbx,

Wondering if Sandboxie would protect against the WinKill Script?
And thank you for the fast response to my question.

Making today a great day! And tomorrow an even better one.

And can you submit the sample to Sandboxie.

Kind regards,
 
hjlbx
@hjlbx,

Wondering if Sandboxie would protect against the WinKill Script?
And thank you for the fast response to my question.

Making today a great day! And tomorrow an even better one.

And can you submit the sample to Sandboxie.

Kind regards,

Sandboxie... I have to test, but I would think it would - but only if properly configured. Sounds familiar, right ?

With Sandboxie there is a lot of configuration possible... like Comodo. So I would be surprised if an advanced-configured "Secure" box did not protect.

I have to find the script sample again... I lost it... Hee, hee...

If there is a bypass, of course I would let SBIE know about it by giving Invincea the script. Whether they can, or will, fix it is an entirely different matter.

Default Sandboxie box, I think, will not protect...
 