How Does Your AV Handle Unknown Scripts ?

[hjlbx]

Hello,

Malicious scripts are one of the greatest security threats.

Each AV handles them in different ways.

Here is what I have observed when testing various AV against malicious scripts:

NOTE:

Interpreter = cmd.exe, wscript.exe, cscript.exe, java.exe, javaw.exe, javaws.exe, powershell.exe, powershell_ISE.exe...

Comodo Internet Security

• Signature detection
• Unknown scripts are "Run Virtually" sandboxed by default (user can further restrict script access rights within the virtual sandbox)
• HIPS alert (must be enabled by user)
• Firewall alert for the specific script file when it makes outbound connection (user has option to block all Unrecognized files by default)
• Real-time protection frequently detects dropped files\hidden malicious download (us. temp\data folders)*
• Viruscope can reverse some script actions
• Default-Deny configuration will block all Unrecognized files**, including scripts

* Currently, a few portable installers (file extension .pfa) can by-pass Default-Deny; has been reported to development.

Kaspersky Internet Security

• Signature detection
• No virtual sandbox
• Will contain Unrecognized scripts with Low or High Restricted access to system resources
• HIPS alert
• Firewall alert only for the interpreter - but only if user creates "Prompt" firewall rule for that interpreter for outbound connections
• Real-time protection frequently detects dropped files\hidden malicious download (us. temp\data folders)**
• System Watcher does not reverse script actions
• Default-Deny configuration* will block all Unrecognized files, including scripts

* Default-Deny configuration may cause Application Control to malfunction on some systems; reported to development.

Webroot

• Signature detection
• No virtual sandbox
• Unknown script will be monitored for malicious activity; might be terminated and rolled-back automatically - or - user can block and reverse
• No firewall alert
• Real-time protection frequently detects dropped files\hidden malicious download (us. temp\data folders)**
• Default-Deny configuration will block any script not rated as "Safe" in Webroot Intelligence Network

Avira Free and Pro

• Signature detection
• No virtual sandbox
• No HIPS
• No firewall alert
• Real-time protection frequently detects dropped files\hidden malicious download (us. temp\data folders)**
• No block and reverse possible
• No Default-Deny configuration possible

** Generally only includes malware > 3 days old\previously black-listed by AV vendor

If anyone sees any mistakes let me know; I will correct.

* * * * *

Please add your AV of choice.

 

[Janl92l]

Dosnt run COMODO unknown scripts automatic into the sandbox?

 

[hjlbx]

Dosnt run COMODO unknown scripts automatic into the sandbox?

Yes.

Thank you, I forgot.

Updated OP.

 

[nsm0220]

Yes.

Thank you, I forgot.

Updated OP.

One more thing about Comodo it only runs it in partly limited at default.

 

[kiric96]

Emsisoft

• Signature based detection (no heuristics at least for emsi engine, Bitdefender may as well use heuristics) .
• BB alert (however if the script is a VBS (for example) file and uses WSCRIPT.exe, BB may not detect that, but if it starts something malicious, ie: download more malware, the user will see an alert). *
• if the malware tries to dial a known compromised host connection will be blocked.
• a firewall alert for the outbound connection
• actually most of the dropped files are detected by signatures by Bitdefender or emsi as well.

*BB ask the cloud to verify if a program is black listed or not, it doesnt use user rep anymore, also BB will monitor all unknown process

 

[hjlbx]

One more thing about Comodo it only runs it in partly limited at default.

Current version Proactive Security default setting is "Run Virtually" with no further restrictions enabled.

 

[hjlbx]

Emsisoft

• Signature based detection (no heuristics at least for emsi engine, Bitdefender may as well use heuristics) .
• BB alert (however if the script is a VBS (for example) file and uses WSCRIPT.exe, BB may not detect that, but if it starts something malicious, ie: download more malware, the user will see an alert). *
• if the malware tries to dial a known compromised host connection will be blocked.
• a firewall alert for the outbound connection
• actually most of the dropped files are detected by signatures by Bitdefender or emsi as well.

*BB ask the cloud to verify if a program is black listed or not, it doesnt use user rep anymore, also BB will monitor all unknown process

Yes. This is what I have seen.

With most malicious scripts, Surf Protection would alert to malicious host... e.g. download-attach.com.

I never saw a Behavior Blocker alert for scripts - but that doesn't mean they don't occur.

 

[EmiLLiaN]

Hi hjlbx

How about 360 Total Security ?

 

[Koroke San]

so wut will u recommend me protection against scripts? Will comodo firewall work?

 

[hjlbx]

so wut will u recommend me protection against scripts? Will comodo firewall work?

Right now I use Comodo with anti-executable: NVT ERP, VS or AG.

 

[Koroke San]

Right now I use Comodo with anti-executable: NVT ERP, VS or AG.

I see. last question, will anti-executable like voodooshield or NVT ERP will work against malicious scriptors? If so then which one u prefer me, comodo or anti-executable? Btw bookmarked this page

 

[hjlbx]

I see. last question, will anti-executable like voodooshield or NVT ERP will work against malicious scriptors? If so then which one u prefer me, comodo or anti-executable? Btw bookmarked this page

Anti-executable will block the running of anything - both malicious and safe files newly introduced to system.

I like all three, but if you are new to using anti-executable then VS or NVT ERP would be good start.

You will find all three main AEs - VS, NVT ERP and AG are good. Comes down to personal preference.