How Does Your AV Handle Unknown Scripts?

Thread starter: hjlbx
Hello,

Malicious scripts are one of the greatest security threats.

Each AV handles them in different ways.

Here is what I have observed when testing various AV against malicious scripts:

NOTE:

Interpreter = cmd.exe, wscript.exe, cscript.exe, java.exe, javaw.exe, javaws.exe, powershell.exe, powershell_ISE.exe...

Comodo Internet Security
  • Signature detection
  • Unknown scripts are "Run Virtually" sandboxed by default (user can further restrict script access rights within the virtual sandbox)
  • HIPS alert (must be enabled by user)
  • Firewall alert for the specific script file when it makes outbound connection (user has option to block all Unrecognized files by default)
  • Real-time protection frequently detects dropped files\hidden malicious download (us. temp\data folders)**
  • Viruscope can reverse some script actions
  • Default-Deny configuration will block all Unrecognized files*, including scripts
* Currently, a few portable installers (file extension .pfa) can bypass Default-Deny; has been reported to development.

Kaspersky Internet Security
  • Signature detection
  • No virtual sandbox
  • Will contain Unrecognized scripts with Low or High Restricted access to system resources
  • HIPS alert
  • Firewall alert only for the interpreter - but only if user creates "Prompt" firewall rule for that interpreter for outbound connections
  • Real-time protection frequently detects dropped files\hidden malicious download (us. temp\data folders)**
  • System Watcher does not reverse script actions
  • Default-Deny configuration* will block all Unrecognized files, including scripts
* Default-Deny configuration may cause Application Control to malfunction on some systems; reported to development.

Webroot
  • Signature detection
  • No virtual sandbox
  • Unknown script will be monitored for malicious activity; might be terminated and rolled back automatically, or the user can block and reverse
  • No firewall alert
  • Real-time protection frequently detects dropped files\hidden malicious download (us. temp\data folders)**
  • Default-Deny configuration will block any script not rated as "Safe" in Webroot Intelligence Network

Avira Free and Pro
  • Signature detection
  • No virtual sandbox
  • No HIPS
  • No firewall alert
  • Real-time protection frequently detects dropped files\hidden malicious download (us. temp\data folders)**
  • No block and reverse possible
  • No Default-Deny configuration possible
** Generally only includes malware > 3 days old\previously black-listed by AV vendor

If anyone sees any mistakes let me know; I will correct.

* * * * *

Please add your AV of choice.
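The opening post compares two models for an unknown script started through one of the listed interpreters: a Default-Deny configuration that blocks anything not rated safe, and monitoring that flags unrecognized scripts launched from temp/data folders and otherwise watches their behaviour. The script below is an added example for this thread, not code from any AV vendor named above; it applies both models to a few constructed process-creation records. The log format, the `script_sha256` field, the script-extension list, the drop-folder list and every hash value are assumptions of the example.

```python
"""Default-deny versus monitoring of unknown script launches, modelled on
the comparison in the opening post. Added example; not vendor code.
The log format, extension list, folder list and hashes are constructed."""
import re
from pathlib import PureWindowsPath

# Script interpreters named in the opening post (lower-case for matching).
INTERPRETERS = {
    "cmd.exe", "wscript.exe", "cscript.exe", "java.exe", "javaw.exe",
    "javaws.exe", "powershell.exe", "powershell_ise.exe",
}

# An absolute Windows path to a script file inside a command line.
# The extension list is this example's assumption, not from the post.
SCRIPT_PATH_RE = re.compile(
    r'[A-Za-z]:\\[^"]*?\.(?:js|jse|vbs|vbe|wsf|ps1|bat|cmd|jar)\b',
    re.IGNORECASE,
)

# The "temp\data folders" the post says dropped payloads land in (assumed set).
DROP_FOLDERS = ("\\temp\\", "\\appdata\\", "\\downloads\\")

# Constructed process-creation record, one event per line. script_sha256 is
# the hash of the script file ("-" if none) as a file-reputation engine would
# compute it; the values are placeholders, not real hashes.
EVENT_RE = re.compile(
    r'^(?P<ts>\S+) parent=(?P<parent>\S+) image=(?P<image>\S+) '
    r'cmdline="(?P<cmdline>[^"]*)" script_sha256=(?P<script_hash>\S+)$'
)

# Default-deny allow-list: script hashes rated "safe" (constructed).
ALLOWLIST = {"constructed-hash-2"}  # the scheduled nightly.bat

LOG = r"""
2016-02-01T10:00:01 parent=explorer.exe image=C:\Windows\System32\wscript.exe cmdline="wscript.exe C:\Users\bob\AppData\Local\Temp\invoice.js" script_sha256=constructed-hash-1
2016-02-01T10:00:05 parent=services.exe image=C:\Windows\System32\cmd.exe cmdline="cmd.exe /c C:\Program Files\Backup\nightly.bat" script_sha256=constructed-hash-2
2016-02-01T10:00:09 parent=winword.exe image=C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe cmdline="powershell.exe -w hidden -f C:\Users\bob\Downloads\setup.ps1" script_sha256=constructed-hash-3
2016-02-01T10:00:12 parent=explorer.exe image=C:\Tools\Editor\editor.exe cmdline="editor.exe notes.txt" script_sha256=-
""".strip()


def parse_event(line):
    """Return the event fields as a dict, or None if the line does not parse."""
    m = EVENT_RE.match(line)
    return m.groupdict() if m else None


def assess(event, default_deny=True, allowlist=ALLOWLIST):
    """Return (verdict, reason) for one process-creation event.

    default_deny=True mirrors a Default-Deny configuration: any script not on
    the allow-list is blocked. default_deny=False mirrors monitoring: alert
    when an unrecognized script runs from a temp/data folder, else watch it.
    """
    image = PureWindowsPath(event["image"]).name.lower()
    if image not in INTERPRETERS:
        return "ignore", f"{image} is not a script interpreter"
    m = SCRIPT_PATH_RE.search(event["cmdline"])
    if m is None:
        return "monitor", f"{image} launched without a script file argument"
    script = m.group(0)
    if event["script_hash"] in allowlist:
        return "allow", f"{script} is rated safe"
    if default_deny:
        return "block", f"{script} is unrecognized (default-deny)"
    if any(folder in script.lower() for folder in DROP_FOLDERS):
        return "alert", f"{script} is unrecognized and runs from a temp/data folder"
    return "monitor", f"{script} is unrecognized; watching its behaviour"


def triage(log, default_deny=True):
    """Parse every line of a log; return [(timestamp, verdict, reason), ...]."""
    results = []
    for line in log.splitlines():
        event = parse_event(line)
        if event is None:
            continue
        verdict, reason = assess(event, default_deny)
        results.append((event["ts"], verdict, reason))
    return results


if __name__ == "__main__":
    for mode in (True, False):
        print("default-deny" if mode else "monitoring")
        for ts, verdict, reason in triage(LOG, mode):
            print(f"  {ts} {verdict:8} {reason}")
```

Running it shows the trade-off the thread keeps returning to: in default-deny mode both unrecognized scripts are blocked regardless of where they sit, while the allow-listed `nightly.bat` still runs; in monitoring mode the same two launches only raise alerts because their paths fall in the assumed temp/data folders, and an unrecognized script elsewhere would merely be watched.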
 
Emsisoft
  • Signature-based detection (no heuristics, at least for the Emsi engine; Bitdefender may also use heuristics).
  • BB alert (however, if the script is e.g. a VBS file run by WSCRIPT.exe, BB may not detect that, but if it starts something malicious, i.e. downloading more malware, the user will see an alert).*
  • If the malware tries to dial a known compromised host, the connection will be blocked.
  • A firewall alert for the outbound connection.
  • Actually, most of the dropped files are detected by signatures by Bitdefender or Emsi as well.
*BB asks the cloud to verify whether a program is blacklisted or not; it doesn't use user reputation anymore. Also, BB will monitor all unknown processes.
 
Yes. This is what I have seen.

With most malicious scripts, Surf Protection would alert to malicious host... e.g. download-attach.com.

I never saw a Behavior Blocker alert for scripts - but that doesn't mean they don't occur.
 
Right now I use Comodo with anti-executable: NVT ERP, VS or AG.
I see. Last question: will anti-executables like VoodooShield or NVT ERP work against malicious scripts? If so, then which one do you prefer for me, Comodo or anti-executable? Btw, bookmarked this page :)
 
Anti-executable will block the running of anything - both malicious and safe files newly introduced to the system.

I like all three, but if you are new to using anti-executables then VS or NVT ERP would be a good start.

You will find all three main AEs (VS, NVT ERP and AG) are good. It comes down to personal preference.