How Does Your AV Handle Unknown Scripts?


hjlbx

Thread author
Hello,

Malicious scripts are one of the greatest security threats.

Each AV handles them in different ways.

Here is what I have observed when testing various AV against malicious scripts:

NOTE:

Interpreter = cmd.exe, wscript.exe, cscript.exe, java.exe, javaw.exe, javaws.exe, powershell.exe, powershell_ISE.exe...

Comodo Internet Security
  • Signature detection
  • Unknown scripts are "Run Virtually" sandboxed by default (user can further restrict script access rights within the virtual sandbox)
  • HIPS alert (must be enabled by user)
  • Firewall alert for the specific script file when it makes an outbound connection (user has the option to block all Unrecognized files by default)
  • Real-time protection frequently detects dropped files / hidden malicious downloads (usually temp / data folders)**
  • Viruscope can reverse some script actions
  • Default-Deny configuration will block all Unrecognized files*, including scripts
* Currently, a few portable installers (file extension .pfa) can bypass Default-Deny; has been reported to development.

Kaspersky Internet Security
  • Signature detection
  • No virtual sandbox
  • Will contain Unrecognized scripts with Low or High Restricted access to system resources
  • HIPS alert
  • Firewall alert only for the interpreter - but only if user creates "Prompt" firewall rule for that interpreter for outbound connections
  • Real-time protection frequently detects dropped files / hidden malicious downloads (usually temp / data folders)**
  • System Watcher does not reverse script actions
  • Default-Deny configuration* will block all Unrecognized files, including scripts
* Default-Deny configuration may cause Application Control to malfunction on some systems; reported to development.

Webroot
  • Signature detection
  • No virtual sandbox
  • Unknown script will be monitored for malicious activity; might be terminated and rolled back automatically - or - the user can block and reverse
  • No firewall alert
  • Real-time protection frequently detects dropped files / hidden malicious downloads (usually temp / data folders)**
  • Default-Deny configuration will block any script not rated as "Safe" in Webroot Intelligence Network

Avira Free and Pro
  • Signature detection
  • No virtual sandbox
  • No HIPS
  • No firewall alert
  • Real-time protection frequently detects dropped files / hidden malicious downloads (usually temp / data folders)**
  • No block and reverse possible
  • No Default-Deny configuration possible
** Generally only includes malware > 3 days old / previously blacklisted by the AV vendor

If anyone sees any mistakes let me know; I will correct.

* * * * *

Please add your AV of choice.

kiric96

Emsisoft
  • Signature-based detection (no heuristics, at least for the Emsi engine; Bitdefender may use heuristics as well).
  • BB alert (however, if the script is a VBS file, for example, and uses WSCRIPT.exe, BB may not detect that, but if it starts something malicious, i.e. downloads more malware, the user will see an alert). *
  • If the malware tries to dial a known compromised host, the connection will be blocked.
  • A firewall alert for the outbound connection.
  • Actually, most of the dropped files are detected by signatures, by Bitdefender or Emsi as well.
* BB asks the cloud to verify whether a program is blacklisted or not; it doesn't use user rep anymore. Also, BB will monitor all unknown processes.

hjlbx

Thread author
kiric96 said:
Emsisoft
  • Signature-based detection (no heuristics, at least for the Emsi engine; Bitdefender may use heuristics as well).
  • BB alert (however, if the script is a VBS file, for example, and uses WSCRIPT.exe, BB may not detect that, but if it starts something malicious, i.e. downloads more malware, the user will see an alert). *
  • If the malware tries to dial a known compromised host, the connection will be blocked.
  • A firewall alert for the outbound connection.
  • Actually, most of the dropped files are detected by signatures, by Bitdefender or Emsi as well.
* BB asks the cloud to verify whether a program is blacklisted or not; it doesn't use user rep anymore. Also, BB will monitor all unknown processes.

Yes. This is what I have seen.

With most malicious scripts, Surf Protection would alert on a malicious host, e.g. download-attach.com.

I never saw a Behavior Blocker alert for scripts - but that doesn't mean they don't occur.
 

Koroke San

Right now I use Comodo with anti-executable: NVT ERP, VS or AG.
I see. Last question: will an anti-executable like VoodooShield or NVT ERP work against malicious scripts? If so, then which one would you prefer for me, Comodo or an anti-executable? Btw, bookmarked this page :)
 

hjlbx

Thread author
Koroke San said:
I see. Last question: will an anti-executable like VoodooShield or NVT ERP work against malicious scripts? If so, then which one would you prefer for me, Comodo or an anti-executable? Btw, bookmarked this page :)

An anti-executable will block the running of anything newly introduced to the system, both malicious and safe files.

I like all three, but if you are new to using an anti-executable then VS or NVT ERP would be a good start.

You will find all three main AEs - VS, NVT ERP and AG are good. Comes down to personal preference.
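Added illustration (not code from the original post, and not any vendor's engine): a small Python model of the three ways the opening comparison describes an AV deciding about a script host launch, and of the point made just above that an anti-executable blocks unknown safe files as readily as unknown malicious ones. It takes the interpreter list from the NOTE, parses constructed process-creation command lines, and runs each one through a signature blacklist, a Default-Deny allowlist and a behaviour check (outbound connection or a drop into a temp / data folder). All hashes, paths, script contents and hosts are constructed for the example; the ".invalid" hosts never resolve.

```python
import hashlib
import shlex
from dataclasses import dataclass, field

# Script hosts from the thread's NOTE (compared case-insensitively).
INTERPRETERS = {
    "cmd.exe", "wscript.exe", "cscript.exe", "java.exe", "javaw.exe",
    "javaws.exe", "powershell.exe", "powershell_ise.exe",
}
SCRIPT_EXTS = (".vbs", ".vbe", ".js", ".jse", ".wsf", ".ps1", ".bat", ".cmd", ".jar", ".hta")
TEMP_DIRS = ("\\appdata\\local\\temp\\", "\\programdata\\")  # the "temp / data folders"


@dataclass
class ScriptEvent:
    """A process-creation event plus what the process did afterwards (constructed)."""
    cmdline: str
    content: bytes                               # bytes of the script file
    outbound: bool = False                       # made an outbound connection
    dropped: list = field(default_factory=list)  # files it wrote to disk


def sha256(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def parse_launch(cmdline: str):
    """Return (interpreter, script path) if cmdline launches a script host, else None.
    Non-POSIX shlex keeps Windows backslashes and quoted paths intact."""
    parts = [p.strip('"') for p in shlex.split(cmdline, posix=False)]
    if not parts:
        return None
    image = parts[0].rsplit("\\", 1)[-1].lower()
    if image not in INTERPRETERS:
        return None
    script = next((a for a in parts[1:] if a.lower().endswith(SCRIPT_EXTS)), None)
    return image, script


def signature_verdict(ev: ScriptEvent, blacklist: set) -> str:
    """Blacklist: blocks only hashes the vendor has already seen."""
    return "block" if sha256(ev.content) in blacklist else "allow"


def default_deny_verdict(ev: ScriptEvent, allowlist: set) -> str:
    """Default-Deny / anti-executable: anything not on the allowlist is blocked,
    whether it is malicious or a harmless script written yesterday."""
    return "allow" if sha256(ev.content) in allowlist else "block"


def behaviour_verdict(ev: ScriptEvent) -> str:
    """Behaviour monitor: let it run, then judge by what the interpreter did."""
    drops_to_temp = any(any(t in p.lower() for t in TEMP_DIRS) for p in ev.dropped)
    return "terminate-and-rollback" if ev.outbound or drops_to_temp else "allow"


def evaluate(events, blacklist, allowlist):
    """Map each script launch to the verdict of all three modes."""
    results = {}
    for ev in events:
        launch = parse_launch(ev.cmdline)
        if launch is None or launch[1] is None:
            continue  # not a script host, or no script argument on the command line
        image, script = launch
        results[script] = {
            "interpreter": image,
            "signature": signature_verdict(ev, blacklist),
            "default_deny": default_deny_verdict(ev, allowlist),
            "behaviour": behaviour_verdict(ev),
        }
    return results


# --- constructed sample data (not real malware; hosts use the reserved .invalid TLD) ---
KNOWN_BAD = b'Set h = CreateObject("MSXML2.XMLHTTP"): h.Open "GET", "http://a.example.invalid/", False'
NEW_BAD = b'Set h = CreateObject("MSXML2.XMLHTTP"): h.Open "GET", "http://b.example.invalid/", False'
USER_SCRIPT = b'Set f = CreateObject("Scripting.FileSystemObject"): WScript.Echo f.GetDrive("C:").FreeSpace'
SAFE_SCRIPT = b'Copy-Item C:\\data\\*.docx D:\\backup\\ -Force'

BLACKLIST = {sha256(KNOWN_BAD)}    # vendor signature (the "> 3 days old" case)
ALLOWLIST = {sha256(SAFE_SCRIPT)}  # vendor-rated "Safe" / user-approved hash

TMP = r"C:\Users\bob\AppData\Local\Temp"
SAMPLE_EVENTS = [
    ScriptEvent(rf'"C:\Windows\System32\wscript.exe" "{TMP}\invoice.vbs"', KNOWN_BAD,
                outbound=True, dropped=[rf"{TMP}\upd.exe"]),
    ScriptEvent(rf'"C:\Windows\System32\wscript.exe" "{TMP}\new_invoice.vbs"', NEW_BAD,
                outbound=True, dropped=[rf"{TMP}\upd.exe"]),
    ScriptEvent(r'cscript.exe //nologo C:\scripts\diskcheck.vbs', USER_SCRIPT),
    ScriptEvent(r'powershell.exe -ExecutionPolicy Bypass -File C:\scripts\backup.ps1', SAFE_SCRIPT),
    ScriptEvent(r'"C:\Windows\notepad.exe" C:\notes.txt', b"just notes"),  # not a script host
]

if __name__ == "__main__":
    for script, v in evaluate(SAMPLE_EVENTS, BLACKLIST, ALLOWLIST).items():
        print(f"{script:50} sig={v['signature']:5} default-deny={v['default_deny']:5} "
              f"behaviour={v['behaviour']}")
```

Running it shows the trade-off the thread keeps circling: the blacklist catches the old invoice.vbs but passes the byte-for-byte new dropper, Default-Deny blocks both droppers and also the user's harmless diskcheck.vbs, and the behaviour check only fires once the interpreter has actually connected out or dropped into Temp. Real products layer these modes; the model keeps them separate so each decision is visible.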
 