Avast Script Blocker

Why is Script Blocker not included in all products? Doesn’t Avast know that most drive-by downloads are from script viruses? Proved at www.remove-malware.com

Erm… there has to be some difference between the free and paid-for product, right?

I’m not sure what Remove Malware proved (to be honest he’s not exactly conducting scientific tests), but script malware is clearly not the dominating form of malware, not even in drive-by downloads. iframes and redirection scripts, but they aren’t malicious by themselves.
The payload is what’s malicious, and that’s usually in the form of a Win32 binary (EXE file). Either a trojan/backdoor or a fake AV.

If you read this: http://www.dslreports.com/forum/r21926093-Blocking-Scripts-with-ScriptSentry-ScriptDefender~start=20
You will find that the drive-by attack was not that efficient in his tests. The definition of “Script” is the crux of the whole thing. Depending on whether your target is local script files (VBS, HTA, etc.) or browser scripts (JavaScript, ActiveX), they will have different implications. But it seems Avast is not ready to elaborate on that.

I think you’re underestimating the Script Blocker and, especially, the whole functions of avast protection.

If we’re talking about IE, then “script” is anything IE sends into the scripting engine. So certainly VBscript and JavaScript, and certainly not ActiveX.

But won’t those mostly-executed-by-browser IE scripts’ capability be much more restrained than locally initiated VB script files? I wonder how many types of IE scripts may need Script Blocker’s intervention when those IE scripts lose the rein and Web Shield cannot help either. If Web Shield cannot stop recognized mal-JavaScript or other IE scripts but only Script Blocker can, then wouldn’t Avast Home users need an immediate upgrade to PRO or find an alternative for the Script Blocking function?

Welcome to comment on my research of alternatives for the Script Blocking function:
http://forum.avast.com/index.php?topic=45438.msg380955#msg380955

I’m afraid I give up… really don’t know what you want to hear or ask about.

What part don’t you understand? If the script is a BAD JavaScript or whatever script and it is in the signature database, then it will be caught by WebShield (if you are browsing). If it is not detected by WebShield, then it is not in the virus database and will not be detected by Script Blocker. I am talking about IE scripts.

I’ve been trialling Avast Pro on one computer, and I like the script blocker function.

All other computers run Avast Home. I have USB wireless modem, only work single computer at a time, no network, so run standalone computers, different internet at different times, all have same web connect, and basically same desktop platform (XP Home or Pro), same exposure and protections, resident Avast shield at startup, add range of anti-malware when want / need, don’t go there when warned not to, and no worthwhile false positives to talk about since last year.

No bottom-line difference between Avast Home and Pro to date.

But this may depend on the nature of your workload. If you are in a professional IT environment, then it is preferable to work with Pro, which is designed for more technical types (record and research and retrieve or reset exposure and protections). Some IT won’t load Avast Home only because they need to be protected from adverse user behavior, so Pro with after-sales service is a good option for them. But I have yet to find one that says Avast Home is any less effective.

My rule is for home user who is worried about whether their workload means too big exposure for Home to cover, then they should go Pro. Also, if they can afford Pro, then go Pro. That said, my workload and exposure is big and yet I find Avast Home ideal. Granted I also protect against host file intrusion and protect against spyware and the like. All the protections I use can be found in Avast forum.

By running Avast Home I can keep abreast of what picture my people see on their screen and understand what problem they are talking about. Some know Avast, others can barely use MSWord, one only uses the web to bet electronically on the horse races. None of them get viruses anymore, not since they brought their infected PCs around to be fixed. I believe I have had a few brushes with malware, that might have led to infection, but then you would expect that with my exposure.

Trial time is up soon, and I might buy Pro this time around. Since there is work being lined up which may require more depth IT monitor and maintain. With larger external party, extra conditions to consider.

But otherwise, Avast Home seems adequate for computer user.

See it for yourself:
http://www.avast.com/eng/avast-4-professional-antivirus-antispyware.html
It said:

“The resident protection of the Professional Edition includes an additional module, not contained in the Home Edition, called Script Blocker. This module watches all scripts being executed in the operating system (so-called WSH scripts - Windows Scripting Host), and scans all the scripts run as a part of a web page within your web browser (Internet Explorer, Netscape Navigator and Mozilla).”

WSH scripts (e.g., VBScript) are clear to everyone as Script Blocker’s targets. But which browser scripts (e.g., advanced JavaScript) can only be scanned and detected by Script Blocker but not by the ordinary Web Shield is part of the mystery.

For WSH scripts protection, does anyone have a comment on Script Blocker alternatives for those Avast! Home users as the second best choice? http://forum.avast.com/index.php?topic=45438.msg380955#msg380955

To be honest, you’re complicating way too much around Script Blocker provider. It’s there, it’s designed to check scripts and that’s it.

Script Blocker with PUSH Update is already a big update, with the others that are included in Pro.

Silly. Silly. Forgot to mention about media access point - USB plugin is not able to carry malware. :)

It is not a mystery. Script Blocker scans EVERYYYYYYYYYYYYY browser script and WSH script. The WebShield scans the JavaScript and any script that passes through your browser. If the script is on your computer already, then it is scanned by Script Blocker, because the WebShield scans HTTP traffic ONLY. What part don’t you understand? Do you need a map?

READ AGAIN EVERY RESPONSE THAT YOU RECEIVED.

Read this for the explanations regarding the function of Script Blocker I received from Avast Tech Support by mail.
http://forum.avast.com/index.php?topic=45438.msg380729#msg380729

If anyone had explained with a source of reference that Script Blocker simply acts as Web Shield (with some minor differences) + WSH shield, then I would not repeatedly point to the same mystery. Igor’s advice in http://forum.avast.com/index.php?topic=45438.msg380636#msg380636 explained the minor differences, except the not-so-palpable encryption/decryption parts, but it went without a source of reference. Plus, are you aware of any instance where damage is done by JavaScripts or other browser scripts when someone loads an infected web page from disk with only Web Shield protection turned on?

Nevertheless, I still want to know what Avast Home users can do to somewhat mitigate the WSH vulnerability before they get a chance to upgrade to PRO for full protection. Any comment on my proposed alternatives in http://forum.avast.com/index.php?topic=45438.msg380955#msg380955 from you?

Well, if by “acts as” you mean “scans for viruses”, then yes. Otherwise, Script Blocker and Web Shield have (technically) nothing in common, they work in a completely different way (regarding the way they get their data; yes, the final virus scanner is the same again).

Avast alerts on url - Hxxp://www.georgedillon.com/freeware/scriptsentry.shtml

Second link down on page Google search - ‘script sentry’


I have secured 4 instances of alert in the virus chest.
Event viewer reads:

Sign of “Win32:Tipa [Cryp]” has been found in “C:\Documents and Settings\bytebyte\Local Settings\Temporary Internet Files\Content.IE5\T5IEBT4K\getfile-090213-dns[1].gif[UPX]” file.

Sign of “Win32:Tipa [Cryp]” has been found in “C:\Documents and Settings\bytebyte\Local Settings\Temporary Internet Files\Content.IE5\K7S95TWQ\getfile-090213-dns[1].gif[UPX]” file.

Sign of “Win32:Tipa [Cryp]” has been found in “C:\Documents and Settings\bytebyte\Local Settings\Temporary Internet Files\Content.IE5\T5IEBT4K\getfile-090213-dns[1].gif[UPX]” file.

Sign of “Win32:Tipa [Cryp]” has been found in “C:\Documents and Settings\bytebyte\Local Settings\Temporary Internet Files\Content.IE5\K7S95TWQ\getfile-090213-dns[1].gif[UPX]” file.

First analysis from virustotal

MD5: 6e139b35a2a2803cf7d93f9607e7586b
First received: 2009.05.23 00:50:17 UTC
Date: 2009.05.23 00:50:17 UTC [<1D]
Results: 0/40
Permalink: analisis/945ea3afff21067d5d0d4ade8c5460d583e0ed87a379accf218f0b42a0afa30a-1243039817

So I don’t know, as I’m not an expert.
Have emailed the instances to Alwil as potential malware anyway.

I’ll secure my PC first, then I’ll return to virustotal and Avast forum.

False positives?

Alerts perhaps triggered by some of George Dillon’s examples of malware?

Well with firefox I didn’t get an alert on that page (hXXp://www.georgedillon.com/freeware/scriptsentry.shtml), however WOT doesn’t like that site either, see http://www.mywot.com/en/scorecard/georgedillon.com.