Script Blocker mystery

I can hardly evaluate the risk of not having Script Blocker and simply using Avast Home 4.8.
Does anyone know how?

I don’t really get what you mean…

Are you asking what is the point of the script blocker?

If that’s the question, there are lots of reasons. Just look around the forum for people that have had iFrame detections and a bunch of other obfuscated scripts on webpages that they’ve visited.

Just use avast (all providers that you can possibly use).

Are those obfuscated scripts JavaScripts, VB scripts, or ActiveX codes? Do you mean Avast Home, especially Web Shield, can do nothing against malicious web page scripts? I contacted Avast Tech support by mail, but I was unable to draw a conclusion or to understand the clearly defined role of Script Blocker so as to evaluate how risky it is to run Avast Home 4.8 without it. If Avast Tech support does not object to this, I will post the email discussion proceedings of ticket PIN-945700 so that you may help bridge the gap of understanding.

Well, avast! has had Script Blocker since version 4.0, while Web Shield was introduced much later (in v4.6).
Now, Web Shield detects most things Script Blocker would have (including obfuscated scripts)… and much more. However, yes, there are also (minor, I’d say) situations when Script Blocker may detect something more.

In particular:

  1. If the file doesn’t come from the web, but rather from disk (i.e. if you load an infected web page from disk, which includes the browser cache - even though in that case you must have visited the site previously anyway), then it cannot be detected by Web Shield, of course.
  2. In very specific cases (and I am not aware of any at the moment), it’s possible that the Script Blocker detects a malicious script after decryption (if WebShield doesn’t detect the encrypted parent).
  3. Script Blocker works even for encrypted connections (HTTPS), where Web Shield doesn’t see the traffic.
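Added example, not part of the original posts and not avast! code: a toy Python model of the three cases listed above, with one shared signature set checked at a traffic-level scan point and at an execution-level scan point. The marker string, the `DECODE:` wrapper convention and all function names are assumptions made for illustration.

```python
import base64
from dataclasses import dataclass

# Constructed, harmless marker standing in for one entry of a virus database.
# Both scan points share it, as the thread says the scanners share signatures.
SIGNATURES = {"Constructed.Test.Script": "EXAMPLE_BAD_MARKER"}

def scan(text):
    """Return the names of all signatures found in text."""
    return [name for name, marker in SIGNATURES.items() if marker in text]

@dataclass
class Delivery:
    source: str  # "http", "https" or "disk" (disk includes the browser cache)
    body: str    # script text as it arrives

def engine_inputs(body):
    """Every piece of source the script engine is handed for this delivery.

    Toy convention (an assumption): a body starting with "DECODE:" carries a
    base64 inner script that it decodes and passes back to the engine.
    """
    layers = [body]
    while layers[-1].startswith("DECODE:"):
        layers.append(base64.b64decode(layers[-1][len("DECODE:"):]).decode())
    return layers

def network_scan(d):
    """Traffic-level scan point: only plaintext HTTP bodies are visible."""
    return scan(d.body) if d.source == "http" else []

def execution_scan(d):
    """Execution-level scan point: checks each script just before it runs."""
    return [hit for layer in engine_inputs(d.body) for hit in scan(layer)]

def compare(deliveries):
    """Map a label to (seen at network level, seen at execution level)."""
    return {label: (bool(network_scan(d)), bool(execution_scan(d)))
            for label, d in deliveries.items()}

PLAIN = "var x = 'EXAMPLE_BAD_MARKER';"
WRAPPED = "DECODE:" + base64.b64encode(PLAIN.encode()).decode()
SAMPLES = {
    "http, plain": Delivery("http", PLAIN),
    "disk or cache": Delivery("disk", PLAIN),
    "https": Delivery("https", PLAIN),
    "http, encoded parent": Delivery("http", WRAPPED),
}

if __name__ == "__main__":
    for label, result in compare(SAMPLES).items():
        print(f"{label:22} network={result[0]!s:5} execution={result[1]}")
```

Only the plain HTTP delivery is visible at both points; the other three are caught only at execution time, which matches items 1 to 3 of the list.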

Now I’m confused ???

I read somewhere that Script Blocker either does not work in Vista or is unnecessary.

I have avast! Professional Edition that I have on my XP Pro system that I purchased back in February when there was the 75 million user promotion and was thinking of putting it on my new Vista Home Premium system but now I’m not sure that it will work.

I do know that on my XP Pro system a very brief popup opens showing the Script Blocker is active when I open IE8 or a new tab is opened.

Whatever the outcome, avast! is hard to beat.

Vista has IE8 running in Protected Mode.
Script Blocker is not loaded in this situation (or at least not effective). I do not see the splash screen, for instance.

Here is the email message I sent to Avast! tech support around 37 hours ago.
The date stamps like (2009/5/5) and (2009/5/6) are the dates Avast sent in the email answers.

Let me summarize what I have received with regard to the function of Script
Blocker:

  1. Even without Script Blocker, your protection will be the same because of
    the same scan engine with PRO(2009/5/5).
  2. Script blocker avoids to execute scripts… scriptblocker is protecting
    computer in source code(2009/5/6).
  3. script is being stopped when loading web page with script
    content…Script blocker detects script viruses and it is in the Avast virus
    catalog(2009/5/7).
  4. You are protected against JavaScript codes and VBScript codes but there
    is some small number of scripts using advanced technologies (eg. cooperation
    with rootkits or saving in the hidden folders) when only scriptblocker is
    able to detect them(2009/5/13).

While I have kept asking since 2009/5/7, “Where can I find, at your site or
in your documents, how many different types of malicious JavaScript codes,
VB scripts, or ActiveX codes that Script Blocker can detect and block?”, I
have not received well referenced answers to show the types of scripts or
even name list of malicious scripts that Script Blocker can stop as to help
me evaluate how risky to run Avast Home 4.8 without it.
When I responded to your 5/13’s explanation with “Should Script Blocker be
called Advanced Rootkit Blocker?” and “Is there a list of rootkits which can
be detected only by Script Blocker but not by the built-in GMER
anti-rootkit?”, I got no direct response.

If you can provide answers with sources of reference and help respond to my
returning questions to your answers, then we may converge faster to
something that makes sense to both of us.

And the very last response I got from Avast (on 2009/5/19) was:

Script blocker hasn’t anything related to anti-rootkit. They are two separated components with absolutely different function.

Hope someone can help bridge the gap.

I’ve turned the notifications of script blocker on. When the protected mode of IE8 is on, there is no notification as it should be. But when I turn the protected mode off, I can see the notifications while surfing, that is, it works. But the splash screen doesn’t appear. So we can conclude that there is no splash screen feature for script blocker on Vista.

Here is a similar topic which I opened before: http://forum.avast.com/index.php?topic=39673.0

You may ask on and on, but you won’t receive an answer - because such information is not available. Script Blocker doesn’t block any specific types of scripts - it’s an antivirus scanner, using the same virus database/signatures as the other scanners; the difference is where it receives the data to scan from. Nobody has ever counted different “types” (whatever it should mean) of scripts it may detect.

Again - the question doesn’t make much sense, because Script Blocker has nothing to do with GMER or rootkits.
So, there’s certainly no such list.

But yes, as I wrote previously, there are certain situations when Script Blocker may be the one detecting the infection (but I really don’t know whether such malware exists for real today).

If no types of scripts can be clearly defined as Script Blocker’s target, can we look from the Windows vulnerability perspective? Based on Microsoft’s “Threats and Countermeasures Guide.doc”, using XP SP2 or a more recent Windows OS will be much safer because it locks down the Local Machine zone. It said, “Many of the exploits that involve the Local Machine zone were mitigated by other changes to Internet Explorer in Windows XP SP2.”
Does Script Blocker help users who are using older Windows OS? If not, then what types of vulnerability will be mitigated by Script Blocker?

That question came up simply trying to clarify Avast’s 5/13 notes - “but there is some small number of scripts using advanced technologies (eg. cooperation with rootkits or saving in the hidden folders) when only scriptblocker is able to detect them”.
Do you understand how Script Blocker ends up like an advanced rootkit blocker?

Web Shield and Standard Shield detect scripts before execution; Script Blocker detects scripts that are already being executed and is looking for known script strings. That’s mostly through WSH or Windows Scripting Host, but is not limited only to that as far as I know.

As for the rootkits, I don’t know how exactly you think they are related. If any script that is known tries to install a rootkit (which is not detected as a file in the first place) it may detect the actions of the bad script. But in the end the Anti-rootkit feature will most probably kick in.
But the primary function of Script Blocker is not rootkit detection, just the same as the Internet Mail provider is not intended for HTTP scanning…

Script Blocker scans scripts just before they are executed - that’s all.
If there’s anything bad in that script (where “bad” is defined by the avast! virus database, i.e. something that can be updated from day to day), the script execution is blocked. Whether the script is “ordinary” and just does something you wouldn’t want it to, or whether it exploits some javascript engine vulnerability - doesn’t matter (as long as the vulnerability doesn’t occur even before the script is started - such as a vulnerability in the HTML parser, for example).
So again - I can’t answer your question (and I don’t think anybody can); there is no list of vulnerabilities this may prevent. There are lots of detections in the avast! database, and if any new [java]script malware appears, we can add another.

How long is a piece of string?
http://www.zyra.org.uk/string0.htm

Are you Avast engineers? Or, where can I look into your referenced documents so that I can learn whether Script Blocker simply blindly blocks all scripts or scans scripts against a different virus DB from Web Shield’s virus DB?

I’m not an avast! engineer, I just work as forum tech support (non official).
I don’t think anyone will explain Script Blocker to you in such detail because to be honest, there is no need to.
Script Blocker is there to protect from malicious scripts during (before) execution. And that’s it. I don’t think any company would explain its features in detail as deep as you seem to expect.
But from my quite extensive knowledge of avast! technologies, avast! doesn’t just blindly block all scripts but relies on an internal database which is updated through regular VPS updates to block just scripts that are known to be malicious or bad.

According to Avast Tech support’s 5/13 email explanation - “You are protected against JavaScript codes and VBScript codes but there is some small number of scripts using advanced technologies (eg. cooperation with rootkits or saving in the hidden folders) when only scriptblocker is able to detect them”, it seems there is something extra played into AV programming than the regular VPS updates even though I did not get the source reference of that explanation either. Do you think Script Blocker may get its update via Avast program updates as well?

I tried to avoid hearsay by asking for source references. I did not ask for anything more than necessary to evaluate the risk of not having Script Blocker, or the risk of simply using Avast Home. Please find http://www.velocityreviews.com/forums/t306748-avast-questions.html, and do you agree with this paper’s suggestion to use Microsoft AntiSpyware (or something newer) if Script Blocker is not available for Avast Home users?

Millions are using avast! Home and no one really bothers with lack of Script Blocker. Besides, it’s not like script malware is in majority anyway…

Yes, I am.

You can’t.
I really don’t understand what you are trying to achieve. As I wrote multiple times already, Script Blocker is just another avast! scanner - so it doesn’t block “blindly” anything, it looks for specific virus signatures. However, whether these signatures are related to an exploit or not, it doesn’t matter at all.

You wanted an answer - so Tech Support guys started to imagine strange scenarios (like you have an active rootkit on your system which hides a script file. So, it’s on your disk, so Web Shield is out of question, it’s hidden from Standard Shield… so Script Blocker may be the last instance to detect it). However, I doubt a rootkit would hide script files (instead of ordinary executables) - besides, if you have an active rootkit on your system (which the antirootkit scanner should detect, btw), blocking or not blocking the script execution would probably be the least of your problems.

Erm, Script Blocker is a part of avast!.. so of course it gets updated with avast! program updates (and its detection is updated with VPS updates)… why shouldn’t it?

I’m afraid such a risk is really hard to estimate. We believe that Web Shield should be sufficient for most of the users… but yes, there is some possibility that sometimes it’s not. And I won’t deny that we are also trying to encourage the users to buy the Professional version…

I wouldn’t agree with that. Seeing the trend in the last few months, I’d say the script malware is the biggest threat these days. Yes, the script eventually passes execution to a real executable, but that can be server-generated (changing every minute or so, so an antivirus program may easily miss it) - so I’d say detecting the scripts is very important.

Actually, we were originally planning to drop the Script Blocker for avast! 5.0 because it looked rather useless for some time - but with the latest development in the malware world, it won’t happen (and there may be some bigger updates in the future).

Well, I meant in terms that script actually makes malicious actions, not just redirecting or serving EXE files. I know that’s a problem by itself because they can spawn new versions every minute…

Btw, while we’re at it, will the Script Blocker free/pay policy apply to avast! 5 like it does for avast! 4.8?
I mean, will Script Blocker still be only a Professional Edition feature or will it also end up in Home Edition when avast! 5 hits the final version?