
Microsoft AntiSpyware Beta and Windows Scripting Host



The Scripting Guys wrote a good article on Technet yesterday summarizing how 
System Administrators can work around the script-blocking feature of Microsoft 
AntiSpyware. After reading the article it is also evident that it would be just 
as easy for Spyware to take the same hints to dodge the MS AntiSpyware Beta 
software.

The final release of this product needs to overcome the challenge of safely 
blocking harmful scripts while at the same time providing a manageable way for 
System Administrators to remotely manage workstations. 

The article points out that you can bypass the script blocker by simply calling 
cscript or wscript in front of the script, e.g. cscript myscript.vbs would prevent 
the script blocker from blocking a potentially harmful script. 

Also, a spyware program could simply take the name of a valid script and then 
antispyware would never prompt the user. Example: c:\mydir\myValidScript.vbs 
could be renamed to myValidScript.old, then c:\mydir\myHarmfulScript.vbs could 
be renamed to MyValidScript.vbs and executed without prompting the user. This 
assumes that the malicious program would have access to the proprietary 
database in which antispyware stores its acceptable programs, which is located in 
the .GCD files in the AntiSpyware installation root directory. The proprietary 
database could possibly be replaced with a tampered .GCD file containing an 
entry for the harmful script, e.g. c:\run.vbs. 

http://www.microsoft.com/technet/scriptcenter/resources/articles/antispy.mspx
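As an added example (not from the post above and not Microsoft AntiSpyware's own logic), the Python below shows why an allowlist keyed on the script's file name is defeated by the rename described above, and how keying the allowlist on the script's content hash and protecting the database with an HMAC rejects both the renamed script and a tampered database entry. The key, file names and script contents are constructed for the demonstration.

```python
import hashlib
import hmac
import json
import os
import tempfile

# Constructed demo key; a real deployment would keep it in a protected store.
KEY = b"constructed-demo-key-not-for-production"

def sha256_file(path):
    with open(path, "rb") as f:
        return hashlib.sha256(f.read()).hexdigest()

def _mac(entries, key):
    # Canonical JSON so the MAC does not depend on dict ordering
    data = json.dumps(entries, sort_keys=True).encode()
    return hmac.new(key, data, hashlib.sha256).hexdigest()

def build_allowlist(paths, key):
    # Allowlist keyed by content hash, not by file name
    entries = {sha256_file(p): os.path.basename(p) for p in paths}
    return {"entries": entries, "mac": _mac(entries, key)}

def allowlist_is_intact(db, key):
    return hmac.compare_digest(db["mac"], _mac(db["entries"], key))

def script_allowed(path, db, key):
    # Refuse everything if the database itself fails its integrity check
    if not allowlist_is_intact(db, key):
        return False
    return sha256_file(path) in db["entries"]

def demo():
    tmp = tempfile.mkdtemp()
    valid = os.path.join(tmp, "myValidScript.vbs")
    harmful = os.path.join(tmp, "myHarmfulScript.vbs")
    with open(valid, "w") as f:
        f.write('WScript.Echo "constructed benign script"\n')
    with open(harmful, "w") as f:
        f.write('WScript.Echo "constructed stand-in for the harmful script"\n')
    db = build_allowlist([valid], KEY)
    by_name = {os.path.basename(valid)}           # weak, name-based allowlist
    os.rename(valid, valid + ".old")              # the rename trick from the post
    os.rename(harmful, valid)
    name_check = os.path.basename(valid) in by_name   # True: passes by name alone
    hash_check = script_allowed(valid, db, KEY)       # False: content hash not listed
    db["entries"][sha256_file(valid)] = "run.vbs"     # tampered database entry
    return name_check, hash_check, script_allowed(valid, db, KEY)  # (True, False, False)
```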



Joe Stocker, CISSP
iNet Security Consulting
www.iNetSecurityConsulting.com
