OSEC

 
From: Mike Arnold (mike_at_midkaemia.fsnet.co.uk)
Date: Mon Oct 07 2002 - 17:24:34 CDT



    On Monday 07 Oct 2002 6:02 pm, REAVA, JEFFREY [IT/0200] wrote:

    This may come across as harsh, but it wasn't supposed to be. Honest, just my
    two penn'orth.

    > Would it make sense to change the default association with *.vbs files so
    > that you can logically filter which scripts are allowed to run?

    As I've said in a previous post - the wscript executable is still there. I'm
    not entirely sure someone intent on breaking into your system is going to
    give 2 hoots what file associations are present. They are gonna run "cscript
    //b <h4x0rurb0x.vbs>" with a full path. Renaming it is not likely to fool
    them for long either. This will stop the macro viruses, email viruses, etc.,
    so it might be worth it if you get a lot of them. But to stop the hardened
    hacker, deleting it is probably best. Mind you, make sure it doesn't get
    auto-repaired by that wonderful new win2k/XP subsystem :)

    I'd delete it. I haven't, but it's on my list of good things to do.

    > Replace the original association in the registry with this:
    > HKEY_CLASSES_ROOT\VBSFile\Shell\Open\Command
    > C:\WINNT\System32\WScript.exe C:\WINNT\System32\wshcheck.vbs "%1" %*
    >
    > where wshcheck.vbs first opens the vbs file, checks for the string
    > "ApprovedByRubio" on the top line. If it isn't there, warn the user that an
    > unsigned script attempted to execute, call the help desk, etc.

    Sorry, but if I'm intent on getting in and out as fast as possible - I'm not,
    but if I were! - then I wouldn't be trying to load explorer across a dialup
    being routed through 4 continents just to use the file associations it
    provides, I'd be on the command line.

    > HTH,

    If you're sure it's them and not some helpless drone.

    > Jeff

    Mike
    --
            By three methods we may learn wisdom:
                    First, by reflection, which is noblest;
                    Second, by imitation, which is easiest;
                    and third by experience, which is the bitterest.

                            --Confucius
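As an added example (not from the thread or either poster), a PowerShell audit that reads the VBSFile handler discussed above and then reports whether wscript.exe and cscript.exe are still on the box, since the association only governs shell launches and a direct call to the host bypasses it. The wrapper name wshcheck.vbs is taken from the quoted proposal; the key path is the one quoted, and everything else is assumed.

```powershell
# Added audit example, not code from the thread.
# Assumption: the wrapper from the quoted proposal is named wshcheck.vbs.
$expectedWrapper = 'wshcheck.vbs'
$assocKey = 'Registry::HKEY_CLASSES_ROOT\VBSFile\Shell\Open\Command'

# The (default) value of this key is what Explorer runs on double-click.
$cmd = (Get-ItemProperty -Path $assocKey -ErrorAction SilentlyContinue).'(default)'
if (-not $cmd) {
    Write-Output 'VBSFile open command: <not set>'
} elseif ($cmd -match [regex]::Escape($expectedWrapper)) {
    Write-Output "VBSFile open command routes through the wrapper: $cmd"
} else {
    Write-Output "VBSFile open command is the stock handler: $cmd"
}

# The association is only consulted for ShellExecute-style launches.
# Anyone who can run the host directly (cscript //b script.vbs with a
# full path, as the reply notes) never touches it, so report whether
# the hosts are still present at all.
$system32 = [Environment]::GetFolderPath('System')
foreach ($exe in 'wscript.exe', 'cscript.exe') {
    $p = Join-Path $system32 $exe
    if (Test-Path $p) {
        $v = (Get-Item $p).VersionInfo.FileVersion
        Write-Output "$exe present at $p (version $v): association is not a boundary"
    } else {
        Write-Output "$exe absent from $system32: confirm the OS auto-repair has not restored it"
    }
}
```

Run it from an elevated prompt on the host being checked; the registry read needs no special rights, but a later removal of the hosts does.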