From: REAVA, JEFFREY [IT/0200] (jeffrey.reava_at_pharmacia.com)
Date: Tue Oct 08 2002 - 10:50:49 CDT


    It seems this all comes down to who you or what you are defending against. A
    skilled attacker will load any/all tools they need, so deleting files
    doesn't buy much.

    W2K associations are still triggered from the command line
    Type "c:\boot.ini" and notepad will probably pop up.

    Anything that stops macro viruses frees up administrator time so that you
    can spend more effort where it counts; facing a determined attacker. If you
    don't layer and lock out the simple hacks, they can eat up your time with
    simple fire fighting so that you're not able to dedicate yourself to the
    risks that really count.

    So, I agree the determined attacker won't be stopped (or even annoyed) by
    this method, but if it frees up more time to face those threats, it's still
    worth doing.

    Jeff

    P.S. Harsh is good. Nice people don't seem to accomplish as much.

    -----Original Message-----
    From: Mike Arnold [mailto:mikemidkaemia.fsnet.co.uk]
    Sent: Monday, October 07, 2002 6:25 PM
    To: focus-ms@securityfocus.com
    Subject: Re: Can I delete Wscript.exe?

    -----BEGIN PGP SIGNED MESSAGE-----
    Hash: SHA1

    On Monday 07 Oct 2002 6:02 pm, REAVA, JEFFREY [IT/0200] wrote:

    This may come across as harsh, but it wasn't supposed to be. Honest, just my
    2penneth.

    > Would it make sense to change the default association with *.vbs files so
    > that you can logically filter which scripts are allowed to run?

    As I've said in a previous post - the wscript executable is still there. I'm
    not entirely sure someone intent on breaking into your system is going to
    give 2 hoots what file associations are present. They are gonna run "cscript
    //b <h4x0rurb0x.vbs>" with a full path. Renaming it is not likely to fool
    them for long either. This will stop the macro viruses, email viruses, etc.
    so it might be worth it if you get a lot of them. But for stopping the hardened
    hacker, deleting it is probably best. Mind you, make sure it doesn't get
    auto-repaired by that wonderful new win2k/XP subsystem :)

    I'd delete it, I haven't but it's on my list of good things to do.

    > Replace the original association in the registry with this:
    > HKEY_CLASSES_ROOT\VBSFile\Shell\Open\Command
    > C:\WINNT\System32\WScript.exe C:\WINNT\System32\wshcheck.vbs "%1" %*
    >
    > where wshcheck.vbs first opens the vbs file, checks for the string
    > "ApprovedByRubio" on the top line. If it isn't there, warn the user that an
    > unsigned script attempted to execute, call the help desk, etc.

    Sorry, but if I'm intent on getting in and out as fast as possible - I'm not,
    but if I were! - then I wouldn't be trying to load explorer across a dialup
    being routed through 4 continents just to use the file associations it
    provides, i'd be on command line.

    > HTH,

    If you're sure it's them and not some helpless drone.

    > Jeff

    Mike
    - --
            By three methods we may learn wisdom:
                    First, by reflection, which is noblest;
                    Second, by imitation, which is easiest;
                    and third by experience, which is the bitterest.

                            --Confucius
    -----BEGIN PGP SIGNATURE-----
    Version: GnuPG v1.0.6 (GNU/Linux)
    Comment: For info see http://www.gnupg.org

    iD8DBQE9ogml8EqADYNpcNQRAlWLAJ42xmq3T3YSWUeKDfXXU+8l0tS/UACfbEp3
    pGaf//UDJ5GdPCalcl0lH9s=
    =MMvA
    -----END PGP SIGNATURE-----
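The wrapper Jeff sketches above, written out as an added illustration (this is not code from either poster, and the thread never shows the body of wshcheck.vbs). It assumes the registration from his message, i.e. HKEY_CLASSES_ROOT\VBSFile\Shell\Open\Command set to `C:\WINNT\System32\WScript.exe C:\WINNT\System32\wshcheck.vbs "%1" %*`, so the target script arrives as argument 0 and any further arguments follow it. The marker string "ApprovedByRubio" is taken from the post; the event-log message text and the help-desk wording are made up for the example.

```vbscript
' wshcheck.vbs - association wrapper for .vbs files (added example, not from the thread).
' Registered under HKCR\VBSFile\Shell\Open\Command as:
'   C:\WINNT\System32\WScript.exe C:\WINNT\System32\wshcheck.vbs "%1" %*
' It only sees scripts launched through the shell association. As Mike points out,
' "cscript //b <full path>" or "wscript <full path>" never touches this file.
Option Explicit

Const APPROVAL_MARKER = "ApprovedByRubio"      ' marker named in the original post
Const HELPDESK_TEXT = "Please call the help desk before running this script."  ' assumed wording

Dim fso, shell, target, firstLine, ts, cmd, i
Set fso = CreateObject("Scripting.FileSystemObject")
Set shell = CreateObject("WScript.Shell")

If WScript.Arguments.Count < 1 Then
    WScript.Echo "Usage: wshcheck.vbs <script.vbs> [args...]"
    WScript.Quit 2
End If

target = WScript.Arguments(0)

If Not fso.FileExists(target) Then
    WScript.Echo "Script not found: " & target
    WScript.Quit 2
End If

' Read only the first line; the marker has to be there (e.g. "' ApprovedByRubio").
Set ts = fso.OpenTextFile(target, 1)   ' 1 = ForReading
If ts.AtEndOfStream Then
    firstLine = ""
Else
    firstLine = ts.ReadLine
End If
ts.Close

If InStr(1, firstLine, APPROVAL_MARKER, vbTextCompare) = 0 Then
    ' Not approved: record it in the Application event log (2 = warning),
    ' tell the user, and do not run the script.
    shell.LogEvent 2, "wshcheck: blocked unapproved script " & target & _
        " for user " & shell.ExpandEnvironmentStrings("%USERNAME%")
    MsgBox "An unapproved script attempted to execute:" & vbCrLf & target & _
        vbCrLf & vbCrLf & HELPDESK_TEXT, vbCritical, "Script blocked"
    WScript.Quit 1
End If

' Approved: hand off to the real wscript.exe, re-quoting every argument so
' paths with spaces survive the trip.
cmd = """" & shell.ExpandEnvironmentStrings("%SystemRoot%") & "\System32\wscript.exe"" """ & target & """"
For i = 1 To WScript.Arguments.Count - 1
    cmd = cmd & " """ & WScript.Arguments(i) & """"
Next
WScript.Quit shell.Run(cmd, 1, True)   ' wait and propagate the script's exit code
```

Two caveats a practitioner should keep in mind. First, the marker is a plain string that anyone (including a worm author who has read this thread) can paste onto line one, so it is an "is this one of ours?" sanity check, not a signature; if you want real signing, WSH 5.6 ships a Scripting.Signer object and a TrustPolicy value under HKLM\Software\Microsoft\Windows Script Host\Settings that refuses unsigned scripts regardless of how they are launched. Second, the wrapper is only as good as the association: it does nothing for .vbe, .js, .jse, .wsf or .wsh files unless you register it for those ProgIDs too, and it does nothing at all for a script started by name from cscript.exe or wscript.exe, which is exactly Mike's objection.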