Security Incidents mailing list archives

RE: Worms and CScript/WScript


From: Nick FitzGerald <nick () virus-l demon co uk>
Date: Wed, 22 May 2002 17:04:30 +1200

mwright () allcovered com wrote:

The NSA guide, titled: "E-mail Security in the Wake of Recent Malicious Code
Incidents" actually recommends disabling Windows Scripting Host by removing
both cscript.exe and wscript.exe.

And that makes it "correct" or "a good idea"?

I have added that to my logon script so that every time a user logs onto one
of my networks, WSH is disabled.  Add that to a managed anti-virus solution
that filters attachments by extension, and does real-time protection of both
servers and workstations and you have a very effective virus/worm/trojan
defense.

In the corporate arena you often can get away without either of these 
"advanced" scripting mechanisms, but Windows Update -- which is 
rather critical to SOHO users having any chance of staying vaguely 
up-to-date with security patches -- used to and presumably still does 
depend on WSH (I think VBS specifically).  Thus, suggesting disabling 
it as a blanket recommendation may not be a wise thing...  (And, even 
in the corporate arena, you may be better off restricting access to it 
rather than removing it -- if your admin group uses VB scripts for 
advanced system admin, certainly let them continue to run it so long 
as scripts can be run under a suitably privileged security context 
without introducing other unwanted problems but lock down your 
ordinary users' access to the EXEs.)

You can download the aforementioned NSA guide directly here:
http://nsa2.www.conxion.com/emailexec/guides/eec-1.pdf

I won't comment further on this (and probably not here but on the 
focus-virus list if I ever do) until I've read it...

or browse through all the NSA guides at http://www.nsa.gov

Let's see -- the NSA gives out security advice from a site that 
_requires_ browser scripting to be enabled?

Hmmmm -- do you think we may be able to make an informed estimate of 
the likely quality and thoroughness of that advice from just this one 
data point??


-- 
Nick FitzGerald
Computer Virus Consulting Ltd.
Ph/FAX: +64 3 3529854

----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management 
and tracking system please see: http://aris.securityfocus.com
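
The message above suggests restricting ordinary users' access to cscript.exe and wscript.exe rather than deleting them. The following audit is an added example, not part of the original post or the NSA guide: it reports whether broad user groups hold execute rights on the WSH host binaries. The host paths, the choice of well-known SIDs as a stand-in for "ordinary users", and the function name Get-WshHostExposure are assumptions.

```powershell
# Added example, not from the original post: audit who may run the WSH hosts.
# Assumption: default host locations under %SystemRoot%.
$wshHosts = foreach ($dir in 'System32', 'SysWOW64') {
    foreach ($exe in 'cscript.exe', 'wscript.exe') {
        Join-Path (Join-Path $env:SystemRoot $dir) $exe
    }
}

# Assumption: these well-known SIDs stand in for "ordinary users".
$broadSids = [ordered]@{
    'S-1-1-0'      = 'Everyone'
    'S-1-5-11'     = 'Authenticated Users'
    'S-1-5-32-545' = 'BUILTIN\Users'
}
$execute = [System.Security.AccessControl.FileSystemRights]::ExecuteFile
$sidType = [System.Security.Principal.SecurityIdentifier]

# Hypothetical helper name; emits one row per host binary and broad group.
function Get-WshHostExposure {
    param([Parameter(Mandatory)][string[]]$Path)
    foreach ($file in $Path) {
        if (-not (Test-Path -LiteralPath $file -PathType Leaf)) {
            [pscustomobject]@{ File = $file; Principal = '-'; Finding = 'host binary absent' }
            continue
        }
        # Explicit and inherited ACEs, with identities kept as SIDs.
        $rules = (Get-Acl -LiteralPath $file).GetAccessRules($true, $true, $sidType)
        foreach ($sid in $broadSids.Keys) {
            $mine = @($rules | Where-Object {
                $_.IdentityReference.Value -eq $sid -and
                ($_.FileSystemRights -band $execute) -eq $execute
            })
            $deny  = @($mine | Where-Object { $_.AccessControlType -eq 'Deny' })
            $allow = @($mine | Where-Object { $_.AccessControlType -eq 'Allow' })
            # Simplification: any matching deny ACE is reported as winning.
            $finding = if ($deny.Count) {
                'execute denied'
            } elseif ($allow.Count) {
                'EXPOSED: execute allowed'
            } else {
                'no direct execute grant'
            }
            [pscustomobject]@{ File = $file; Principal = $broadSids[$sid]; Finding = $finding }
        }
    }
}

Get-WshHostExposure -Path $wshHosts | Format-Table -AutoSize
```

The report covers only ACEs granted directly to the listed groups; it does not compute effective access through other group memberships, so an admin group that keeps execute rights will not appear in it.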

