Security Incidents mailing list archives
RE: Worms and CScript/WScript
From: Nick FitzGerald <nick () virus-l demon co uk>
Date: Wed, 22 May 2002 17:04:30 +1200
mwright () allcovered com wrote:

> The NSA guide, titled: "E-mail Security in the Wake of Recent Malicious Code Incidents" actually recommends disabling Windows Scripting Host by removing both cscript.exe and wscript.exe.

And that makes it "correct" or "a good idea"?

> I have added that to my logon script so that every time a user logs onto one of my networks, WSH is disabled. Add that to a managed anti-virus solution that filters attachments by extension, and does real-time protection of both servers and workstations and you have a very effective virus/worm/trojan defense.

In the corporate arena you often can get away without either of these "advanced" scripting mechanisms, but Windows Update -- which is rather critical to SOHO users having any chance of staying vaguely up-to-date with security patches -- used to and presumably still does depend on WSH (I think VBS specifically). Thus, suggesting disabling it as a blanket recommendation may not be a wise thing... (And, even in the corporate arena, you may be better off restricting access to it rather than removing it -- if your admin group uses VB scripts for advanced system admin, certainly let them continue to run it so long as scripts can be run under a suitably privileged security context without introducing other unwanted problems but lock down your ordinary users' access to the EXEs.)

> You can download the aforementioned NSA guide directly here: http://nsa2.www.conxion.com/emailexec/guides/eec-1.pdf

I won't comment further on this (and probably nor here but on the focus-virus list if I ever do) until I've read it...

> or browse through all the NSA guides at http://www.nsa.gov

Let's see -- the NSA gives out security advice from a site that _requires_ browser scripting to be enabled? Hmmmm -- do you think we may be able to make an informed estimate of the likely quality and thoroughness of that advice from just this one data point??

--
Nick FitzGerald
Computer Virus Consulting Ltd.
Ph/FAX: +64 3 3529854

----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service. For more information on this free incident handling, management and tracking system please see: http://aris.securityfocus.com
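
The alternative raised in the reply above (keep the script hosts but lock down ordinary users' access to the EXEs) can be verified with an ACL audit. This PowerShell sketch is an added example, not part of the original post; the default System32/SysWOW64 locations, the English-locale principal names and the `$allowed` policy list are assumptions.

```powershell
# Added example: list which principals hold execute rights on the WSH hosts.
# Assumption: wscript.exe / cscript.exe are in their default locations.
$hosts = 'wscript.exe', 'cscript.exe'
$dirs  = @("$env:SystemRoot\System32", "$env:SystemRoot\SysWOW64") |
         Where-Object { Test-Path -LiteralPath $_ }

# Hypothetical policy for this example: principals expected to be able to run the hosts.
# Names are as shown on an English-locale system.
$allowed = @(
    'NT AUTHORITY\SYSTEM',
    'BUILTIN\Administrators',
    'NT SERVICE\TrustedInstaller'
)

# ExecuteFile (0x20) plus GENERIC_EXECUTE and GENERIC_ALL, in case an ACE uses generic bits.
$mask = [int][System.Security.AccessControl.FileSystemRights]::ExecuteFile -bor 0x20000000 -bor 0x10000000

$findings = foreach ($dir in $dirs) {
    foreach ($name in $hosts) {
        $path = Join-Path $dir $name
        if (-not (Test-Path -LiteralPath $path)) {
            # The "remove the EXEs" approach shows up here.
            [pscustomobject]@{ Path = $path; Principal = '-'; Rights = '-'; Status = 'Removed' }
            continue
        }
        foreach ($ace in (Get-Acl -LiteralPath $path).Access) {
            # Only Allow entries carrying an execute bit let a principal launch the host.
            if ($ace.AccessControlType -ne 'Allow') { continue }
            if (([int]$ace.FileSystemRights -band $mask) -eq 0) { continue }
            $who    = $ace.IdentityReference.Value
            $status = if ($allowed -contains $who) { 'Expected' } else { 'Review' }
            [pscustomobject]@{ Path = $path; Principal = $who; Rights = $ace.FileSystemRights; Status = $status }
        }
    }
}

$findings | Sort-Object Status, Path | Format-Table -AutoSize
```

Deny entries and group membership are not evaluated, so a `Review` row is a prompt to inspect that ACE, not proof that ordinary users can run the host.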