Vulnerability Development mailing list archives
Re: ScriptGuard
From: tim () BIZTONE COM (Tim Wort)
Date: Tue, 16 May 2000 08:51:05 -0600
They seem to mellow the claims a bit in the "END USER LICENSE AGREEMENT" quote:

WARRANTY-FREE: DCS disclaims any warranties concerning works of this copy. DCS does not warrant that the software is error free, identifies all known, unknown, or yet-to-be-written worms and hostile scripts, or may occasionally report alarms in a file that is not hostile.

On Tue, 16 May 2000, Crispin Cowan wrote:

Thierry Zoller wrote:

I can understand that users like to feel safe and cosy, and are ready to pay for it, but how can you offer any guarantee that these users will not be affected by the latest permutation of, say, LoveLetter.* ? It is impossible to detect new viruses which are not yet in your database, and heuristics will of course only work to a limited extent.

Nope it's not impossible, proof http://www.tlsecurity.net/cleaner/scriptguard.htm This is a _Generic_ Script Protector, it gets all variants of Loveletter and (probably) all coming vbs,hta worms as it does NOT rely on Fingerprints.

Interesting tool. Definitely sounds like an approach that needs more attention.

Heuristics work pretty good for VBS scripts as the supposed "malicious" commands are static. Perhaps one could code an algorithm obscuring the commands and thus escaping Scriptguard, but this has not been made (yet).

As you say, scripts can be written that appear obscured, and then de-cloak themselves as they run. The documentation on the http://www.tlsecurity.net/cleaner/scriptguard.htm site definitely needs to have its claims softened. In particular, someone should explain Alan Turing's Halting Problem to them :-)

Crispin
-----
Crispin Cowan, CTO, WireX Communications, Inc. http://wirex.com
Free Hardened Linux Distribution: http://immunix.org
JOBS! http://immunix.org/jobs.html
=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
= Tim Wort                  BizTone.Com      =
= Network Administration    tim () biztone com =
= 2329 West Main Street Littleton Colorado   =
= voice 303-707-4505    fax 303-707-4545     =
=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=