Re: ScriptGuard

[relloz () VO LU (Thierry Zoller)]

Crispin Cowan wrote:

> Thierry Zoller wrote:
>
> > > I can understand that users like to feel safe and cosy, and are
> > > ready
> > > to pay for it, but how can you offer any guarantee that these users
> > > will not be affected by the latest permutation of, say, LoveLetter.*
> > >
> > > ?  It is impossible to detect new viruses which are not yet in your
> > > database, and heuristics will of course only work to a limited
> > > extent.
> >
> > Nope it's not impossible, proof
> > http://www.tlsecurity.net/cleaner/scriptguard.htm
> > This is a _Generic_ Script Protector, it get's all variants of
> > Loveletter and (probably) all coming vbs,hta worms as it does NOT rely
> > on Fingerprints.
>
> Interesting tool.  Definitely sounds like an approach that needs more
> attention.
>
> > Heuristics work pretty good for VBS scripts as the supposed
> > "malicious" commands are static.
> > Perhaps one could code an algorithm obscuring the commands and thus
> > escaping Scriptguard, but this has not been made (yet)
>
> As you say, scripts can be written that appear obscured, and then
> de-cloak themselves as they run.  The documentation on the
> http://www.tlsecurity.net/cleaner/scriptguard.htm site definitely needs
> to have it's claims softened.  In particular, someone should explain
> Alan Turing's Halting Problem to them :-)

Hehe:)
The description is simply copied from the readme.
The original site (does more claims) is here :
http://scriptguard.diamondcs.com.au

Thierry

> Crispin
> -----
> Crispin Cowan, CTO, WireX Communications, Inc.    http://wirex.com
> Free Hardened Linux Distribution:                 http://immunix.org
>                   JOBS!  http://immunix.org/jobs.html