Shoutbox

quote:

---

Originally posted by jeff0806
Can I just uninstall Norton Antivirus and dont get another one?
Cause I am using Zone Labs with Norton Antivirus now..

---

those happen to be the worst two products on the market

quote:

---

Originally posted by vikke
Actually there are a lot of viruses using WSH scripting (.vbs & .js files). And if they get access to the memory (and the ability to create/remove files), you'll never know what happens. That's why the anti-virus is blocking the registry interface, to prevent these malwares that actually exists. This is a good protection, too bad it blocks Messenger Plus!.

However Messenger Plus!'s scripts are using these interfaces in a good way. If there's an option to ignore it just for that process (msnmsgr.exe), that would be great for you.

---

except... hey, wait a minute, virus scanners already have the capability to check executable files for virus signatures and monitor important registry locations! gee, that sort of makes blocking any use of activex in WSH useless, doesn't it?

quote:

---

Originally posted by ShawnZ

quote:

---

Originally posted by vikke
Actually there are a lot of viruses using WSH scripting (.vbs & .js files). And if they get access to the memory (and the ability to create/remove files), you'll never know what happens. That's why the anti-virus is blocking the registry interface, to prevent these malwares that actually exists. This is a good protection, too bad it blocks Messenger Plus!.

However Messenger Plus!'s scripts are using these interfaces in a good way. If there's an option to ignore it just for that process (msnmsgr.exe), that would be great for you.

---

except... hey, wait a minute, virus scanners already have the capability to check executable files for virus signatures and monitor important registry locations! gee, that sort of makes blocking any use of activex in WSH useless, doesn't it?

---

Nope. New viruses are created everyday, and if Symantec wouldn't have added this block, you would have got infected since you get the virus before Symantec's updates. Also, you cannot be sure these checks on the PE-file is working correct. If I'm not mistaken a lot of programs has been identified as viruses when they're not.
It's a well-used technology, it's recommended to block these objects.

It's better having this block than getting infected by the virus.

so your logic is that executable files themselves are more trustworthy than scripts that create executable files?

quote:

---

Originally posted by ShawnZ
so your logic is that executable files themselves are more trustworthy than scripts that create executable files?

---

Not at all, but they can be.

[OFF TOPIC]

quote:

---

Originally posted by vikke
Edit: Patchou can solve this problem by creating his own object for registry access instead of forcing the scripts to use the WSH object.

---

No need, use the Windows registry APIs. You can even do a lot more with them.

[/OFF TOPIC]

so then why should ALL registry/file system access be blocked to scripts, whereas only suspicious things are flagged in real executables (when it's just as easy to do this for scripts too?)?

quote:

---

Originally posted by CookieRevised


    quoteriginally posted by vikke
    Edit: Patchou can solve this problem by creating his own object for registry access instead of forcing the scripts to use the WSH object.

No need, use the Windows registry APIs. You can even do a lot more with them.

---

They're a pain in the arse! I might just wrap it up into a JavaScript-class later.

quote:

---

Originally posted by ShawnZ
so then why should ALL registry/file system access be blocked to scripts, whereas only suspicious things are flagged in real executables (when it's just as easy to do this for scripts too?)?

---

Because if you block the registry access in executables Windows would stop working. This doesn't mean I don't think it shouldn't be blocked in executables, but hopefully the anti-virus will find the virus, and remove it.

1% of all executables are viruses. 25% of all scripts are viruses. These values may be incorrect, but I hope you understand what I mean.

quote:

---

Originally posted by vikke
if you block the registry access in executables Windows would stop working.

---

obviously, i didn't mean executables that are part of the system

quote:

---

Originally posted by vikke
I hope you understand what I mean.

---

not really.

quote:

---

Originally posted by ShawnZ

quote:

---

Originally posted by vikke
if you block the registry access in executables Windows would stop working.

---

obviously, i didn't mean executables that are part of the system

quote:

---

Originally posted by vikke
I hope you understand what I mean.

---

not really.

---

Viruses are often part of the system. Either injected or running as a service. And any executable which is blocked from registry will stop working as every Win32 application is independent of the registry.
Blocking every program (with PE-files) would just be stupid, all programs would stop working. However if you block it from scripts, there's a chance you actually stop a virus.
There could be other methods which are more accurate than registry blocking, but Symantec chose to apply this block, and I don't see why to remove a block that actually blocks viruses quite often.

quote:

---

Originally posted by vikke
Blocking every program (with PE-files) would just be stupid, all programs would stop working. However if you block it from scripts, there's a chance you actually stop a virus

---

if you block registry and file access from every user-mode application, there's a chance you'd stop a virus too. in fact, a much higher chance. but you don't. you just check executables for virus signatures and suspicious activities that a virus might perform. so why not do that with scripts if it works so effectively?