Re: Can I delete Wscript.exe?

From: Mike Arnold (mike@midkaemia.fsnet.co.uk)
Date: 10/08/02


From: Mike Arnold <mike@midkaemia.fsnet.co.uk>
To: focus-ms@securityfocus.com
Date: Mon, 7 Oct 2002 23:24:34 +0100



On Monday 07 Oct 2002 6:02 pm, REAVA, JEFFREY [IT/0200] wrote:

This may come across as harsh, but it wasn't supposed to be. Honest, just my
2penneth.

> Would it make sense to change the default association with *.vbs files so
> that you can logically filter which scripts are allowed to run?

As I've said in a previous post - the wscript executable is still there. I'm
not entirely sure someone intent on breaking into your system is going to
give 2 hoots what file associations are present. They are gonna run "cscript
//b <h4x0rurb0x.vbs>" with a full path. Renaming it is not likely to fool
them for long either. This will stop the macro viruses, email viruses, etc.
so it might be worth it if you get a lot of them. But stopping the hardened
hacker, deleting it is probably best. Mind you, make sure it doesn't get
auto-repaired by that wonderful new win2k/XP subsystem :)

I'd delete it, I haven't but it's on my list of good things to do.

> Replace the original association in the registry with this:
> HKEY_CLASSES_ROOT\VBSFile\Shell\Open\Command
> C:\WINNT\System32\WScript.exe C:\WINNT\System32\wshcheck.vbs "%1" %*
>
> where wshcheck.vbs first opens the vbs file, checks for the string
> "ApprovedByRubio" on the top line. If it isn't there, warn the user that an
> unsigned script attempted to execute, call the help desk, etc.

Sorry, but if I'm intent on getting in and out as fast as possible - I'm not,
but if I were! - then I wouldn't be trying to load explorer across a dialup
being routed through 4 continents just to use the file associations it
provides, I'd be on command line.

> HTH,

If you're sure it's them and not some helpless drone.

> Jeff

Mike
- --
        By three methods we may learn wisdom:
                First, by reflection, which is noblest;
                Second, by imitation, which is easiest;
                and third by experience, which is the bitterest.

                        --Confucius
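The thread turns on whether a script host launch passes through the wshcheck.vbs wrapper or names a script directly. The following is an added example, not code from either poster: it sorts process command lines into those two cases so direct launches can be reviewed. The sample command lines and the function names are constructed for illustration; the wrapper path is the one quoted in the message.

```python
import re

# Wrapper path taken from the file association proposed in the thread.
WRAPPER = r"c:\winnt\system32\wshcheck.vbs"
SCRIPT_HOSTS = {"wscript", "wscript.exe", "cscript", "cscript.exe"}

def tokens(cmdline):
    """Split a Windows command line on whitespace, honouring double quotes."""
    return [t.strip('"') for t in re.findall(r'"[^"]*"|\S+', cmdline)]

def basename(path):
    """Last path component, lower-cased (Windows paths are case-insensitive)."""
    return re.split(r"[\\/]", path)[-1].lower()

def classify(cmdline):
    """Return 'other', 'no_script', 'gated' or 'direct' for one command line."""
    parts = tokens(cmdline)
    if not parts or basename(parts[0]) not in SCRIPT_HOSTS:
        return "other"
    # Host options such as //b or //nologo start with two slashes; the first
    # remaining token is the script the host will actually execute.
    scripts = [p for p in parts[1:] if not p.startswith("//")]
    if not scripts:
        return "no_script"
    # Only the exact wrapper path counts: a same-named file elsewhere is not it.
    return "gated" if scripts[0].lower() == WRAPPER else "direct"

def direct_launches(cmdlines):
    """Command lines where a script host ran something other than the wrapper."""
    return [c for c in cmdlines if classify(c) == "direct"]

# Constructed sample command lines (not taken from any real log).
SAMPLES = [
    r'C:\WINNT\System32\WScript.exe C:\WINNT\System32\wshcheck.vbs "C:\Docs\report.vbs"',
    r'cscript //b C:\Temp\job.vbs',
    r'"C:\WINNT\System32\cscript.exe" //nologo //b "C:\Temp\my script.vbs" arg1',
    r'C:\WINNT\System32\wscript.exe C:\Temp\wshcheck.vbs C:\Temp\x.vbs',
    r'C:\WINNT\System32\notepad.exe C:\Docs\a.vbs',
]

if __name__ == "__main__":
    for line in direct_launches(SAMPLES):
        print("script host launched without the wrapper:", line)
```
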


