Complete

Script Protection/Control!!


Userlevel 6
Badge +27
Hi,
 
Webroot desperately needs script controls to alert/block/terminate against Active Script, PowerShell, and Macros. Webroot is falling behind in this area, where there is now malware that can run almost completely in scripts.

Having a client recently that opened a J-script attachment and it walked right past the Webroot agent was really disappointing. Other next-gen AV vendors are now introducing measures to protect against this, and Webroot needs to see that allowing the scripts to run in hopes it can catch a possible PE file isn't good enough.
 
Thanks
John Hart
Nerds On Site

This topic has been closed for comments

6 replies

Userlevel 7
Badge +56
We do already have blocking in place for that.  Not to say that there won't be some that slip past, but we do inspect the scripting code for those to look for malicious behavior.
 
Did you work with support to figure out how it slipped by? We might need to tweak our script inspection for this particular instance.
Userlevel 6
Badge +27
Hey Nic,
 
Yes, I was on with support immediately when the infection occurred and the client had their data encrypted. It was a J-Script file that I have a copy of, they took a copy of after their remote session as well.
 
The script file was fully allowed to run, from what I can see, without any restrictions.
 
I still have a copy of that malicious J-script file and to this day, over a month later, right-clicking that file and scanning it doesn't result in any detection of being malicious. I can even run it and it goes to work. Webroot will block some of the crap it pulls down, but in the end it still encrypts the user data.
 
John
Userlevel 7
Badge +56
Do you have a ticket number or can you send me the script?  If we're still not blocking it then I'll get it over to the threat team and the devs and make sure it gets taken care of properly.
Userlevel 6
Badge +27
How can I send those scripts to you?
 
 
Userlevel 7
Badge +56
I'll PM you my email address
Userlevel 7
Badge +35
Feature already exists.
