
Disable execution of script files

  • 4 October 2017
Webroot has discovered ransomware variants delivered through email attachments as well. These malicious attachments are often a zip archive that contains a script, whose purpose is to download and execute a ransomware or malware payload.

Webroot recommends preventing the execution of script file types to avoid this type of attack.

Example Spam Email:

In order to prevent these types of documents and scripts from running we recommend choosing the most appropriate solution for your environment below.

Block WSF, VBS, WSH, HTA and JS files:


There are three options to prevent script files from running on a system.

Option 1: REDIRECT SCRIPT FILE EXTENSIONS VIA GPO

To enable this policy setting, access the system set up for policy control and navigate to the following setting:

User Configuration - Preferences - Control Panel - Settings
Right-click on Folder Options and navigate to New > Open With.

Type each unwanted extension (e.g. wsf, js, vbs) into the "File extension" box, then enter the path of the program you want to use as the default for opening that file type.
Tick "Set as default" and press OK.

Example of redirecting the extension .wsf, .js, and .vbs to notepad:


We recommend redirecting the file types: .hta, .jse, .js, .vbs, .vbe, .wsf, .wsh, and .ps1.

If a system administrator needs to run a WSF, VBS, JS, or any other script file, this can still be achieved by starting the WScript program with the script file as an argument.

For example:

C:\Windows\System32\WSCRIPT.exe C:\example.vbs

Option 2: REDIRECT SCRIPT FILE EXTENSIONS VIA WEBROOT CONSOLE

If a policy controller is not available, you can instead redirect file extensions with the utility below. By downloading the utility, you acknowledge that you agree to the terms at https://download.webroot.com/UtilityEula.html.

If you have an existing agreement with Webroot governing your use of this utility software, then such agreement will supersede the above terms and conditions in the event of any conflicting terms between the agreement and such terms and conditions.

1. Sign into the Webroot Enterprise Console and click Group Management.
2. Select the hostnames which you would like to have this applied to, and then navigate to Agent Commands > Advanced > Customer Support Diagnostics.
3. Input the following link into the URL field:
For the Command Line Options field, the following commands can be used:

-disable - This command will redirect the default action for the following file types: .hta, .jse, .js, .vbs, .vbe, .wsf, .wsh, to instead show a message box like so:


To apply this from the Webroot Endpoint Console, refer to the screenshot below:


-disable “Custom Message” – This command redirects the default action for the same file types, but also lets you specify the message the user will see. “Custom Message” is the message displayed to a user who opens a script file. Quotes are required around this text. Optionally, you may include %1 in your custom message. This will show the file that was blocked like so:


To apply this from the Webroot Endpoint Console, refer to the screenshot below:


-enable - This command restores the default execution program for the file types mentioned above.

To apply this from the Webroot Endpoint Console, refer to the screenshot below:


4. Click “Download and Execute” to send the command to the system.

Note: You may view the status of sent commands by choosing the “View commands for selected endpoints” option in the “Agent Commands” menu. Depending on poll interval, it may take up to 24 hours for the endpoint(s) to receive this command. You may force a poll check or configuration update to receive this command immediately by locating the Webroot icon in the system tray, right clicking it, and selecting “Refresh Configuration”.

5. Ensure script files are blocked by attempting to open a file with a blocked file type.

Option 3: DISABLE WSCRIPT HOST

WScript Host (C:\Windows\System32\WSCRIPT.exe) is an application within Windows that interprets .vbs, .vbe, .js, .jse, .wsf and other types of script files. When such a script is run, Windows executes it through this program. Because of this, you may want to disable WScript Host entirely. To do so, use one of the following procedures. By downloading the utility, you acknowledge that you agree to the terms at https://download.webroot.com/UtilityEula.html. If you have an existing agreement with Webroot governing your use of this utility software, then such agreement will supersede the above terms and conditions in the event of any conflicting terms between the agreement and such terms and conditions.

From the Webroot Console:

1. Sign into the Webroot Enterprise Console and click Group Management.
2. Select the hostnames that you would like to have this applied to, and then navigate to Agent Commands > Advanced > Download and execute a file.
3. Enter the following link into the URL field:
4. For the Command Line Options field, the following commands can be used:

-disable - This command will disable WScript and disallow execution of script files.

-enable - This command will enable WScript and allow execution of script files.

5. Click “Download and Execute” to send the command to the system.

Note: You may view the status of sent commands by choosing the “View commands for selected endpoints” option in the “Agent Commands” menu. Depending on poll interval, it may take up to 24 hours for the endpoint(s) to receive this command. You may force a poll check or configuration update to receive this command immediately by locating the Webroot icon in the system tray, right clicking it, and selecting “Refresh Configuration”.

6. Ensure WScript is blocked by opening a command prompt, typing “WScript”, and pressing enter. You should be presented with the following message:

Manually - 64 BIT:
To disable Windows Script Host, execute the following in an elevated command prompt:
  • REG ADD "HKLM\Software\Microsoft\Windows Script Host\Settings" /v Enabled /t REG_DWORD /d 0 /f /reg:32
  • REG ADD "HKLM\Software\Microsoft\Windows Script Host\Settings" /v Enabled /t REG_DWORD /d 0 /f /reg:64
To re-enable Windows Script Host, execute the following:
  • REG ADD "HKLM\Software\Microsoft\Windows Script Host\Settings" /v Enabled /t REG_DWORD /d 1 /f /reg:32
  • REG ADD "HKLM\Software\Microsoft\Windows Script Host\Settings" /v Enabled /t REG_DWORD /d 1 /f /reg:64

Manually - 32 BIT:
To disable Windows Script Host, execute the following in an elevated command prompt:
  • REG ADD "HKLM\Software\Microsoft\Windows Script Host\Settings" /v Enabled /t REG_DWORD /d 0 /f
To re-enable Windows Script Host, execute the following:
  • REG ADD "HKLM\Software\Microsoft\Windows Script Host\Settings" /v Enabled /t REG_DWORD /d 1 /f
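
To confirm the result of any of the three options, the following read-only PowerShell audit is an added example, not part of Webroot's article or utilities. It reports the Windows Script Host Enabled value in both registry views and the program each recommended extension currently opens with. The function names and the per-user UserChoice lookup are assumptions of this example, and only the "open" verb is inspected.

```powershell
# Added example: read-only audit of the settings described in this article.
$extensions = '.hta', '.jse', '.js', '.vbs', '.vbe', '.wsf', '.wsh', '.ps1'
$wshPath    = 'Software\Microsoft\Windows Script Host\Settings'

function Get-WshState {
    param([Microsoft.Win32.RegistryView]$View)
    $base = [Microsoft.Win32.RegistryKey]::OpenBaseKey(
        [Microsoft.Win32.RegistryHive]::LocalMachine, $View)
    try {
        $key   = $base.OpenSubKey($wshPath)
        $value = if ($key) { $key.GetValue('Enabled') } else { $null }
        if ($key) { $key.Close() }
        # A missing value means Windows Script Host is enabled (the default).
        if ($null -eq $value)     { 'enabled (value not set)' }
        elseif ("$value" -eq '0') { 'disabled' }
        else                      { "enabled (Enabled=$value)" }
    } finally { $base.Close() }
}

function Get-OpenHandler {
    param([string]$Extension)
    # A per-user "Open With" choice takes precedence over the machine-wide class.
    $choice = "HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\$Extension\UserChoice"
    $progId = (Get-ItemProperty -Path $choice -ErrorAction SilentlyContinue).ProgId
    if (-not $progId) {
        $progId = (Get-ItemProperty -Path "Registry::HKEY_CLASSES_ROOT\$Extension" `
                   -ErrorAction SilentlyContinue).'(default)'
    }
    $command = if ($progId) {
        # Assumption: the default verb is "open"; other verbs are not inspected.
        (Get-ItemProperty -Path "Registry::HKEY_CLASSES_ROOT\$progId\shell\open\command" `
         -ErrorAction SilentlyContinue).'(default)'
    }
    $status = if ($command -match 'wscript|cscript|mshta|powershell') {
        'RUNS SCRIPT HOST'
    } elseif ($command) {
        'other handler'
    } else {
        'no open handler found'
    }
    [pscustomobject]@{ Extension = $Extension; ProgId = $progId; Status = $status; Command = $command }
}

foreach ($view in 'Registry32', 'Registry64') {
    '{0}: Windows Script Host is {1}' -f $view, (Get-WshState -View $view)
}
$extensions | ForEach-Object { Get-OpenHandler -Extension $_ } | Format-Table -AutoSize -Wrap
```

Run it in the context of the user whose associations you want to check, since the Option 1 policy is applied under User Configuration.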


The information presented in this article has been taken from the Malware Prevention Guide.
