Didier Stevens

Saturday 3 November 2007

Quickpost: Scanning Scripts

Filed under: Quickpost — Didier Stevens @ 10:32

After reading my zero byte padding post, someone asked me how McAfee intercepted scripts.

The Microsoft VB script and JS script engines are COM objects. Looking at the CLSID registry data for these COM objects, you’ll find this info (Windows XP SP2):

VB Script Language
HKEY_CLASSES_ROOT\CLSID\{B54F3741-5B07-11cf-A4B0-00AA004A55E8}
InprocServer32 -> C:\WINDOWS\system32\VBScript.dll

JScript Language
HKEY_CLASSES_ROOT\CLSID\{f414c260-6ac0-11cf-b6d1-00aa00bbbb58}
InprocServer32 -> C:\WINDOWS\system32\JScript.dll

When McAfee VirusScan with ScriptScan is installed, the InprocServer32 reference for both COM objects is modified: C:\Program Files\Network Associates\VirusScan\scriptproxy.dll

This is how VirusScan intercepts script execution. They install a “proxy” (scriptproxy.dll) that will scan the scripts before they are passed on to the appropriate scripting engine (VBScript.dll or JScript.dll).

One important implication of this mechanism, is that ScriptScan will only protect script execution when the scripts are executed with the MS COM objects, like IE does. But Firefox doesn’t work with COM, it has its own JS engine (SpiderMonkey), so ScriptScan does not scan scripts executed by Firefox.

There are documented cases where scriptscan causes problems on servers, the proposed solution is to remove the proxy: regsvr32 /u scriptproxy.dll

I wonder if there is malware out there using this trick? And one can also write his own proxy DLL to intercept scripts.

Of course, McAfee VirusScan is not the only AV providing protection against malicious scripts, most modern AV provide this. For example, Kaspersky’s Anti-Virus uses the same technique, but their proxy DLL is scrchpg.dll.

3 Comments »

  1. […] quiserem ver um caso mais prático e a inspiração para este artigo visitem este site […]

    Pingback by Como funciona um antivirus | António Campos — Saturday 3 November 2007 @ 15:09

  2. FYI, Panda Security’s retail and corporate products do the same. Not the same way to “un-register” it though and to remove it you will have to know the registry default values. However, so far I have not had any incidents that needed this particular protection module to be de-activated.

    Cheers!

    Comment by excE — Monday 5 November 2007 @ 10:03

  3. […] different needs. Take McAfee for example. McAfee VirusScan Enterprise has a feature called ScriptScan that will intercept and scan each VBScript and JavaScript before it is execute by the Microsoft […]

    Pingback by “Only X Out of 32 Antivirus Products Detect This!” « Didier Stevens — Monday 21 April 2008 @ 6:47


RSS feed for comments on this post. TrackBack URI

Leave a Reply (comments are moderated)

This site uses Akismet to reduce spam. Learn how your comment data is processed.

Blog at WordPress.com.