Endpoint Protection


Protection of JS scripts running via wscript.exe

  • 1.  Protection of JS scripts running via wscript.exe

    Posted Jul 19, 2016 11:13 AM

    Greetings to all,

     

    I am trying via SEPM to create a rule on application control to block all JS scripts running via wscript.exe. I tried a simple "Hello world" script, and the attempt is not logged.

    The procedure to replicate is as follows:
     

    • Create a new Rule Set
    • Create a new Rule, where wscript.exe is being monitored.
      I also checked and unchecked the "Sub-processes inherit conditions" checkbox with the same result
    • Create a new condition under the above rule, blocking all JS scripts. The process I added is: *.js

    Launching the basic JS script does not log the attempt to execute it.
    Any idea why?

    Any help is appreciated, thank you in advance.

    Best Regards



  • 2.  RE: Protection of JS scripts running via wscript.exe

    Posted Jul 19, 2016 11:30 AM

    Hi a.selvaggi-lutech,

    There are many malicious .js files in circulation right now, most being delivered as mail attachments. Rather than try to fight them on the endpoint, block them at the mail server!

    Support Perspective: W97M.Downloader Battle Plan
    https://www-secure.symantec.com/connect/articles/support-perspective-w97mdownloader-battle-plan

    Hope this helps!

    Mick

     



  • 3.  RE: Protection of JS scripts running via wscript.exe

    Posted Jul 19, 2016 11:35 AM

    Hello Mick, thank you for your quick reply.

    That is a fine suggestion, but not really in my scope. I will surely suggest this to my superiors though.
    I am administering the SEP solution and while I understand your point, i have been assigned to this task.
    Any ideas on how to achieve what I'm trying to do?

    Thanks again



  • 4.  RE: Protection of JS scripts running via wscript.exe

    Posted Jul 19, 2016 11:50 AM

    Also, if the SEPM is not logging and you have it configured and installed, then there may be some logs that need to be looked at. Do you see any errors in the Tomcat logs? scm-server-0.log or scm-server-1.log?



  • 5.  RE: Protection of JS scripts running via wscript.exe

    Posted Jul 20, 2016 03:16 AM

    Hello Kimberly, thank you for your response.

    I'm not sure but I think your reply came incomplete.
    Anyhow, I checked the machine where my SEP is connected to, but there are no scm-server-x logs. The only folder I find under /tomcat is /webapps, no /logs.
    I checked on the other machines, but i don't see any errors related to the issue I'm having.
    Also, by checking the SEP endpoint console under View Logs/Client Management/Control Log there is no entry whatsoever.
    Any other ideas?



  • 6.  RE: Protection of JS scripts running via wscript.exe

    Posted Jul 20, 2016 04:01 AM

    Edit: I tried to set the rule for blocking, and the JS scripts are not blocked.
    I tried connecting my machine to another management server and the logs do not appear to contain any info on my JS execution attempts.



  • 7.  RE: Protection of JS scripts running via wscript.exe
    Best Answer

    Posted Jul 20, 2016 05:05 AM

    Perhaps you chose the wrong condition type?

    The following settings are working fine for me:

    (screenshot: adc03.png)

    Don't use the "Launch Process Attempts" condition:

    (screenshot: adc04.png)

    And here the Actions. You must enable logging for read attempt actions in the control log:

    (screenshot: adc05.png)



  • 8.  RE: Protection of JS scripts running via wscript.exe

    Posted Jul 20, 2016 06:18 AM

    Hello Greg,

    Many thanks! Your approach worked. I am thus marking it as solution.

    I am curious, though, as to why it doesn't work with "Launch Process Attempts" and it works with "File and folder access".
    Could you please explain?

    Thanks again



  • 9.  RE: Protection of JS scripts running via wscript.exe

    Posted Jul 20, 2016 07:01 AM

    I am curious, though, as to why it doesn't work with "Launch Process Attempts" and it works with "File and folder access".
    Could you please explain?

    I think the reason is the difference between compiled applications (.exe files) and scripts. Compiled apps can be launched by nearly every program. In most cases it's the Windows Explorer, but that's only one possibility. You can even write a very simple program of your own to launch other programs.

    But scripts do need an interpreter or scripting host. Your .js file cannot be run without wscript.exe. So the ADC rule must prevent the interpreter from reading, loading, compiling and running the script. That's a slightly different task than preventing .exe files from starting.

    BTW, there is a default ruleset called "Block access to scripts" in the ADC policy which is a rather universal approach to block scripts.



  • 10.  RE: Protection of JS scripts running via wscript.exe

    Posted Jul 20, 2016 07:10 AM

    Many thanks for your clear explanation Greg, much appreciated.

    I know of that ruleset; however, here we don't want to block all the scripts, we only want to block some of them (in this case, JS scripts launched via wscript.exe).

    Thanks again,


    Alessandro



  • 11.  RE: Protection of JS scripts running via wscript.exe

    Posted Jul 20, 2016 08:21 AM

    Greg's solution looks good. :)

    Note that .js files need to be run by another program; it can be either cscript.exe or wscript.exe.
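    Added example, not code from any of the posters above: after the "File and Folder Access Attempts" rule from reply 7 is deployed, this PowerShell check confirms on the client that a .js is actually blocked under both script hosts named in reply 11 (wscript.exe and cscript.exe), rather than relying on the Control Log alone. The test script writes a marker file instead of showing a dialog, so a run that leaves no marker was blocked. The directory under $env:TEMP and the file names are arbitrary assumptions; the script assumes it is run on a SEP client that has received the policy.

```powershell
# Added example (not from the thread). Verifies an ADC rule that should stop
# wscript.exe / cscript.exe from reading *.js. Assumption: run on a client with
# the ADC policy applied; $TestDir is an arbitrary scratch location.
$TestDir    = Join-Path $env:TEMP 'adc-js-test'
New-Item -ItemType Directory -Path $TestDir -Force | Out-Null
$ScriptPath = Join-Path $TestDir 'hello.js'
$Marker     = Join-Path $TestDir 'ran.txt'

# Constructed test script: creates a marker file so the check is non-interactive.
# Backslashes are doubled because the path is embedded in a JScript string literal.
$JsBody = @"
var fso = new ActiveXObject("Scripting.FileSystemObject");
var f = fso.CreateTextFile("$($Marker.Replace('\', '\\'))", true);
f.WriteLine("script executed");
f.Close();
"@
Set-Content -Path $ScriptPath -Value $JsBody -Encoding ASCII

# Both Windows Script Hosts can run a .js; the rule must cover each of them.
# //B (batch mode) suppresses the error dialog WSH would show if the read is blocked.
$Hosts = @('wscript.exe', 'cscript.exe')

$Results = foreach ($HostExe in $Hosts) {
    Remove-Item -Path $Marker -ErrorAction SilentlyContinue
    $Exe = Join-Path $env:SystemRoot "System32\$HostExe"
    try {
        $Proc = Start-Process -FilePath $Exe `
                              -ArgumentList @('//B', '//Nologo', $ScriptPath) `
                              -Wait -PassThru -WindowStyle Hidden
        $ExitCode = $Proc.ExitCode
    } catch {
        # Start-Process itself failed (e.g. the host binary is blocked or missing).
        $ExitCode = "launch failed: $($_.Exception.Message)"
    }
    Start-Sleep -Milliseconds 500   # give the marker write a moment to land
    [pscustomobject]@{
        Host     = $HostExe
        ExitCode = $ExitCode
        Blocked  = -not (Test-Path -Path $Marker)
    }
}

$Results | Format-Table -AutoSize

# Fail loudly if either host still executed the script.
$Leaks = $Results | Where-Object { -not $_.Blocked }
if ($Leaks) {
    Write-Warning ("ADC rule does not cover: " + (($Leaks | ForEach-Object Host) -join ', '))
} else {
    Write-Host 'Both script hosts were prevented from running hello.js.'
}
```

    A "Blocked = False" row for one host means that host is missing from the rule's process list (the rule scoped to wscript.exe alone will let cscript.exe run the same file). Each attempt should also appear as an entry under View Logs / Client Management / Control Log on the client once "Enable logging" is set on the action, as reply 7 points out.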



  • 12.  RE: Protection of JS scripts running via wscript.exe

    Posted Jul 20, 2016 10:11 AM

    Thank you also for your suggestion, Mick!

    Best Regards



  • 13.  RE: Protection of JS scripts running via wscript.exe

    Posted Aug 03, 2016 06:08 AM

    Readers of this thread may also like:

    Strengthening anti-virus security to prevent Ransom-ware derivative (Trojan.Cryptolocker family, etc.) infections
    https://www.symantec.com/connect/articles/strengthening-anti-virus-security-prevent-ransom-ware-derivative-trojancryptolocker-family-#comment-11657571