Security Incidents mailing list archives
RE: Worms and CScript/WScript
From: "Michael Wright" <mwright () allcovered com>
Date: Tue, 21 May 2002 19:25:47 -0400
The NSA guide, titled: "E-mail Security in the Wake of Recent Malicious Code Incidents" actually recommends disabling Windows Scripting Host by removing both cscript.exe and wscript.exe. I have added that to my logon script so that every time a user logs onto one of my networks, WSH is disabled. Add that to a managed anti-virus solution that filters attachments by extension, and does real-time protection of both servers and workstations and you have a very effective virus/worm/trojan defense.

You can download the aforementioned NSA guide directly here: http://nsa2.www.conxion.com/emailexec/guides/eec-1.pdf or browse through all the NSA guides at http://www.nsa.gov
-----Original Message-----
From: Blake Frantz [mailto:blake () mc net]
Sent: Tuesday, May 21, 2002 5:45 PM
To: incidents () securityfocus com
Subject: Worms and CScript/WScript

Hello,

A majority of the worms (even SQLsnake) that have been going around lately take advantage of cscript and wscript. What ramifications would be felt on vanilla installs of common services (MS SQL, Exchange, IIS, etc.) if these two files were moved or deleted? It seems like a fairly easy way to help mitigate the 'success' of Internet worms.

Any thoughts?

Blake Frantz
A+, CNA, CCNA, MCSE
Network Security Analyst
mc.net
720 Industrial Drive #121
Cary, IL 60013
phn: (847)-594-5111 x5734
fax: (847)-639-0097
mailto:blake () mc net
http://www.mc.net

----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service. For more information on this free incident handling, management and tracking system please see: http://aris.securityfocus.com
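Added example, not part of either message above: a read-only PowerShell audit that reports whether the two script hosts discussed in this thread are still present on a machine. It also checks the Windows Script Host `Enabled` registry value, which is a different mechanism from the file removal the post describes; the function names are hypothetical, and treating a `0` in either hive as "disabled" is a simplifying assumption.

```powershell
# Added example: audits Windows Script Host exposure; changes nothing on the system.

function Get-WshHostBinary {
    # Check the system directories for cscript.exe and wscript.exe.
    $dirs = @("$env:SystemRoot\System32", "$env:SystemRoot\SysWOW64") |
        Where-Object { Test-Path -LiteralPath $_ }
    foreach ($dir in $dirs) {
        foreach ($name in 'cscript.exe', 'wscript.exe') {
            $path = Join-Path $dir $name
            [pscustomobject]@{
                Path    = $path
                Present = Test-Path -LiteralPath $path -PathType Leaf
            }
        }
    }
}

function Get-WshEnabledSetting {
    # Machine-wide and per-user WSH settings keys.
    $keys = 'HKLM:\SOFTWARE\Microsoft\Windows Script Host\Settings',
            'HKCU:\SOFTWARE\Microsoft\Windows Script Host\Settings'
    foreach ($key in $keys) {
        $value = $null
        if (Test-Path -LiteralPath $key) {
            $item  = Get-ItemProperty -LiteralPath $key -Name Enabled -ErrorAction SilentlyContinue
            if ($item) { $value = $item.Enabled }
        }
        $shown = '(not set)'
        if ($null -ne $value) { $shown = "$value" }
        [pscustomobject]@{
            Key      = $key
            Enabled  = $shown
            Disabled = ($shown -eq '0')   # assumption: 0 in either hive counts as disabled
        }
    }
}

$binaries = @(Get-WshHostBinary)
$settings = @(Get-WshEnabledSetting)
$binaries | Format-Table -AutoSize
$settings | Format-Table -AutoSize

# Flag the machine when a host binary exists and no registry setting turns WSH off.
$hostPresent = [bool]($binaries | Where-Object { $_.Present })
$policyOff   = [bool]($settings | Where-Object { $_.Disabled })
if ($hostPresent -and -not $policyOff) {
    Write-Output 'FINDING: script hosts present and WSH not disabled by registry setting.'
} else {
    Write-Output 'OK: script hosts removed, or WSH disabled by registry setting.'
}
```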