Author Topic: Blocking encoded scripts  (Read 2290 times)

sidki3003

Blocking encoded scripts
« on: July 20, 2002, 01:39:19 PM »
Yesterday I got a virus alert, once more caused by an encoded script.
So this filter blocks them all together.

[Patterns]
Name = "<script>: Block encoded scripts"
Active = TRUE
Bounds = "$NEST(<script,</script*>)"
Limit = 8000
Match = "(?)++{0,20}language=$AV((JScript|VBScript)\1.Encode) (src=$AV(\2)|$SET(2=inline))*"
Replace = "<center><span class=prox style=display:inline;>[encoded \1 killed: \2]</span></center>"

If you caught one and want to decode it, here is a console app:
http://www.virtualconspiracy.com/index.php?page=scrdec/download

Of course there is an encoder too:
http://msdn.microsoft.com/downloads/default.asp?URL=/downloads/sample.asp?url=/msdn-files/027/001/789/msdncompositedoc.xml

AFAIK this is an IE only matter.

sidki
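
The same check as the filter above, as an added Python example (not part of the original post and not Proxomitron code): it replaces any script element whose language attribute is JScript.Encode or VBScript.Encode with a placeholder and reports the engine and the src (or "inline"). It looks for the attribute anywhere in the tag, and the function names, placeholder markup and sample HTML are constructed for illustration.

```python
import re
from html import escape

# A whole <script ...>...</script> element (case-insensitive, body may span lines).
SCRIPT_RE = re.compile(r"<script\b([^>]*)>(.*?)</script\s*>", re.I | re.S)
# One attribute: name="value", name='value' or name=bare
ATTR_RE = re.compile(r"""([\w-]+)\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s>]+))""")
# The language values the filter targets: JScript.Encode / VBScript.Encode
ENCODED_RE = re.compile(r"(JScript|VBScript)\.Encode\Z", re.I)


def parse_attrs(tag_attrs):
    """Parse the attribute part of a tag into a dict (first occurrence wins)."""
    attrs = {}
    for m in ATTR_RE.finditer(tag_attrs):
        value = next(g for g in m.groups()[1:] if g is not None)
        attrs.setdefault(m.group(1).lower(), value.strip())
    return attrs


def block_encoded_scripts(html):
    """Return (filtered_html, findings); findings holds (engine, source) pairs."""
    findings = []

    def repl(m):
        attrs = parse_attrs(m.group(1))
        enc = ENCODED_RE.match(attrs.get("language", ""))
        if not enc:
            return m.group(0)  # ordinary script: leave untouched
        source = attrs.get("src") or "inline"
        findings.append((enc.group(1), source))
        return "<center><span>[encoded %s killed: %s]</span></center>" % (
            escape(enc.group(1)), escape(source))

    return SCRIPT_RE.sub(repl, html), findings


# Constructed sample page: two encoded scripts and one ordinary script.
SAMPLE = (
    '<p>hello</p>'
    '<script language="JScript.Encode" src="http://example.invalid/x.jse"></script>'
    '<script language=VBScript.Encode>constructed placeholder body</script>'
    '<script language="JavaScript">var ok = 1;</script>'
)

if __name__ == "__main__":
    filtered, found = block_encoded_scripts(SAMPLE)
    print(filtered)
    print(found)
```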


 
 

JD5000

Blocking encoded scripts
« Reply #1 on: July 23, 2002, 01:50:02 AM »
Another filter to add to the collection.

Thx Sidki (a.k.a., filter factory)

--------
Infopros Joint :: Computer Related Links And Discussion