Valhalla Legends Forums Archive | Battle.net Bot Development | Hostile Scripting?

AuthorMessageTime
eXShadow
I just sent my bot to a friend for testing and he sent me a screenshot of mcfee saying it has hostile scripting or something. Now i know what its picking up, its picking up my anti-tamper function but how do i make this not a "hostile script".

My anti-tamper function simply reads the registry for an existing key, if the key isnt found it allows access to the bot. If the key is found with a value of 1 it disallows access to the bot. When i removed this feature for testing, mcfee had no proberly. Is there anyway to make it not a "hostile script".

Thanks
May 2, 2004, 1:42 PM
hismajesty
[quote]Is there anyway to make it not a "hostile script".[/quote]

Yes!
May 2, 2004, 1:47 PM
eXShadow
haha you people here have a great sense of humour :)

could you care to help me out? maybe an example or howd i go about this, any examples i can download or anything?
May 2, 2004, 1:58 PM
Adron
Post the exact information from McAfee. Perhaps McAfee will say that about anything accessing the registry? Perhaps it's just saying that this script accesses the registry, and that some hostile scripts do that?
May 2, 2004, 4:49 PM
Stealth
Was it McAfee that labeled anything with the FileSystemObject in it "hostile" ?
May 2, 2004, 11:23 PM
eXShadow
i dont know the exact message, as it was my friend that recieved the alert and i dont have mcafee. The only thing im using that MODIFYS the registry is;
[code]
CreateKey "HKEY_CURRENT_USER\Software\..........................", "1"
[/code]

May 3, 2004, 3:19 AM
iago
Tell him to delete McAfee and get a real scanner :/
May 3, 2004, 4:03 AM
Null
[quote author=iago link=board=17;threadid=6618;start=0#msg58221 date=1083557028]
Tell him to delete McAfee and get a real scanner :/
[/quote]

Mcafee Security Center is great , Scanner/Firewall/Anti-Spam/Privacy , i only use the scanner and firewall and both up until now have worked flawlessly.
May 3, 2004, 4:19 AM
eXShadow
so there is no way to fix it from the coding? He just needs to allow it or whatever? Hmmm this wouldnt look to good when i release it to the public :'(
May 3, 2004, 5:40 AM
Null
Maybe an expressed warning on your software describing exactly what it does and WHY?

I dont think you will find a work-around for this (As long as you continue to edit the registry at run-time) Mcaffe , Norton or any decent scanner for that matter will/should pick up changes done to the registry at run-time.
May 3, 2004, 5:45 AM
iago
But lots of programs access the registry fine, though. Where exactly are you making the change? In your own key, or in a system key?
May 3, 2004, 12:09 PM
Myndfyr
I think it's the fact that the program is using the Windows Scripting Host. McAfee and Norton tend to frown on the accessing of the registry or the file system through the WSH because there is easy potential for exploitation there.

Although, I would tend to think this could go to the general programming forum, not just here. ;)
May 3, 2004, 1:26 PM
iago
Why can't he just use the standard API for reading/writing the registry? Or even the special VB commands, which I forget, SaveSetting and LoadSetting or something.
May 3, 2004, 2:24 PM
Null
[quote author=iago link=board=17;threadid=6618;start=0#msg58247 date=1083586160]
But lots of programs access the registry fine, though. Where exactly are you making the change? In your own key, or in a system key?
[/quote]

After i posted that comment i stopped and thought that aswell , how do scanners define "valid" registry entries and "malicious" registry entries , does it work by comparing if the value of the key that is trying to get inserted is malicious in some way?
May 3, 2004, 11:26 PM
Myndfyr
[quote author=effect link=board=17;threadid=6618;start=0#msg58325 date=1083626792]
[quote author=iago link=board=17;threadid=6618;start=0#msg58247 date=1083586160]
But lots of programs access the registry fine, though. Where exactly are you making the change? In your own key, or in a system key?
[/quote]

After i posted that comment i stopped and thought that aswell , how do scanners define "valid" registry entries and "malicious" registry entries , does it work by comparing if the value of the key that is trying to get inserted is malicious in some way?
[/quote]

No, IIRC, any Script object that attempts to access a Registry object through WSH is flagges as potentially malicious.
May 3, 2004, 11:30 PM
iago
[quote author=Myndfyre link=board=17;threadid=6618;start=0#msg58327 date=1083627019]
[quote author=effect link=board=17;threadid=6618;start=0#msg58325 date=1083626792]
[quote author=iago link=board=17;threadid=6618;start=0#msg58247 date=1083586160]
But lots of programs access the registry fine, though. Where exactly are you making the change? In your own key, or in a system key?
[/quote]

After i posted that comment i stopped and thought that aswell , how do scanners define "valid" registry entries and "malicious" registry entries , does it work by comparing if the value of the key that is trying to get inserted is malicious in some way?
[/quote]

No, IIRC, any Script object that attempts to access a Registry object through WSH is flagges as potentially malicious.
[/quote]

So can't he do that without it?
May 4, 2004, 12:19 AM
Myndfyr
[quote author=iago link=board=17;threadid=6618;start=15#msg58339 date=1083629961]
[quote author=Myndfyre link=board=17;threadid=6618;start=0#msg58327 date=1083627019]
[quote author=effect link=board=17;threadid=6618;start=0#msg58325 date=1083626792]
[quote author=iago link=board=17;threadid=6618;start=0#msg58247 date=1083586160]
But lots of programs access the registry fine, though. Where exactly are you making the change? In your own key, or in a system key?
[/quote]

After i posted that comment i stopped and thought that aswell , how do scanners define "valid" registry entries and "malicious" registry entries , does it work by comparing if the value of the key that is trying to get inserted is malicious in some way?
[/quote]

No, IIRC, any Script object that attempts to access a Registry object through WSH is flagges as potentially malicious.
[/quote]

So can't he do that without it?
[/quote]

You could probably create a COM component or provide a function in the script host (I'm not sure how VBA works, but the VSA "Visual Studio for Applications" spec for .NET *claims* to let you provide your own objects as globals to the script) that would do the same thing -- but as compiled code it would be trusted. I imagine WSH registry functions are hooked by the virus software.
May 4, 2004, 8:24 AM
Networks
[quote author=iago link=board=17;threadid=6618;start=0#msg58221 date=1083557028]
Tell him to delete McAfee and get a real scanner :/
[/quote]

Negative, Mcafee is awsome. Updates by itself and removed a trojan I had in 5 minutes of scanning. Probably the best I've seen when you get trojanned.

Mcafee > Norton
May 4, 2004, 1:53 PM
Myndfyr
[quote author=Networks link=board=17;threadid=6618;start=15#msg58414 date=1083678811]
[quote author=iago link=board=17;threadid=6618;start=0#msg58221 date=1083557028]
Tell him to delete McAfee and get a real scanner :/
[/quote]

Negative, Mcafee is awsome. Updates by itself and removed a trojan I had in 5 minutes of scanning. Probably the best I've seen when you get trojanned.

Mcafee > Norton
[/quote]

Yeah -- if you like your computer to become insanely unstable and slow.

Norton > McAfee. :P

[edit] I formed this opinion after using Norton Internet Security 2003, then McAfee Internet Security 2003. MIS caused my computer to crash many a time.
May 4, 2004, 4:19 PM
iago
[quote author=Networks link=board=17;threadid=6618;start=15#msg58414 date=1083678811]
[quote author=iago link=board=17;threadid=6618;start=0#msg58221 date=1083557028]
Tell him to delete McAfee and get a real scanner :/
[/quote]

Negative, Mcafee is awsome. Updates by itself and removed a trojan I had in 5 minutes of scanning. Probably the best I've seen when you get trojanned.

Mcafee > Norton
[/quote]

So you got a trojan while using Mcafee, and you still think it's good? I'm confused, isn't it supposed to PREVENT viruses?
May 4, 2004, 4:27 PM
Dyndrilliac
[quote author=Myndfyre link=board=17;threadid=6618;start=15#msg58423 date=1083687588]
[quote author=Networks link=board=17;threadid=6618;start=15#msg58414 date=1083678811]
[quote author=iago link=board=17;threadid=6618;start=0#msg58221 date=1083557028]
Tell him to delete McAfee and get a real scanner :/
[/quote]

Negative, Mcafee is awsome. Updates by itself and removed a trojan I had in 5 minutes of scanning. Probably the best I've seen when you get trojanned.

Mcafee > Norton
[/quote]

Yeah -- if you like your computer to become insanely unstable and slow.

Norton > McAfee. :P

[edit] I formed this opinion after using Norton Internet Security 2003, then McAfee Internet Security 2003. MIS caused my computer to crash many a time.
[/quote]

I have to agree. I tried using Mcaffee AV in place of Norton for a while but it didn't work out well at all.... I don't know what was wrong but when I installed Mcaffee(Legit Version) on my Windows XP Pro machine the bootup time went from ~40 seconds to 10 minutes O.o". Insane how badly my computer performed while running Mcaffee. I tried several more installs and different bootup methods and even removing items from my startup registry(the Run key), yet my final solution was to simple uninstall and take it back to the store.
May 4, 2004, 6:54 PM

Search