Hostile Scripting?

[eXShadow]

I just sent my bot to a friend for testing and he sent me a screenshot of mcfee saying it has hostile scripting or something. Now i know what its picking up, its picking up my anti-tamper function but how do i make this not a "hostile script".

My anti-tamper function simply reads the registry for an existing key, if the key isnt found it allows access to the bot. If the key is found with a value of 1 it disallows access to the bot. When i removed this feature for testing, mcfee had no proberly. Is there anyway to make it not a "hostile script".

Thanks

[hismajesty]

Is there anyway to make it not a "hostile script".

Yes!

[eXShadow]

haha you people here have a great sense of humour  

could you care to help me out? maybe an example or howd i go about this, any examples i can download or anything?

[Adron]

Post the exact information from McAfee. Perhaps McAfee will say that about anything accessing the registry? Perhaps it's just saying that this script accesses the registry, and that some hostile scripts do that?

[Stealth]

Was it McAfee that labeled anything with the FileSystemObject in it "hostile" ?

[eXShadow]

i dont know the exact message, as it was my friend that recieved the alert and i dont have mcafee. The only thing im using that MODIFYS the registry is;

Code Select Expand


CreateKey "HKEY_CURRENT_USER\Software\..........................", "1"


[iago]

Tell him to delete McAfee and get a real scanner :/

[effect]

Tell him to delete McAfee and get a real scanner :/

Mcafee Security Center is great , Scanner/Firewall/Anti-Spam/Privacy , i only use the scanner and firewall and both up until now have worked flawlessly.

[eXShadow]

so there is no way to fix it from the coding? He just needs to allow it or whatever? Hmmm this wouldnt look to good when i release it to the public  

[effect]

Maybe an expressed warning on your software describing exactly what it does and WHY?

I dont think you will find a work-around for this (As long as you continue to edit the registry at run-time) Mcaffe , Norton or any decent scanner for that matter  will/should pick up changes done to the registry at run-time.

[iago]

But lots of programs access the registry fine, though.  Where exactly are you making the change?  In your own key, or in a system key?

[MyndFyre]

I think it's the fact that the program is using the Windows Scripting Host.  McAfee and Norton tend to frown on the accessing of the registry or the file system through the WSH because there is easy potential for exploitation there.

Although, I would tend to think this could go to the general programming forum, not just here.  

[iago]

Why can't he just use the standard API for reading/writing the registry?  Or even the special VB commands, which I forget, SaveSetting and LoadSetting or something.

[effect]

But lots of programs access the registry fine, though.  Where exactly are you making the change?  In your own key, or in a system key?

After i posted that comment i stopped and thought that aswell , how do scanners define "valid" registry entries and "malicious" registry entries , does it work by comparing if the value of the key that is trying to get inserted is malicious in some way?

[MyndFyre]

But lots of programs access the registry fine, though.  Where exactly are you making the change?  In your own key, or in a system key?

After i posted that comment i stopped and thought that aswell , how do scanners define "valid" registry entries and "malicious" registry entries , does it work by comparing if the value of the key that is trying to get inserted is malicious in some way?

No, IIRC, any Script object that attempts to access a Registry object through WSH is flagges as potentially malicious.