Code: Select all
Site ^(?:[0-9A-Za-z-]+tps?|wss)://.*\.(?:exe|bat|dll|sh|dmg|cmd|cpl|lnk|pif|scr|vbs|vbe|vb|ws|wsc|wsf|msi|reg|jse|bas|chm|scf|sct)
Deny INC
Yes in NoScriptbarbaz wrote:With NoScript?(that's suposed to be all one line but the forum is breaking it up for some weird reason.)Code: Select all
Site ^(?:[0-9A-Za-z-]+tp|wss)://.*\.(?:exe|bat|dll|sh|dmg|cmd|cpl|lnk|pif|scr|vbs|vbe|vb|ws|wsc|wsf|msi|reg|jse|bas|chm|scf|sct) Deny INC
If you don't even want able to download these manually/yourself, change Deny INC to just Deny
EDIT oops, forgot to say what to do with that code
NoScript Options > Advanced > ABE > USER
paste that in
Maybe - this is up to Giorgio. I don't think this is exactly a frequently asked question though (note that I did not know enough to even come up with the idea until reading & replying your post), but what do I knowruy.benton wrote:Since this block most of the virus ... put your code in FAQ?
No reason to create another ruleset for a rule like that. Just put it at the *very top* of USER. It's the same effect & (I think) more performance efficient than creating another ruleset because ABE processes each ruleset independently, why make it process more than needed for what will be a Deny?ruy.benton wrote:Add this to about:config noscript.ABE.rulesets.Block_Files
and add your code
You're welcomeruy.benton wrote:Thank you for your code and comments
line 3:6 no viable alternative at character '?'barbaz wrote: (?:exe|bat|dll|sh|dmg|cmd|cpl|lnk|pif|scr|vbs|vbe|vb|ws|wsc|wsf|msi|reg|jse|bas|chm|scf|sct)
Well this is my work, all day ... Servers, Computers, security and delete virus and worms ... if NoScript help ... Thank you.barbaz wrote: Maybe - this is up to Giorgio. I don't think this is exactly a frequently asked question though (note that I did not know enough to even come up with the idea until reading & replying your post), but what do I know
Simple - My computer is free - Virus, Worms ... and 1000 computers I Admin and setupbarbaz wrote: Anyway, can you please expand on that suggestion a little:
1) What question would you suggest that is understandable to even average users to which this is the answer?
barbaz wrote: 2) What evidence do you have for that those file extensions are "most" of online virus? I personally have heard that it's exploits of plugins (e.g. Flash) that result in viruses, this is the first I've heard that can loading these type files to cause virus...
Thank ... save the advicebarbaz wrote: ... more performance efficient than creating another ruleset because ABE processes each ruleset independently, why make it process more than needed for what will be a Deny?
Yeah, sorry, that's supposed to be on the same line as the Site line. That's what I meant my comment about the forum breaking it up.ruy.benton wrote:line 3:6 no viable alternative at character '?'barbaz wrote: (?:exe|bat|dll|sh|dmg|cmd|cpl|lnk|pif|scr|vbs|vbe|vb|ws|wsc|wsf|msi|reg|jse|bas|chm|scf|sct)
Ah, so the plugin exploit isn't generally itself the virus but it's just a way to deliver & run the virus.ruy.benton wrote:Well this is my work, all day ... Servers, Computers, security and delete virus and worms ... if NoScript help ... Thank you.barbaz wrote: Maybe - this is up to Giorgio. I don't think this is exactly a frequently asked question though (note that I did not know enough to even come up with the idea until reading & replying your post), but what do I know
Simple - My computer is free - Virus, Worms ... and 1000 computers I Admin and setupbarbaz wrote: Anyway, can you please expand on that suggestion a little:
1) What question would you suggest that is understandable to even average users to which this is the answer?
barbaz wrote: 2) What evidence do you have for that those file extensions are "most" of online virus? I personally have heard that it's exploits of plugins (e.g. Flash) that result in viruses, this is the first I've heard that can loading these type files to cause virus...
In Linux, MacOSX, W$n and many other O.S.
1 - The Ani-Virus check all files, WE or the Browser Download in ForeG. or Background ... If I have a blocker for most files ... great
2- /etc/hosts, resolv The root own and is read only ... I check everyday the file.
Firefox - Proxy - > I check everyday
3 - Scripts - > NoScript block most of invasions
Flash and other plugins - > in the final stage (infection) ... they Download files -> O.S. - DLL, SH, EXE, DMG ...
I'm not sure I'm understanding this question. Sure you can add xpi to the list if you think it'd help (I think you can figure howruy.benton wrote:And to protect Firefox ... .XPI?
).Now I don't get the error but ...barbaz wrote:Yeah, sorry, that's supposed to be on the same line as the Site line. That's what I meant my comment about the forum breaking it up.ruy.benton wrote:line 3:6 no viable alternative at character '?'barbaz wrote: (?:exe|bat|dll|sh|dmg|cmd|cpl|lnk|pif|scr|vbs|vbe|vb|ws|wsc|wsf|msi|reg|jse|bas|chm|scf|sct)
barbaz wrote:Ah, so the plugin exploit isn't generally itself the virus but it's just a way to deliver & run the virus.
So you're saying that you've had personal experience with administering a LOT of computers where inclusions of files with these extensions are causing virus... so something like this Faq suggestion?
"I've seen that many viruses in the end come from native executable files & such being included by pages in an exploit scenario. I only need to download such files directly when I want, I don't ever need my browser or a plugin to display them, so how to use NoScript to block them from being embedded?"
ruy.benton wrote:And to protect Firefox ... .XPI?
Yes, most of the time I see the warning ... and we click in preferences ...barbaz wrote:I'm not sure I'm understanding this question. Sure you can add xpi to the list if you think it'd help (I think you can figure how
The main threat to Firefox with XPIs is those side-loaded by the file types already blocked by the rule as is. A page trying to install an XPI in Firefox through Firefox is going to be blocked & throw either A) a doohanger and/or B) a scary warning in the user's face when they don't expect it. So I guess whether it's worth to add it depends on who your end user is.
Oh phooey, I just can't get this right can I?ruy.benton wrote:Now I don't get the error but ...
For ex. if we want to block PDF ... in "https://noscript.net/abe/abe_rules.pdf"
I can block with:
Site ^(?:https|wss)://.*\.(?:pdf)
Deny
With your code:
Site ^(?:[0-9A-Za-z-]+tp|wss)://.*\.(?:pdf)
Deny
Don't work
Something is wrong ... in [0-9A-Za-z-]+tp
Code: Select all
Site ^(?:[0-9A-Za-z-]+tps?|wss)://.*\.(?:exe|bat|dll|sh|dmg|cmd|cpl|lnk|pif|scr|vbs|vbe|vb|ws|wsc|wsf|msi|reg|jse|bas|chm|scf|sct)
Deny INCWhen don't you see any warning when trying install extension in Firefox through Firefox?ruy.benton wrote:Yes, most of the time I see the warning ... and we click in preferences ...
This is an example ... if you know other treats ... updates in main kernel
You're welcome, thank you for the explanations.ruy.benton wrote:Thank you for your comments
ruy.benton wrote:Yes, most of the time I see the warning ... and we click in preferences ...
... if you know other treats ... updates in main kernel
The malicious code could bypass the warning ... and install any codebarbaz wrote:When don't you see any warning when trying install extension in Firefox through Firefox?
And what do you mean "if you know other treats ... updates in main kernel"?
SURE, DONEruy.benton wrote:TO MODERATOR - > PLEASE MOVE THIS TO ABE SUB-FORUM
OK try this:ruy.benton wrote:Add .com, need change:
Site ^(?:[0-9A-Za-z-]+tps?|wss)://.*/.*\.(?:gz|com)
Deny
Or he blocks all domains with .com
Code: Select all
Site ^(?:[0-9A-Za-z-]+tps?|wss)://[^/:]+[/:].*\.(?:exe|bat|dll|sh|dmg|cmd|cpl|lnk|pif|scr|vbs|vbe|vb|ws|wsc|wsf|msi|reg|jse|bas|chm|scf|sct|com)(?:[^0-9A-Za-z/].*)?$
Deny INCwhat?ruy.benton wrote:And if lots of dots in the file name puff
In what way?ruy.benton wrote:ftp ... don't work
Not unless it's already got a full hold of the browser, at which point the user anyway has bigger problems than an unwanted xpi and the malicious code could do more than just bypassing the warning to and installing an xpi.ruy.benton wrote:The malicious code could bypass the warning ... and install any code
Well for Windows there exists a program called sandboxie that Tom T. used to recommend (I know nothing of it myself being that I'm not a Windows user.)ruy.benton wrote:"if you know other treats ... updates in main kernel"
The main part of Firefox ... the program and the lib ex: libnspr4.so, libssl3.so and many others
I would like a plugin, to alert Firefox -> write files in the system.
I can use lsof ... but lots of work
Thank you very muchbarbaz wrote:SURE, DONEruy.benton wrote: TO MODERATOR - > PLEASE MOVE THIS TO ABE SUB-FORUM
ruy.benton wrote:Add .com, need change:
Site ^(?:[0-9A-Za-z-]+tps?|wss)://.*/.*\.(?:gz|com)
Deny
Or he blocks all domains with .com
Ex.barbaz wrote:OK try this:Code: Select all
Site ^(?:[0-9A-Za-z-]+tps?|wss)://[^/:]+[/:].*\.(?:exe|bat|dll|sh|dmg|cmd|cpl|lnk|pif|scr|vbs|vbe|vb|ws|wsc|wsf|msi|reg|jse|bas|chm|scf|sct|com)(?:[^0-9A-Za-z/].*)?$ Deny INC
ruy.benton wrote:The malicious code could bypass the warning ... and install any code
Yeap and any code not only the XPIbarbaz wrote:Not unless it's already got a full hold of the browser, at which point the user anyway has bigger problems than an unwanted xpi and the malicious code could do more than just bypassing the warning to and installing an xpi.
ruy.benton wrote:I would like a plugin, to alert Firefox -> write files in the system.
I can use lsof ... but lots of work
I have several products for enclose the OS and Delete the OS and FS after use ... and save only the bookmarkbarbaz wrote:Well for Windows there exists a program called sandboxie that Tom T. used to recommend (I know nothing of it myself being that I'm not a Windows user.)
Don't have any ideas for other OSes, sorry.
Hmm is what you want to not able to even download these manually? Then change Deny INC to Deny & remember to disable that rule when you actually want to download those type of code. (Then it is indeed useful to keep it in its own ruleset.)ruy.benton wrote:Ex.
http://products.kaspersky-labs.com/engl ... 4en-gb.exe
I can't Download ...
ftp://ftp.us.dell.com/network/
Any exe ... I can Download
Oh.. yeah, I use VirtualBox too & it's awesome. I was thinking that didn't require booting another OS - for use in a VM so that can have a REALLY disposable environment.ruy.benton wrote:I have several products for enclose the OS and Delete the OS and FS after use ... and save only the bookmark
Ex. https://www.virtualbox.org/wiki/Screenshots
I use this in some class and college. We setup a virtual machine ... and as the class close we delete the virtual machine and copy a fresh HD.
Used to be Mac OS X Lion until recently when I had to switch to Lubuntu 14.04.ruy.benton wrote:I use BSD, MacOSX, Linux ... your main OS ... ?
I need to test your code ...barbaz wrote: Hmm is what you want to not able to even download these manually? Then change Deny INC to Deny & remember to disable that rule when you actually want to download those type of code. (Then it is indeed useful to keep it in its own ruleset.)
Need switch to Lubuntu in a INTEL MAC?barbaz wrote:Used to be Mac OS X Lion until recently when I had to switch to Lubuntu 14.04.
But I've played with a lot of different OSes - I've got (or had) VM's for most popular Linux distros as well as OpenBSD & NetBSD (never could make FreeBSD work). Also have a pre-built OpenSolaris VM somewhere...
Nooooooo ... you sug. Sandbox ...barbaz wrote:Oh.. yeah, I use VirtualBox too & it's awesome. I was thinking that didn't require booting another OS - for use in a VM so that can have a REALLY disposable environment.
ABE is specifically for filtering HTTP requests. It's a web firewall, not a general-purpose one. FTP is out of scope.ruy.benton wrote: FTP
Ex.
ftp://ftp.us.dell.com/network/
Any .exe ... DON'T BLOCK ANY .EXT ... DON'T WORK
Code: Select all
Site ^(?:[0-9A-Za-z-]+tps?|wss?)://[^/:]+[/:].*\.(?:exe|bat|dll|sh|dmg|cmd|cpl|lnk|pif|scr|vbs|vbe|vb|ws|wsc|wsf|msi|reg|jse|bas|chm|scf|sct|com)(?:[^0-9A-Za-z/].*)?$
Deny INCYep. (Well, had to dual boot anyway, but using Lubuntu as my main OS.) I'd rather not get into the details of why here.ruy.benton wrote:Need switch to Lubuntu in a INTEL MAC?
I've tried to set up a FreeBSD VM for myself from the install CD, and I just couldn't get it going in the way I wanted... my machine doesn't have the specs to compile tons of stuff (& building things from source almost always goes wrong for me) and all I could do with FreeBSD in any case was a basic install and then use the resulting system exactly as it was. I simply could not find a way to add software to the machine, see what software was on it, or even update the machine's existing software... all the suggestions I found on the Internet failed one way or another.ruy.benton wrote:FreeBSD don't work? ... I have several servers ...
Well a sandbox will know everything that's written through it... so am I misunderstanding what you're wondering about?ruy.benton wrote:Nooooooo ... you sug. Sandbox ...
"I would like a plugin, to alert Firefox -> write files in the system.
I can use lsof ... but lots of work"
This link looks very interesting to me for a number of reasons. Thanks!ruy.benton wrote:There is several Sandbox for Mac, Linux:
[...]
https://l3net.wordpress.com/projects/firejail/
Oh, so it doesn't intercept any non-HTTP requests at all? I'm not aware of how ABE is implemented internally.Thrawn wrote:ABE is specifically for filtering HTTP requests. It's a web firewall, not a general-purpose one. FTP is out of scope.