A few questions before I get this...

[Feeling Good]

Forgive me if this is the wrong board to be asking newbie questions/dumb stuff I wouldn't be asking if I were more computer literate. I'm really looking forward to installing NoScript; it has the kind of security I've been dreaming of for the past 4 years (Will be 5 years in February). I've read the FAQ, the features page, and several topics on this forum, and I have just a few questions left before downloading and installing NoScript.

I already plan on disabling (and uninstalling, as soon as I figure out how to) the McAfee SiteAdvisor extension, because I read about how buggy it can be, but what about McAfee ScriptScan? Can I keep the McAfee ScriptScan extension, or is that known to cause problems with NoScript, too?

Will NoScript affect my Animated Firefox Persona?

And will NoScript interfere with any automatic updates such as Adobe Flash Player updates, Firefox updates, and updates for other extensions and plug-ins?

[Tom T.]

This is exactly the right board.

I already plan on disabling (and uninstalling, as soon as I figure out how to) the McAfee SiteAdvisor extension, because I read about how buggy it can be, but what about McAfee ScriptScan? Can I keep the McAfee ScriptScan extension, or is that known to cause problems with NoScript, too?

Not familiar with it, but if it scans scripts for malice, which it sounds like it does, it shouldn't be a problem, because NoScript operates at a level of your deciding whether to let a web page request a script from the script source. If denied, such as by NS's default-deny policy, there is not any script for the other tool to see. Only if allowed to do so does the script load and run in your browser, upon which presumably the other product will do whatever it does. Please do let us know the results.

Will NoScript affect my Animated Firefox Persona?

Can't imagine why. Don't use personae myself, but even if they were script-based, you'd merely allow them in NS. Don't remember seeing anyone complain of this issue.

And will NoScript interfere with any automatic updates such as Adobe Flash Player updates, Firefox updates, and updates for other extensions and plug-ins?

No.

Now aren't you glad you asked?

[Thrawn]

To elaborate a bit: anything internal to the browser, including plugins etc, is off-limits for NoScript. There's a special protocol that they use, chrome://, and NoScript deliberately leaves it alone, only targeting web pages.

I don't use antivirus either, but I use Linux, so there's not much virus threat anyway. You might want to investigate a sandboxing tool, like Sandboxie, before disabling McAfee.

[Tom T.]

To elaborate a bit: anything internal to the browser, including plugins etc, is off-limits for NoScript. There's a special protocol that they use, chrome://, and NoScript deliberately leaves it alone, only targeting web pages.

I could be mistaken, but I fear that the above may confuse the OP (self-described as not very computer-literate), because NoScript most definitely can block plugins like Flash, Java, MS Silverlight, etc.
Granted that it blocks them at the request level from the browser (even earlier than from the web page itself), but discussing internal functions when the OP merely wants to know whether updates would be affected might be a bit much.

I don't use antivirus either, but I use Linux, so there's not much virus threat anyway. You might want to investigate a sandboxing tool, like Sandboxie, before disabling McAfee.

Again, I could be mistaken, but I didn't see that OP was disabling any anti-virus, McAfee or otherwise. Only the Site Advisor extension, and possibly the ScriptScan feature also. (But you do know that I personally use Sandboxie as part of defense-in-depth.)


@ Feeling Good: Please see FAQ 1.1 for the built-in site advisory service of NS:

NoScript offers a "Site Info" page which can help you to assess the trustworthyness of the web sites shown in your NoScript menu. You can access this service by middle-clicking or shift-clicking the relevant menu item.

[Thrawn]

To elaborate a bit: anything internal to the browser, including plugins etc, is off-limits for NoScript. There's a special protocol that they use, chrome://, and NoScript deliberately leaves it alone, only targeting web pages.

I could be mistaken, but I fear that the above may confuse the OP (self-described as not very computer-literate), because NoScript most definitely can block plugins like Flash, Java, MS Silverlight, etc.

Fair point.

I don't use antivirus either, but I use Linux, so there's not much virus threat anyway. You might want to investigate a sandboxing tool, like Sandboxie, before disabling McAfee.

Again, I could be mistaken, but I didn't see that OP was disabling any anti-virus, McAfee or otherwise. Only the Site Advisor extension, and possibly the ScriptScan feature also.

Whoops; didn't read carefully. Yeah, Site Advisor should be totally unrelated, and ScriptScan is not at all likely to use the same mechanism as NoScript, so there should be no conflict - although if it generates a lot of false positives, then you'll often find yourself doing double the work.

Btw, you can also scan links on-demand with addons like VTZilla and Dr Web Link Checker. After all, with NoScript active, links that simply point to web pages aren't likely to be any threat. It's only when you want to download something that you want to be sure it's safe. If you can train yourself to run download links through virus-scanning services, you should get at least the same level of protection as services like SiteAdvisor or WOT, with less false positives and bandwidth usage.

(But you do know that I personally use Sandboxie as part of defense-in-depth.)

Yes, I do .

[Tom T.]

Btw, you can also scan links on-demand with addons like VTZilla and Dr Web Link Checker. After all, with NoScript active, links that simply point to web pages aren't likely to be any threat. It's only when you want to download something that you want to be sure it's safe. If you can train yourself to run download links through virus-scanning services, you should get at least the same level of protection as services like SiteAdvisor or WOT, with less false positives and bandwidth usage.

I do a virus scan on the installer, video, or whatever after downloading it, but definitely before running it.

N.B.: Firefox has a major safety advantage over IE in not allowing "Run from the current location" for installers and other executables (at least, the last time I looked at IE). In other words, one must manually download and save it, which gives the opportunity for that AV scan. Add-ons (and their updates) produce the warning message that a site is trying to install software; do you trust it? -- at least, if so checked in Fx Tools > Options > Security > Warn me when sites try to install add-ons". IIRC, Firefox Add-ons is default-whitelisted there, and one could whitelist, say, https://secure.informaction.com if one wanted development builds without the warning. Else, I like the warning.

[Feeling Good]

Thanks so much for the replies, Tom T. and Thrawn. I installed NoScript today and I haven't had a single problem yet . I'm looking forward to being able to revisit certain sites that were made unsafe by malicious content being sneaked in with the advertisements. But, I'll still tread carefully, of course (I still get nightmares about the Spyware Protect 2009 malware).

And I might look into VTZilla and Dr Web Link Checker. Most of the files I download are just MP3s from trustworthy indie artists, who either don't sell their music or give out free tracks to promote their upcoming releases, but I don't always trust the file-sharing sites they use.

[Tom T.]

And I might look into VTZilla and Dr Web Link Checker. ... but I don't always trust the file-sharing sites they use.

And with good reason, in some cases.

I don't see how VTZilla would be able to scan the scripts that a site might call once you get there. Or the scripts that those scripts might then call , etc. That would be a common method of malice.

@ Thrawn, do you know if these tools could do this?
Still sounds useful for checking the downloads.

I forgot to answer your question about how to uninstall extensions. Open Firefox Tools > Add-ons > Extensions.
After each listed extension, you should see buttons for Options, Disable, Remove. I'm guessing that "Remove" would do the trick.
You'll have to restart the browser to complete the removal, in most cases.

You might want to look into Sandboxie. It "seals off" a portion of your hard drive -- the so-called "sandbox" -- so that malware inside a sandboxed browser gets dumped when you close it, and cannot permanently install itself on your machine. Nothing is perfect, and nothing can *ever* provide perfect security, but I get asked to go to some pretty scary places here, sometimes with NoScript disabled. That would be scary without Sandboxie. Freeware/nagware, with paid versions having extended features, but the free version might well suffice, and you can try it out before deciding whether to keep it and/or upgrade.

You can also run any application -- not just the browser -- inside Sandboxie. For example, a music player or video player could be run inside a sandbox, even if the browser is not running. Same with suspicious word docs from unknown sources, etc.

My pesky lawyer makes me add the following:

DISCLAIMER: Personal opinion only; not an official endorsement by this forum, its Admin/Developer, or any other person, nor can this site offer support for third-party products. Offered in the hope that it may be of some use, but because I can't control the product, your use of it, etc., I cannot accept any responsibility or liability from your use of it, or the consequences thereof. IF YOU DO NOT ACCEPT THESE TERMS, DO NOT CONSIDER, HEED, OR USE THIS OPINION.

Also, I have no personal or financial connection to Sandboxie or its developer.

[Thrawn]

I don't see how VTZilla would be able to scan the scripts that a site might call once you get there. Or the scripts that those scripts might then call , etc. That would be a common method of malice.

@ Thrawn, do you know if these tools could do this?

No, but there's this great extension that neutralises all scripting that you haven't specifically allowed .

I don't know of anything that scans JavaScript for malice; generally the sandbox is considered to be sufficient, and it just gets patched as needed. Unless McAfee ScriptScan does that?

[Tom T.]

I don't see how VTZilla would be able to scan the scripts that a site might call once you get there. Or the scripts that those scripts might then call , etc. That would be a common method of malice.

@ Thrawn, do you know if these tools could do this?

No, but there's this great extension that neutralises all scripting that you haven't specifically allowed .

Um, yes. The problem is that the sites in question might require their scripting to be run, else the page breaks. (True of legit sites as well.)

I don't know of anything that scans JavaScript for malice; generally the sandbox is considered to be sufficient, and it just gets patched as needed. Unless McAfee ScriptScan does that?

It doesn't seem to (scan script for malice). Quick search brought up this interesting item:

Corporate KnowledgeBase
ScriptScan improvement to whitelist URLs for trusted web sites (Performance improvement for web-based applications that are script intensive)

Corporate KnowledgeBase ID: KB65382
Last Modified: August 14, 2012

Environment
McAfee VirusScan Enterprise 8.8
McAfee VirusScan Enterprise 8.7i Patch 1 and later

For details of all supported operating systems, see KB51109.
Summary
When VirusScan Enterprise (VSE) is installed with the ScriptScan component, it inserts a proxy between the incoming script and the Windows scripting host ((( see comment by me below))). This can cause poor performance with web pages and web-based applications that are script-intensive. It is now possible to whitelist URLs for trusted web sites, such as sites within an intranet or sites that you use frequently and know to be safe. (( I am sooo impressed!!! )))

This functionality is available in:

* VSE 8.8
* VSE 8.7i with Patch 1 and later

NOTES:

* Do not use wild card characters.
* Partial URLs can be used. Be cautious when specifying partial matches to avoid excluding scripts from unexpected web sites. For example, adding only www as would exclude scripts from any source that contains the characters www in the URL.
* You must enable Browser Helper Objects.
* McAfee suggests that you use only Fully Qualified Domain Names and NetBIOS names.... (etc.)

Funny, I not only disabled, but completely removed the Windows Scripting Host from my locked-down and ultra-trimmed machine, and yet, Firefox seems to be able to render scripts on its own... can't see how the above tool provides "advance" browser protection (scanning scripts for malice) if that's the mechanism.

Another:
http://www.pcworld.com/article/241098/f ... lugin.html

Firefox Advises Users to Disable McAfee Plugin
By Robert McMillan, IDG News Service

* Oct 4, 2011 1:20 PM
* print

It's the last thing McAfee would want users to hear about one of its products, but the Firefox browser is advising users to disable McAfee's ScriptScan software, saying that it could cause "stability or security problems."

SriptScan ships with McAfee's VirusScan antivirus program. It's designed to keep Web surfer's safe by scanning for any malicious scripting code that might be running in the browser. But according to Mozilla it has an unintended side-effect: It can cause Firefox to crash... a lot.

Firefox Advises Users to Disable McAfee PluginIn a note posted to its website, Mozilla said that the add-on "causes a high volume of crashes," and is "strongly encouraging" users to disable the software. The warning applies to all users of version 14.4.0 and below of the plugin, Mozilla said.

The Firefox browser started popping up warning messages Monday, advising that users disable the software

In McAfee user forums, there is a smattering of complaints about the Firefox problem.

The problem affects Firefox 7 users, according to Francie Coulter, a McAfee spokeswoman. "McAfee has identified the cause and is working actively with the Firefox team to resolve this issue and expects to roll out an update shortly," she said in an email message.

They apparently did fix that.

Seems the best practice is still to use default-deny NoScript; upon (or before) visiting a new site, check its reputation and those of the script sources, auto-excluding all of these sites; allow or temp-allow only the minimum needed for the functions you want; and wrap it all inside some kind of sandboxing or virtualization tool anyway.

If someone does present a tool to scan scripts for malice, I'll bet that someone like, say, Giorgo (a recognized world-class hacker) could write one that would bypass it, although it might take him two or three minutes.