ScriptBlocking Service

Christer · 2003/09/26

Hello all!

Symantec installs ScriptBlocking Service (SBServ.exe). It is by default set to automatic.

On my system, as soon as it gets started it is immediately stopped.
When I start it in Administrative Tools / Services it is immediately stopped.

Does anyone know what causes this to happen?

Thanks for Your time,
Christer

Johanna · 2003/09/27

Christer,
I have NIS 2003 and Norton Utilities 2002, and I found that service exactly as you described, set to "automatic." But it does not appear on the task manager's list of running processes, and it is not on the start up menu at all. So perhaps it just waits until it is needed, then comes to life? You said it is set to automatic. What is telling you that it is stopped? An error message? Any dialog box? Wonder how it knows which scripts to block, and if there is a way to configure that? Thanks, Christer, now I'll be up all night!

Johanna

off researching Script Blocking by Symantec...

btw, I noticed the exe is listed as "Script blocking registration "- maybe it's part of the LU?

miniB · 2003/09/28

Hi

Is this not just the 'plug-in' for Office applications which would come into action if working with a suspicious script ? Mine is set to automatic also but I have never seen an alert (really don't want to either!!) I just wonder if it detects script things that may be on a web page or e-mails???
I have just checked again and see if it's on Auto then it will stop a malicious script without alerting you to this. If set to manual then it will alert and ask you what you want to do.

I am not sure how I would know it's stopped as Christer has found out

Christer · 2003/09/28

Hi guys,
on Windows XP go to Control Panel > Administrative Tools > Services.

Services can be set to Automatic, Manual or Disabled. Automatic = started when Windows starts, Manual = started when a program that needs the Service is started, Disabled = not available.

For each Service there´s a status indication, "blank" or "started ".

ScriptBlocking Service is by default set to Automatic so the fact that it isn´t started indicates to me that something stops it.

Double-click the Service and start it manually. It gets the indication as started but exit Services and go back and check. My bet is that it has been stopped and the status is again blank.

ScriptBlocking is part of NAV and NPF. It detects possible virus that has not yet been defined and therefore not included in the virus definitions.

I´m having an E-mail conversation with Symantec Support. They think that it´s a problem with my setup and have suggested to uninstall and reinstall.
I don´t believe that´s the case since I´ve checked two other computers, one XP Home and one XP Professional and both behave exactly like mine.

I have told this to SS and also suggested that it might be an incompatibility issue with a Windows Hotfix.

The reason for believing this is that a month or so ago I changed the settings for a couple of Services and I would probably have noticed a Service set to automatic but not started ...... ......

I´ll let You know what I find out!

Christer

miniB · 2003/09/28

Hi

I have just checked my services too - set to Automatic but the service has not been started - 'yes' you have guessed it - started - came out and back again - automatic - start service!
Does this not indicate that it would start if it was needed?

It seems to be the SS answer to a lot of problems - re-install everything! I used to get a lot better one to one support by e-mail but now by the time you get to the 'contact us' they either tell you to re-install on a clean boot of Windows or refer you to the KB when the actual article does not describe the full problem.

I have now decided that I am not upgrading to the new 2004 version and within the next few weeks I am uninstalling the software completely. There are far too many conflicts arising with it now. This just adds to the issue - I have configured my services for security and effiency - I would not know which of these has conflicted with this service now

Christer · 2003/09/28

Hi miniB!

Does this not indicate that it would start if it was needed?
Click to expand...

No, it indicates to me that something stops it as soon as it has been started.

Once, when starting my computer, I hit ctrl-alt-del to bring up the Task Manager > Processes as soon as possible. The SBServ.exe appears in TM during startup but gets shut down.
I have no idea why or by what.

I´ll wait for Symantecs response to my latest E-mail to see if they have investigated the Hotfixes. If they haven´t, I will.

Christer

charlesvar · 2003/09/29

Hey Christer,

Running NAV2002 on XP, same situation. Since I run SSM (System Saftety Monitor), don't worry about whether it works or not.

However, I'm going to make a few guesses based on experience running stand-alone script blockers on XP and on 9X.

For example, currently running a fairly old program called Script Trap on 9X. Does not show up as running in the background, but know it works, have had it pop up with a warning at the appropriate times. It warns whenever Word wants to run, for instance. Prior to installing SSM, ran SciptSentry on XP, same deal.

So I think Johanna is right: " But it does not appear on the task manager's list of running processes, and it is not on the start up menu at all. So perhaps it just waits until it is needed, then comes to life? ".

Off the top of my head, don't know how you would test NAV's script blocking though.

Regards - Charles

Christer · 2003/09/29

Hi Charles!

There´s always the possibility that it really works in the background and is kicked into gear when needed. Your experience seems to support that.

If that´s the case, then I don´t understand that Symantec Support doesn´t know and inform me about the situation. Instead they send me on a wild goose chase ...... ...... well, they try but I´m not running yet ...... ......

Christer

BillyBob · 2003/09/29

Is Norton ScriptBlocking Service similiar to this.

Benign

This only worls on E-mail as far as I know but has a few time filtered out some script in an e-mail.

Every e-mail I get says at the bottom " checked by Benign " but nothing every pops up but is un a log file.

It has an Icon in the systray. Does not show in services but does show in Taskmanager as a running App as b9.e x e.

So am I correct that SS is a service and b9 is a standalone application ?

miniB
I am with you on upgrading. I upgraded to 2003 and it is sitting a a box somewhere. AVG7. Kerio Firewall and Benign have replaced it. All are doing well and no more conflicts.

BillyBob

PeteC · 2003/09/29

I am running NAV 2004 quite happily - checked Services and also found that it was set to Automatic and was not started.

However checked in GoBack and SBServer.exe has run several times during the day - seems it kicks in when needed.

Christer · 2003/09/29

PeteC,
thanks for letting me/us know!

I have tried to search the logbook (Control Panel > Administrative Tools > Logbook) but on most items when I click for more information, none is available.

Quite easy to design that Help Function ...... ......

Nevertheless, it defies my logic when an automatically started sevice seems to get started and stopped by some other command.

I´m impatiently awaiting Symantecs next suggestion ...... ......

Christer

charlesvar · 2003/09/29

Hi Christer,

A possible way to test NAV script blocking, or at least to see what processes run during this test.

http://www.rexswain.com/eicar.html This is a site for downloading a test virus file. Comes in three flavors: non-zipped - zipped - double zipped. The site's web page will explain the reasons.

If I remember correctly, opening a zipped file involves scripting, I may be wrong about that though.

Regards - Charles

Christer · 2003/09/29

Charles,
Norton detected them all. I don´t know if it involved any ScriptBlocking, though. The Task Manager didn´t show the SBServ.exe.

Regards,
Christer

Christer · 2003/09/30

The next suggestion from Symantec Support:

Christer, this can also happen if the Windows Scripting Host is not installed. I suggest that you download the Windows Scripting Host and check the issue. For downloading the Windows Scripting Host, please click on the link provided below:

http://www.microsoft.com/msdownload/vbscript/scripting.asp
Click to expand...

I haven`t had the time yet but will try to find out if I I´ve got the WSH installed or not.
If I haven´t got it, well, then it seems like I´m not alone.

Christer

Johanna · 2003/09/30

Christer,
Looks like they gave you a bad link, as well. But I read the entire page on scripting from M$ and didn't understand much of it. I think Symantec is trying to put it on Microsoft because they don't know either.

Christer · 2003/09/30

Johanna,
sorry about posting a bad link ...... ...... didn´t have time to do anything but a quick post.

Same situation now, I´ll have to look into it later but my guess is that I won´t understand more than You did.

Christer

PeteC · 2003/09/30

Christer,

I guess the Scripting Host is cscript.exe - should be in system32 and system32\dllcache. At least that's how it is in my XP Pro.

Christer · 2003/10/17

Hello all!

It took a while but now I´ve received an explanation from someone at Symantec Support who seems to know what he is talking about:

Christer, Script Blocking has no real-time component. It is based on a programming mode known as Common Object Modeling (COM). This works on the premise that a Windows .dll file links the file being executed and an application that it will open.

Example: *.VBS => VBScript.dll => Wscript.exe

Script Blocking inserts its own .dll, Scrauth.dll or Scrblock.dll, between the file being executed and the Windows .dll file.

Example: *.VBS => Scrauth.dll => VBScript.dll => Wscript.exe

This allows Script Blocking to act as a proxy to filter out scripts with malicious intent. This Script Blocking DLL can be either Scrauth.dll or Scrblock.dll

To provide this protection, Script Blocking holds the 17 CLSID's. The purpose of SBServe.exe is to ensure all the proper CLSID's are hooked.

SBSERV monitors a series of Windows CLSIDs that are used for executing Visual Basic and Java scripts. When one of the registry keys is accessed, SBSERV passes the request off to SCRAUTH.DLL to see if the script is authorized. It is absolutely normal for SBServer.exe to be listed multiple times.
Click to expand...

My conclusion is that the automatically started ScriptBlocking Service checks that all components are okey and when done, it shuts itself down.
The behaviour is normal and by design.

I´m glad that I didn´t start uninstalling and reinstalling ...... ...... and I´m sorry for blaming a possible M$ hotfix as the culprit ...... ...... since they aren´t known to cause trouble!

Christer

PeteC · 2003/10/17

Christer - thanks for posting that clear and definitive response from Symantec.

Now we know for sure

Log in or Sign up

ScriptBlocking Service

Christer Geek Member Staff Thread Starter

Johanna Inactive Alumni

miniB Inactive

Christer Geek Member Staff Thread Starter

miniB Inactive

Christer Geek Member Staff Thread Starter

charlesvar Inactive Alumni

Christer Geek Member Staff Thread Starter

BillyBob Inactive

PeteC SuperGeek Staff

Christer Geek Member Staff Thread Starter

charlesvar Inactive Alumni

Christer Geek Member Staff Thread Starter

Christer Geek Member Staff Thread Starter

Johanna Inactive Alumni

Christer Geek Member Staff Thread Starter

PeteC SuperGeek Staff

Christer Geek Member Staff Thread Starter

PeteC SuperGeek Staff

Share This Page

Log in or Sign up

ScriptBlocking Service

Christer Geek Member Staff Thread Starter

Johanna Inactive Alumni

miniB Inactive

Christer Geek Member Staff Thread Starter

miniB Inactive

Christer Geek Member Staff Thread Starter

charlesvar Inactive Alumni

Christer Geek Member Staff Thread Starter

BillyBob Inactive

PeteC SuperGeek Staff

Christer Geek Member Staff Thread Starter

charlesvar Inactive Alumni

Christer Geek Member Staff Thread Starter

Christer Geek Member Staff Thread Starter

Johanna Inactive Alumni

Christer Geek Member Staff Thread Starter

PeteC SuperGeek Staff

Christer Geek Member Staff Thread Starter

PeteC SuperGeek Staff

Share This Page

Useful Searches