To block malware running via VBS, disable the script host by doing any of the following:
Option I: Disable Windows Script Host
To block .vbs malware by disabling WSH, create one of the following two registry entries (REG_DWORD) and set the value to "0".
- To disable WSH for a particular user, create this entry: HKEY_CURRENT_USER\Software\Microsoft\Windows Script Host\Settings\Enabled
- To disable WSH for all users of a particular computer, create this entry: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows Script Host\Settings\Enabled
When enforced, the following message will be displayed during any attempts to run a WSH script:
"Windows Script Host access is disabled on this machine. Contact your administrator for details."
Option II: Block by Behavior Monitoring
To disable WSH using Behavior Monitoring:
- Log on to the OfficeScan management console.
- Go to Networked Computers > Client Management > Settings > Behavior Monitoring Settings.
- Add the following Block Programs:
- C:\Windows\system32\cscript.exe
- C:\Windows\system32\wscript.exe
- Click Save.
WSH should now be disabled.