
Script list properties

In document MIMEsweeper for SMTP (Page 162-165)

Script lists contain parts of scripting language (script expressions) that MIMEsweeper for SMTP uses to detect potential source code extracts for malicious activity. Script lists are used in Script Manager scenarios to detect files that contain scripts that are deemed potential threats.

Detecting script expressions in a message is a two-stage process. A script list is made up of two separate lists: a Primary list and Secondary list. For scripts in a message to be detected, one expression in the Primary list must be found, then one expression in the Secondary list must be found. The process is as follows:

• Initially, the Primary list is read to detect the presence of scripts in a file.

• Script expression example from the Primary list: <script>

• If scripts are detected, the Secondary list is read to determine if any of the scripts contained in the file are deemed to be malicious.

• Script expression example from the Secondary list: .regcreate

• If matching script expressions are found, the scenario will classify the message as specified.

There are two types of script list reference:

Managed Script lists

Dynamic lists managed by Clearswift. Managed lists are imported from the Clearswift server by the managed list wizard. Your managed script lists are automatically refreshed every time the list is updated by Clearswift. Managed script lists cannot be edited. Setting up managed lists is described in the following Properties sections in this chapter.

User-defined Script lists

These are static lists that you create in MIMEsweeper Policy Editor by using the user-defined list wizard and manually adding files. When you browse for a file and add it to the list, MIMEsweeper Policy Editor generates a 32-digit hexadecimal value that is derived from the file content. You can also import script lists from the Clearswift server, or from your local PC. Script lists imported using the user-defined wizard are not automatically updated.

Managed and user-defined Script lists are configured and maintained in exactly the same way as Expression lists. For details on managed and user-defined lists, see Expression list on page 5-6.

Script list properties

The properties of a script list are briefly described in the following sections. For details about configuring script lists, see the MIMEsweeper Policy Editor help.

Script lists in scenarios work in a similar way to expression lists, except that a script expression is not allocated a weighting. A script expression is either detected or not detected in a file. If detected by the scenario, the message is classified accordingly. For more information about scenarios, see Chapter 3.

General - managed script lists only

The General property page displays the title given to the script list and its type, for example:

Managed Script List.

Management - managed script lists only

The commands on the Management tab allow you to specify when the script list is updated.

You can set an interval at which the Managed script list is automatically updated from the Clearswift website, or you can perform an immediate update.

Each time the update interval is reached your MIMEsweeper for SMTP server checks for a new definition file. A download will not take place if the current file being used is the latest available.

The Management tab also incorporates a log file window that lists log entries recording the number of successful updates to the Managed script list.

For information on registering your MIMEsweeper for SMTP license on the Clearswift website to enable Managed Downloads, see Configuring managed downloads on page 5-4.

Primary expressions

The list of keywords that are to be detected during the first stage of detecting scripts.

You can specify phrases in the following ways:

Simple keyword: A string of words.

Compound keywords: Multiple words and phrases connected by expression operators. For details, see Expression operators on page 5-9.

Unlike Expression lists, you cannot specify a weighting for a script expression. This column is not configurable and defaults to Detected.

You can specify whether the capitalization of the specified keyword must match in order for it to be detected.

User-defined script expressions must contain only US ASCII characters.

8-bit characters can be entered using the \xhh syntax (that is, \x followed by two hexadecimal digits).

Any user-defined script expressions containing non-US ASCII characters created in a release prior to 5.1 will be ignored during script analysis of messages. Users will need to correct any such expressions.
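The two-stage Primary/Secondary check described above, together with the \xhh expression syntax and the match-capitalization option, as an added example in Python (this is not Clearswift's code; compound keywords and expression operators are not covered, and the sample attachment content is constructed):

```python
import re

# \xhh escape as described on the page: \x followed by two hex digits.
_ESC = re.compile(r"\\x([0-9A-Fa-f]{2})")


def _ascii(text: str, expr: str) -> bytes:
    # Literal text in a script expression must be US-ASCII.
    if not text.isascii():
        raise ValueError(f"non-US-ASCII literal in script expression {expr!r}")
    return text.encode("ascii")


def compile_expression(expr: str) -> bytes:
    """Convert a script expression to the byte sequence to search for.

    8-bit bytes are written as \\xhh; a non-ASCII literal raises ValueError,
    mirroring the manual's rule that such expressions are not matched.
    """
    out = bytearray()
    pos = 0
    for m in _ESC.finditer(expr):
        out += _ascii(expr[pos:m.start()], expr)
        out.append(int(m.group(1), 16))
        pos = m.end()
    out += _ascii(expr[pos:], expr)
    return bytes(out)


def _contains(needle: bytes, data: bytes, match_case: bool) -> bool:
    if match_case:
        return needle in data
    return needle.lower() in data.lower()  # bytes.lower() folds ASCII only


def scan(data: bytes, primary, secondary, match_case=False):
    """Two-stage check: the Secondary list is consulted only after a Primary
    expression is found. Returns the (primary, secondary) pair that matched,
    or None if the file would not be classified."""
    p_hit = next((p for p in primary
                  if _contains(compile_expression(p), data, match_case)), None)
    if p_hit is None:
        return None
    s_hit = next((s for s in secondary
                  if _contains(compile_expression(s), data, match_case)), None)
    return None if s_hit is None else (p_hit, s_hit)


# Constructed sample attachment content (not from the page).
SAMPLE = b"<HTML><SCRIPT>sh.RegCreate('HKCU\\\\Demo');</SCRIPT></HTML>"
```

With the page's two example expressions, `scan(SAMPLE, ["<script>"], [".regcreate"])` reports a hit only when capitalization is not required to match.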

To import Script lists from the Clearswift server or from your local PC, use the Import command. For more information, see Importing references on page 5-27.

When importing a list there are three import options:

Clear script list

Clears all script expressions listed on this property page.

Merge with existing list and overwrite existing entries

Merges imported script expressions with those listed on this property page and overwrites script expressions that are duplicated.

Merge with existing list but do not overwrite existing entries

Merges imported script expressions with those listed on this property page. Duplicated expressions are not overwritten.

Secondary expressions

The list of keywords that are to be detected during the second stage of detecting scripts.

Usage

A list of the scenarios currently associated with the script list. Each entry shows the scenario name and its location in the scenario folder hierarchy. You can navigate to a Scenario item by highlighting a scenario from the list and clicking the Show button.

The import command can only be executed from the Primary Expressions tab, although both primary and secondary script expressions are imported.

When viewing the properties of a managed script list, the property page displays the expressions in read-only format.
