Here is some code to block malware scripting attacks.
Perhaps it would be useful to set up a GitHub repo for community packages?
Regards
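def install():
    """Apply the script-execution hardening shipped by this package.

    Steps, in order:

    1. Set the default shell verb of the listed script file classes to
       'Edit', which is intended to stop a double-click from running them.
    2. Write Enabled=0 for Windows Script Host and EnableScripts=0 under the
       PowerShell policy key (both in HKEY_LOCAL_MACHINE).
    3. Remove any rules left by a previous run, turn Windows Firewall on for
       all profiles and add one outbound block rule per listed binary.

    The firewall rules use protocol=tcp, so other protocols (UDP for example)
    are not covered by them.
    """
    print('installing %s' % control.asrequirement())

    print('Disable execution of script file extensions')
    # NOTE(review): this relies on each class actually defining an 'Edit'
    # verb, and on no per-user association overriding HKEY_CLASSES_ROOT;
    # verify on a reference machine for every entry.
    script_classes = (
        r"vbsfile",    # .vbs Visual Basic Script
        r"vbefile",    # .VBE Visual Basic Script Encoded
        # .WSF Windows Script files
        # NOTE(review): the class registered for .wsf is normally "WSFFile";
        # "wsfile" looks like a typo, in which case .wsf files are NOT
        # hardened. Left unchanged here because uninstall() restores the same
        # key name; confirm and fix both functions together.
        r"wsfile",
        r"wshfile",    # .WSH Windows Script Host files
        r"jsfile",     # .js allows execution of JavaScript
        r"jsefile",    # .jse JScript Encoded Script File
        r"htafile",    # .hta allows execution of JavaScript and other scripting languages
        r"SHCmdFile",  # .scf Windows Explorer Shell Cmd File
        r"scrfile",    # .scr Windows Screen Saver extension
        r"piffile",    # .pif defines how an MS-DOS-based program should run
        r"mhtmlfile",  # .mht unpatched IE bug
    )
    for script_class in script_classes:
        registry_setstring(HKEY_CLASSES_ROOT, script_class + '\\shell', '', 'Edit', type=REG_SZ)

    print('disable Windows Scripting Host (WSH)')
    # reg add "HKLM\Software\Microsoft\Windows Script Host\Settings" /v "Enabled" /t REG_DWORD /d "0" /f
    registry_setstring(HKEY_LOCAL_MACHINE, r"Software\Microsoft\Windows Script Host\Settings", 'Enabled', 0, type=REG_DWORD)

    print('disable powershell script execution')
    # reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\PowerShell" /v EnableScripts /t REG_DWORD /d 0 /f
    registry_setstring(HKEY_LOCAL_MACHINE, r"SOFTWARE\Policies\Microsoft\Windows\PowerShell", 'EnableScripts', 0, type=REG_DWORD)

    print('add firewall rules to block malware scripts to get external access')
    # Rule list taken from:
    # https://gist.github.com/ricardojba/ecdfe30dadbdab6c514a530bc5d51ef6
    # Enable Windows Firewall and block Win32/64 binaries from making network
    # connections when they shouldn't.
    delete_firewall_rules()  # delete old rules so a re-install does not pile up duplicates
    run('netsh Advfirewall set allprofiles state on')

    add_rule = ('netsh advfirewall firewall add rule name="Block %s %s" program="%s" '
                'protocol=tcp dir=out enable=yes action=block profile=any')

    # Binaries below the Windows system directory, in rule order. The name is
    # used as the rule label; relative_path holds the entries whose file path
    # differs from that label.
    system_tools = (
        'calc.exe', 'certutil.exe', 'cmstp.exe', 'cscript.exe', 'esentutl.exe',
        'expand.exe', 'extrac32.exe', 'findstr.exe', 'hh.exe', 'makecab.exe',
        'mshta.exe', 'msiexec.exe', 'nltest.exe', 'Notepad.exe', 'pcalua.exe',
        'print.exe', 'regsvr32.exe', 'replace.exe', 'rpcping.exe', 'rundll32.exe',
        'runscripthelper.exe', 'scriptrunner.exe', 'SyncAppvPublishingServer.exe',
        'wmic.exe', 'wscript.exe', 'ftp.exe', 'telnet.exe',
    )
    relative_path = {'Notepad.exe': 'notepad.exe', 'wmic.exe': 'wbem\\wmic.exe'}
    # NOTE(review): rpcping.exe has only ever been blocked under SysWOW64; the
    # system32 copy gets no rule. Kept that way because delete_firewall_rules()
    # as published would not clean up an extra rule; extend both together.
    syswow64_only = ('rpcping.exe',)

    # The "x86"/"x64" suffixes are only labels: "x86" marks the system32 path
    # and "x64" the SysWOW64 path. On 64-bit Windows SysWOW64 holds the 32-bit
    # binaries, so the labels do not describe the bitness of the target. They
    # are kept because delete_firewall_rules() matches rules by these names.
    run(add_rule % ('appvlp.exe', 'x86', r'C:\Program Files (x86)\Microsoft Office\root\client\AppVLP.exe'))
    for tool in system_tools:
        if tool in syswow64_only:
            continue
        run(add_rule % (tool, 'x86', '%systemroot%\\system32\\' + relative_path.get(tool, tool)))

    if iswin64():
        run(add_rule % ('appvlp.exe', 'x64', r'C:\Program Files\Microsoft Office\root\client\AppVLP.exe'))
        for tool in system_tools:
            # Fix: the SysWOW64 telnet rule used to be named
            # "Block telnet.exe x86", duplicating the system32 rule's name
            # while delete_firewall_rules() looks for "... x64".
            run(add_rule % (tool, 'x64', '%systemroot%\\SysWOW64\\' + relative_path.get(tool, tool)))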
def uninstall():
    """Revert the settings written by install().

    Sets the default shell verb of every listed file class back to 'Open',
    writes Enabled=1 for Windows Script Host and EnableScripts=1 for the
    PowerShell policy key, then removes the package's firewall rules.
    """
    print('uninstalling %s' % control.asrequirement())

    print('Enable execution of script file extensions')
    # NOTE(review): 'Open' is written unconditionally; the value that was
    # present before install() is not recorded anywhere in this file, so a
    # host with a different default verb is not restored to its prior state.
    # NOTE(review): "wsfile" is probably meant to be "WSFFile" (the class
    # normally registered for .wsf); confirm together with install().
    shell_keys = (
        r"vbsfile\shell",
        r"vbefile\shell",
        r"wsfile\shell",
        r"wshfile\shell",
        r"jsfile\shell",
        r"jsefile\shell",
        r"htafile\shell",
        r"SHCmdFile\shell",
        r"scrfile\shell",
        r"piffile\shell",
        r"mhtmlfile\shell",
    )
    for shell_key in shell_keys:
        registry_setstring(HKEY_CLASSES_ROOT, shell_key, '', 'Open', type=REG_SZ)

    # NOTE(review): both values below are set to 1 rather than removed, so a
    # machine that had no such value before install() ends up with an explicit
    # one; check that this is the intended end state, especially for the
    # PowerShell policy key.
    print('enable Windows Scripting Host (WSH)')
    # reg add "HKLM\Software\Microsoft\Windows Script Host\Settings" /v "Enabled" /t REG_DWORD /d "1" /f
    wsh_settings = r"Software\Microsoft\Windows Script Host\Settings"
    registry_setstring(HKEY_LOCAL_MACHINE, wsh_settings, 'Enabled', 1, type=REG_DWORD)

    print('enable powershell script execution')
    # reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\PowerShell" /v EnableScripts /t REG_DWORD /d 1 /f
    powershell_policy = r"SOFTWARE\Policies\Microsoft\Windows\PowerShell"
    registry_setstring(HKEY_LOCAL_MACHINE, powershell_policy, 'EnableScripts', 1, type=REG_DWORD)

    print('remove firewall rules to block malware scripts to get external access')
    # The firewall itself is left switched on; only this package's rules go.
    delete_firewall_rules()
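def delete_firewall_rules():
    """Delete every outbound block rule that install() may have created.

    Called by install() before it adds rules (so repeated installs do not
    accumulate duplicates) and by uninstall(). Each deletion goes through
    run_notfatal, so a rule that does not exist does not abort the run.

    Changes from the published version:

    * The rule is selected with ``name="..."``, which is the documented form
      of ``netsh advfirewall firewall delete rule``. The untagged form used
      before is not documented, and since run_notfatal hides failures a
      rejected command would silently leave every block rule in place.
    * "Block rpcping.exe x64" is now deleted as well; install() creates that
      rule but it was missing from this list, so it survived uninstall and
      was duplicated by each re-install.
    """
    delete_rule = 'netsh advfirewall firewall delete rule name="Block %s %s"'

    # Same labels, in the same order, as the rules added by install().
    rule_labels = (
        'appvlp.exe', 'calc.exe', 'certutil.exe', 'cmstp.exe', 'cscript.exe',
        'esentutl.exe', 'expand.exe', 'extrac32.exe', 'findstr.exe', 'hh.exe',
        'makecab.exe', 'mshta.exe', 'msiexec.exe', 'nltest.exe', 'Notepad.exe',
        'pcalua.exe', 'print.exe', 'regsvr32.exe', 'replace.exe', 'rpcping.exe',
        'rundll32.exe', 'runscripthelper.exe', 'scriptrunner.exe',
        'SyncAppvPublishingServer.exe', 'wmic.exe', 'wscript.exe', 'ftp.exe',
        'telnet.exe',
    )

    # Deleting by name removes every rule carrying that name, so this also
    # clears the second "Block telnet.exe x86" rule that install() as
    # published adds for the SysWOW64 path. A label with no matching rule
    # (rpcping.exe has no "x86" rule) just fails non-fatally.
    for label in rule_labels:
        run_notfatal(delete_rule % (label, 'x86'))

    if iswin64():
        for label in rule_labels:
            run_notfatal(delete_rule % (label, 'x64'))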
def session_setup():
    """Log the package requirement string; no setting is changed here.

    Everything below the print is commented out and kept as optional
    hardening that can be enabled. Those settings all target
    HKEY_CURRENT_USER, i.e. the account this function runs under.
    """
    requirement = control.asrequirement()
    print('Session setup for %s' % requirement)

    # Optional: disable Windows Script Host and block wscript/cscript for the
    # current user.
    #reg add "HKCU\Software\Microsoft\Windows Script Host\Settings" /v "Enabled" /t REG_DWORD /d "0" /f
    #reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun" /v "1" /t REG_SZ /d "wscript.exe" /f
    #reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun" /v "2" /t REG_SZ /d "cscript.exe" /f

    ## Optional: disallow opening some file extensions as Outlook attachments,
    ## if you use Outlook. The same list is written for Office 14.0, 15.0 and 16.0.
    ## NOTE(review): '.xslm' in the list is probably a typo for '.xlsm'
    ## (macro-enabled Excel workbook); as written that type would not be blocked.
    #blocked_attachments = ';.docm;.xslm;.ade;.adp;.app;.asp;.bas;.bat;.cer;.chm;.cmd;.cnt;.com;.cpl;.crt;.csh;.der;.exe;.fxp;.gadget;.grp;.hlp;.hpj;.hta;.inf;.ins;.isp;.its;.jar;.js;.jse;.ksh;.lnk;.mad;.maf;.mag;.mam;.maq;.mar;.mas;.mat;.mau;.mav;.maw;.mcf;.mda;.mdb;.mde;.mdt;.mdw;.mdz;.msc;.msh;.msh1;.msh2;.mshxml;.msh1xml;.msh2xml;.msi;.msp;.mst;.ops;.osd;.pcd;.pif;.pl;.plg;.prf;.prg;.ps1;.ps1xml;.ps2;.ps2xml;.psc1;.psc2;.pst;.reg;.scf;.scr;.sct;.shb;.shs;.tmp;.url;.vb;.vbe;.vbp;.vbs;.vsw;.ws;.wsc;.wsf;.wsh;.xbap;.xnk'
    #for office_version in ('14.0', '15.0', '16.0'):
    #    registry_setstring(HKEY_CURRENT_USER, 'Software\\Microsoft\\Office\\' + office_version + '\\Outlook\\Security', 'Level1Add', blocked_attachments, type=REG_SZ)