Script Explorer adds security features

In April 2020, we released a new tool, the SAPIEN Script Explorer. You can find the details here: https://www.sapien.com/blog/2020/04/06/introducing-the-sapien-script-explorer/.

The basic premise was to prevent users from having to associate script extensions (.ps1, .vbs, .js, etc.) with the ‘open’ verb in Windows Explorer because doing so will execute any script whenever a user double-clicks it, thus posing a huge security risk. Undeniably there is a convenience to that, but that does not make it less dangerous. Even an accidental double-click can execute a malicious script you just downloaded.

image

If you are using Windows PowerShell and Windows 10, there are other safeguards in place. The same applies to older script languages, like VBScript and JScript. Most of the additional security features provided by Microsoft revolve around digital signatures. If you have a digital signature you should absolutely use it and require all scripts to be signed. However, a good portion of our users do not have or use a code signing certificate.

As you can imagine, we see plenty of user scripts in bug reports, support requests, and when we are asked to extract a script file from a packaged executable. It appears that some companies do not regard digital signatures to be a necessary expense or, in other cases, are not feasible. The added server infrastructure in an air-gaped environment to authenticate code signing certificates is not a priority for “some simple admin scripts.” Nonetheless, these “simple admin scripts” pose a huge security risk, as they are commonly executed elevated with full administrative privileges.

We figured you would like a way to know if a script’s integrity has been verified and maintained before you run it. That is where these new SAPIEN Script Explorer features come in.

This new version uses additional icons in the Explorer sidebar to display a file’s status. You can easily make out which file is signed (green certificate), verified (green shield), or modified (yellow shield) after it has been signed or verified:

image

A lock icon indicates that the file was recently downloaded from the internet or another computer, and Windows applied a ‘locked’ attribute:

image

A new option has Script Explorer prompt you before executing a script that is neither signed nor verified:

image

The prompt will still enable you to run any unverified or unsigned script, but we hope it will give you enough pause to consider checking it first:

image

These security features are considered experimental. That means they will become disabled after a while in this particular build.

A new feedback icon above the ribbon links to our feedback forum. We encourage you to share your thoughts about these features so we can improve, adapt, or remove them as needed. Please do not feel constrained to these particular features when providing feedback. Any input is always welcome.

image

The Sign and Remove Signature commands apply to digital signatures. Please note that you do not have to remove any existing signature if want to sign a file again with your own signature. However, if you want to utilize the “Verify File” functionality, you should remove any existing signature beforehand.

image
The “Verify File” function creates an MD5 hash for the file and stores it. Currently this only works for NTFS file systems, so this will not operate on a flash drive with FAT. Moving a file from your hard drive to a flash drive and back will remove the verification status.

Aside from the new buttons in the Ribbon interface, you can also mark a script as verified on the context menu. The same goes for unblocking a recently downloaded file.

image

Last but not least, let me repeat the request for feedback. The more input you provide, the more useful we can make this tool.