Detecting malicious scripts
Page Shield implements different mechanisms to determine if a script is malicious. These mechanisms are:
- Malicious URL checks
- Malicious domain checks
- Malicious script detection
Any updates to the threat feeds will trigger new checks for previously detected scripts so that the Page Shield dashboards (Active Scripts and All Reported Scripts) always reflect the latest script categorization.
Malicious URL checks
The Page Shield dashboards display the scripts that were considered malicious at the top of the scripts list.
Malicious domain checks
A domain previously reported as malicious can later be reported as non-malicious if, after further analysis, the domain is deemed safe.
Malicious script detection
In this type of detection, Page Shield will download the script file and run it through a classifier. The classifier will perform several operations — deobfuscation, normalization, and decoding — before looking for correlations between form field fetches and data exfiltration calls. The stronger the correlation, the more likely the script is performing malicious operations like .
The script classifier will output a probability score for the script (also called the JS integrity score) between 1 and 99, where 1 means definitely malicious and 99 means definitely not malicious. This score, together with a threshold value, will determine if the malicious script detection system will classify the script as malicious or not.
The score threshold for considering a script as malicious is currently set to 50. If the script classification score is below this value, the Page Shield dashboards will display the script as being malicious.
Malicious script categories
Scripts considered malicious are categorized based on data from threat intelligence feeds. The current categories are the following:
- Security threats
- Command-and-Control (C2) & Botnet
- Domain Generation Algorithm (DGA) domain
- Typosquatting & Impersonation
Each script considered malicious can belong to several categories.