Why to add .mde extension to WG block list


UNICRON
August 7th, 2003, 12:37 AM
WG detects MS Access .mdb with evil code in it:

http://www.wilderssecurity.com/attachments/FSOmdb.jpg


Evil code is compiled into .mde file with the click of one button right in MS Access:

http://www.wilderssecurity.com/attachments/FSOmakeMDE.jpg


WG cannot detect the now hidden evil code but it is still there and opening this file will smoke your machine.

http://www.wilderssecurity.com/attachments/FSOmde.jpg

Luckily we can block the .mde file extension all together in WG, so when we execute the file we get this:

http://www.wilderssecurity.com/attachments/FSOmdeBlock.jpg


So please do this if you haven't already.

Have a nice day!

PS, This is not WG's fault. WG detects source code, this .mde no longer has any. Your other security tools won't detect much from a .mde file either, but I wish they did :(

DolfTraanberg
August 7th, 2003, 12:49 AM
Thanks for the warning UNICRON.
Unfortunately compiling an Access database makes it run much faster, so now you have to choose between two bad situations.
Dolf

UNICRON
August 7th, 2003, 12:54 AM
TDS and NOD32 don't have much to say either:

http://www.wilderssecurity.com/attachments/nodMDE.jpg

http://www.wilderssecurity.com/attachments/tdsMDE.jpg

UNICRON
August 7th, 2003, 12:56 AM
{QUOTE-> quoting: Dollefie link=board=6;threadid=12163;start=0#msg78216 date=1060231784]
Thanks for the warning UNICRON.
Unfortunately compiling an Access database makes it run much faster, so now you have to choose between two bad situations.
Dolf
<-QUOTE}

Very true Dolf, I use .mde files all the time because I am a database developer and use Access for the small stuff (mainly because most offices insist).

I am thinking mostly for those who have no need for the file extension. No system file uses it so it is safe to block.

UNICRON
August 7th, 2003, 01:01 AM
There are a couple of ways to open an Access mde without the code running right away, but all of those techniques can be disabled:

http://www.wilderssecurity.com/attachments/specialkeys.jpg

Pilli
August 7th, 2003, 01:08 AM
Thanks Allan, Very useful tip :)

Wayne - DiamondCS
August 7th, 2003, 03:13 AM
Yep, useful tip Allan, I'd be surprised if _any_ scanners actually detected that file though, you might want to give it a go with KAV

UNICRON
August 7th, 2003, 04:16 AM
I don't have KAV. I doubt it would but maybe if I compiled known worm code. I'll make it tomorrow and send it to someone to test.

Dan Perez
August 7th, 2003, 07:42 PM
Many thanks!!!

Just updated my block-list accordingly

FanJ
August 7th, 2003, 08:09 PM
{QUOTE-> quoting: Dollefie link=board=6;threadid=12163;start=0#msg78216 date=1060231784]
Thanks for the warning UNICRON.
Unfortunately compiling an Access database makes it run much faster, so now you have to choose between two bad situations.
Dolf
<-QUOTE}

Hi Dolf, Allan, and Wayne,

First of all: thanks Allan !!!

OK, now back to Dolf's posting, just for my personal understanding:
Is it really such a "bad situation" to add it to WG?
Doesn't WG give you the opportunity to decide for yourself whether you want to run it or not? Or am I now making a mistake?

Thanks, Jan.

Dan Perez
August 7th, 2003, 08:13 PM
Hi Jan,

Any extensions in the Blocked list will be disallowed altogether from running. Where you have a choice is when the extension is not in the blocked list but where one of the analysis methods of WG detects something suspect with the file.

So, it seems to me, the option is to add it to blocked (and hope you don't need it) or be independently sure of the safety of the mde files.

:)

FanJ
August 7th, 2003, 08:45 PM
Thanks a lot Dan !!!!! ;)

UNICRON
August 7th, 2003, 09:36 PM
{QUOTE-> quoting: FanJ link=board=6;threadid=12163;start=0#msg78364 date=1060301342]
Is it really such a "bad situation" to add it to WG?
<-QUOTE}

it is if you actually use .mde files like Dolf and I do. Once added to the block list, you can't use that extension anymore.

Just like always: Security or functionality. A truly classic case ;)

wizardavc
August 16th, 2003, 11:07 PM
It just shows why Worm Guard shouldn't rely so much on blocking file extensions. I can understand maybe scrap files but blocking not commonly used file extensions is a very bad and ineffective security method. It is Worm Guard's job to tell if a file is malicious, not to block files that could be legitimate.

Dan Perez
August 16th, 2003, 11:35 PM
{QUOTE-> blocking not commonly used file extensions is a very bad and ineffective security method. It is Worm Guard's job to tell if a file is malicious, not to block files that could be legitimate. <-QUOTE}

Hi wizardavc,

I agree with your first statement but in the sense that it is bad if it is the *only* means implemented but it can be (and IMO) is an effective supplement to other means of analysis and detection that WormGuard currently provides. It is my understanding that WormGuard 4 will include a definition update arrangement which will help alleviate the need to resort to extension blocking but I suspect there will continue to be occasions when extension blocking is useful.

Regards,

Dan

wizardavc
August 17th, 2003, 02:11 AM
{QUOTE-> quoting: Dan Perez link=board=6;threadid=12163;start=0#msg80614 date=1061091328]
{QUOTE-> blocking not commonly used file extensions is a very bad and ineffective security method. It is Worm Guard's job to tell if a file is malicious, not to block files that could be legitimate. <-QUOTE}

it can be (and IMO) is an effective supplement to other means of analysis and detection that WormGuard currently provides. <-QUOTE}

It isn't a practical solution or a proper supplement in most cases. Files such as .mde have a legit purpose and wouldn't have been designed if they solely were used for malicious purposes. Even less practical is file name blocking. A file can be named almost any numerical pattern and a legitimate file has a right to be named whatever it wants to. Many trojans go around named setup.exe or install.exe; of course many legit programs use these same names. If someone wants to download a legitimate program such as TDS, they have a right to rename it "Sex Picture.exe".

I mentioned this in the suggestions thread but thought I'd bring up the file name issue here since it is related to the file extension blocking list.

DolfTraanberg
August 17th, 2003, 10:07 AM
{QUOTE-> quoting: wizardavc link=board=6;threadid=12163;start=15#msg80628 date=1061100667]
Even less practical is file name blocking <-QUOTE}

100% agreed

Jooske
August 17th, 2003, 11:19 AM
That's why WG is not dependent on file names but looks at malicious code, and that's why updates are hardly necessary; we add file names if we think it helps, and it might in the case of exploits more than worms, for example.

UNICRON
August 17th, 2003, 12:02 PM
{QUOTE-> quoting: wizardavc link=board=6;threadid=12163;start=15#msg80628 date=1061100667]
{QUOTE-> quoting: Dan Perez link=board=6;threadid=12163;start=0#msg80614 date=1061091328]
{QUOTE-> blocking not commonly used file extensions is a very bad and ineffective security method. It is Worm Guard's job to tell if a file is malicious, not to block files that could be legitimate. <-QUOTE}

it can be (and IMO) is an effective supplement to other means of analysis and detection that WormGuard currently provides. <-QUOTE}

It isn't a practical solution or a proper supplement in most cases. Files such as .mde have a legit purpose and wouldn't have been designed if they solely were used for malicious purposes. Even less practical is file name blocking. A file can be named almost any numerical pattern and a legitimate file has a right to be named whatever it wants to. Many trojans go around named setup.exe or install.exe; of course many legit programs use these same names. If someone wants to download a legitimate program such as TDS, they have a right to rename it "Sex Picture.exe".

I mentioned this in the suggestions thread but thought I'd bring up the file name issue here since it is related to the file extension blocking list.
<-QUOTE}

Nobody is suggesting that file extension blocking is a first choice. As stated earlier, I am one of two people here who have mentioned that they do indeed use that extension.

The point is, no other security measure I have found currently handles malicious .mde files, so we don't have much choice if MS Access is on the machine.

If you know of one, please let me know!

DolfTraanberg
August 17th, 2003, 12:28 PM
{QUOTE-> quoting: UNICRON link=board=6;threadid=12163;start=15#msg80693 date=1061136166]
If you know of one, please let me know!
<-QUOTE}
WG-4 ::)

wizardavc
August 17th, 2003, 04:01 PM
By default will WG4 have a list of file names it will block like it is in WG3?

Wayne - DiamondCS
August 17th, 2003, 10:41 PM
{QUOTE-> quoting: wizardavc link=board=6;threadid=12163;start=0#msg80606 date=1061089625]
It just shows why Worm Guard shouldn't rely so much on blocking file extensions. <-QUOTE}
Actually, it doesn't rely on that at all (you don't have to block _any_ filetypes) - it's just extra functionality that's there for you if you want it, adding an extra layer of security (ie. even if a user disables the .mde extension in the registry, a trojan could re-enable it, but that would still fail if Wormguard is blocking that filetype). If you don't want to use it, that's fine too - the choice is entirely yours!

Best regards,
Wayne

wizardavc
September 6th, 2003, 11:50 PM
{QUOTE-> quoting: Wayne - DiamondCS link=board=6;threadid=12163;start=15#msg80791 date=1061174492]
{QUOTE-> quoting: wizardavc link=board=6;threadid=12163;start=0#msg80606 date=1061089625]
It just shows why Worm Guard shouldn't rely so much on blocking file extensions. <-QUOTE}
Actually, it doesn't rely on that at all (you don't have to block _any_ filetypes) - it's just extra functionality that's there for you if you want it, adding an extra layer of security (ie. even if a user disables the .mde extension in the registry, a trojan could re-enable it, but that would still fail if Wormguard is blocking that filetype). If you don't want to use it, that's fine too - the choice is entirely yours!

Best regards,
Wayne

<-QUOTE}

It is on by default, that's the point. Default settings are what the majority of software users use. It's a FACT that blocking the majority of file types and ALL file names is NOT an effective measure for stopping worms/trojans. If someone wants to rename the TDS Install file to south park.exe, MSBlast.exe, or the like they should have every right to without getting a warning from Worm Guard. It is Worm Guard's job to analyze a file for worm-like characteristics. ANY legitimate or illegitimate file can be named anything, and blocking by file name should not be a solution in any circumstance.

DolfTraanberg
September 7th, 2003, 12:48 AM
It would almost never happen that a legitimate file will be blocked by WG because of its filename. In the rare occasion it happens, just remove the filename from that list. It's not that important.
Dolf

Jooske
September 7th, 2003, 03:04 AM
Antivirus wizard, did you understand Wayne says WG is looking for CODE instead of NAMES in the first place?
Different from any SCANNER which needs updates of databases, it has very different ways and means of detection.
It relates to worms and scripts and has nothing to do with viruses, although those might be stopped where possible.
You were told you can name any file anything and add to the block list whatever you want or don't and it will be detected just as hard if malicious.
See what happens if you change some of your critical windows system files or add them to the blocked list and tell your experiences after that.
Create some testfiles on your desktop, put some code or innocent text in it and give them some extensions and double extensions, tell WG not to run them or delete them from the block list, see all that happens.
In your notepad put a line
Msgbox "this is a vbs script running"
and save as test.vbs to start with, give an extra copy double extensions vbs.vbs or exe.vbs whatever you like and click on it. Put them in the block list or the left pane blocked extensions list, etc. Try them.

wizardavc
September 14th, 2003, 05:38 PM
{QUOTE-> quoting: Dollefie link=board=6;threadid=12163;start=15#msg85843 date=1062910107]
It would almost never happen that a legitimate file will be blocked by WG because of its filename. In the rare occasion it happens, just remove the filename from that list. It's not that important.
Dolf
<-QUOTE}

The filename shouldn't be in the list in the first place. Who says the user even knows how to get to the list and why should they have to even go to the trouble? It is important.

wizardavc
September 14th, 2003, 05:46 PM
{QUOTE-> quoting: Jooske link=board=6;threadid=12163;start=15#msg85852 date=1062918240]
Antivirus wizard, did you understand Wayne says WG is looking for CODE instead of NAMES in the first place?
Different from any SCANNER which needs updates of databases, it has very different ways and means of detection.
It relates to worms and scripts and has nothing to do with viruses, although those might be stopped where possible.
You were told you can name any file anything and add to the block list whatever you want or don't and it will be detected just as hard if malicious.
See what happens if you change some of your critical windows system files or add them to the blocked list and tell your experiences after that.
Create some testfiles on your desktop, put some code or innocent text in it and give them some extensions and double extensions, tell WG not to run them or delete them from the block list, see all that happens.
In your notepad put a line
Msgbox "this is a vbs script running"
and save as test.vbs to start with, give an extra copy double extensions vbs.vbs or exe.vbs whatever you like and click on it. Put them in the block list or the left pane blocked extensions list, etc. Try them.
<-QUOTE}

As I said before default settings are what most users use and many assume are the best settings. I do think the double extensions warning is a good idea, but not in the cases of the SAME extension such as test.vbs.vbs or test.exe.exe. That's just stupid programming in that case. The issue with file names I was discussing in my previous post was with files such as MSBlast.exe, southpark.exe, NOT double extensions.

Jooske
September 14th, 2003, 07:20 PM
1) Read the helpfile.
2) I intentionally gave stupid examples to try to make sure they work. You can use any double extension, take three, four different ones, pif.exe.doc.vbs whatever you like and whatever you like to have added in your always blocked extensions list. See what happens if you use one extension which was added to the blocked list, or double or another or allow VBS and have a VBS extension while you put something nasty inside the testfile.
Again, try and play with it.
Name it one of your other blocked file names with the southpark or whatever as a name and nothing in it or other code, try it for yourself and see how stupid the examples are.
I just gave you a very safe way to do some testing without having the actual nasty infections around.

wizardavc
September 17th, 2003, 04:48 PM
{QUOTE-> quoting: Jooske link=board=6;threadid=12163;start=15#msg87763 date=1063581604]
I intentionally gave stupid examples to try to make sure they work. You can use any double extension, take three, four different ones, pif.exe.doc.vbs whatever you like and whatever you like to have added in your always blocked extensions list. <-QUOTE}

Then turn it off by default for the SAME extension. I don't know if you're just avoiding the issue or seriously don't comprehend. Worm Guard should not block the SAME repeat extensions such as test.vbs.vbs, test.exe.exe, test.com.com.com.com by default. If a file has the SAME repeat extension then it should NOT be blocked. There are files out there which have multiple of the SAME executable extension, more legitimate than illegitimate in fact.
1) They are NOT hiding their true extension
2) It is stupid programming

{QUOTE->
See what happens if you use one extension which was added to the blocked list, or double or another or allow VBS and have a VBS extension while you put something nasty inside the testfile.
Again, try and play with it. <-QUOTE}

I'm NOT disagreeing with blocking .VBS, .VBE, .SHS, .SHB, .SHA, .HTA, .JSE by default.

{QUOTE->
Name it one of your other blocked file names with the southpark or whatever as a name and nothing in it or other code, try it for yourself and see how stupid the examples are.
I just gave you a very safe way to do some testing without having the actual nasty infections around.
<-QUOTE}

Yes, and I've tried it. I even made sure by doing it on the TDS install file. A user has a right to rename a legitimate file such as the TDS install file to ANY file name they want to and should NOT have it blocked. As I've said before, ANY file legitimate or illegitimate can be named almost ANYTHING. I use the default Worm Guard settings (which most users use), I renamed the TDS install file to 'south park.exe' and the TDS install file was blocked.

I think that speaks for itself in the effectiveness and accuracy of this feature.
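The three mechanisms argued over in this thread (a blocked-extension list, a blocked-filename list, and a double-extension check with the "same extension repeated" exemption wizardavc asks for) can be modelled in a few lines. The following is an added example written for this archive, not WormGuard's code, and every list in it is constructed: the extensions are the ones wizardavc says he accepts blocking plus .mde from the first post, the filename list contains the two names used in the thread, and the executable and decoy extension sets are assumptions. It also shows the gap UNICRON's screenshots illustrate: report.mdb passes every name and extension rule (only content analysis can catch it), while report.mde is caught only because its extension is on the list.

```python
"""Toy file-launch policy evaluator (hypothetical; not WormGuard's code).

Models a blocked-extension list, a blocked-filename list, and a
double-extension heuristic with an optional exemption for repeated
identical extensions (test.exe.exe). All lists are constructed.
"""
import os
from dataclasses import dataclass, field

# Extensions wizardavc does not object to blocking, plus .mde from the first post.
BLOCKED_EXTENSIONS = {"vbs", "vbe", "shs", "shb", "sha", "hta", "jse", "mde"}
# Constructed filename list; these two names are the ones mentioned in the thread.
BLOCKED_NAMES = {"south park.exe", "msblast.exe"}
# Constructed: extensions Windows launches directly (the real default list is not on the page).
EXECUTABLE_EXTENSIONS = {"exe", "com", "pif", "scr", "bat", "cmd"} | BLOCKED_EXTENSIONS
# Constructed: harmless-looking extensions commonly placed in front of a real one.
DECOY_EXTENSIONS = {"txt", "doc", "jpg", "gif", "pdf", "htm", "html", "zip", "mp3"}


@dataclass
class Verdict:
    filename: str
    allowed: bool
    reasons: list = field(default_factory=list)


def extension_chain(filename):
    """Lower-cased extension components: 'photo.jpg.vbs' -> ['jpg', 'vbs']."""
    parts = os.path.basename(filename).lower().split(".")
    return parts[1:]


def evaluate(filename, block_repeated_same_ext=True):
    """Apply name, extension and double-extension rules; any hit blocks the launch."""
    name = os.path.basename(filename).lower()
    chain = extension_chain(filename)
    reasons = []

    if name in BLOCKED_NAMES:
        reasons.append("filename on block list")

    if chain and chain[-1] in BLOCKED_EXTENSIONS:
        reasons.append(f".{chain[-1]} is a blocked extension")

    # Double extension: an executable final extension preceded by another
    # known extension, e.g. photo.jpg.vbs. With the exemption enabled, a run
    # of identical extensions (test.exe.exe) hides nothing and is let through.
    if len(chain) >= 2 and chain[-1] in EXECUTABLE_EXTENSIONS:
        known = DECOY_EXTENSIONS | EXECUTABLE_EXTENSIONS
        preceding_known = any(e in known for e in chain[:-1])
        all_same = len(set(chain)) == 1
        if preceding_known and (block_repeated_same_ext or not all_same):
            reasons.append("double extension " + ".".join(chain))

    return Verdict(name, not reasons, reasons)


def evaluate_all(filenames, **kw):
    """Convenience wrapper returning {filename: Verdict}."""
    return {f: evaluate(f, **kw) for f in filenames}


if __name__ == "__main__":
    # Constructed sample names mirroring the cases argued about in the thread.
    samples = ["report.mdb", "report.mde", "setup.exe", "south park.exe",
               "photo.jpg.vbs", "test.exe.exe", "readme.txt"]
    for f, v in evaluate_all(samples).items():
        state = "allowed" if v.allowed else "BLOCKED"
        print(f"{f:16} {state:8} {'; '.join(v.reasons)}")
    # Same name with the repeated-extension exemption wizardavc asks for.
    v = evaluate("test.exe.exe", block_repeated_same_ext=False)
    print("test.exe.exe with exemption:", "allowed" if v.allowed else "BLOCKED")
```

Run as a script it prints one verdict per sample. The "south park.exe" case reproduces Dan's point: a renamed legitimate installer is blocked purely because the name is on the list, and the rule has no way to tell it from anything else with that name; the .mdb/.mde pair shows why UNICRON resorts to the extension list at all, since a compiled .mde carries no source for a content check to see.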

Dan Perez
September 17th, 2003, 05:02 PM
{QUOTE-> If a file has the SAME repeat extension then it should NOT be blocked. There are files out there, which have multiple of the SAME executable extension, more legitimate than unlegitimate in fact. <-QUOTE}

Personally, I agree with your point about blocking repeat extensions being unnecessary but I know that the TDS folks have more knowledge of this than I and may know of reasons that are not apparent to me. However, I think you overstate the frequency with which this occurs. I have never seen a double extension of the same type in my 10 years of using computers and I go through a *lot* of programs!

{QUOTE-> I use the default Worm Guard settings (which most users use), I renamed the TDS install file to 'south park.exe' and the TDS install file was blocked. <-QUOTE}

In my opinion you are simply just fishing for flaws now. Of course if you have WG set to block a certain filename and you intentionally rename another executable that you intend to use with that same filename then you are going to have issues. This doesn't point out any flaw in the respective programs but rather in the way you choose to misuse them.

Wayne - DiamondCS
September 17th, 2003, 11:54 PM
'wizardavc', seeing as your comments have degraded to childish insults we'll conclude that you've finished with contributions to this thread. If you don't like a part of Wormguard, don't use it - it's that simple.