SQL slammer worm and ShadowSurfer
aigle
August 16th, 2007, 06:13 PM
Is it safe to play with SQL slammer worm in shadow mode of ShadowSurfer?
Will Comodo stop its spread?
Any ideas?
Thanks
zopzop
August 16th, 2007, 06:44 PM
aigle, if i were you i'd either mess around with that worm on a test pc or use a virtualization app like the vmware one (or failing that returnil :D ).
aigle
August 16th, 2007, 07:58 PM
> aigle, if i were you i'd either mess around with that worm on a test pc or use a virtualization app like the vmware one (or failing that returnil :D ).

Hi zopzop, Returnil is a bit similar to SS.
You are right that the best choice will be a VM.
zopzop
August 16th, 2007, 09:15 PM
hey aigle. i think returnil is slightly safer than shadowsurfer. i don't have time now but i'll post a link to some tests someone ran on these boards.
aigle
August 16th, 2007, 11:52 PM
> hey aigle. i think returnil is slightly safer than shadowsurfer. i don't have time now but i'll post a link to some tests someone ran on these boards.

Ya, I know this, but SS will protect all partitions of my HD, which Returnil can't.
zopzop
August 17th, 2007, 12:48 AM
ah i see. i only have 1 partition on my machine so i never noticed returnil only protects a single partition. hmmm, i think using a virtualization program is your best bet aigle (unless you have a second pc). but i wouldn't risk it dude :D
bellgamin
August 17th, 2007, 12:56 AM
> ah i see. i only have 1 partition on my machine so i never noticed returnil only protects a single partition. hmmm, i think using a virtualization program is your best bet aigle (unless you have a second pc). but i wouldn't risk it dude :D

Virtualization? Don't need no steenkin virtualization. Just make an image & try anything what you wishes, mon. 8)
P.S. I use SS, too. Ergo, I'm interested to see if anyone can answer aigle's question based on substantive trial data. Truly I am.
innerpeace
August 17th, 2007, 01:12 AM
Which version of Comodo are you going to test? 2.4 or beta 3? I'm just curious 8)
aigle
August 17th, 2007, 07:37 AM
I have 2.4.
I noticed that many FWs detect this sort of worm by a signature-based IDS (like Norton and Kaspersky), but I am not sure if Comodo has such functionality or not.
Can anybody throw some light on this?
Thanks
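On the signature question above: the worm under discussion is memory-resident and propagates purely over the network, so a disk-rollback tool such as ShadowSurfer can undo what it writes but cannot stop the datagrams it sends while running; that is why firewall-side detection matters. The following is an added illustration, not code from this thread or from any of the products named in it, of the two ways an IDS-style check catches such traffic: a fixed signature (the SQL Server Resolution Service port, UDP 1434, with the worm's characteristic 376-byte payload) and a behavioural rule that flags a host fanning out to many destinations on that port within a short window. The datagram records are constructed summaries for the example, and the field names and thresholds are the example's own assumptions.

```python
from collections import defaultdict

# Constructed datagram summaries for this example (not real captures):
# one benign single-byte SQL Browser query from 10.0.0.5, then a burst of
# 376-byte datagrams from 10.0.0.9 to four different hosts, then a DNS query.
SAMPLE_DATAGRAMS = [
    {"ts": 0.00, "src": "10.0.0.5", "dst": "10.0.0.20",    "dport": 1434, "len": 1},
    {"ts": 1.00, "src": "10.0.0.9", "dst": "172.16.4.1",   "dport": 1434, "len": 376},
    {"ts": 1.01, "src": "10.0.0.9", "dst": "198.51.100.7", "dport": 1434, "len": 376},
    {"ts": 1.02, "src": "10.0.0.9", "dst": "203.0.113.9",  "dport": 1434, "len": 376},
    {"ts": 1.03, "src": "10.0.0.9", "dst": "192.0.2.44",   "dport": 1434, "len": 376},
    {"ts": 2.00, "src": "10.0.0.5", "dst": "10.0.0.20",    "dport": 53,   "len": 40},
]

# Signature parameters: SQL Server Resolution Service port and the worm's
# UDP payload length. Legitimate SSRS queries are tiny (a one-byte request).
SLAMMER_PORT = 1434
SLAMMER_PAYLOAD_LEN = 376


def signature_match(d):
    """Fixed-signature rule: UDP to 1434 carrying exactly the worm-sized payload."""
    return d["dport"] == SLAMMER_PORT and d["len"] == SLAMMER_PAYLOAD_LEN


def fanout_sources(datagrams, port=SLAMMER_PORT, window=1.0, threshold=3):
    """Behavioural rule: a source that reaches `threshold` or more distinct
    destinations on `port` within any `window`-second span is flagged.
    Returns {src: distinct_destination_count} for flagged sources."""
    per_src = defaultdict(list)  # src -> [(ts, dst), ...]
    for d in datagrams:
        if d["dport"] == port:
            per_src[d["src"]].append((d["ts"], d["dst"]))

    flagged = {}
    for src, events in per_src.items():
        events.sort()
        for ts, _ in events:
            # Distinct destinations hit in the window starting at this event.
            dsts = {dst for t, dst in events if ts <= t <= ts + window}
            if len(dsts) >= threshold:
                flagged[src] = len(dsts)
                break
    return flagged


def analyse(datagrams):
    """Run both rules and return a small summary a firewall log reviewer would want."""
    sig_hits = [d for d in datagrams if signature_match(d)]
    return {
        "signature_hits": len(sig_hits),
        "signature_sources": sorted({d["src"] for d in sig_hits}),
        "fanout": fanout_sources(datagrams),
    }


if __name__ == "__main__":
    print(analyse(SAMPLE_DATAGRAMS))
```

The benign one-byte query to 1434 passes both rules, which is the point of pairing a size-aware signature with a fan-out rule rather than blocking the port outright; the burst from 10.0.0.9 trips both.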
aigle
August 17th, 2007, 07:38 AM
> ah i see. i only have 1 partition on my machine so i never noticed returnil only protects a single partition. hmmm, i think using a virtualization program is your best bet aigle (unless you have a second pc). but i wouldn't risk it dude :D

I would have used a VM, but I have no extra licence for XP.
aigle
August 17th, 2007, 11:14 AM
I could not resist and ran it anyway.
First, tried in GW: ntvdm.exe executed isolated, there was an error message and nothing happened.
Executed outside GW.
EQS gave two warnings:
1- Explorer.exe executing ntvdm.exe - allowed
2- Create file in C:\ - allowed
I got a popup that windows is shutting down by NTauthority.
Rebooted and everything seems normal. Seems SS saved from it.
BTW no warnings from Comodo FW version 2 or Cyberhawk.
aigle
August 17th, 2007, 11:22 AM
Execution with GesWall.
[four attachments, IDs 192667-192670, not included in this archive]
aigle
August 19th, 2007, 06:05 PM
For some strange reason, I am not able to run it again. It gives an error message. Anyway, I guess GW, EQS and SS were all successful against it, but I am not sure at all.