Wormguard Hiding?
Luthorcrow
January 3rd, 2003, 04:33 AM
Hi,
I just tried the three test files at the bottom of this page from AV Test.org.
http://www.av-test.org/sites/tests.php3?lang=de#short (2002-11-04)
What was strange was that Wormguard blocked my attempt to open each of these files. I thought TDS-3 would have been the one. Now here is where it got really odd. I closed Wormguard to see what TDS-3 would do and again WG jumped up and blocked each attempt. I tried reviewing my task manager but did not find an open process that looked like WG, and I did the whole thing over; it appeared that I had successfully closed WG but again it was there doing the block.
Not that I am complaining, but is it normal for WG to work this way, and if so, was it intended to be opened, click on install, and then closed as an active app but still be active in the OS (i.e. no window/systray, etc.)?
Tassie_Devils
January 3rd, 2003, 05:41 AM
Hi Luthor:
Did you try to open the Test Results of the 3 files [sorry can't read German?]
I downloaded the one with my cursor in pic, unzipped and tried to open [I do not have xls, so it opened in notepad in gobbledygook, but still opened]. WG did not jump up on it.
Am I misunderstanding your post?
edit: last sentence of your post. Yes with WG you just hit "install" then X close, and it's working in background all the time, unless you "Uninstall" the protection [not the program]
Tassie_Devils
January 3rd, 2003, 05:50 AM
Once it's installed, it does NOT have to run [on taskbar or sys tray]
You can do a test to see if it's working.
Or, in notepad, create a file [put anything you like in the notepad] but using the "Any file [*.*]" option, save it with multiple extensions or with excess spaces and then try to execute it and watch WG work.
test.jpg.exe
test.jpg exe
test.vbs
as long as you have the likes of VBS, SHA, SHS, VBE, HTA etc. in the "Blocked Editor's List"
Tassie_Devils
January 3rd, 2003, 06:20 AM
1 more pic/test shot.
I created a file, called it "test.jpg.exe" and tried to execute it.
See pic/file on left
Luthorcrow
January 4th, 2003, 03:02 AM
> I downloaded the one with my cursor in pic, unzipped and tried to open WG did not jump up on it.
First, my bad, here is an English version of the same page, test files are at the bottom as per the German page.
http://www.av-test.org/sites/tests.php3?lang=en
Still, I am not sure why it didn't work for you unless it is because you do not have Excel. I did the following steps:
1. I downloaded each of the test files
2. Unzipped one test file to my desktop
3. Double-clicked on the file and got this warning from WG (see image)
> Once it's installed, it does NOT have to run [on taskbar or sys tray]
I'll try your test as well, but I think I tested this with these files. It's just I was expecting TDS-3 to be the one to do it. And then it was a nice discovery to find that the WG app didn't need to be active on the taskbar/systray.
[Adjusted image borders to fix webpage width problem - LWM]
Tassie_Devils
January 4th, 2003, 03:10 AM
Ahhh, now I see your *problem* Luthor.
First, it did not "alert" to me because it was gobbledygook in Notepad,
BUT, because you have Excel and it tried to open, the mere fact that what you were opening probably had words virus/etc. etc. in it hence WG leapt all over it.
Now this is what you can do. See your pic. On the right hand side, at bottom, select "Safely View File" and in that same window, it will open up the strings, etc.
I am willing to bet that somewhere in there a code relating to the test or the words virus, etc. triggered off the alarm.
Actually, LOL, it already says it in the initial window. See that? About the strings then the wording, that's what's in the file.
Unfortunately, it's better to err on cautious side than auto run and no warning. :(
edit: Re TDS alerting. TDS is virtually strictly TROJAN, not a worm/code, hence no reaction.
It will only alert when trying to execute [open] a file and within that file a known trojan exists, not a worm, nor bad coding, but an actual trojan/server that will "phone home", etc.
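The two kinds of check this thread describes, the deceptive-name tests Tassie_Devils suggests above (double extensions, excess spaces, a "Blocked Editor's List" of script extensions) and the suspicious-strings reaction Tassie_Devils guesses tripped on the Excel test file, written out as a small screening routine. This is an added illustration, not WormGuard's own code; the extension lists, the word list and the sample names are constructed for the example.

```python
import re

# Constructed sample of a "Blocked Editor's List": the script extensions named in the
# thread (VBS, SHA, SHS, VBE, HTA); this is our list, not WormGuard's shipped default.
BLOCKED_EXTENSIONS = {"vbs", "vbe", "shs", "sha", "hta"}
# Extensions Windows will execute; a worm needs its file to end in one of these.
EXECUTABLE_EXTENSIONS = {"exe", "com", "scr", "pif", "bat", "cmd"} | BLOCKED_EXTENSIONS
# Harmless-looking "decoy" extensions a worm puts in front of the real one.
DECOY_EXTENSIONS = {"jpg", "jpeg", "gif", "txt", "doc", "xls", "pdf", "mp3"}
# Words whose presence in a file body we treat as suspicious (constructed list, after
# Tassie_Devils' guess that "virus" in the test file set WormGuard off).
SUSPICIOUS_WORDS = (b"virus", b"worm", b"trojan")


def check_filename(path):
    """Return the reasons a file name looks like a disguised worm (empty list if clean)."""
    reasons = []
    name = re.split(r"[\\/]", path)[-1]  # works for Windows and POSIX paths
    # Spaces next to a dot, or a run of spaces, push the real extension out of view.
    padded = re.search(r"\s{2,}|\s\.|\.\s", name) is not None
    norm = re.sub(r"\s*\.\s*", ".", name.strip())  # drop spaces around dots
    norm = re.sub(r"\s+", ".", norm).lower()       # a space run acts like a hidden dot
    parts = norm.split(".")
    if len(parts) < 2 or parts[-1] not in EXECUTABLE_EXTENSIONS:
        return reasons  # no extension, or a non-executable one: nothing to disguise
    final_ext = parts[-1]
    if final_ext in BLOCKED_EXTENSIONS:
        reasons.append("blocked script extension ." + final_ext)
    # "test.jpg.exe": a decoy document extension sits in front of the real one
    if len(parts) >= 3 and parts[-2] in DECOY_EXTENSIONS:
        reasons.append("double extension ." + parts[-2] + " before ." + final_ext)
    if padded:
        reasons.append("whitespace padding hides the ." + final_ext + " extension")
    return reasons


def check_content(data):
    """Return the suspicious words found anywhere in the file body (case-insensitive)."""
    lowered = data.lower()
    return [w.decode() for w in SUSPICIOUS_WORDS if w in lowered]


def screen(path, data=b""):
    """Combine both checks, as a hook would before letting the file open."""
    return check_filename(path) + ["suspicious string: " + w for w in check_content(data)]
```

A plain `setup.exe` passes the name check, which is why the Excel test file in the thread could only have been caught by its contents.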
Jooske
January 4th, 2003, 03:17 AM
That's right, WG-3 runs all hidden in the background.
You might have seen Jason's posting telling WG-4 will have an icon to click for extra functions.
For me it has been WG jumping up when I was about to open a suspicious file, while in scanning TDS alerts on the nasties if they have suspicious code, not on test files which are not doing anything wrong, except for the GRC leaktest for instance (suppose that one is added on users' request). But jumping up to alert, no, did not happen yet in all those years I have used them both.
Trying to run a suspicious thing like an attachment from the mailbox, it can happen my mailsafe alerts in the first place; if I still insist on running it I get to the WG warning again, and I expect if I still want to run it, if it's an executable, TDS will scream if it's not safe, but I took the former warnings seriously already so don't get that far.
Tassie_Devils
January 4th, 2003, 03:30 AM
Of course Luthor, those Alert Warning Windows appear if some suspicious code, etc. is inside a file.
This is the warning [modified naturally] you get if you try to actually run a script like VBS if it's in your Blocked Editor's List
Justin Smith
February 23rd, 2003, 07:20 PM
I'm gonna jump in here. WG is working, and I don't mind the way it runs in the deep background...but, I am somewhat alarmed by the fact that it can do this and I can't find WG listed as running anywhere...what other (malicious) programs can do this? I really thought any running process must be on the process list. Of course, 'system' PID 4 is not on the list of running processes, either. I would like to know what PID 4 is and why it has listening ports!
LowWaterMark
February 23rd, 2003, 09:25 PM
Hi Justin,
> ... WG is working, and I don't mind the way it runs in the deep background...but, I am somewhat alarmed by the fact that it can do this and I can't find WG listed as running anywhere...what other (malicious) programs can do this? I really thought any running process must be on the process list. ...
Actually, Wormguard is not really running hidden in the background. It isn't a process at all. It's an "execution hook." Here (http://www.wilderssecurity.com/showthread.php?t=5035) is a quote from Gavin on this:
> Wormguard installs a DLL which is an execution hook, anything you run is then passing through that DLL and being checked - the application WGUARD.EXE is just for setting configuration options and enabling/disabling the hook.
Best Wishes,
LowWaterMark
Jason_DiamondCS
February 24th, 2003, 12:55 AM
With Wormguard 3, when an executable is run the Wormguard 3 DLL is loaded, which then tests the executable and command line for worms. So the DLL isn't loaded at any other time than when an application is IMMEDIATELY being opened.
This is quite a nice method for resource usage since it uses no resources until a new program is launched and then quickly gives back all the resources until it happens again.
To my knowledge there is no way to hide processes from task manager, etc under NT/2K/XP so I wouldn't worry too much Justin :D
-Jason-
Justin Smith
February 24th, 2003, 06:59 PM
Aha, excellent, I like that! 8)
Now if only XP printer drivers could be designed in some similar resource-conserving way! Lexmark litters my system at all times, even when I'm not connected to a printer! ::)
and
March 4th, 2003, 06:59 AM
>To my knowledge there is no way to hide processes from task manager, etc under
>NT/2K/XP so I wouldn't worry too much Justin :D
You can go stealth using a code or dll inject. The manager won't enumerate modules. :)
xor
March 4th, 2003, 10:04 AM
But you have to know how to do this without crashing the host program ;D
and
March 4th, 2003, 12:42 PM
CreasteRemoteThread? SetWindowsHookEx? CreateProcess / WriteProcessMemory / ResumeProcess? Many ways ...
xor
March 4th, 2003, 04:50 PM
CreasteRemoteThread ??? ;D
Gives an Unresolved external linker error without compiling, I know this ;D
Jooske
March 4th, 2003, 11:06 PM
Why don't you guys open some developers / debuggers forum here somewhere for discussing among the developers, which can be really constructive, and the products and thus the users all will profit from the usage in the various products.
Can imagine it's a very lonely task to code many hours on a product, so such discussions could be really constructive.
I mean, the way this thread is leading goes outside the specific WormGuard subject, and even though probably informative for those who know, I think this could best be kept for future generations in a special area like suggested.
I hope you see the reason and like the idea and find a place to continue the development discussions!
Looking forward to it!
and
March 5th, 2003, 03:50 AM
CreateRemoteThread - better Mr. "I never produce a typo late at night" Xor *g* ;D ;D ;D ;D Just a typo :).
Jason_DiamondCS
March 5th, 2003, 04:13 AM
> CreasteRemoteThread ??? ;D
> Gives an Unresolved external linker error without compiling, I know this ;D
It would actually be an undeclared identifier since the function isn't declared anywhere, a linker error would be caused by the compiler not finding the actual function after it has been declared. Just clearing that up ;)
Also I meant there is no way to hide PROCESSES from Task Manager; of course you can inject code into other processes, but that process would still appear in Task Manager.
-Jason-
Blackman
March 5th, 2003, 09:47 PM
Check out this source... It's for ShowEQ. It injects code into a memory space via rundll32, and waits for EverQuest to launch. This is pretty harmless code (it reads an encryption key) but the method could be used for much more malicious intent.
URL deleted; method could be used for malicious intent indeed - Forum Admin
It's a very clever method of getting data without the target .exe knowing (atm anyway).