View Full Version : eDexter contains worm?
Q Section
April 18th, 2003, 05:54 AM
Greetings Everyone
We just installed a new application called eDexter found here: http://www.accs-net.com/hosts/eDexter.html
Immediately WormGuard caught it as possibly having a worm. This is supposed to be an anti-adware application which takes the place of ad images on pages. Is this a false positive or does it have a worm?
Thank you for your help.
HMSS Q Section
meneer
April 18th, 2003, 06:02 AM
I can hardly believe eDexter contains a worm. It seems that either eDexter's activities are suspect to WormGuard, or that there are suspect patterns.
Do you have any other AV-tool to check again?
Q Section
April 18th, 2003, 06:35 AM
Hello
We also checked the file with Spybot S&D, Ad-Aware 6, Gladiator AV and NOD32 and they all came up negative. So possibly this is a false positive? When prompted, WormGuard put the files in question in quarantine. Not all eDexter files landed there - only these 2 - edexter.exe.ANALYSIS.TXT and edexter.exe.TXT. A worm expert needs to advise as we are not as studied in this department.
Thank you.
HMSS Q Section
Pieter_Arntz
April 18th, 2003, 06:40 AM
My guess is the double extensions set WormGuard off.
From: http://wormguard.diamondcs.com.au/index.php?page=features
-{ Quote: "Analyses files generically using heuristic and intelligent rule-sets rather than relying on signatures for known worms - this is the future of worm interception." }-
Hiding intentions through multiple extensions is interpreted as suspect behaviour.
Regards,
Pieter
Q Section
April 18th, 2003, 07:08 AM
Our testing computers are game so we will get the files out of quarantine and try it. We will post results here soon.
Thank you.
HMSS Q Section
Pieter_Arntz
April 18th, 2003, 07:11 AM
I don't think you will have any problems. :)
Regards,
Pieter
Pilli
April 18th, 2003, 07:22 AM
Hi Qsection, Almost certainly a false positive on the double extensions.
WG will even pick up quite innocent words in email such as "I have a bad throat caused by a viral infection", but this is not usually a problem as you can preview the text without opening the file; once previewed one can normally make a good judgement of the file's credibility. This may be a little over-cautious but it is better to be safe than sorry ;D
HTH Pilli
Q Section
April 18th, 2003, 07:23 AM
Thanks and so far no problems. BTW - Is it not WormGuard that places the TXT suffix on an EXE file to prevent execution upon placement in quarantine?
Thanks again
HMSS Q Section
Pilli
April 18th, 2003, 08:05 AM
Qsection, To be honest I am not quite sure. I have WG set to ask me before allowing/disallowing a suspect file to run & as yet have never had one quarantined. Reading through the help file does not help unless I have missed something. ::)
The only other thing that may have caused this, as far as I can see, is if you have disallowed the .exe extension in the WG setup?
Jooske
April 18th, 2003, 11:23 AM
Hi all,
WG is not placing extra TXT to make a file un-executable.
In the safe mode you can look in the file content if there is anything suspicious.
My guess is it is the double extensions WG is alerting on, telling you it could be a mild alert and that the real extension is exe or txt .. whatever.
If it's a high security risk it will be displayed like that.
So always watch the alert message, they really differ :)
If you would disallow all EXEs, no program will run without an alert, so I don't think you really would like to configure that!
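The distinction Pieter and Jooske describe (a stacked extension such as edexter.exe.TXT is flagged, and the alert level depends on which extension actually decides whether the file runs) can be written down as a small rule. The code below is an added illustration for this thread, not WormGuard's own logic; the extension lists and sample file names are constructed for the example.

```python
"""Double-extension heuristic of the kind discussed in the thread.

Added example, not WormGuard's code.  It shows why edexter.exe.TXT is
a mild alert: the name carries an executable extension, but the part
Windows actually honours (the last one) is harmless."""
from __future__ import annotations
from pathlib import PureWindowsPath

# Constructed lists for the example; a real product ships larger ones.
EXECUTABLE = {"exe", "com", "scr", "pif", "bat", "cmd", "vbs", "js"}
BENIGN_LOOKING = {"txt", "doc", "pdf", "jpg", "gif", "htm", "html"}


def extensions(filename: str) -> list[str]:
    """All extensions of a name, lower-cased, without the dots.
    'edexter.exe.TXT' -> ['exe', 'txt']; '.bashrc' -> []."""
    return [s.lstrip(".").lower() for s in PureWindowsPath(filename).suffixes]


def classify(filename: str) -> str:
    """Return 'none', 'mild' or 'high' for a file name.

    high: the last extension is executable (the file runs when opened)
          but an earlier one makes it look like a document: 'invoice.txt.exe'.
    mild: the last extension is harmless (the file does not run) but an
          executable extension sits inside the name: 'edexter.exe.TXT',
          the exact pattern the quarantined files show.
    none: a single extension, or stacked but innocent: 'archive.tar.gz'."""
    exts = extensions(filename)
    if len(exts) < 2:
        return "none"
    last, inner = exts[-1], exts[:-1]
    if last in EXECUTABLE and any(e in BENIGN_LOOKING for e in inner):
        return "high"
    if last not in EXECUTABLE and any(e in EXECUTABLE for e in inner):
        return "mild"
    return "none"


def triage(filenames: list[str]) -> dict[str, str]:
    """Map each name to its alert level; only flagged names are kept."""
    return {n: classify(n) for n in filenames if classify(n) != "none"}


if __name__ == "__main__":
    # Constructed sample: the two quarantined names plus two controls.
    for name, level in triage(["edexter.exe.TXT", "edexter.exe.ANALYSIS.TXT",
                               "invoice.txt.exe", "archive.tar.gz"]).items():
        print(f"{level:5} {name}")
```

Run as a script it prints the two eDexter names as mild and invoice.txt.exe as high, while archive.tar.gz is not listed.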
Pilli
April 18th, 2003, 02:10 PM
Thanks Jooske, I guessed that was so as, re-reading the help files (the DCS WG help etc.), there was no mention of adding an extension to any errant files.
I am wondering though if any other security programme may do such a thing?
My point about the adding of .exe extensions was aimed at over-zealous use of the disallow function ;D
Copyright ©2002 - 2012, Wilders Security Forums