Wilders Security Forums  

  #1  
Old October 12th, 2003, 04:44 PM
Peter2150 Peter2150 is offline
Global Moderator
 
Join Date: Sep 2003
Posts: 11,805
Default Wormguard necessity

Hi all

I am trying to figure out if I really need Wormguard. Currently protecting my computer (XP Pro) are Zone Alarm Pro 4.0, F-Prot antivirus, TDS-3, Spybot, Adaware, and lastly Abtrusion Protector.

The last is the reason I ask. Abtrusion Protector, when installed, scans every file on the computer that can execute code, and records it and a CRC thumbnail. Then when anything new tries to run, it blocks it and alerts. (Yes, it does have an install provision.) I have tested it well, and it's great.

What would Wormguard offer on top of all this?

  #2  
Old October 12th, 2003, 05:08 PM
DolfTraanberg DolfTraanberg is offline
Frequent Poster
 
Join Date: Nov 2002
Location: Amsterdam
Posts: 676
Default Re:Wormguard necessity

Hi Peter2150,

The difference between Abtrusion Protector and WG is that Abtrusion Protector relies on a database that it builds and does not know whether a file is dangerous, while WG is analyzing the code before it is executed.
So if you know what is running on your system all the time, Abtrusion Protector will do.
Dolf
__________________
Idealism is what precedes experience; cynicism is what follows.
Of those who say nothing, few are silent.
  #3  
Old October 12th, 2003, 07:22 PM
Peter2150 Peter2150 is offline
Global Moderator
 
Join Date: Sep 2003
Posts: 11,805
Default Re:Wormguard necessity

Exactly. The key is to be sure the system is clean before installing Abtrusion. I guess another way of asking is: can worms get into anything other than something that executes, and cause damage?
  #4  
Old October 12th, 2003, 07:31 PM
LowWaterMark LowWaterMark is offline
Administrator
 
Join Date: Aug 2002
Location: New England
Posts: 15,522
Default Re:Wormguard necessity

Hi Peter,

One question about Abtrusion Protector... What file types does it register and control? My assumption is .EXE, .DLL, maybe .SYS and a few others. Does it also handle script files? .VBS, .JS, etc.? WG can flag (and halt) malicious code in scripts, too. Since such scripts are actually interpreted by the Windows programs cscript.exe and wscript.exe, which may be allowed in Abtrusion, is this a protection that would be of benefit?

Sorry, I don't know Abtrusion and how it handles these. I use the Tiny Trojan Trap sandbox and it has a special handler for these types of scripts. Just a thought.
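The gap raised in the post above, as an added example that is not part of the original thread and not code from either product: a hash allowlist that checks only the launched executable passes any script handed to an approved script host, while a gate that also checks the script operand blocks it. All names, paths and file contents are constructed for illustration.

```python
import hashlib

# Hypothetical names; the "files" below are constructed byte strings, not real binaries.
SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}
SCRIPT_EXTS = (".vbs", ".vbe", ".js", ".jse", ".wsf")

def digest(data):
    return hashlib.sha256(data).hexdigest()

def build_baseline(files):
    """Digest of every file present when the baseline scan runs."""
    return {digest(content) for content in files.values()}

def script_operands(argv):
    """Arguments that name script files; host options such as //B are skipped."""
    return [a for a in argv[1:]
            if not a.startswith("/") and a.lower().endswith(SCRIPT_EXTS)]

def decide(argv, files, baseline, check_scripts):
    """Return (verdict, reason) for a launch request given as an argv list."""
    image = argv[0]
    if digest(files[image]) not in baseline:
        return ("block", "unknown executable " + image)
    host = image.lower().rsplit("\\", 1)[-1]
    if check_scripts and host in SCRIPT_HOSTS:
        for script in script_operands(argv):
            if script not in files or digest(files[script]) not in baseline:
                return ("block", "unknown script " + script + " via " + host)
    return ("allow", "every checked file is in the baseline")

WSCRIPT = r"C:\WINDOWS\system32\wscript.exe"
FILES = {
    WSCRIPT: b"constructed stand-in for the script host binary",
    r"C:\admin\backup.vbs": b"' constructed script present at baseline time",
}
BASELINE = build_baseline(FILES)
# A script that arrives after the baseline was taken (constructed content).
FILES[r"C:\temp\new.vbs"] = b"' constructed script, not in the baseline"

if __name__ == "__main__":
    for gate in (False, True):
        print(gate, decide([WSCRIPT, "//B", r"C:\temp\new.vbs"], FILES, BASELINE, gate))
```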
  #5  
Old October 12th, 2003, 07:39 PM
DolfTraanberg DolfTraanberg is offline
Frequent Poster
 
Join Date: Nov 2002
Location: Amsterdam
Posts: 676
Default Re:Wormguard necessity

Quote (Peter2150):
"Exactly. The key is to be sure the system is clean before installing Abtrusion. I guess another way of asking is: can worms get into anything other than something that executes, and cause damage?"

Not that I know of.
Dolf
__________________
Idealism is what precedes experience; cynicism is what follows.
Of those who say nothing, few are silent.
  #6  
Old October 12th, 2003, 08:51 PM
FanJ
 
Posts: n/a
Default Re:Wormguard necessity

On a side-note:

1- CRC is not exactly the most secure HASH.
2- How securely (safely) does Abtrusion Protector store those CRC checksums?

And some side-notes to that:
1- CRC has for "some time" been "cracked".
Lots of things could be said about that.
That doesn't necessarily mean that it is that unsafe, but it could be wise to keep in mind.

2- An old favourite topic of mine.
If I (or some program) can confirm that a certain program is OK by using a checksum, why shouldn't a nasty not be able to do that too behind your back?

That all being said:
I myself still use W98SE, which hardly gives you the option to check exe, dll, etc. files in real time for changes in checksums. On NT-based systems (2000, XP) the situation is better. And I'm jealous of you on NT-2000-XP who can use TTT or Abtrusion Protector or the like.
Nevertheless (on my W98SE box) I use several file-integrity-checkers.

And I most certainly use WormGuard too.
It's all about the layered defense!
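The two side-notes in the post above, as an added example that is not part of the original thread and does not describe how any product named here works. It shows that CRC-32 has an algebraic structure a cryptographic hash lacks, and that a baseline record sealed with a keyed HMAC exposes a rewritten checksum. It assumes the key is kept where monitored programs cannot read it; all names and contents are constructed.

```python
import hashlib
import hmac
import zlib

def xor3(a, b, c):
    return bytes(x ^ y ^ z for x, y, z in zip(a, b, c))

def crc32_is_affine(a, b, c):
    """For equal-length inputs, CRC-32 of (a^b^c) is the XOR of the three CRCs."""
    return zlib.crc32(xor3(a, b, c)) == zlib.crc32(a) ^ zlib.crc32(b) ^ zlib.crc32(c)

def sha256_is_affine(a, b, c):
    """The same structural test applied to SHA-256 digests."""
    h = lambda m: hashlib.sha256(m).digest()
    return h(xor3(a, b, c)) == xor3(h(a), h(b), h(c))

def tag_for(key, path, file_hash):
    # Keyed tag binding the path to its recorded digest.
    return hmac.new(key, (path + "|" + file_hash).encode(), hashlib.sha256).hexdigest()

def make_record(path, content, key):
    """Baseline entry: file digest plus an HMAC tag only the key holder can produce."""
    file_hash = hashlib.sha256(content).hexdigest()
    return {"path": path, "sha256": file_hash, "tag": tag_for(key, path, file_hash)}

def check(record, content, key):
    """Verify the stored record first, then the file against it."""
    expected = tag_for(key, record["path"], record["sha256"])
    if not hmac.compare_digest(expected, record["tag"]):
        return "baseline record altered"
    if hashlib.sha256(content).hexdigest() != record["sha256"]:
        return "file changed"
    return "ok"

# Constructed sample data (assumption: KEY is unreadable to monitored programs).
KEY = b"constructed demo key"
ORIGINAL = b"constructed program image, version 1"
MODIFIED = b"constructed program image, patched!!"
RECORD = make_record(r"C:\apps\tool.exe", ORIGINAL, KEY)
# Stored digest recomputed for the modified file, without knowledge of KEY.
REWRITTEN = dict(RECORD, sha256=hashlib.sha256(MODIFIED).hexdigest())
```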
  #7  
Old October 12th, 2003, 09:02 PM
Jooske Jooske is offline
Incredibly Massive Poster
 
Join Date: Feb 2002
Location: Netherlands, EU near the sea
Posts: 9,713
Default Re:Wormguard necessity

And I really like the ability to look inside files in the safe mode to decide better if I should indeed not run the file or take the risk anyway, the scripts detection, the fact it doesn't work on a database which needs updating but has several other ways of detection, the exclusions if we want, and not to forget the new WG4 around the corner, all rebuilt from scratch with even more possibilities. But those details we're going to know soon enough. And a registered WG3 user can get that upgrade even for free!

Saved my computer various times from real nasties.
The double extensions? Fortunately TDS detects them too and they can be real security risks for many reasons written about before.
__________________
Jooske
"o_o"
  #8  
Old October 12th, 2003, 09:26 PM
Peter2150 Peter2150 is offline
Global Moderator
 
Join Date: Sep 2003
Posts: 11,805
Default Re:Wormguard necessity

Thanks for all the replies. Just took another look at the Abtrusion website. They use a hash algorithm supposedly stronger than MD5, not a simple CRC sum. I don't believe that it will screen out scripts, which is what prompted my original question. Wormguard is cheap compared to the grief people have without protection. It's coming my way. There is also another program I use, but I will put that in a separate thread.

Pete
  #9  
Old October 12th, 2003, 09:29 PM
Peter2150 Peter2150 is offline
Global Moderator
 
Join Date: Sep 2003
Posts: 11,805
Default Re:Wormguard necessity

Since it isn't about worm guard I am posting the note about the other program under the general security issues board.
  #10  
Old October 15th, 2003, 08:41 PM
rerun2 rerun2 is offline
Frequent Poster
 
Join Date: Aug 2003
Posts: 338
Default Re:Wormguard necessity

I believe Abtrusion Protector uses a SHA-1 hash, while the current version of SSM is the one that uses CRC.
 

All times are GMT -4.