i was testing one of my programs with the eicar.com test file and found that, unlike with many other files, PG does not "block" eicar.com from running when it is double-clicked, where you would expect a PG-alert to ask you if you want to allow "eicar.com" to run..
afaik, PG only prompts for executables (.exe) whereas eicar has a .com extension. maybe wormguard would stop it tho (if ur AV doesn't do so first).
This is incorrect - .com files are executables and can be used to malicious effect (format.com anyone?). I can confirm that PG is not prompting on these and I would consider this a serious loophole. Thanks for pointing this out Redwolfe_98!
Well after further testing, it appears that PG prompts on many, but not all, .com files. Testing was done by running each .com file present in the WINNT\System32 folder (on a Windows 2000 system) with the /? parameter (which should just list available options, if applicable, for the command) after checking that it was not previously listed in PG's Security List. Here are my results:

chcp.com - Prompt Issued
command.com - No Prompt
DISKCOMP.COM - Prompt Issued
DISKCOPY.COM - Prompt Issued
edit.com - No Prompt
FORMAT.COM - Prompt Issued
graftabl.com - Prompt Issued
graphics.com - No Prompt
kb16.com - No Prompt
loadfix.com - No Prompt
mode.com - Prompt Issued
more.com - Prompt Issued
tree.com - Prompt Issued
win.com - Prompt Issued

From the \WINNT\ServicePackFiles\i386 folder:
ntdetect.com - No Prompt

Command.com is the biggest potential problem since it can be used to run other programs - however PG does prompt for these if they are not present in its Security list.
thanx for the correction P2K. but ur test results are puzzling; maybe someone from diamondcs can answer why PG only prompts on certain .com files?
Nice find redwolfe_98. I see that AppDefend does prompt when executing eicar.com and logs the following:

20:13:14 13 May 2006 | AppDefend | Allowed process execution of ntvdm.exe | c:\windows\system32\ntvdm.exe | "c:\windows\system32\ntvdm.exe" -f -i1 |
20:13:22 13 May 2006 | AppDefend | Allowed physical memory access performed by ntvdm.exe | c:\windows\system32\ntvdm.exe | "c:\windows\system32\ntvdm.exe" -f -i1 |
20:13:26 13 May 2006 | AppDefend | Allowed self termination of ntvdm.exe | c:\windows\system32\ntvdm.exe | "c:\windows\system32\ntvdm.exe" -f -i1 |

System Safety Monitor does not prompt because ntvdm.exe is allowed to execute via one of its default rules. After deleting the ntvdm rule, SSM alerts to the following:

The call to API function "CreateProcess" was successfully intercepted. Command-line parameters were ""C:\WINDOWS\system32\ntvdm.exe" -f -i9".

Nick
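The log lines Nick posted show what a HIPS actually sees when a 16-bit program such as eicar.com runs: a launch of ntvdm.exe, not of the .com file itself. The script below is an added example, not code from the thread or from AppDefend, SSM or ProcessGuard. It parses those pipe-delimited lines (the five-field layout of time, product, action, image path and command line is assumed from the quoted lines) and picks out the events where a VDM host was allowed to start, which is the one point at which a per-command check is still possible. The notepad.exe line is constructed so the filter has something to ignore.

```python
"""Flag Virtual DOS Machine host launches in AppDefend-style log lines.

Added example. The five pipe-separated fields (time, product, action,
image path, command line) are assumed from the lines quoted in the thread.
"""
from dataclasses import dataclass
import ntpath

# Three lines as posted in the thread, plus one constructed non-VDM line
# so the filter has something to ignore.
SAMPLE_LOG = [
    r'20:13:14 13 May 2006 | AppDefend | Allowed process execution of ntvdm.exe | c:\windows\system32\ntvdm.exe | "c:\windows\system32\ntvdm.exe" -f -i1 |',
    r'20:13:22 13 May 2006 | AppDefend | Allowed physical memory access performed by ntvdm.exe | c:\windows\system32\ntvdm.exe | "c:\windows\system32\ntvdm.exe" -f -i1 |',
    r'20:13:26 13 May 2006 | AppDefend | Allowed self termination of ntvdm.exe | c:\windows\system32\ntvdm.exe | "c:\windows\system32\ntvdm.exe" -f -i1 |',
    # constructed line: an ordinary 32-bit process start, not a VDM host
    r'20:14:02 13 May 2006 | AppDefend | Allowed process execution of notepad.exe | c:\windows\system32\notepad.exe | "c:\windows\system32\notepad.exe" |',
]

# Hosts that run 16-bit code on behalf of another program. Once one of
# these is allowed, the programs it loads are not seen as separate
# process executions by the products discussed in the thread.
VDM_HOSTS = {"ntvdm.exe"}


@dataclass
class Event:
    timestamp: str
    product: str
    action: str
    image: str
    cmdline: str


def parse_line(line: str):
    """Split one pipe-delimited line into an Event, or None if malformed."""
    parts = [p.strip() for p in line.strip().rstrip("|").split("|")]
    if len(parts) != 5:
        return None
    return Event(*parts)


def find_vdm_launches(lines):
    """Return the events where a VDM host itself was allowed to start."""
    hits = []
    for line in lines:
        ev = parse_line(line)
        if ev is None:
            continue
        is_exec = ev.action.lower().startswith("allowed process execution of")
        if is_exec and ntpath.basename(ev.image).lower() in VDM_HOSTS:
            hits.append(ev)
    return hits


if __name__ == "__main__":
    for ev in find_vdm_launches(SAMPLE_LOG):
        print(f"{ev.timestamp}: VDM host started; 16-bit programs inside it "
              f"will not be prompted individually: {ev.cmdline}")
```

Only the first of the three ntvdm lines is a process execution; the memory-access and self-termination lines are the same VDM instance living and dying, so the filter reports one launch per instance, which matches the "first occurrence only" behaviour described later in the thread.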
I see this also with SSM (and PG, which notes ntvdm being allowed to run). The downside is that this does not work on a command-by-command basis - once you allow ntvdm (even only once), multiple commands using it can then go through without further checks.
i was wrong.. PG 3.15 does throw up an alert when i run "eicar.com", asking if i want to allow "ntvdm.exe" to run.. to make a long story short, i downloaded a fresh copy of eicar.com, disabled all of the protection on my pc and ran it.. then i enabled PG's protection and ran it again, and PG threw up the alert (asking if i wanted to allow "ntvdm.exe" to run).. i don't know what the problem was, before.. i noticed that the eicar.com file did not seem to be running properly, which is why i downloaded a fresh copy, to test again.. between all of the programs that i have on my pc, my av, "a-squared", and ewido, all of which flag the eicar.com test file, there is no telling.. i think i need to test again.. update: i tested again and PG does flag the eicar.com test file when i try to run it, popping up an alert, asking me if i want to allow ntvdm.exe to run..
You'll receive a prompt for the first occurrence only, not for any subsequent occurrences while ntvdm is still loaded (try running commands in a DOS box, then closing it - or closing ntvdm in Task Manager to retrigger a PG prompt). Basically, eicar.com (and the other examples listed above) are 16-bit applications that are handled via Windows' Virtual DOS Machine - PG only detects the VDM itself being started and needs to be able to intercept applications that it runs also.
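The post above explains the mechanism: a 16-bit program is never the process that gets created, ntvdm.exe is. A defender who wants to know in advance which files on a box will take that path can check the file header rather than the extension. The Python below is an added example, not code from the thread, DiamondCS or any product named here: it classifies an image as a raw DOS .com binary, an MZ-only DOS program, a 16-bit NE Windows image, or a PE image, and treats everything except PE as "runs under the VDM". That mapping is my inference from the post above, not something the thread states, and the sample byte strings are constructed (the tiny .com sample is four bytes that simply exit to DOS).

```python
"""Classify an executable image by header to predict whether it is launched
directly (PE) or handed to the Virtual DOS Machine (16-bit code).

Added example. The rule "no PE header means it runs under ntvdm" is an
inference from the thread, not something the thread or ProcessGuard states.
"""
import struct


def classify_image(data: bytes) -> str:
    """Return one of: dos-com-16bit, dos-mz-16bit, ne-16bit, pe."""
    # No MZ stub at all: a raw 16-bit DOS .com binary (entry at offset
    # 0x100), or simply not an executable image.
    if len(data) < 2 or data[:2] != b"MZ":
        return "dos-com-16bit"
    # Too short to hold e_lfanew: a plain DOS MZ program.
    if len(data) < 0x40:
        return "dos-mz-16bit"
    # e_lfanew at 0x3C points at the secondary header, if there is one.
    off = struct.unpack_from("<I", data, 0x3C)[0]
    if data[off:off + 4] == b"PE\0\0":
        return "pe"            # Win32 image: created directly as a process
    if data[off:off + 2] == b"NE":
        return "ne-16bit"      # 16-bit Windows image, also run inside the VDM
    return "dos-mz-16bit"      # MZ stub with no recognised secondary header


def runs_under_vdm(data: bytes) -> bool:
    """True when the image would be executed by ntvdm.exe, not on its own."""
    return classify_image(data) != "pe"


def classify_file(path: str) -> str:
    """Classify a file on disk (hypothetical helper for scanning System32)."""
    with open(path, "rb") as f:
        return classify_image(f.read())


def _mz_with(secondary: bytes) -> bytes:
    """Constructed MZ stub whose e_lfanew points just past the stub."""
    hdr = bytearray(0x40)
    hdr[:2] = b"MZ"
    struct.pack_into("<I", hdr, 0x3C, 0x40)
    return bytes(hdr) + secondary


# Constructed samples, one per class. None is a real system file.
SAMPLES = {
    "tiny_com": b"\xb4\x4c\xcd\x21",   # mov ah,4Ch ; int 21h  (exit to DOS)
    "pe": _mz_with(b"PE\0\0"),         # MZ stub followed by a PE signature
    "ne": _mz_with(b"NE"),             # MZ stub followed by an NE signature
    "mz_only": b"MZ" + bytes(0x3E),    # MZ stub with e_lfanew = 0, no PE
}


if __name__ == "__main__":
    for name, blob in SAMPLES.items():
        kind = classify_image(blob)
        where = "ntvdm.exe" if runs_under_vdm(blob) else "own process"
        print(f"{name:9s} {kind:14s} -> {where}")
```

Pointed at the .com files in a System32 folder via classify_file, this separates the ones that are really Win32 PE images (which a process-creation hook sees as their own process) from the 16-bit ones that only ever appear as an ntvdm.exe launch; which of P2K's files fall in which group is something to verify on the machine, not something this script assumes.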