Blocked-List Editor

Discussion in 'WormGuard' started by Bouch, Jun 5, 2002.

Thread Status:
Not open for further replies.
  1. Bouch

    Bouch Registered Member

    Joined:
    Apr 14, 2002
    Posts:
    26
    Location:
    Toronto Canada
    What appears below was extracted from here: http://www.symantec.com/avcenter/venc/data/w32.frethem.a@mm.html
    OK, so my question is can I use wild cards to identify file names (including the extension) in WormGuard's Blocked-List Editor? For example, could I use  www..freedesktopthemes*.* in this particular case? I mean, I know that I can because I did it and WormGuard didn't reject it, but will it achieve the desired objective is really what I'm asking? (I've never been a morning person!) Thanks.
     
  2. Jooske

    Jooske Registered Member

    Joined:
    Feb 12, 2002
    Posts:
    9,713
    Location:
    Netherlands, EU near the sea
    I don't see it in the WG/Helpfile; just thinking you must be able to test such a thing by creating a test file with such a name with your notepad for instance if you make a blocking for that name freedesktopthemes12345.vbs
    and inside a text like this:
    Msgbox "This is a VBS script running"
    "delete file"
    (this line might cause problems, so you can leave it out or make it look real with a word like "Infect file" as WG loves to block such warnings)
    As you have this blocked  freedesktopthemes*.*
    (make one extra without that www. in the name)
    and see what happens if you click that newly created test file; if it runs, the message box pops up; if it is blocked, WG will give a message.
    With that, in case you can run it, it could be the *.* would not be working, and at least you know it now for sure if it does or not.
    Good luck.
     
  3. UNICRON

    UNICRON Technical Expert

    Joined:
    Feb 14, 2002
    Posts:
    1,935
    Location:
    Nanaimo BC Canada
    I did a test and test*.vbs and test* both failed to catch my testXXX.vbs file so I don't think wild cards are supported.

    I bet it isn't too late to ask for that in WG4 though. I'll pose this question in the private forum.
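
The test described in the posts above, modelled as an added example that is not part of the original thread and is not WormGuard's code. It assumes a blocked list that compares file names literally, which is what the failed test suggests, and contrasts it with wildcard matching; all list entries and file names are constructed samples.

```python
from fnmatch import fnmatchcase

WILDCARD_CHARS = set("*?")


def exact_blocked(filename, blocklist):
    """Literal, case-insensitive comparison (assumed model of a list without wildcard support)."""
    name = filename.lower()
    return any(name == entry.lower() for entry in blocklist)


def wildcard_blocked(filename, blocklist):
    """Shell-style wildcard comparison, case-insensitive."""
    name = filename.lower()
    return any(fnmatchcase(name, entry.lower()) for entry in blocklist)


def inert_entries(blocklist):
    """Entries that a literal matcher accepts but can never hit:
    '*' and '?' are not legal characters in a Windows file name."""
    return [e for e in blocklist if WILDCARD_CHARS & set(e)]


def run_probe(blocklist, probes):
    """Map each probe file name to (blocked_by_literal, blocked_by_wildcard)."""
    return {p: (exact_blocked(p, blocklist), wildcard_blocked(p, blocklist))
            for p in probes}


# Constructed sample list and probe names, mirroring the thread's test.
SAMPLE_BLOCKLIST = ["freedesktopthemes*.*", "test*.vbs", "test*", "readme.vbs"]
SAMPLE_PROBES = ["freedesktopthemes12345.vbs", "testXXX.vbs",
                 "readme.vbs", "notes.txt"]

if __name__ == "__main__":
    for name, (lit, wild) in run_probe(SAMPLE_BLOCKLIST, SAMPLE_PROBES).items():
        print(f"{name:30} literal={lit!s:5} wildcard={wild}")
    print("entries that never match literally:", inert_entries(SAMPLE_BLOCKLIST))
```

An entry the editor accepts without complaint is not evidence that it blocks anything; `inert_entries` is the check to run over a list before relying on it.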
     
  4. Bouch

    Bouch Registered Member

    Joined:
    Apr 14, 2002
    Posts:
    26
    Location:
    Toronto Canada
    Thanks Jooske and Unicron for your responses. I had a gut feeling that WG's Block-List Editor would not support wild cards, but I was encouraged when the addition of the file name containing the wild cards was not rejected by WG. I should have thought of testing it myself but, as I said, I'm not a morning person and it simply didn't occur to me. In any event, I have requested in the private forum that the addition of this feature be considered for WG4. Thanks again.

    PS. Sorry about the toilet paper thing in the other thread Jooske. Must be Canadian humour since AH got a chuckle out of it too.
     
  5. Jooske

    Jooske Registered Member

    Joined:
    Feb 12, 2002
    Posts:
    9,713
    Location:
    Netherlands, EU near the sea
    Nothing to be sorry for, you can wipe your tears of laughing off with it at least? :p
    Glad to be of help!
     
  6. controler

    controler Guest

    The idea of creating your own signature files in WormGuard has been thought of. I was thinking of just taking the virus lists from other software and adding the names to WormGuard ;)
    What we need is a program that can generate all possible combinations of names and add that to the signature databases.
     
  7. Jooske

    Jooske Registered Member

    Joined:
    Feb 12, 2002
    Posts:
    9,713
    Location:
    Netherlands, EU near the sea
    At this moment you can do all that if you like, the adding of names I mean, but the wildcards will not be working yet.
    I don't see the real need as the executables are but a relative few of extensions at the moment, but as you will not like to block for instance all *.exe files, you would certainly not put those in the blocked extensions list, but in certain combinations of infections, same with others. But it doesn't just look at names, but has other ways of detection, so don't worry too much about this point.
    Do you run WG as well Controler?

    Did you think of/try to put the URL in your HOSTS file and pointing it to your local host? There is so much written about HOSTS file(s) in other parts of this board, there will certainly be good answers on how to. Just as an extra prevention which you can of course use for more sites you want to block.
     
  8. UNICRON

    UNICRON Technical Expert

    Joined:
    Feb 14, 2002
    Posts:
    1,935
    Location:
    Nanaimo BC Canada
    It has been confirmed by Wayne that wildcards will either be functional in the WG4 release, or in an update if they choose to give WG4 out before adding some of the wish list stuff.


    So there ya have it BC.
     
  9. Bouch

    Bouch Registered Member

    Joined:
    Apr 14, 2002
    Posts:
    26
    Location:
    Toronto Canada
    Well, thank you so much AH. The folks at DiamondCS are just sooooooooo... accommodating. Now, if they could only make WG's GUI a little more user friendly. There's just no pleasing some people, is there!!!  :D
     
  10. Gavin - DiamondCS

    Gavin - DiamondCS Former DCS Moderator

    Joined:
    Feb 10, 2002
    Posts:
    2,080
    Location:
    Perth, Western Australia
    It will be nice to use I assure you :D
     