Bug

Discussion in 'WormGuard' started by Patrice, Apr 26, 2003.

Thread Status:
Not open for further replies.
  1. Patrice

    Patrice Registered Member

    Joined:
    Apr 15, 2003
    Posts:
    571
    Location:
    Antarctica
    Hello people!

    O.K., here we go again! I installed Wormguard on my machine (Windows XP Pro) and I tried again whether Wormguard gives me an alert if I receive a link in an email message. And I have to say, YES IT DOES!

    Let's see what is happening. Here's the information you need to understand my problem:
    I'm using Office 2002 SP-2 and therefore Outlook 2002 SP-2 as well. I just received an email from the support of DriveCrypt which provided me an answer and a link (www.guidancesoftware.com). The sender and the link are secure! If I click on the link, Wormguard gives me the following alert:

    Risk Assessment: Uncertain

    *> Suspicious Filename - Multiple File Extensions.
    This filename appears to have 2 file extensions.
    The REAL file extension is: .COM

    If I say I still want to run this file, something really weird is happening. A completely different program from IE is starting up... o_O

    Well, the first problem is certainly a problem of Wormguard; the second problem could be a problem of my OS. Perhaps something is messed up there.

    Does anyone have any good suggestions to solve that problem?

    Best regards!

    Patrice
     
  2. Jason_DiamondCS

    Jason_DiamondCS Former DCS Moderator

    Joined:
    Nov 11, 2002
    Posts:
    1,046
    Location:
    Perth, Western Australia
    WormGuard picks up web addresses as having 2 extensions; this is a bug in WG-3 that will be fixed in v4.0. I don't know why it's not loading up Internet Explorer though. What program is it loading?
    -Jason-
     
  3. Jooske

    Jooske Registered Member

    Joined:
    Feb 12, 2002
    Posts:
    9,713
    Location:
    Netherlands, EU near the sea
    Patrice,
    you wrote you found it solved / explained and quoted part of the WG helpfile in this thread
    http://www.wilderssecurity.com/showthread.php?t=8749
    So I am confused that you start a new thread with the same question. This is why I didn't react earlier, with so many threads to jump around at a time.

    Is it a browser at all that is being started when pressing the URL, and is it only when you get them by email, and does it make any difference whether those are TXT or HTML, or also from websites? And does it make a difference if you use Outlook or Outlook Express?
    There was a series of security patches, which you maybe installed also for Outlook, which affected the hyperlink clicking among others and were to disable running any scripts in it etc., to the sad surprise of people trying to run wanted scripts like the msagents in it, for instance.
    You did not block .com in WG, did you?
     
  4. Patrice

    Patrice Registered Member

    Joined:
    Apr 15, 2003
    Posts:
    571
    Location:
    Antarctica
    Hi,

    Thanks, Jason, for the information. I think I can live with this "minor" bug until the next version (Wormguard 4) arrives. It's loading a program called Gyrometer, a funny tool I once installed a long time ago. At the moment I'm searching my registry to see if there's something messed up. I'm sure there's a wrong setting somewhere. But why this happens I cannot explain.

    GOT IT!! I found this entry in the registry:

    \HKEY_CURRENT_USER\Software\Microsoft\Office\10.0\Outlook\Preferences

    There the value for the key "InternetBrowserPath" is set to this Gyrometer program...Weird! How did this happen? o_O

    I set it back to IE. Let's see.

    TESTING...

    Yeah, it's working again!! Well, another Microshit bug is solved! :cool:

    Jooske, I thought my problem was solved, but indeed it wasn't. As I already told you, I deinstalled Wormguard a while ago. Yesterday I bought Wormguard; that's why I reinstalled it again. And there the error occurred again. Nothing helped... And no, I didn't block .com in Wormguard either. I just let it be as it was installed. So no change there. Nevertheless it doesn't work. But o.k., the answer of Jason is enough explanation for me. I'll wait for Wormguard v4.0! :D

    Best regards!

    Patrice
     
  5. Jooske

    Jooske Registered Member

    Joined:
    Feb 12, 2002
    Posts:
    9,713
    Location:
    Netherlands, EU near the sea
    Glad you found it, but did fixing that registry entry not help completely then?
    Is it only with URLs received via Outlook emails or also in other texts?
    I mean: I click web addresses all the time without any WG alarm, via emails etc.; only when for instance ZAPro adds the URLs in changed form as attachments to original emails, and I click on those instead of on the original URL inside the email body, do I get WG warnings about the double extensions.
    I think this is logical and how WG was designed: to prevent us opening intentionally sent malware with double extensions attached.
    Could it be that in your Outlook the attachments are not added or are invisible, and thus creating this alarm? And is it in all HTML and TXT format emails?
     
  6. Patrice

    Patrice Registered Member

    Joined:
    Apr 15, 2003
    Posts:
    571
    Location:
    Antarctica
    Hi Jooske!

    No, it didn't solve the whole problem. I have this problem just with Outlook; I never had this problem with other software until now. My emails are HTML, and I'm also using MS Word to write 'em (possible setting in Outlook).

    But it's o.k. if Wormguard gives an alert there. That's why I bought it, to make me more careful with clicking on links/files/... And at least I know it works silently in the background! ;)

    Regards,

    Patrice
     
  7. Jooske

    Jooske Registered Member

    Joined:
    Feb 12, 2002
    Posts:
    9,713
    Location:
    Netherlands, EU near the sea
    Hope allowing access after the warning now does open IE correctly since you fixed this preference in the registry; that would be something to start with.
    Imagine how a hyperlink in Word sent by email would look: www.domain.com.doc.eml (or the Outlook extension I forgot). Of course WG will alarm on that! :)
     
  8. Pilli

    Pilli Registered Member

    Joined:
    Feb 13, 2002
    Posts:
    6,217
    Location:
    Hampshire UK
    Patrice, I am wondering if there is a programme that thinks that it has some kind of priority for the .com extension, as .com files are executables like .exe. For instance "mouse.com".

    Just a thought - Pilli
     
  9. Jooske

    Jooske Registered Member

    Joined:
    Feb 12, 2002
    Posts:
    9,713
    Location:
    Netherlands, EU near the sea
    Aha, this you should be able to test easily with www.domain.net or other extensions :)
    If ZAPro grabs it, it makes either
    wwwdomainnet or www.domain.zl1 (not sure about the exact extension) of it, but as it is an attachment to the email (created by ZAPro), clicking the attachment to see what it is will cause WG to warn at least for the double extensions, while clicking the URL in the email will not cause any problems, as I guess it will call the un-executable attached safe hyperlink.
    Could try to block .com extensions in WG to test this; I think I suggested this before. I would not choose that myself, with all the many .com files to be executed too.
     
  10. Patrice

    Patrice Registered Member

    Joined:
    Apr 15, 2003
    Posts:
    571
    Location:
    Antarctica
    Hi Pilli!

    You're right! :D If the link doesn't contain .com it's working. Didn't think about this issue. :p

    I've sent a mail to myself with the link domain.net and it worked. Ahh... now I begin to understand! So, this isn't a bug of Wormguard at all!

    Jooske, do you have the same problems with your browser if you try to open a link which contains .com?

    Regards,

    Patrice
     
  11. Jooske

    Jooske Registered Member

    Joined:
    Feb 12, 2002
    Posts:
    9,713
    Location:
    Netherlands, EU near the sea
    Depends on if I try it via the attachment, which for URLs will always alarm due to the double extension with the .eml extra behind it, or from the email body. If this was no ZAPro action it might have come with some security patch... wasn't there one a year ago for Outlook to disable the clicks from hyperlinks? As you now have problems only for .com domains, I might remember wrong, or you might not have installed that patch ;)

    Hope Jason sees this explanation, and I'm sure he will think of something to test if the www.something.com is a legal innocent URL, to make an extra test whether it can be safely opened or not. There are already more tests, for malicious code for instance, so one more... why not?
    :D
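    The heuristic this thread circles around, as an added example that is not WormGuard's own code: a plain double-extension check reproduces the alert Patrice got on www.guidancesoftware.com (and stays quiet on www.domain.net, as in his test), while a context-aware variant that treats hyperlinks differently from attachment filenames, along the lines Jooske suggests, lets the bare hostname through and still flags a file named like readme.txt.com. The executable-extension list and both functions are assumptions made for this illustration.

```python
from urllib.parse import urlsplit

# Extensions the heuristic treats as directly executable (a subset, assumed here).
EXECUTABLE_EXTS = {"com", "exe", "bat", "cmd", "pif", "scr", "vbs", "js"}


def filename_check(name: str) -> dict:
    """Double-extension heuristic as the thread describes WG-3 applying it:
    split on dots, count every part after the first as an extension, report the
    last one as the REAL extension.  On the bare hostname www.guidancesoftware.com
    this sees 'www' + '.guidancesoftware' + '.com' and reports .COM: the alert
    Patrice posted."""
    parts = name.lower().split(".")
    ext_count = len(parts) - 1
    real_ext = ("." + parts[-1].upper()) if ext_count else None
    suspicious = ext_count >= 2 and parts[-1] in EXECUTABLE_EXTS
    return {"suspicious": suspicious, "extensions": ext_count, "real_ext": real_ext}


def link_check(target: str, context: str) -> dict:
    """Context-aware variant (assumed design, not WormGuard's).
    'attachment': the object being opened is a file, so the filename heuristic
    applies unchanged.  'hyperlink': the object is a URL; its host part is never
    a filename, only the last path segment can name a file, so www.domain.com is
    clean while http://host/readme.txt.com is still flagged."""
    if context == "attachment":
        return filename_check(target)
    if context != "hyperlink":
        raise ValueError("context must be 'attachment' or 'hyperlink'")
    url = target if "://" in target else "http://" + target  # bare hostnames as typed in mail
    last_segment = urlsplit(url).path.rsplit("/", 1)[-1]
    if not last_segment:  # nothing after the host: no file is being opened
        return {"suspicious": False, "extensions": 0, "real_ext": None}
    return filename_check(last_segment)


if __name__ == "__main__":
    # Constructed inputs mirroring the thread: the DriveCrypt support link, the
    # .net test, a suspicious attachment name, and a suspicious file behind a URL.
    samples = [("www.guidancesoftware.com", "hyperlink"),
               ("www.domain.net", "hyperlink"),
               ("invoice.txt.com", "attachment"),
               ("http://example.test/files/readme.txt.com", "hyperlink")]
    for target, ctx in samples:
        print(f"{ctx:<10} {target}")
        print("   naive:", filename_check(target.rsplit('/', 1)[-1]))
        print("   aware:", link_check(target, ctx))
```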
     
  12. controler

    controler Guest

    If you are using Outlook and Word to write your e-mail, you will have script enabled by default, since Word needs to use script.
    Nobody should ever need to use double file extensions in this day and age. Appears Wormguard is seeing a false positive.
    I also use Outlook and Word as e-mail clients.
     
  13. Jooske

    Jooske Registered Member

    Joined:
    Feb 12, 2002
    Posts:
    9,713
    Location:
    Netherlands, EU near the sea
    No, it's not a false positive in fact; it is concretely the dual extensions.
    If you use Outlook and Word, don't you have double extensions for your URLs? Or when you pick up emails in Outlook and try to click the hyperlinks, are they not seen as double or suspicious?
    Do you have WG running at the moment?
     
  14. Patrice

    Patrice Registered Member

    Joined:
    Apr 15, 2003
    Posts:
    571
    Location:
    Antarctica
    Hi Jooske!
    I was just checking my update level. Microsoft Office Update tells me that my Office is up-to-date. So I was using Microsoft Baseline Security Analyzer to check if something is missing in Windows XP Professional. There were some reports, but after checking them more closely they were just false alarms. I needed some minutes to understand this tool and why it's giving me false errors. Luckily I found the appropriate Knowledge Base article about that... :p

    So, everything is o.k. on my system so far! :cool: But with Windows you never know... :mad:

    Regards,

    Patrice
     