WG Working? How do you know?

Discussion in 'WormGuard' started by f_disk, Nov 9, 2002.

Thread Status:
Not open for further replies.
  1. f_disk

    f_disk Guest

    I've downloaded and installed WG. Other than opening the program and clicking "test", HOW do you know it's running? There is nothing in the task bar area and I can see nothing when I pull up Task Manager...................shouldn't it have some sort of process running?
     
  2. Paul Wilders

    Paul Wilders Administrator

    Joined: Jul 1, 2001 | Posts: 12,472 | Location: The Netherlands
    f_disk,

    grab a text editor, type some randomly chosen words, save the file as for example "testing.vbs", and execute the file. WG should jump right at it.

    regards.

    paul
     
  3. f_disk

    f_disk Guest

    Paul,

    I did that...........the double extension test worked fine...WG caught it.

    Using Notepad, doing save as any file type and naming it text.vbs gave me some sort of compilation error...WG didn't catch it.

    See my screen shot here towards the bottom.....

    http://www.dslreports.com/forum/remark,4952649~root=security,1~mode=flat

    Why isn't my whole link highlighted as html..............?
    it is now
     

    Attached Files: test.jpg (5.9 KB)
  4. Jooske

    Jooske Registered Member

    Joined: Feb 12, 2002 | Posts: 9,713 | Location: Netherlands, EU near the sea
    Do you have the Windows Scripting Host still installed? (You can, no problems with that, on the contrary!)
    Open Notepad, and type this:
    Msgbox "This is a VBS script running"
    Now save as test.vbs
    Click the thing; you can expect a message box popping up saying "This is a VBS script running".
    Now save again as test.vbs.vbs or any double extension you like.
    Now click it again. WG should jump in with a warning message about at least the double extension.
    Have a try with some terrible text in it and see if WG does like to allow you to delete or modify or infect files and install viruses, whatever kind of text you type there.
    If you did edit or see in the default several files to be blocked like funlove and goner and such in WG you can expect some warnings when you put such names in your test file.

    You won't see processes running as WG runs all silently in the background, not costing any resources, but jumping up the moment needed.
     
  5. Paul Wilders

    Paul Wilders Administrator

    Joined: Jul 1, 2001 | Posts: 12,472 | Location: The Netherlands
    f_disk

    Your link isn't showing up because you didn't use URL tags: ...

    Seems like you saved the file as a .txt file; pick "all files" instead.

    After doing so, this warning pops up (see attached screen shot):

    regards.

    paul
     

    Attached Files:

  6. f_disk

    f_disk Guest

    Paul,
    I did not save it as a .txt file. See the screenshot above......it is named test.vbs

    Jooske,
    I'll try that.
     
  7. f_disk

    f_disk Guest

    Jooske,
    I used your example and it worked exactly like you said...I got the message "This is a vbs script running"....then renamed it to a double extension and WG caught it and popped up.

    I then opened it and edited it to just have garbage characters in it:
    dfjkdjfdjfkjiejei (NOTE I DID NOT PUT MSGBOX or ANY QUOTES)
    did save as any file type, test.vbs

    And I got the error in my screenshot above.......
     
  8. f_disk

    f_disk Guest

    Here's what it looked like when I tried it like this:

    WG did not catch it
     

    Attached Files:

  9. f_disk

    f_disk Guest

    2nd pic
     

    Attached Files:

  10. Jooske

    Jooske Registered Member

    Joined: Feb 12, 2002 | Posts: 9,713 | Location: Netherlands, EU near the sea
    Windows is so very nice eh? :)
    I saved it on my desktop, so always at hand to play around with it.
    This is the content of my test.vbs at the moment
    (just drag it to an open notepad to change and save again is the easiest)
    Msgbox "This is a VBS script running"
    dfjkdjfdjfkjiejei
    goner.scr
    With this it opens the message box, after clicking the OK I get an error message for wrong type on that line of yours, if between " " I get an error expecting some action, give the goner a double extension and you will get an error on that, etc.
    Anyway, you know now your scripting host and WormGuard are working fine and Windows with all those error messages. (wished Windows would give help suggestions how to correct the things :D)
     
  11. f_disk

    f_disk Guest

    I thought it was supposed to intercept ALL .vbs extensions!

    This IS NOT the case, since in the screenshot above, Windows let it run.

    Right / Wrong o_O

    Thanks.
     
  12. Jooske

    Jooske Registered Member

    Joined: Feb 12, 2002 | Posts: 9,713 | Location: Netherlands, EU near the sea
    There was not any reason for WG to grab the "garbadge.vbs" as there was no executable thing to do, just a word to be displayed in a messagebox.
    I copied some script part in it and immediately got warnings. I don't know enough of VBS to make it a jukebox telling it to start playing a file on my system, while in TDS scripting part I can :)
     
  13. Jooske

    Jooske Registered Member

    Joined: Feb 12, 2002 | Posts: 9,713 | Location: Netherlands, EU near the sea
    If you tell WG to block the vbs scripts too, just add it to the file extensions to be blocked in the left panel. See what happens if you put exe and other frequent extensions there too, I don't think you will like that :)
     
  14. Luthorcrow

    Luthorcrow Registered Member

    Joined: Nov 30, 2002 | Posts: 56 | Location: California
    Hhmm. I tried this as well as the other variations and nothing happened. I don't mean that WG4 did nothing, I mean the VBS file doesn't do anything. I right click on properties and Windows IDs it as a VBS file but nothing happens.

    I am assuming this is a good thing rather than a bad thing. I know I have trimmed my services back, is it possible I disabled a service that prevents this from working? Any reason why this would be a bad thing?

    Specs
    Wk2 Sp3
    P4 1.5ghz
    Intel 850GB
    NOD32/WG4/TDS-3/Spyblaster running
     
  15. LowWaterMark

    LowWaterMark Administrator

    Joined: Aug 10, 2002 | Posts: 17,842 | Location: New England
    Hi Luthorcrow,
    I'm wondering if by this statement you mean that Visual Basic Scripting is disabled on your system? I created the image below to show how VBS looks and works on my Windows XP system.

    First, notice in Windows Explorer that the file "test.vbs" has a special script icon, and that Windows identifies its filetype as a "VBScript Script File". Does yours show this or does it show the filetype as "VBS File"? (If it's "VBS File" it means the association of the file extension ".vbs" is not with the Windows Scripting Host facility.)

    Also, in the Notepad window, notice the single vbs script command line - a msgbox like in one of Jooske's examples. When I run this (by double-clicking test.vbs, or by right-clicking it and selecting "open", the default action), I get the pop-up window. Can you try this and see if that is what you get?

    If VBS does not run at all on your system, you are right, it is a good thing, or at least it might be. If you don't need to run VBS for any specific purpose on your system, having it disabled is good for your overall security. (I leave it enabled on my system because I sometimes write simple scripts to automate some functions on my PC.)

    As for WG "catching it", I think the point above was that it could catch it if it was set to always block .vbs file execution. And, also it seems that if harmful actions/functions were coded in a vbs script, those too would be blocked by Wormguard. Obviously, a message box is not harmful.

    Thoughts?
    LowWaterMark
     

    Attached Files:

  16. Luthorcrow

    Luthorcrow Registered Member

    Joined: Nov 30, 2002 | Posts: 56 | Location: California
    Did as you directed and it appears that I must have disabled visual basic on my system. It's possible that I did it during one of the many security tutorials I have tried (ex: Techspot Guide and Tweaks). I am kicking myself because my mental audit is drawing a blank on this, but it explains why my wife's Sim Mod programs no longer work (almost all of them need visual basic to run). Too bad, because it hasn't caused me any pain otherwise.

    I guess I am off to Google to figure out how to undo what I have done ;)
     
  17. Tassie_Devils

    Tassie_Devils Global Moderator

    Joined: May 8, 2002 | Posts: 2,514 | Location: State Queensland, Australia
    Hi Luthorcrow:

    First I will be posting some pics, so need to have 3 posts as no facility to post multiple in this forum

    Now I do not know if this is the problem, but do you have Scripting in IE/options in Security marked disabled?
    I don't know if this would be the trouble or not.

    See pic. then I will describe in next posts about WG role and VBS.
     

    Attached Files:

  18. Tassie_Devils

    Tassie_Devils Global Moderator

    Joined: May 8, 2002 | Posts: 2,514 | Location: State Queensland, Australia
    OK. I presume you DO HAVE .vbs in the "Blocked Editor's List" in WG.
    If NOT, there is no way WG will react to a non-malicious execution of a VBS file, as it has not been told to block ALL vbs executions.

    If that has been added, and you try to execute a "test.vbs", then WG *should* issue a warning like my pic [forget the wording, I play around with the message boxes for my daughters to read, lol]

    What you put in the actual file, does not matter. I usually just put the word "test". DOES NOT MATTER.

    Here is pic of warning.
     

    Attached Files:

  19. Jason_DiamondCS

    Jason_DiamondCS Former DCS Moderator

    Joined: Nov 11, 2002 | Posts: 1,046 | Location: Perth, Western Australia
    Wormguard 3 only picks up VBS files which are "violent" in nature or trigger off a detection routine. For example just displaying a messagebox won't make Wormguard 3 say "do you want to run this VBS file" because there is nothing harmful in it. As the others have said you can make it block all VBS files if that's what you want to do and it will pop up on each VBS file. Hope that clears up some confusion. :)
    -Jason-
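
The three behaviours the replies above describe (double extension always caught, a user-added blocked extension always caught, an otherwise plain .vbs caught only when its content trips a check), sketched as an added example; this is not WormGuard's code and not part of the original thread. The function name `check`, the `RUNNABLE` list and the `RISKY_CALLS` patterns are assumptions made for illustration; funlove and goner are the names mentioned in the thread.

```python
import re
from pathlib import PureWindowsPath

# Extensions Windows runs on double-click (assumed list for this sketch).
RUNNABLE = {".vbs", ".vbe", ".js", ".wsf", ".scr", ".exe", ".pif", ".bat"}
# Worm names the thread mentions among the default blocked entries.
BLOCKED_NAMES = ("funlove", "goner")
# Constructed stand-ins for a "detection routine": calls that change files
# or the registry. These are not WormGuard's signatures.
RISKY_CALLS = re.compile(r"\b(DeleteFile|CopyFile|RegWrite)\b", re.IGNORECASE)


def check(filename, content="", blocked_exts=frozenset()):
    """Return the reasons to warn before running the file; [] means no warning."""
    suffixes = [s.lower() for s in PureWindowsPath(filename).suffixes]
    last = suffixes[-1] if suffixes else ""
    blocked = {e.lower() for e in blocked_exts}
    if last not in RUNNABLE and last not in blocked:
        return []  # not a file type this kind of guard looks at
    reasons = []
    # 1. Double extension: caught whatever the file contains.
    if len(suffixes) >= 2:
        reasons.append("double extension")
    # 2. Extension the user added to the blocked list: content is irrelevant.
    if last in blocked:
        reasons.append("blocked extension")
    # 3. Content checks: only these depend on what the script says.
    lowered = content.lower()
    reasons += ["blocked name: " + n for n in BLOCKED_NAMES if n in lowered]
    if RISKY_CALLS.search(content):
        reasons.append("risky call")
    return reasons


if __name__ == "__main__":
    msgbox = 'Msgbox "This is a VBS script running"'
    # Constructed cases mirroring the tests tried in the thread.
    for name, body, ext in [
        ("test.vbs", msgbox, set()),
        ("test.vbs", "dfjkdjfdjfkjiejei", set()),
        ("test.vbs.vbs", msgbox, set()),
        ("test.vbs", "test", {".vbs"}),
        ("test.vbs", msgbox + "\ngoner.scr", set()),
    ]:
        print(name, sorted(ext), "->", check(name, body, ext) or "no warning")
```

The second case is the one that caused the confusion: garbage text in a single-extension .vbs produces no warning from the guard, and the error the user sees comes from the script host failing to compile it.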
     
  20. Tassie_Devils

    Tassie_Devils Global Moderator

    Joined: May 8, 2002 | Posts: 2,514 | Location: State Queensland, Australia
    OK, I disabled WG [uninstalled the protection, not the program] and here is what I get now.

    It's an error message, because the CODE [the word "test" ] does NOT mean anything, therefore it cannot actually run.

    Unlike LowWaterMark's posts, he actually put in correct coding.
     

    Attached Files:

  21. Tassie_Devils

    Tassie_Devils Global Moderator

    Joined: May 8, 2002 | Posts: 2,514 | Location: State Queensland, Australia
    Hi Jason. Enjoy your break. :)

    Yes, Luthor seems to not even have VBS enabled on his system at all, not just for WG, but in general I gather.

    He could not display any message at all [presuming he added .vbs in the Blocked Editor's List]
     