Hello people! O.K., here we go again! I installed Wormguard on my machine (Windows XP Pro) and I tried again, if Wormguard gives me an alert if I receive a link in an email message. And I have to say, YES IT DOES! Let's see what is happening. Here's the information you need to understand my problem: I'm using Office 2002 SP-2 and therefore Outlook 2002 SP-2 as well. I just received an email of the support of DriveCrypt which provided me an answer and a link (www.guidancesoftware.com). The sender and the link are secure! If I click on the link, Wormguard gives me the following alert: Risk Assessment: Uncertain *> Suspicious Filename - Multiple File Extensions. This filename appears to have 2 file extensions. The REAL file extension is: .COM If I say, I still want to run this file, something really weird is happening. A completely other program than IE is starting up... Well, the first problem is certainly a problem of Wormguard, the second problem could be a problem of my OS. Perhaps something is messed up there. Does anyone has any good suggestions to solve that problem? Best regards! Patrice
WormGuard picks up web addresses as having 2 extensions, this is a bug in WG-3 that will be fixed in v4.0 . I don't know why its not loading up Internet Explorer though, what program is it loading? -Jason-
Patrice, you wrote you found it solved / explained and quoted part of the WG helpfile in this thread http://www.wilderssecurity.com/showthread.php?t=8749 So i am confused you start a new thread with the same question. This is why i didn't react earlier, with so many threads to jump around for at a time. Is it a browser at all being started at pressing the URL and is it only when you get them by email to press on and makes it any difference if those are TXT or HTML or also from websites? And does it make differences if you use Outlook or Outlook Express? There was a series of security patches which you maybe installed also for Outlook which affected the hyperlinks clicking among others and were to disable running any scripts in it etc. to sad surprise of people trying to run wanted scripts like the msagents in it for instance. You did not block .com in WG did you?
Hi, thanks Jason for the information. I think I can live with this "minor" bug until the next version (Worguard 4) arrives. It's loading a program called Gyrometer, a funny tool I once installed a long time ago. At the moment I'm searching my registry to see if there's something messed up. I'm sure there's a wrong setting somewhere. But why this happen I cannot explain. GOT IT!! I found this entry in the registry: \HKEY_CURRENT_USER\Software\Microsoft\Office\10.0\Outlook\Preferences There the value for the key "InternetBrowserPath" is set to this Gyrometer program...Weird! How did this happen? I set it back to IE. Let's see. TESTING... Yeah, it's working again!! Well, another Microshit bug is solved! Jooske, I thought my problem was solved, but indeed it wasn't. As I already told you I deinstalled Wormguard a while ago. Yesterday I bought Wormguard, that's why I reinstalled it again. And there the error occured again. Nothing helped... And no, I didn't block .com in Wormguard neither. I just let it be as it was installed. So no change there. Nevertheless it doesn't work. But o.k. the answer of Jason is enough explanation for me. I wait for Wormguard v4.0! Best regards! Patrice
Glad you found it, but did fixing that registry entry not help all complete then? Is it only with URLs received via Outlook emails or also in other texts? I mean: i click web addresses all the time without any WG alarm, via emails etc, only when for instance zapro adds the urls in changed form as attachments to original emails and clicking on those in stead of at the original url inside the email body i get WG warnings about the double extensions. Think this is logical and how WG was designed: to prevent us opening intentional sent malware with double extensions attached. Could it be in your Outlook the attachments are not added or invisible and thus creating this alarm? And is it in all html and txt format emails?
Hi Jooske! No, it didn't solve the whole problem. I have this problem just with Outlook, I never had this problem with other software until now. My emails are html, I'm using also MS Word to write 'em (possible setting in Outlook). But it's o.k., if Worguard gives an alert there. That's why I bought it, to make me more careful with clicking on links/files/... And at least I know it works silently in the background! Regards, Patrice
Hope allowing access after the warning now does open IE correctly since you fixed this preference in the registry, that would be something to start with. Imagine how an hyperlink in word sent by email would look like: www.domain.com.doc.eml (or the outlook extension i forgot) of course WG will alarm on that !
Patrice, I am wondering if there programme that thinks that it has some kind of priority for the .com extention as .com files are executables like .exe For instance "mouse.com" Just a thought - Pilli
Aha, this you should be able to test easily with www.domain.net or other extensions If ZAPro grabs it it makes either wwwdomainnet or www.domain.zl1 (not sure about the exact extension) of it, but as it is an attachment to the email (created by ZAPro) clicking the attachment to see what it is will cause WG to warn at least for the double extensions, while clicking the URL in the email will not cause any problems as i guess it will call the un-executable attached safe hyperlink. Could try to block .com extensions in WG to test this, think i suggested this before; i would not choose for that myself with all the many comfiles to be executed too.
Hi Pilli! You're right! If the link doesn't contain .com it's working. Didn't think about this issue. I've sent a mail to myself with the link domain.net and it worked. Ahh... now I begin to understand! So, this isn't a bug of Wormguard at all! Jooske, do you have the same problems with your browser if you try to open a link, which contains .com? Regards, Patrice
Depends on if i try it via the attachment which for URLs will always alarm due to the double extension with the .eml extra behind it or from the email body. If this was no ZAPro action it might have come with some security patch, ...... wasn't there a year ago one for Outlook to disable the clicks from hyperlinks? As you now have problems only for .com domains i might remember wrong or you might not have installed that patch Hope Jason sees this explanation and i'm sure he will think of something to test if the www.something.com is a legal innocent URL to make an extra test if it can be safely opened or not. There are already more tests, for malicious code for instance, so one more..... why not?
If you are using outlook ans word to write your e-mail, you will have script enabled by default, since word needs to use script. Nobody should evernneed to use double file extensions in this day and age. Appears Wormguard is seeing a false possative. I also use Outlook and Word as e-mail clients.
No it's not a false positive in fact, it is concrete the dual extensions. If you use outlook and word, don't you have double extensions for your URLs? Or when you pick up emails in outlook, and try to click the hyperlinks, are they not seen as double or suspicious? Do you have WG running at the moment?
Hi Jooske! I was just checking my update level. Microsoft Office Update tells me, that my Office is up-to-date. So I was using Microsoft Baseline Security Analyzer to check if something is missing in Windows XP Professional. There were some reports, but after checking them more closely they were just false alarms. I needed some minutes to understand this tool and why it's giving me false errors. Luckily I found the appropriate Knowledge Base Article about that... So, everything is o.k. on my system so far! But with Windows you never know... Regards, Patrice
