Why to add .mde extension to WG block list

WG detects MS Access .mdb with evil code in it:




Evil code is compiled into .mde file with the click of one button right in MS Access:




WG cannot detect the now hidden evil code but it is still there and opening this file will smoke your machine.



Luckily we can block the .mde file extension all together in WG, so when we execute the file we get this:




so please do this is you haven't already.

Have a nice day!

PS, This is not WG's fault. WG detects source code, this .mde no longer has any. Your other secuirty tools won't detect much from a .mde file either, but I wish they did

 

Thanks for the warning UNICRON.
Unfortunately compiling an Access database makes it run much faster, so now you have to choose between two bad situations.
Dolf

 

TDS and NOD32 don't have much to say either:

 

Very true Dolf, I use .mde files all the time because I am a database developer and use access for the small stuff (mainly because most offices insist).

I am thinking mostly for those who have no need for the file extension. No system file uses it so it is safe to block.

 

There are a couple ways to open an access mde without the code running right away, but all of those techniques can be dissabled:

 

Thanks Allan, Very useful tip

 

Yep, useful tip Allan, I'd be surprised if _any_ scanners actually detected that file though, you might want to give it a go with KAV

 

I don't have KAV. I doubt it would but maybe if I compiled known worm code. I'll make it tommorrow and send it to someone to test.

 

Many thanks!!!

Just updated my block-list accordingly

 

Hi Dolf, Allan, and Wayne,

First of all: thanks Allan !!!

OK, now back to Dolf's posting, just for my personal understanding:
Is it really such a "bad situation" to add it to WG?
Doesn't WG give you the opportunity to decide for yourself whether you want to run it or not? Or am I now making a mistake?

Thanks, Jan.

 

Hi Jan,

Any extentions in the Blocked list will be disallowed altogether from running. Where you have a choice is when the extention is not in the blocked list but where one of the analysis methods of WG detects something suspect with the file.

So, it seems to me, the option is to add it to blocked (and hope you don't need it) or be independently sure of the safety of the mde files.

 

Thanks a lot Dan !!!!!

 

it is if you actually use .mde files like Dolf and I do. Once added to the block list, you can't use that extension anymore.

Juat like always: Security or functionality. A truly classic case

 

It just shows why Worm Guard shouldn't rely so much on blocking file extensions. I can understand maybe scrap files but blocking not commonly used file extentions is a very bad and ineffective security method. It is Worm Guards job to tell if a file is malicous, not to block files that could be legitimate.

 

Hi wizardavc,

I agree with your first statement but in the sense that it is bad if it is the *only* means implemented but it can be (and IMO) is an effective supplement to other means of analysis and detection that WormGuard currently provides. It is my understanding that WormGuard 4 will include a definition update arrangement which will help alleviate the need to resort to extention blocking but I suspect there will continue to be occasions when extention blocking is useful.

Regards,

Dan

 

It isn't a practical solution or a proper supplement in most cases. Files such as .mde have a legit purpose and wouldn't have been designed if they solely were used for malicious purposes. Even less practical is file name blocking. A file can be named almost any numerical pattern and a legitimate file has a right to be named what every it wants to. Many trojans go around named setup.exe or install.exe, of course many legit programs use these same names. If someone wants to download a legitimate program such as TDS, they have a right to rename it "Sex Picture.exe"

I mentioned this in the suggestions thread but thought I'd bring up the file name issue here since it is related to the file extension blocking list.

 

100% agreed

 

That's why WG is not dependent on file names but looks at malicious code and that's why updates are hardly necessary, we add file names if we think it helps and it might in case of exploits more then worms f.e.

 

Nobody is suggesting that file extension blocking is a first choice. As stated earlier, I am one of two people here who have mentioned that they do indeed use that extension.

The point is, no other security measure I have found currently handles malicious .mde files, so we don't have much choice if MS Access on the machine.

If you know of one, please let me know!

 

WG-4

 

By default will WG4 have a list of file names it will block like it is in WG3?

 

Actually, it doesn't rely on that at all (you don't have to block _any_ filetypes) - it's just extra functionality that's there for you if you want it, adding an extra layer of security (ie. even if a user disables the .mde extension in the registry, a trojan could re-enable it, but that would still fail if Wormguard is blocking that filetype). If you don't want to use it, that's fine too - the choice is entirely yours!

Best regards,
Wayne

 

It is on by default, thats the point. Default settings are what the majority of software users use. Its a FACT that blocking the majority of file types and ALL file names are NOT an effective measure for stopping worms/trojans. If someone wants to rename the TDS Install file to south park.exe, MSBlast.exe, or the like they should have every right to without getting a warning from Worm Guard. It is Worm Guards job to analyze a file for worm-like characteristics. ANY legitimate or unlegitimate file can be named anything, and blocking by file name should not be a solution in any circumstance.

 

It would almost never happen that a legitimate file will be blocked by WG because of its filename. In the rare occasion it happens, just remove the filename from that list. It's not that important.
Dolf

 

Antivirus wizard, did you understand Wayne says WG is looking for CODE in stead of NAMES in the first place?
Different from any SCANNER which needs updates of databases, it has very different ways and means of detection.
Relating to worms and scripts, has nothing to do with viruses, although those might be stopped where possible.
You were told you can name any file anything and add to the block list whatever you want or don't and it will be detected just as hard if malicious.
See what happens if you change some of your critical windows system files or add them to the blocked list and tell your experiences after that.
Create some testfiles on your desktop, put some code or innocent text in it and give them some extensions and double extensions, tell WG not to run them or delete them from the block list, see all that happens.
In your notepad put a line
Msgbox "this is a vbs script running"
and save as test.vbs to start with, give an extra copy double extensions vbs.vbs or exe.vbs whatever you like and click on it. Put them in the block list or the left pane blocked extensions list, etc. Try them.