How do I check WG Integrity

Discussion in 'WormGuard' started by Tuggboat, Nov 11, 2004.

Thread Status:
Not open for further replies.
  1. Tuggboat

    Tuggboat Registered Member

    Joined:
    Nov 9, 2004
    Posts:
    28
    One of my pieces of software reported that my browser was trying to change WG. I think it was my firewall (Outpost 2.5) that gave me this notice. I blocked it from the change and did some scans, but I see some talk of checksums and was wondering if there is a way to check WG for changes. I don't see any reason my browser (Firefox 1) should change programs, and I didn't even think it could.

    I went back to the site and couldn't reproduce the attempt tonight so maybe it was a glitch and I'm just paranoid ;)

    Thanks
     
  2. FanJ

    FanJ Guest

    PS: earlier posting by Tuggboat here:
    https://www.wilderssecurity.com/showthread.php?t=54264

    Quote :
    Something on that Host page tried to modify my WormGuard so I pulled the plug and checked everything out.
    - end quote -

    And my reply there:
    quote:
    Sorry, I'm not sure whether I understand what you were saying about WormGuard and that Hosts page.
    Could you give more details, if you remember them?
    - end quote -
     
  3. FanJ

    FanJ Guest

    Hi Tuggboat,

    With respect to your question about checksums and checking WormGuard for changes:

    What you could do, if you like, is this:
    You can add the files in your WormGuard folder to the TDS-3 file crcfiles.txt
    Then the CRC32-test in TDS-3 will check whether those files are changed.
    Please remember :
    1. you have to add those files with their full path.
    2. the CRC32-test in TDS-3 is not a resident test.

    If you like, you could read more about the CRC32 test in TDS-3 here:
    TDS-3 CRC32-test Guidelines
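
The kind of on-demand check described in this post, as an added example that is not part of the original thread and is not TDS-3's code or its crcfiles.txt format: it records every file under a folder by full path, then reports changed, missing and new files on a later run. The JSON baseline file and all function names are assumptions made for illustration, and a SHA-256 digest is stored next to the CRC32 because CRC32 catches accidental changes but is not designed to resist deliberate tampering.

```python
import hashlib, json, os, tempfile, zlib

def fingerprint(path):
    """Return (crc32_hex, sha256_hex) of a file, read in chunks."""
    crc, sha = 0, hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            crc = zlib.crc32(chunk, crc)
            sha.update(chunk)
    return f"{crc & 0xFFFFFFFF:08x}", sha.hexdigest()

def snapshot(folder):
    """Map the full path of every file under folder to its fingerprint."""
    result = {}
    for root, _dirs, files in os.walk(folder):
        for name in files:
            full = os.path.abspath(os.path.join(root, name))
            result[full] = list(fingerprint(full))
    return result

def save_baseline(folder, baseline_file):
    """Write the baseline; keep this file outside the folder being checked."""
    with open(baseline_file, "w") as f:
        json.dump(snapshot(folder), f, indent=2)

def verify(folder, baseline_file):
    """Not resident: it only detects changes at the moment it is run."""
    with open(baseline_file) as f:
        baseline = json.load(f)
    current = snapshot(folder)
    return {
        "changed": sorted(p for p in baseline
                          if p in current and current[p] != baseline[p]),
        "missing": sorted(p for p in baseline if p not in current),
        "new": sorted(p for p in current if p not in baseline),
    }

def demo():
    """Constructed data: a temporary folder stands in for the program folder."""
    with tempfile.TemporaryDirectory() as work:
        folder = os.path.join(work, "guarded")
        os.mkdir(folder)
        for name, data in (("app.exe", b"original"), ("config.ini", b"a=1")):
            with open(os.path.join(folder, name), "wb") as f:
                f.write(data)
        baseline = os.path.join(work, "baseline.json")
        save_baseline(folder, baseline)
        with open(os.path.join(folder, "app.exe"), "wb") as f:
            f.write(b"patched!")                      # same size, new content
        os.remove(os.path.join(folder, "config.ini"))
        with open(os.path.join(folder, "dropped.dll"), "wb") as f:
            f.write(b"x")
        report = verify(folder, baseline)
        return {k: [os.path.basename(p) for p in v] for k, v in report.items()}
```

Storing the baseline on read-only or removable media keeps whatever modifies the program files from rewriting the baseline as well.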
     
  4. Tuggboat

    Tuggboat Registered Member

    Well, I was surfing through this link about host files
    Host files info
    I was clicking my way to download the most recent host file on the site to try it out and see what they were blocking. I had gotten one and then noticed another link that suggested an even newer version might be found at this link
    The suspicious link

    When I clicked on it I was warned that my browser Firefox was attempting to change wgaurd.exe in the wgaurd directory. Since I know that anything that uses hooks works at a very low level on the machine, that wgaurd hooks into the file system at a low level and that program hooks used to go beyond the operating system level and into the processor hardcoding, I suspected something malicious.

    A little knowledge is a dangerous thing they say :) . Mine's outdated as well because hooks were still in the next generation or two of chips when I read about them last LOL. I've just got a bundle of security software that's all new to me.

    From what I can tell the warning came from Outpost 2.5. On component control I have it set to block network access if application memory is modified by another process. I also have it set to warn me about new application components not being in the app folder. I was also running NOD32 and Spybot at the time. I don't have TDS-3 as resident but it may have been running in the background. That's about as much as I can remember. It was not a WormGuard report but a report about WormGuard.

    Hope that's not too much or not enough info

    Thanks Bob
     
  5. Pilli

    Pilli Registered Member

    Joined:
    Feb 13, 2002
    Posts:
    6,217
    Location:
    Hampshire UK
    At a guess Tuggboat, it was OP2.5's file protection kicking in, probably didn't like being "Hooked" by WormGuard or WG hooking Firefox for that matter, some such interaction like that for sure.

    HTH Pilli
     
  6. FanJ

    FanJ Guest

    Hi Bob,

    Those two links do not work for me (using IE).
    In both there is one http:// too many.

    The links are:
    http://www.accs-net.com/hosts/what_is_hosts.html
    http://www.accs-net.com/hosts/HostsToggle/

    That first link gives an explanation about HOSTS.
    The second one gives a tool for HOSTS (I myself don't use that one but that is of course everybody's own choice).

    If you would like to find HOSTS files on the internet which are frequently maintained, then please have a look at the following sites:

    MVPS HOSTS :
    http://www.mvps.org/winhelp2002/hosts.htm

    HPguru HOSTS :
    http://www.dozleng.com/hpguru/



    I have to admit that I don't know what was happening... :oops:

    I even have to admit that I don't know whether WormGuard works with Firefox; I suppose yes, but I hope the DiamondCS guys could tell some more about that.

    What happened between Outpost and WormGuard: again I have to admit that I don't know that; I don't have Outpost; sorry again.

    About TDS-3:
    The resident part of TDS-3 is Execution Protection.
    It is not working like your resident anti-virus program, but -just like WormGuard's hook- it is a hook.
    Execution Protection works only if the following two things have been done:
    1. TDS-3 has been started (either automatically or by yourself);
    and
    2. Execution Protection was enabled in TDS-3.


    Sorry that I could not answer all your questions :oops:
    I hope others will jump in here.

    Cheers, Jan.
     
  7. Tuggboat

    Tuggboat Registered Member

    Thanks All! I'm on my way to CRCing the files in the WG dir thanks to you and I got my executable protection going on TDS-3.

    There is an option in my firewall to block or allow hidden processes that may answer my own question. Seems Outpost 2.5 has this option to tighten up security but I found out that it is kind of an expected behavior for it to give some false reports because the warning also pops up... sometimes... just because it does an access on an unshared or hidden process. I don't have all the facts yet but figured I'd post back that it looks like a firewall issue and that might be helpful to someone in the future. It can be fixed when I'm sure everything's on the up and up by clicking allow access for hidden processes but it's a global setting and a firewall issue not a Wguard. I don't think it's a virus issue at this time either.

    Thanks again
    Bob
     