I'm using ProcessGuard, do I need WormGuard?

Discussion in 'ProcessGuard' started by FAG, Jul 12, 2005.

Thread Status:
Not open for further replies.
  1. FAG

    FAG Guest

    I'm using ProcessGuard, do I need WormGuard?
     
  2. Peter2150

    Peter2150 Global Moderator

    Joined:
    Sep 20, 2003
    Posts:
    17,041
    Yes, at least in my opinion. WormGuard will catch scripts and stuff in email that nothing else catches. I've got KAV 5.0, PG, RegDefend, and Prevx running, and on an email test site (there is a link somewhere here on Wilders) where they send you test emails, much of the stuff was stopped by my ISP, but it was WormGuard that caught the rest.

    Pete
     
  3. FAG

    FAG Guest

    I'm not using Outlook email,
    I'm using website email like Yahoo.

    Do I need WormGuard?
     
  4. richrf

    richrf Registered Member

    Joined:
    Dec 11, 2003
    Posts:
    1,907
    Hi,

    I am using WormGuard and online Yahoo mail. There have been times when WormGuard intercepted scripts that were attempting to be automatically executed (sometimes they are related to a particular web page, or a download of some type), and WormGuard has alerted me. Usually I allow the script to execute but sometimes I suppress it because I do not know what the script is attempting to do and do not wish to allow it to execute on the off-chance that it may be malicious.

    Hope this helps,
    Rich
     
  5. Infinity

    Infinity Registered Member

    Joined:
    May 31, 2004
    Posts:
    2,651
    A little more info on WormGuard can be useful indeed, Rich.

    And for the original question: one year ago I infected myself and it was WG that alerted me something was wrong...
     
  6. richrf

    richrf Registered Member

    Joined:
    Dec 11, 2003
    Posts:
    1,907
    Hi Infinity.

    Yes, I very much agree. Software vendors in general do not really describe the functionality (or the architecture) of their products very well. I remember when I used to work on large mainframe based systems (e.g. IMS/DB, DB2, MVS), we had tons of documentation available to us, some giving us the actual program flow so we knew exactly what the software was doing. (Most of the time it was correct - though we had some surprises now and then ;) ). Better documentation would certainly be helpful. I am still not exactly sure how to "update" WormGuard. Luckily, fellow members like Pilli, and Kent/Tony (on the GhostSuite site), really fill in lots of the blanks.

    Cya around,
    Rich
     
  7. FAG

    FAG Guest

    thank you all :)

    Please, what do you mean by scripts?
    Is it JavaScript?
    So does this software block any scripts in web pages?
    Many websites have scripts, so how can I know which are bad scripts and which are good scripts?

    :)
     
  8. Infinity

    Infinity Registered Member

    Joined:
    May 31, 2004
    Posts:
    2,651
    Experience, I hate to say, FAG... I don't like the sound of it either, but when you get your hands on the services/legit DLLs/EXEs and their locations/... you begin to understand the power of good/wrong apps like PG/RD/WG for that matter...

    You cannot expect an explorer.exe in your downloaded program files to be connecting to an external server...

    If it tries to use a batch/script/... or even tries to use an Outlook script: it will ask/stop before the deed is done.

    At least in 99% of the cases.

    Sincerely.
     
  9. richrf

    richrf Registered Member

    Joined:
    Dec 11, 2003
    Posts:
    1,907
    Hi FAG,

    I copied this from WormGuard's help file. It provides the best explanation that I have seen regarding the type of protection that WormGuard provides. Hope this helps,

    Rich

    Image 3: WormGuard Primary Testing Sequence
    The Primary Testing Sequence is initialised by the WormGuard executive, and the first test that is applied is carried out by the Macro Detection\Interpretation engine (MD\I). This engine will detect the presence of macros, and pass the testing to an appropriate internal subsystem for independent testing when it determines what kind of macro the file contains. There are four internal subsystems to do this - each macro class has its own format (Word, Excel, Access, PowerPoint).

    After MD\I processing, if the file is determined to be of Document nature (such as from Wordpad, Microsoft Word, etc) the WG Executive will initiate a further test to read the embedded files in the document - letting the user know exactly how many embedded objects there are, what their names are, and what their original filenames were. WordPad worms exist which don't use macros to propagate - they drop executable files when their embedded object is activated. As an example, the JanyCute worm arrives in the format of a Wordpad .doc file. The user can open this file - it is not hostile. However, it contains an embedded object. The label of the embedded object is "JanyCute.doc", but the file is actually janycute.exe - WormGuard will also alert you to any extension changes inside embedded objects inside document files.

    The next test - does the file contain any scripts? (Such as VBS files, VBScript, JS files, Javascript, WSH, HTA, and so on)
    If it does, the WG Executive will call the Advanced Script Analysis Engine (ASAE). This engine is able to analyse what the script inside the file is capable of doing. If it determines that it is capable of doing anything that is suspicious or potentially hostile, you will be alerted. It is virtually impossible to get VBS/JS/HTA/WSH worms past this engine, and worms like I-Love-You/LoveBug will usually generate more than 15 unique alarms in WormGuard.

    If the file is determined to be of command/batch file inheritance, such as .BAT, .COM, .PIF or .CMD, the Command-File Interpretation (CFI) engine will analyse the file. This engine will analyse the file to determine if it is capable of performing any potentially hostile DOS commands. It is also a very solid engine against the four Command/Batch file types.
    The filename itself will then be examined to guard against several severe file-system vulnerabilities that exist in all versions of Microsoft Windows 95, 98, NT and 2000. This test makes these vulnerabilities obsolete.

    The final test, performed by the Advanced Deep-Search Interpretation (ADSI) engine, will only be performed if Deep-Search is enabled. This search engine is capable of detecting most keyloggers, password-stealers, references to known worm authors, and identifying IRC-propagating worms as being "capable" or "almost definite", as well as programs carrying internal IRC scripts.
    During the tests, an alarm report is continually being developed in memory by WormGuard. If at the end of the tests the alarm report is empty (e.g. no alarms were triggered), then the file will be allowed to be processed normally by the operating system, allowing it to execute. If there is an alarm report, it will be displayed, and the user will then have the option of re-deciding if executing the file is a wise idea or not. WormGuard will also provide the user with a Risk Assessment.
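The pipeline in the help-file excerpt above (filename checks, embedded objects in documents, the script engine, the command-file engine, and an alarm report that ends in a risk assessment) can be sketched as a small static triage tool. The following Python is an added example written for this page, not WormGuard's code or its rule set: the engine names are borrowed from the excerpt, the macro and Deep-Search stages are left out, and the extension classes, regex heuristics, alarm weights and risk thresholds are all assumptions. The samples are constructed fragments (a LoveLetter-style VBS skeleton, a batch file, an RTF with a packaged executable, and a CLSID-extension filename), not real malware.

```python
import re
# Extension classes (assumed; chosen to mirror the engines named in the help-file excerpt).
SCRIPT_EXTS = {"vbs", "vbe", "js", "jse", "wsh", "wsf", "hta"}
COMMAND_EXTS = {"bat", "cmd", "com", "pif"}
EXEC_EXTS = SCRIPT_EXTS | COMMAND_EXTS | {"exe", "scr", "shs", "shb"}
DECOY_EXTS = {"txt", "jpg", "jpeg", "gif", "doc", "pdf", "mp3", "avi"}
# (regex, explanation, weight): hand-written heuristics standing in for WormGuard's own rules.
SCRIPT_PATTERNS = [
    (r"CreateObject\s*\(\s*[\"']Scripting\.FileSystemObject", "file-system access via FileSystemObject", 2),
    (r"CreateObject\s*\(\s*[\"']WScript\.Shell", "shell/registry access via WScript.Shell", 2),
    (r"CreateObject\s*\(\s*[\"']Outlook\.Application", "Outlook automation (mass-mailer behaviour)", 4),
    (r"\.AddressLists\b|\.AddressEntries\b", "address-book enumeration", 3),
    (r"\.Attachments\.Add\b", "attaching a file to outgoing mail", 3),
    (r"\.RegWrite\b", "registry write", 2),
    (r"\\CurrentVersion\\Run\b", "autostart (Run key) persistence", 3),
    (r"WScript\.ScriptFullName\b", "reads its own path (self-replication)", 2),
    (r"\.(?:CopyFile|DeleteFile)\b", "file copy/delete", 1),
]
COMMAND_PATTERNS = [
    (r"\b(?:del|erase)\b[^\n]*(?:/s\b|/q\b|\*\.\*)", "recursive or silent delete", 4),
    (r"\breg\s+add\b|\bregedit\s+/s\b", "registry modification", 3),
    (r"\bcopy\s+%0\b|%~f0", "copies itself (replication)", 3),
    (r"\becho\s+y\s*\|", "suppresses confirmation prompts", 1),
    (r"\\CurrentVersion\\Run\b", "autostart (Run key) persistence", 3),
]

class Report:  # alarm report built up during the tests; each alarm is (engine, detail, weight)
    def __init__(self, filename):
        self.filename, self.alarms = filename, []
    def add(self, engine, detail, weight):
        self.alarms.append((engine, detail, weight))
    def score(self):
        return sum(w for _, _, w in self.alarms)
    def risk(self):  # risk assessment; thresholds are arbitrary
        if not self.alarms:
            return "none"
        return "high" if self.score() >= 10 else "medium" if self.score() >= 4 else "low"

def _extensions(name):
    return name.lower().strip().split(".")[1:]

def check_filename(name, report):  # FNC: naming tricks that hide the real type from the user
    exts = _extensions(name)
    if len(exts) >= 2 and exts[-1] in EXEC_EXTS and exts[-2] in DECOY_EXTS:
        report.add("FNC", f"decoy double extension .{exts[-2]}.{exts[-1]}", 4)
    if re.search(r"\.\{[0-9a-f-]{36}\}$", name, re.I):
        report.add("FNC", "CLSID extension (Explorer does not display it)", 4)

def check_document(data, report):  # DOC: embedded objects in RTF, and a PE image hidden in them
    blobs = re.findall(rb"\\objdata\s*([0-9a-fA-F\s]+)", data) if data.startswith(b"{\\rtf") else []
    if blobs:
        report.add("DOC", f"{len(blobs)} embedded object(s) in document", 1)
    for i, blob in enumerate(blobs, 1):
        hexstr = re.sub(rb"\s+", b"", blob)
        if b"MZ" in bytes.fromhex(hexstr[: len(hexstr) // 2 * 2].decode("ascii")):
            report.add("DOC", f"embedded object {i} carries a PE executable (MZ header)", 5)

def check_patterns(engine, patterns, text, report):
    for pattern, detail, weight in patterns:
        hits = len(re.findall(pattern, text, re.IGNORECASE))
        if hits:
            report.add(engine, f"{detail} ({hits} hit{'s' if hits > 1 else ''})", weight)

def triage(name, data):  # run the stages in the order the excerpt describes
    report = Report(name)
    check_filename(name, report)
    check_document(data, report)
    ext = (_extensions(name) or [""])[-1]
    text = data.decode("latin-1")
    if ext in SCRIPT_EXTS or re.search(r"<script\b|\bWScript\b|CreateObject\s*\(", text, re.I):
        check_patterns("ASAE", SCRIPT_PATTERNS, text, report)  # script analysis
    if ext in COMMAND_EXTS:
        check_patterns("CFI", COMMAND_PATTERNS, text, report)  # command-file analysis
    return report

# Constructed samples (fragments written for this example, not real malware).
SAMPLES = {
    "LOVE-LETTER-FOR-YOU.TXT.vbs": rb'''Set fso = CreateObject("Scripting.FileSystemObject")
Set wsh = CreateObject("WScript.Shell")
fso.CopyFile WScript.ScriptFullName, "C:\WINDOWS\SYSTEM\LOVE-LETTER-FOR-YOU.TXT.vbs"
wsh.RegWrite "HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\MSKernel32", "C:\WINDOWS\SYSTEM\LOVE-LETTER-FOR-YOU.TXT.vbs"
Set out = CreateObject("Outlook.Application")
For Each lst In out.GetNameSpace("MAPI").AddressLists
  m.Attachments.Add "C:\WINDOWS\SYSTEM\LOVE-LETTER-FOR-YOU.TXT.vbs"
Next''',
    "cleanup.bat": rb'''@echo off
copy %0 %windir%\system32\svchost.bat
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Run /v svc /d %windir%\system32\svchost.bat /f
echo y | del /s /q C:\*.doc''',
    "invoice.doc": rb"{\rtf1{\object\objemb{\*\objclass Package}{\*\objdata 01050000020000000c0000005061636b6167650000004d5a90000300}}}",
    "report.txt.{3050F4D8-98B5-11CF-BB82-00AA00BDCE0B}": b"",
}

def triage_all():
    return {name: triage(name, data) for name, data in SAMPLES.items()}

if __name__ == "__main__":
    for name, rep in triage_all().items():
        print(name, f"risk={rep.risk()} score={rep.score()}", *[f"[{e}] {d}" for e, d, _ in rep.alarms], sep="\n  ")
```

Run the file to print each sample's alarm list; triage() takes any (filename, bytes) pair. The point the excerpt makes, and the example keeps, is that the verdict is cumulative: one FileSystemObject call is normal in an admin script, but the same file enumerating address lists, adding itself as an attachment and writing a Run key is what pushes the report into the "high" band. The filename test fires independently of content, so a decoy .TXT.vbs name or a CLSID extension is flagged even when the other engines find nothing.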
     
  10. lynchknot

    lynchknot Registered Member

    Joined:
    Jun 26, 2004
    Posts:
    904
    Location:
    SW WA
    I think RegRun does something similar to WormGuard - at least it pops up with similar files such as .reg.
     
  11. Infinity

    Infinity Registered Member

    Joined:
    May 31, 2004
    Posts:
    2,651
    You're correct about that.
     
  12. FAG

    FAG Guest

    thank you richrf :)
     
  13. FAG

    FAG Guest

    thank you Infinity :)
     
  14. richrf

    richrf Registered Member

    Joined:
    Dec 11, 2003
    Posts:
    1,907
    You're welcome. Glad I was able to help.

    Cya,
    Rich
     
  15. Paranoid2000

    Paranoid2000 Registered Member

    Joined:
    May 2, 2004
    Posts:
    2,839
    Location:
    North West, United Kingdom
    Web page scripting can be dealt with via browser settings and can be filtered by a number of firewalls or a specialised web filter like Proxomitron (free and powerful, but complex). Windows scripting can be restricted using the likes of Script Sentry (also free for personal use) and is covered by some anti-virus software also (see the Multiple Firewall Products Bypass Vulnerability thread for other methods of dealing with scripting).

    IMHO, WormGuard is likely to be of real value only if you do not have these options covered by other software or you consider yourself at increased risk from script-borne malware (e.g. you receive a lot of Microsoft Word/Excel documents with embedded macros).
     
  16. richrf

    richrf Registered Member

    Joined:
    Dec 11, 2003
    Posts:
    1,907
    Hi P2000,

    Controlling scripting via Firefox didn't work for me, since many sites that I often visit (e.g. MyYahoo) require javascript to be turned on. Turning javascript on and off became too cumbersome for me and my family. WormGuard seems to work out well for my scenario. Do you know of a better way via Firefox to control javascripting? Thanks.

    Cya,
    Rich
     
  17. Paranoid2000

    Paranoid2000 Registered Member

    Joined:
    May 2, 2004
    Posts:
    2,839
    Location:
    North West, United Kingdom
    Firefox does not allow scripting to be set on a per-site basis (though an extension may help here, I've not researched this though so can't offer any further info) and Opera/IE seem to be the same - global settings only.

    A separate filter would be a better option therefore for per-site control - Privoxy and Proxomitron are the ones I've used (though I use Privoxy mainly to Socksify traffic for use with Tor). WebWasher Classic (donationware) is another option that is simpler to use (no text files to edit or filtering language to learn). They do allow greater control over website behaviour (especially Proxomitron) including the removal of non-malicious annoyances (e.g. ads, frames, off-site graphics, blinking text, sound/music or garish backgrounds).
     
  18. Vikorr

    Vikorr Registered Member

    Joined:
    May 1, 2005
    Posts:
    662
    The Internet and Trusted zones in IE can be used here... deactivate ActiveX, IFrame, JavaScript etc. for the Internet zone, and configure their use as you prefer in the Trusted zone... at least that's how I do it.
     
  19. Paranoid2000

    Paranoid2000 Registered Member

    Joined:
    May 2, 2004
    Posts:
    2,839
    Location:
    North West, United Kingdom
    If you are happy to apply the same settings across a range of sites then the zones facility can be used - but they aren't much good for differing "per site" settings. There have also been security vulnerabilities allowing malicious websites to bypass the zones settings.
     
  20. richrf

    richrf Registered Member

    Joined:
    Dec 11, 2003
    Posts:
    1,907
    Thanks for the additional info guys. An area that Firefox can probably improve upon.

    Rich
     
  21. Jame Taylor

    Jame Taylor Guest

    Any "zonal" kind of system can be bypassed. Even Firefox's XPI allow list which is technically a kind of trusted zone was breached once.

    That is why it's best not to rely on such systems as much as possible. Any 'trusted zone' that allows any website to manhandle your computer is just asking for trouble.

    That said, a zonal system exists for Firefox but it's extremely well hidden and isn't centralised. It's called "Security policies".

    http://www.mozilla.org/projects/security/components/ConfigPolicy.html

    No UI exists for this, there's an extension for it.

    http://piro.sakura.ne.jp/xul/_policymanager.html.en

    You can set as many zones as you want, with policies for popups, images, Java, JavaScript (different functions), etc.

    There's another popular extension that is very flexible for handling Javascript only called Noscript, but it's pretty buggy in my experience.
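The per-site policy system described in the post above, and Paranoid2000's earlier caveat that zone systems have been bypassed by malicious sites, can both be shown with a small model of how such a policy lookup works. The following Python is an added example written for this page, not Mozilla's implementation: the pref names follow the `capability.policy.policynames` / `capability.policy.<name>.sites` / `capability.policy.<name>.<capability>` layout from the ConfigPolicy page, but the two capability names used ("javascript.enabled", "Window.open"), the deny-by-default values, the "allAccess" fallback when nothing is set, and the rule that a site entry covers its subdomains are assumptions. The second matcher is there to show the class of bug that turns a zone into a hole: a site match done on the raw URL string instead of on the parsed origin.

```python
from urllib.parse import urlsplit

# Constructed prefs in the capability.policy.* layout (assumed values for this example).
PREFS = {
    "capability.policy.policynames": "trusted readonly",
    "capability.policy.default.javascript.enabled": "noAccess",   # deny by default, NoScript style
    "capability.policy.default.Window.open": "noAccess",
    "capability.policy.trusted.sites": "https://mail.example https://bank.example",
    "capability.policy.trusted.javascript.enabled": "allAccess",
    "capability.policy.trusted.Window.open": "allAccess",
    "capability.policy.readonly.sites": "http://news.example",
    "capability.policy.readonly.javascript.enabled": "allAccess",
}

def load_policies(prefs):
    """Turn the flat prefs into (default_rules, [(name, sites, rules), ...]) in policynames order."""
    def rules_for(name):
        prefix = f"capability.policy.{name}."
        return {k[len(prefix):]: v for k, v in prefs.items()
                if k.startswith(prefix) and k != prefix + "sites"}
    named = [(name, prefs.get(f"capability.policy.{name}.sites", "").split(), rules_for(name))
             for name in prefs.get("capability.policy.policynames", "").split()]
    return rules_for("default"), named

def naive_prefix_match(site, url):
    """The string-prefix shortcut a careless zone implementation might use. Do not do this."""
    return url.startswith(site)

def origin_match(site, url):
    """Compare scheme and host after real URL parsing; a site entry also covers its subdomains."""
    s, u = urlsplit(site), urlsplit(url)
    if not u.hostname or (s.scheme and s.scheme != u.scheme):
        return False
    site_host = (s.hostname or s.path).lower()   # an entry without a scheme is a bare host
    host = u.hostname.lower()                     # userinfo and port are already stripped here
    return host == site_host or host.endswith("." + site_host)

def zone_of(prefs, url, match=origin_match):
    """Name of the first policy whose site list covers the URL, or 'default'."""
    _, named = load_policies(prefs)
    for name, sites, _rules in named:
        if any(match(site, url) for site in sites):
            return name
    return "default"

def capability(prefs, url, cap, match=origin_match):
    """Access level for one capability: the site's policy first, then the default policy."""
    default, named = load_policies(prefs)
    policies = {name: rules for name, _, rules in named}
    rules = policies.get(zone_of(prefs, url, match), {})
    return rules.get(cap, default.get(cap, "allAccess"))

if __name__ == "__main__":
    for url in ("https://mail.example/inbox", "http://news.example/story",
                "https://mail.example@evil.example/", "https://mail.example.evil.example/"):
        print(f"{url:45} naive={zone_of(PREFS, url, naive_prefix_match):8} origin={zone_of(PREFS, url)}")
```

With the origin matcher, `https://mail.example@evil.example/` and `https://mail.example.evil.example/` both land in the default zone, because the parsed host is `evil.example` and `mail.example.evil.example` respectively; with the prefix matcher both are "trusted", which is precisely the kind of zone bypass the thread warns about. A scheme downgrade (`http://mail.example/` when the entry says `https://`) also falls back to the default policy, so a trusted-site entry cannot be borrowed over plain HTTP.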
     
  22. WSFuser

    WSFuser Registered Member

    Joined:
    Oct 7, 2004
    Posts:
    10,632
    I'm surprised no one has mentioned it yet, but the NoScript extension for Firefox lets you block all JavaScript, then whitelist the sites you need JavaScript on.
     