Discussion in 'ProcessGuard' started by FAG, Jul 12, 2005.
I'm using ProcessGuard, do I need WormGuard?
Yes, at least in my opinion. WormGuard will catch scripts and stuff in email that nothing else catches. I've got KAV 5.0, PG, RegDefend, and Prevx running, and on an email test site (there is a link somewhere here on Wilders) where they send you test emails, much of the stuff was stopped by my ISP, but it was WormGuard that caught the rest.
I'm not using Outlook email,
I'm using web site email like Yahoo.
Do I need WormGuard?
I am using WormGuard and online Yahoo mail. There have been times when WormGuard intercepted scripts that were attempting to be automatically executed (sometimes they are related to a particular web page, or a download of some type), and WormGuard has alerted me. Usually I allow the script to execute but sometimes I suppress it because I do not know what the script is attempting to do and do not wish to allow it to execute on the off-chance that it may be malicious.
Hope this helps,
A little more info on WormGuard can be useful indeed, Rich.
And for the original question: one year ago I infected myself and it was WG that alerted me something was wrong...
Yes, I very much agree. Software vendors in general do not really describe the functionality (or the architecture) of their products very well. I remember when I used to work on large mainframe based systems (e.g. IMS/DB, DB2, MVS), we had tons of documentation available to us, some giving us the actual program flow so we knew exactly what the software was doing. (Most of the time it was correct - though we had some surprises now and then.) Better documentation would certainly be helpful. I am still not exactly sure how to "update" WormGuard. Luckily, fellow members like Pilli, and Kent/Tony (on the GhostSuite site), really fill in lots of the blanks.
thank you all
Please, what do you mean by scripts?
Is it JavaScript?
So does this software block any scripts in web pages?
Many web sites have scripts, so how can I know which are bad scripts or good scripts?
Experience, I hate to say, FAG... I don't like the sound of it either, but when you get your hands on the services/legit DLLs/EXEs and their locations/... you begin to understand the power of good/wrong apps like PG/RD/WG for that matter...
You cannot expect an explorer.exe in your Downloaded Program Files connecting to an external server...
If it tries to use a batch/script/... or even tries to use an Outlook script, it will ask/stop before the deed is done.
At least in 99% of the cases.
I copied this from WormGuard's help file. It provides the best explanation that I have seen regarding the type of protection that WormGuard provides. Hope this helps,
Image 3: WormGuard Primary Testing Sequence
The Primary Testing Sequence is initialised by the WormGuard executive, and the first test that is applied is carried out by the Macro Detection\Interpretation engine (MD\I). This engine will detect the presence of macros, and pass the testing to an appropriate internal subsystem for independent testing when it determines what kind of macro the file contains. There are four internal subsystems to do this - each macro class has its own format (Word, Excel, Access, PowerPoint).
After MD\I processing, if the file is determined to be of Document nature (such as from Wordpad, Microsoft Word, etc) the WG Executive will initiate a further test to read the embedded files in the document - letting the user know exactly how many embedded objects there are, what their names are, and what their original filenames were. WordPad worms exist which don't use macros to propagate - they drop executable files when their embedded object is activated. As an example, the JanyCute worm arrives in the format of a Wordpad .doc file. The user can open this file - it is not hostile. However, it contains an embedded object. The label of the embedded object is "JanyCute.doc", but the file is actually janycute.exe - WormGuard will also alert you to any extension changes inside embedded objects inside document files.
If it does, the WG Executive will call the Advanced Script Analysis Engine (ASAE). This engine is able to analyse what the script inside the file is capable of doing. If it determines that it is capable of doing anything that is suspicious or potentially hostile, you will be alerted. It is virtually impossible to get VBS/JS/HTA/WSH worms past this engine, and worms like I-Love-You/LoveBug will usually generate more than 15 unique alarms in WormGuard.
If the file is determined to be of command/batch file inheritance, such as .BAT, .COM, .PIF or .CMD, the Command-File Interpretation (CFI) engine will analyse the file. This engine will analyse the file to determine if it is capable of performing any potentially hostile DOS commands. It is also a very solid engine against the four Command/Batch file types.
The filename itself will then be examined to guard against several severe file-system vulnerabilities that exist in all versions of Microsoft Windows 95, 98, NT and 2000. This test makes these vulnerabilities obsolete.
The final test, performed by the Advanced Deep-Search Interpretation (ADSI) engine, will only be performed if Deep-Search is enabled. This search engine is capable of detecting most keyloggers, password-stealers, references to known worm authors, and identifying IRC-propagating worms as being "capable" or "almost definite", as well as programs carrying internal IRC scripts.
During the tests, an alarm report is continually being developed in memory by WormGuard. If at the end of the tests the alarm report is empty (e.g. no alarms were triggered), then the file will be allowed to process normally by the operating system, allowing it to execute. If there is an alarm report, it will be displayed, and the user will then have the option of re-deciding if executing the file is a wise idea or not. WormGuard will also provide the user with a Risk Assessment.
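To make the staged sequence in the help-file quote above concrete, here is an added toy analyser written for this thread; it is not WormGuard code and does not claim to match its real engines. It mirrors the structure only: classify the file, run the engine for that class (embedded-object label check for documents, capability tokens for scripts, destructive commands for batch files), then examine the filename, accumulating an alarm report that ends in a risk rating. The extension lists, capability tokens, hostile command list and risk thresholds are all assumptions chosen for illustration, and the sample inputs are constructed.

```python
"""Toy analogue of a staged file-scanning sequence (constructed example, not WormGuard's code)."""
import os
import re
from dataclasses import dataclass, field

# Assumed mapping of extensions to engine classes, following the help-file categories.
SCRIPT_EXTS = {".vbs", ".js", ".hta", ".wsh", ".wsf"}
COMMAND_EXTS = {".bat", ".com", ".pif", ".cmd"}
DOCUMENT_EXTS = {".doc", ".rtf", ".xls", ".ppt"}

# Capabilities a mail/web script rarely needs legitimately; each hit is one alarm (assumption).
SCRIPT_CAPABILITIES = {
    "Scripting.FileSystemObject": "file system access (read/write/delete files)",
    "WScript.Shell": "can launch programs and edit the registry",
    "Outlook.Application": "can automate Outlook (typical of mass-mailers)",
    "AddressList": "enumerates address books",
    "RegWrite": "writes registry values",
}
HOSTILE_COMMANDS = {"format", "deltree", "del", "erase", "rd", "rmdir"}
RESERVED_NAMES = {"con", "prn", "aux", "nul", "com1", "lpt1"}  # legacy DOS device names


@dataclass
class AlarmReport:
    """Alarm list built up across the engines, plus a simple risk assessment."""
    alarms: list = field(default_factory=list)

    def add(self, engine: str, text: str) -> None:
        self.alarms.append(f"[{engine}] {text}")

    def risk(self) -> str:
        # Thresholds are arbitrary; they only illustrate the "Risk Assessment" idea.
        n = len(self.alarms)
        if n == 0:
            return "clean"
        if n <= 2:
            return "low"
        return "medium" if n <= 5 else "high"


def check_filename(name: str, report: AlarmReport) -> None:
    """Filename-level checks: misleading double extensions, reserved names, trailing dots/spaces."""
    stem, ext = os.path.splitext(os.path.basename(name))
    inner = os.path.splitext(stem)[1]
    if inner and ext.lower() in SCRIPT_EXTS | COMMAND_EXTS | {".exe", ".scr"}:
        report.add("FILENAME", f"double extension {inner}{ext} hides an executable type")
    if stem.split(".")[0].lower() in RESERVED_NAMES:
        report.add("FILENAME", f"reserved device name {stem!r}")
    if stem != stem.rstrip(" ."):
        report.add("FILENAME", "trailing spaces/dots before the extension")


def check_embedded(objects, report: AlarmReport) -> None:
    """objects: (label shown to the user, real file name) pairs as a document parser would yield."""
    for label, real in objects:
        if os.path.splitext(label)[1].lower() != os.path.splitext(real)[1].lower():
            report.add("DOC", f"embedded object labelled {label!r} is really {real!r}")


def analyse_script(text: str, report: AlarmReport) -> None:
    """Script capability analysis: one alarm per sensitive object/method referenced."""
    for token, meaning in SCRIPT_CAPABILITIES.items():
        if re.search(re.escape(token), text, re.IGNORECASE):
            report.add("ASAE", f"uses {token}: {meaning}")


def analyse_command(text: str, report: AlarmReport) -> None:
    """Batch/command analysis: alarm on lines that start with a destructive command."""
    for line in text.splitlines():
        words = line.strip().lstrip("@").split()
        if words and words[0].lower() in HOSTILE_COMMANDS:
            report.add("CFI", f"potentially destructive command: {line.strip()}")


def scan(filename: str, content: str = "", embedded=()) -> AlarmReport:
    """Run the engine for the file's class, then the filename test; return the alarm report."""
    report = AlarmReport()
    ext = os.path.splitext(filename)[1].lower()
    if ext in DOCUMENT_EXTS:
        check_embedded(embedded, report)
    elif ext in SCRIPT_EXTS:
        analyse_script(content, report)
    elif ext in COMMAND_EXTS:
        analyse_command(content, report)
    check_filename(filename, report)
    return report


# Constructed sample inputs (not real malware): a harmless script, a script that reaches for
# the file system and Outlook, a batch file with a format command, and a document whose
# embedded object label does not match its real extension (the JanyCute case from the quote).
BENIGN_SCRIPT = 'MsgBox "Today is " & Date\n'
SUSPICIOUS_SCRIPT = (
    'Set fso = CreateObject("Scripting.FileSystemObject")\n'
    'Set ol = CreateObject("Outlook.Application")\n'
)
BATCH = "@echo off\nformat c: /q\n"

if __name__ == "__main__":
    for name, kwargs in [
        ("greeting.vbs", {"content": BENIGN_SCRIPT}),
        ("invoice.txt.vbs", {"content": SUSPICIOUS_SCRIPT}),
        ("cleanup.bat", {"content": BATCH}),
        ("JanyCute.doc", {"embedded": [("JanyCute.doc", "janycute.exe")]}),
    ]:
        rep = scan(name, **kwargs)
        print(f"{name}: risk={rep.risk()}", *rep.alarms, sep="\n  ")
```

The point the quote makes, and the toy reproduces, is that no single test decides: alarms from the script engine and the filename test are added together, so a file with a misleading double extension that also touches Outlook rates higher than either finding alone. A real product would of course parse OLE containers and script syntax rather than match tokens.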
I think RegRun does something similar to WormGuard - at least it pops up with similar files such as .reg.
You're correct about that.
thank you richrf
thank you Infinity
You're welcome. Glad I was able to help.
Web page scripting can be dealt with via browser settings and can be filtered by a number of firewalls or a specialised web filter like Proxomitron (free and powerful, but complex). Windows scripting can be restricted using the likes of Script Sentry (also free for personal use) and is covered by some anti-virus software also (see the Multiple Firewall Products Bypass Vulnerability thread for other methods of dealing with scripting).
IMHO, WormGuard is likely to be of real value only if you do not have these options covered by other software or you consider yourself at increased risk from script-borne malware (e.g. you receive a lot of Microsoft Word/Excel documents with embedded macros).
Firefox does not allow scripting to be set on a per-site basis (though an extension may help here, I've not researched this though so can't offer any further info) and Opera/IE seem to be the same - global settings only.
A separate filter would be a better option therefore for per-site control - Privoxy and Proxomitron are the ones I've used (though I use Privoxy mainly to Socksify traffic for use with Tor). WebWasher Classic (donationware) is another option that is simpler to use (no text files to edit or filtering language to learn). They do allow greater control over website behaviour (especially Proxomitron) including the removal of non-malicious annoyances (e.g. ads, frames, off-site graphics, blinking text, sound/music or garish backgrounds).
If you are happy to apply the same settings across a range of sites then the zones facility can be used - but they aren't much good for differing "per site" settings. There have also been security vulnerabilities allowing malicious websites to bypass the zones settings.
Thanks for the additional info guys. An area that Firefox can probably improve upon.
Any "zonal" kind of system can be bypassed. Even Firefox's XPI allow list which is technically a kind of trusted zone was breached once.
That is why it's best not to rely on such systems as much as possible. Any 'trusted zone' that allows any website to manhandle your computer is just asking for trouble.
That said, a zonal system exists for Firefox but it's extremely well hidden and isn't centralised. It's called "Security policies".
No UI exists for this, there's an extension for it.