Is WormGuard needed if Im running SSM?

Just wanted peoples thoughts - do I need WG if I have the full version of SSM?

Which other apps may add valuable security to SSM?

I already run F-Secure AV, AVG Anti Spyware and Spycop.

Cheers,

ChrisP

 

Hi ChrisP

I'm by no means an expert here, but I'd say no WG is not necessary. I did run SSM's full version & ended up uninstalling & going with Prevx. Also SSM should be installed on a squeaky clean machine, as it won't remove existing malware. Therefore given your machine is sparkling clean when SSM was installed, the others are mainly, just in case. I would run with SSM the following AV, FW, AS, & AT. SSM can pester you so much, you might allow something, then your other residents could pick up on what accidental allowed.

Take Care
Rico

 

As far as I'm aware, SSM is not a script blocker while wormguard is.

SSM is more concerned with intercepting the running of executables rather than scripts; where the purpose of the script is to download and run an executable then SSM could prevent this, but I do not discount the possibility that a script can make undesirable changes to your system, or cause other damage, if allowed to run. So yes, WG does provide additional cover.

The thing to remember is that WG only protects against scripts actually on your HD, it has no effect on scripts encountered through your browser, so its main benefit would be in opening email attatchments that may contain a malicious script.

 

Hi Topper,

Well! I did mention I was not an expert. Thanks for the save.

Take Care
Rico

 

SSM will not block execution of a script file?

 

How could it? A script file is not an executable file.

I don't run WG or ScriptSentry etc because, as I say, they are only blocking scripts that are already downloaded to your system and if you are careful about email etc a script blocker is not essential in my opinion. However they could be useful for some users.

 

Ok. What if u disable windows scripting host?

 

This has no effect on the Browser interpreting a script. It would only block a script from being directly run from the HD, such as double-clicking on it - essentially the same scenario that TopperID describes.

regards,

-rich

________________________________________________________________
"Talking About Security Can Lead To Anxiety, Panic, And Dread...
Or Cool Assessments, Common Sense And Practical Planning..."

--Bruce Schneier​

 

Thanks. I have disabled scripting host on my system since long. JS disabled in Opera and FF as well( although I think I can really keep it ON as I use GeSWall). All this should be more than enough.

 

Both scripts and executables "execute" (carry out) instructions. So, technically, there is no difference.

For convenience, a distinction is made between a script (text strings) and compiled code (executables).

SSM looks for compiled code (executables)

WormGuard analyzes text strings in a script.

See this site for some more explanation:

Scripting vs. programming: is there a difference?
http://www.killersites.com/blog/2005/scripting-vs-programming-is-there-a-difference/


regards,

-rich

 

Here is the alert from SSM free.

 

OK, some confusion here.

I thought you were referring to TopperID's comment about blocking web scripts from carrying out commands, such as downloading something.

In your example, you attempt to run a .vbs file from your HD. The .vbs extension tells Windows to start WScript.exe.

SSM is not interested in the text strings of the script, just the program attempting to run it.

This is fine, just remember that dealing with web-based scripts requires a different solution. WScript.exe is not involved at all in web scenarios. Just look in your browser cache and see how many .js and other script files have been allowed to cache and run (assuming you don't block with the browser)

regards,

-rich

________________________________________________________________
"Talking About Security Can Lead To Anxiety, Panic, And Dread...
Or Cool Assessments, Common Sense And Practical Planning..."

--Bruce Schneier​

 

If you disable WSH you can prevent .vbs scripts running on your HD which will counter some worms; but what about scripts with other extensions? Disabling WHS will not stop all worm types.

In the example you give re: SSM, SSM is intercepting the running of WScript.exe because it does not have permission to run as a child of Explorer.exe. SSM is not intervening because a .vbs script is seeking to run. If the script had another extension and was being run by a program that did have permission, SSM would allow it.

 

Thanks Rmus and TopperID!

In that case also it will not run as no application in SSM rules is allowed to run WScript.exe. In SSM rules child-parent relation is very protective.
I am not familiar with srcipt with other extensions.

So turning off browser JS is enough in this regard or not?

 

For javascript -- I assume yes, until someone finds a way to bypass it!


regards,

-rich

________________________________________________________________
"Talking About Security Can Lead To Anxiety, Panic, And Dread...
Or Cool Assessments, Common Sense And Practical Planning..."

--Bruce Schneier​

 

So there are other browser scripts as well?

 

Two that come to mind are ActiveX and VBS - both of which are Microsoft-proprietary and are not interpreted by browsers other than IE.

regards,

-rich

________________________________________________________________
"Talking About Security Can Lead To Anxiety, Panic, And Dread...
Or Cool Assessments, Common Sense And Practical Planning..."

--Bruce Schneier​

 

Thanks Rmus!

 

You are welcome.

There is a lot of good information about scripts on the internet, if you want to find out more!

regards,

-rich

 

Thanks, I am too lazy for that. But will see if I needed more.