Is WormGuard needed if I'm running SSM?

Discussion in 'other anti-malware software' started by ChrisP, May 21, 2007.

Thread Status:
Not open for further replies.
  1. ChrisP

    ChrisP Suspended Member

    Joined:
    Jun 6, 2003
    Posts:
    447
    Location:
    UK
    Just wanted people's thoughts - do I need WG if I have the full version of SSM?

    Which other apps may add valuable security to SSM?

    I already run F-Secure AV, AVG Anti Spyware and Spycop.

    Cheers,

    ChrisP
     
  2. Rico

    Rico Registered Member

    Joined:
    Aug 19, 2004
    Posts:
    1,704
    Location:
    Texas
    Hi ChrisP

    I'm by no means an expert here, but I'd say no, WG is not necessary. I did run SSM's full version & ended up uninstalling & going with Prevx. Also, SSM should be installed on a squeaky-clean machine, as it won't remove existing malware. Therefore, given your machine is sparkling clean when SSM was installed, the others are mainly just in case. I would run with SSM the following: AV, FW, AS, & AT. SSM can pester you so much that you might allow something; then your other residents could pick up on what you accidentally allowed.

    Take Care
    Rico
     
  3. TopperID

    TopperID Registered Member

    Joined:
    Oct 1, 2004
    Posts:
    1,527
    Location:
    London
    As far as I'm aware, SSM is not a script blocker while WormGuard is.

    SSM is more concerned with intercepting the running of executables rather than scripts; where the purpose of the script is to download and run an executable then SSM could prevent this, but I do not discount the possibility that a script can make undesirable changes to your system, or cause other damage, if allowed to run. So yes, WG does provide additional cover.

    The thing to remember is that WG only protects against scripts actually on your HD, it has no effect on scripts encountered through your browser, so its main benefit would be in opening email attachments that may contain a malicious script.
     
  4. Rico

    Rico Registered Member

    Joined:
    Aug 19, 2004
    Posts:
    1,704
    Location:
    Texas
    Hi Topper,

    Well! I did mention I was not an expert. Thanks for the save.

    Take Care
    Rico
     
  5. aigle

    aigle Registered Member

    Joined:
    Dec 14, 2005
    Posts:
    11,047
    Location:
    Saudi Arabia/ Pakistan
    SSM will not block execution of a script file?
     
  6. TopperID

    TopperID Registered Member

    Joined:
    Oct 1, 2004
    Posts:
    1,527
    Location:
    London
    How could it? A script file is not an executable file.

    I don't run WG or ScriptSentry etc because, as I say, they are only blocking scripts that are already downloaded to your system and if you are careful about email etc a script blocker is not essential in my opinion. However they could be useful for some users.
     
  7. aigle

    aigle Registered Member

    Joined:
    Dec 14, 2005
    Posts:
    11,047
    Location:
    Saudi Arabia/ Pakistan
    Ok. What if you disable Windows Scripting Host?
     
  8. Rmus

    Rmus Exploit Analyst

    Joined:
    Mar 16, 2005
    Posts:
    3,943
    Location:
    California
    This has no effect on the Browser interpreting a script. It would only block a script from being directly run from the HD, such as double-clicking on it - essentially the same scenario that TopperID describes.

    regards,

    -rich

    ________________________________________________________________
    "Talking About Security Can Lead To Anxiety, Panic, And Dread...
    Or Cool Assessments, Common Sense And Practical Planning..."
    --Bruce Schneier
     
  9. aigle

    aigle Registered Member

    Joined:
    Dec 14, 2005
    Posts:
    11,047
    Location:
    Saudi Arabia/ Pakistan
    Thanks. I have had scripting host disabled on my system for a long time. JS is disabled in Opera and FF as well (although I think I can really keep it ON as I use GeSWall). All this should be more than enough.
     
  10. Rmus

    Rmus Exploit Analyst

    Joined:
    Mar 16, 2005
    Posts:
    3,943
    Location:
    California
    Both scripts and executables "execute" (carry out) instructions. So, technically, there is no difference.

    For convenience, a distinction is made between a script (text strings) and compiled code (executables).

    SSM looks for compiled code (executables).

    WormGuard analyzes text strings in a script.

    See this site for some more explanation:

    Scripting vs. programming: is there a difference?
    http://www.killersites.com/blog/2005/scripting-vs-programming-is-there-a-difference/


    regards,

    -rich
     
  11. aigle

    aigle Registered Member

    Joined:
    Dec 14, 2005
    Posts:
    11,047
    Location:
    Saudi Arabia/ Pakistan
    Here is the alert from SSM free.
     


  12. Rmus

    Rmus Exploit Analyst

    Joined:
    Mar 16, 2005
    Posts:
    3,943
    Location:
    California
    OK, some confusion here.

    I thought you were referring to TopperID's comment about blocking web scripts from carrying out commands, such as downloading something.

    In your example, you attempt to run a .vbs file from your HD. The .vbs extension tells Windows to start WScript.exe.

    SSM is not interested in the text strings of the script, just the program attempting to run it.

    This is fine, just remember that dealing with web-based scripts requires a different solution. WScript.exe is not involved at all in web scenarios. Just look in your browser cache and see how many .js and other script files have been allowed to cache and run (assuming you don't block with the browser).

    regards,

    -rich

     
  13. TopperID

    TopperID Registered Member

    Joined:
    Oct 1, 2004
    Posts:
    1,527
    Location:
    London
    If you disable WSH you can prevent .vbs scripts running on your HD which will counter some worms; but what about scripts with other extensions? Disabling WSH will not stop all worm types.

    In the example you give re: SSM, SSM is intercepting the running of WScript.exe because it does not have permission to run as a child of Explorer.exe. SSM is not intervening because a .vbs script is seeking to run. If the script had another extension and was being run by a program that did have permission, SSM would allow it.
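
The point made in the post above, that the decision is keyed on which program is being started and by whom rather than on the script file, shown as an added example that is not part of any post and is not SSM's own code or rule format. The rule set, the launch events and all function names are constructed for illustration.

```python
# Added illustration: a minimal model of parent/child execution rules.
# This is NOT SSM's rule format or engine; names and rules are constructed.
from dataclasses import dataclass

# Windows programs that interpret script files (general knowledge, not from SSM).
SCRIPT_HOSTS = {"wscript.exe", "cscript.exe", "cmd.exe", "mshta.exe"}

@dataclass(frozen=True)
class Launch:
    parent: str   # image name of the process requesting the launch
    child: str    # image name of the executable being started
    target: str   # file handed to the child (e.g. the script); never inspected

def decide(rules, ev):
    """Allow only if the (parent, child) pair is whitelisted.
    ev.target is deliberately ignored: the script's name and text play no part."""
    return "allow" if (ev.parent.lower(), ev.child.lower()) in rules else "block"

def script_host_exposure(rules):
    """Audit helper: list rules that let some parent start a script interpreter."""
    return sorted(pair for pair in rules if pair[1] in SCRIPT_HOSTS)

# Constructed rule set: nothing may start wscript.exe; Explorer may start cmd.exe.
RULES = {("explorer.exe", "cmd.exe"), ("explorer.exe", "notepad.exe")}

# Constructed launch events.
EVENTS = [
    Launch("explorer.exe", "WScript.exe", "test.vbs"),   # double-clicked .vbs
    Launch("explorer.exe", "WScript.exe", "notes.js"),   # different script, same host
    Launch("explorer.exe", "cmd.exe", "setup.bat"),      # other extension, permitted host
    Launch("explorer.exe", "notepad.exe", "test.vbs"),   # same file opened as text
]

def run_demo():
    return [(ev.child, ev.target, decide(RULES, ev)) for ev in EVENTS]

if __name__ == "__main__":
    for child, target, verdict in run_demo():
        print(f"{verdict:5}  {child} <- {target}")
    print("rules exposing a script host:", script_host_exposure(RULES))
```

The audit helper is the practical takeaway: reviewing which allow rules have a script interpreter as the child shows where a script can still run without its content ever being examined.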
     
  14. aigle

    aigle Registered Member

    Joined:
    Dec 14, 2005
    Posts:
    11,047
    Location:
    Saudi Arabia/ Pakistan
    Thanks Rmus and TopperID!

    In that case also it will not run, as no application in SSM rules is allowed to run WScript.exe. In SSM rules the child-parent relation is very protective.
    I am not familiar with scripts with other extensions.
    So is turning off browser JS enough in this regard or not?
     
  15. Rmus

    Rmus Exploit Analyst

    Joined:
    Mar 16, 2005
    Posts:
    3,943
    Location:
    California
    For javascript -- I assume yes, until someone finds a way to bypass it!


    regards,

    -rich

     
  16. aigle

    aigle Registered Member

    Joined:
    Dec 14, 2005
    Posts:
    11,047
    Location:
    Saudi Arabia/ Pakistan
    So there are other browser scripts as well?
     
  17. Rmus

    Rmus Exploit Analyst

    Joined:
    Mar 16, 2005
    Posts:
    3,943
    Location:
    California
    Two that come to mind are ActiveX and VBS - both of which are Microsoft-proprietary and are not interpreted by browsers other than IE.

    regards,

    -rich

     
  18. aigle

    aigle Registered Member

    Joined:
    Dec 14, 2005
    Posts:
    11,047
    Location:
    Saudi Arabia/ Pakistan
    Thanks Rmus!
     
  19. Rmus

    Rmus Exploit Analyst

    Joined:
    Mar 16, 2005
    Posts:
    3,943
    Location:
    California
    You are welcome.

    There is a lot of good information about scripts on the internet, if you want to find out more!

    regards,

    -rich
     
  20. aigle

    aigle Registered Member

    Joined:
    Dec 14, 2005
    Posts:
    11,047
    Location:
    Saudi Arabia/ Pakistan
    Thanks, I am too lazy for that. :D But will see if I need more.
     