PG-n-Eicar.com

Discussion in 'ProcessGuard' started by redwolfe_98, May 13, 2006.

Thread Status:
Not open for further replies.
  1. redwolfe_98 (Registered Member; joined Feb 14, 2002; 581 posts; South Carolina, USA)
    I was testing one of my programs with the eicar.com test file and found that, unlike with many other files, PG does not "block" eicar.com from running when it is double-clicked, where you would expect a PG alert to ask you if you want to allow "eicar.com" to run.
     
  2. WSFuser (Registered Member; joined Oct 7, 2004; 10,632 posts)
    AFAIK, PG only prompts for executables (.exe), whereas eicar has a .com extension. Maybe WormGuard would stop it though (if your AV doesn't do so first).
     
  3. Paranoid2000 (Registered Member; joined May 2, 2004; 2,839 posts; North West, United Kingdom)
    This is incorrect - .com files are executables and can be used to malicious effect (format.com, anyone?). I can confirm that PG is not prompting on these and I would consider this a serious loophole. Thanks for pointing this out, Redwolfe_98!
     
  4. Paranoid2000 (Registered Member; joined May 2, 2004; 2,839 posts; North West, United Kingdom)
    Well after further testing, it appears that PG prompts on many, but not all, .com files. Testing was done by running each .com file present in the WINNT\System32 folder (on a Windows 2000 system) with the /? parameter (which should just list available options, if applicable, for the command) after checking that it was not previously listed in PG's Security List. Here are my results:

    chcp.com        Prompt Issued
    command.com     No Prompt
    DISKCOMP.COM    Prompt Issued
    DISKCOPY.COM    Prompt Issued
    edit.com        No Prompt
    FORMAT.COM      Prompt Issued
    graftabl.com    Prompt Issued
    graphics.com    No Prompt
    kb16.com        No Prompt
    loadfix.com     No Prompt
    mode.com        Prompt Issued
    more.com        Prompt Issued
    tree.com        Prompt Issued
    win.com         Prompt Issued

    From the \WINNT\ServicePackFiles\i386 folder:
    ntdetect.com    No Prompt

    Command.com is the biggest potential problem since it can be used to run other programs; however, PG does prompt for these if they are not present in its Security List.
     
  5. WSFuser (Registered Member; joined Oct 7, 2004; 10,632 posts)
    Thanks for the correction, P2K.

    But your test results are puzzling; maybe someone from DiamondCS can answer why PG only prompts on certain .com files?
     
  6. nick s (Registered Member; joined Nov 20, 2002; 1,430 posts)
    Nice find redwolfe_98. I see that AppDefend does prompt when executing eicar.com and logs the following:

    20:13:14 13 May 2006 | AppDefend | Allowed process execution of ntvdm.exe | c:\windows\system32\ntvdm.exe | "c:\windows\system32\ntvdm.exe" -f -i1 |
    20:13:22 13 May 2006 | AppDefend | Allowed physical memory access performed by ntvdm.exe | c:\windows\system32\ntvdm.exe | "c:\windows\system32\ntvdm.exe" -f -i1 |
    20:13:26 13 May 2006 | AppDefend | Allowed self termination of ntvdm.exe | c:\windows\system32\ntvdm.exe | "c:\windows\system32\ntvdm.exe" -f -i1 |

    System Safety Monitor does not prompt because ntvdm.exe is allowed to execute via one of its default rules. After deleting the ntvdm rule, SSM alerts to the following:

    The call to API function "CreateProcess" was successfully intercepted.
    Command-line parameters were ""C:\WINDOWS\system32\ntvdm.exe" -f -i9".

    Nick
     
    Last edited: May 13, 2006
  7. Paranoid2000 (Registered Member; joined May 2, 2004; 2,839 posts; North West, United Kingdom)
    I see this also with SSM (and PG, which notes ntvdm being allowed to run). The downside is that this does not work on a command-by-command basis - once you allow ntvdm (even only once), multiple commands using it can then go through without further checks.
     
  8. redwolfe_98 (Registered Member; joined Feb 14, 2002; 581 posts; South Carolina, USA)
    I was wrong. PG 3.15 does throw up an alert when I run "eicar.com", asking if I want to allow "ntvdm.exe" to run.

    To make a long story short, I downloaded a fresh copy of eicar.com, disabled all of the protection on my PC and ran it. Then I enabled PG's protection and ran it again, and PG threw up the alert (asking if I wanted to allow "ntvdm.exe" to run).

    I don't know what the problem was before. I noticed that the eicar.com file did not seem to be running properly, which is why I downloaded a fresh copy to test again.

    Between all of the programs that I have on my PC (my AV, "a-squared", and Ewido, all of which flag the eicar.com test file), there is no telling.

    I think I need to test again. :)

    Update: I tested again and PG does flag the eicar.com test file when I try to run it, popping up an alert asking me if I want to allow ntvdm.exe to run.
     
    Last edited: May 14, 2006
  9. Paranoid2000 (Registered Member; joined May 2, 2004; 2,839 posts; North West, United Kingdom)
    You'll receive a prompt for the first occurrence only, not for any subsequent occurrences while ntvdm is still loaded (try running commands in a DOS box, then closing it - or closing ntvdm in Task Manager to retrigger a PG prompt).

    Basically, eicar.com (and the other examples listed above) are 16-bit applications that are handled via Windows' Virtual DOS Machine - PG only detects the VDM itself being started and needs to be able to intercept applications that it runs also.
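The table in post 4 and the explanation in post 9 point to a check a defender can run on any .com file: read its header to see whether it is a native PE image, which a process monitor sees launched as its own process, or a 16-bit DOS image that NT hands to ntvdm.exe, so that the monitor only ever sees the VDM start. This is an added example written for this page, not code from the thread or from DiamondCS; the byte strings are constructed samples, and nothing here claims which of the system files listed above falls into which class.

```python
import struct

# Constructed sample images (not files from the thread):
RAW_COM_SAMPLE = b"\xb4\x4c\xcd\x21"   # 16-bit "mov ah,4Ch; int 21h": a DOS program that just exits
MZ_DOS_SAMPLE = b"MZ" + bytes(0x3E)    # MZ header whose e_lfanew does not point at a PE signature

def build_min_pe(machine=0x14C):
    """Construct a minimal MZ stub whose e_lfanew (offset 0x3C) points at a PE signature."""
    stub = bytearray(0x40)
    stub[0:2] = b"MZ"
    struct.pack_into("<I", stub, 0x3C, 0x40)            # e_lfanew -> "PE\0\0" right after the stub
    return bytes(stub) + b"PE\0\0" + struct.pack("<H", machine)

MACHINES = {0x14C: "i386", 0x8664: "x64"}
NTVDM = r"C:\WINDOWS\system32\ntvdm.exe"              # the image named in the AppDefend/SSM log lines

def classify_image(data):
    """Classify by header, as the loader does; the .com extension alone decides nothing.
    Returns 'pe:<machine>' (native Win32/x64 image), 'mz-dos' (16-bit MZ executable)
    or 'raw-com' (flat 16-bit image that the VDM loads at offset 0x100)."""
    if data[:2] == b"MZ":
        if len(data) >= 0x40:
            (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)
            if len(data) >= e_lfanew + 6 and data[e_lfanew:e_lfanew + 4] == b"PE\0\0":
                (machine,) = struct.unpack_from("<H", data, e_lfanew + 4)
                return "pe:" + MACHINES.get(machine, hex(machine))
        return "mz-dos"
    return "raw-com"

def created_process(path, data):
    """Image path a CreateProcess-level monitor (PG, SSM, AppDefend) sees when `path` is run.
    A native PE becomes its own process; a 16-bit image runs inside ntvdm.exe, so the monitor
    can only prompt for the VDM, and only while no instance of it is already loaded (post 9).
    64-bit Windows has no NTVDM, so 16-bit images do not run there at all."""
    return path if classify_image(data).startswith("pe:") else NTVDM

if __name__ == "__main__":
    samples = [("raw.com", RAW_COM_SAMPLE), ("pe.com", build_min_pe()), ("mzdos.com", MZ_DOS_SAMPLE)]
    for name, data in samples:
        print(f"{name:10} {classify_image(data):8} -> monitor sees {created_process(name, data)}")
```

Run against real files, the same check tells you in advance which .com files a CreateProcess-level monitor can attribute correctly and which will only ever show up as ntvdm.exe.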