Questions about wormguard

Discussion in 'WormGuard' started by Vikorr, May 25, 2005.

Thread Status:
Not open for further replies.
  1. Vikorr

    Vikorr Registered Member

    Joined:
    May 1, 2005
    Posts:
    662
    hello, I'm trying to determine if Wormguard would benefit my security setup, which is currently an AT+AV, PrevX Pro, Process Guard, and RegDefend.

    I have a few questions - any answers would be most appreciated :)

    1. I understand WormGuard uses heuristics...what is the nature of its heuristics check?

    2. Does it protect from scripts executed in the following :
    Applications downloaded/run from the net
    Applications downloaded/run via IM?
    Web browser scripts

    3. when it says worms, does it also protect from trojans in the same way ?

    thanks for any help in advance
     
  2. richrf

    richrf Registered Member

    Joined:
    Dec 11, 2003
    Posts:
    1,907
    Hi Vikorr,

    I pulled the following from WormGuard's help file. I think you will find it helpful. My understanding is that WormGuard will prevent any script from executing, whatever the source, if malicious behavior is detected. Hopefully, others will clarify.

    Rich

    _________________________________________________________________
    Image 3: WormGuard Primary Testing Sequence
    The Primary Testing Sequence is initialised by the WormGuard executive, and the first test that is applied is carried out by the Macro Detection\Interpretation engine (MD\I). This engine will detect the presence of macros, and pass the testing to an appropriate internal subsystem for independent testing when it determines what kind of macro the file contains. There are four internal subsystems to do this - each macro class has its own format (Word, Excel, Access, Powerpoint).

    After MD\I processing, if the file is determined to be of Document nature (such as from Wordpad, Microsoft Word, etc) the WG Executive will initiate a further test to read the embedded files in the document - letting the user know exactly how many embedded objects there are, what their names are, and what their original filenames were. WordPad worms exist which don't use macros to propagate - they drop executable files when their embedded object is activated. As an example, the JanyCute worm arrives in the format of a Wordpad .doc file. The user can open this file - it is not hostile. However, it contains an embedded object. The label of the embedded object is "JanyCute.doc", but the file is actually janycute.exe - WormGuard will also alert you to any extension changes inside embedded objects inside document files.

    The next test - does the file contain any scripts? (Such as VBS files, VBScript, JS files, Javascript, WSH, HTA, and so on)
    If it does, the WG Executive will call the Advanced Script Analysis Engine (ASAE). This engine is able to analyse what the script inside the file is capable of doing. If it determines that it is capable of doing anything that is suspicious or potentially hostile, you will be alerted. It is virtually impossible to get VBS/JS/HTA/WSH worms past this engine, and worms like I-Love-You/LoveBug will usually generate more than 15 unique alarms in WormGuard.

    If the file is determined to be of command/batch file inheritance, such as .BAT, .COM, .PIF or .CMD, the Command-File Interpretation (CFI) engine will analyse the file. This engine will analyse the file to determine if it is capable of performing any potentially hostile DOS commands. It is also a very solid engine against the four Command/Batch file types.
    The filename itself will then be examined to guard against several severe file-system vulnerabilities that exist in all versions of Microsoft Windows 95, 98, NT and 2000. This test makes these vulnerabilities obsolete.

    The final test, performed by the Advanced Deep-Search Interpretation (ADSI) engine, will only be performed if Deep-Search is enabled. This search engine is capable of detecting most keyloggers, password-stealers, references to known worm authors, and identifying IRC-propagating worms as being "capable" or "almost definite", as well as programs carrying internal IRC scripts.
    During the tests, an alarm report is continually being developed in memory by WormGuard. If at the end of the tests the alarm report is empty (e.g. no alarms were triggered), then the file will be allowed to process normally by the operating system, allowing it to execute. If there is an alarm report, it will be displayed, and the user will then have the option of re-deciding if executing the file is a wise idea or not. WormGuard will also provide the user with a Risk Assessment.
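    The multi-stage "alarm report" idea from the help text above, as an added illustration that is not WormGuard's code: each test appends to a shared report, and a risk level is derived from the report at the end. The marker lists and the sample files are constructed assumptions; only the JanyCute label/extension mismatch comes from the quoted text.

```python
"""Toy alarm-report pipeline modelled on the help text; heuristics are assumed, not WormGuard's."""
import os
import re
from dataclasses import dataclass, field

# Capabilities a script would need to spread or persist (assumed markers, not a real rule set).
SCRIPT_MARKERS = {
    r"Scripting\.FileSystemObject": "file system access",
    r"WScript\.Shell": "shell access",
    r"Outlook\.Application": "mail automation",
    r"\.RegWrite\b": "registry write",
    r"\.CopyFile\b": "self-copy capability",
}
# Destructive DOS commands a batch/command file might carry (assumed markers).
BATCH_MARKERS = {
    r"\bdel\s+/[sq]": "recursive or quiet delete",
    r"\bformat\s+[a-z]:": "disk format",
    r"\bdeltree\b": "directory tree delete",
}
SCRIPT_EXTS = {".vbs", ".js", ".wsh", ".hta", ".vbe", ".jse"}
BATCH_EXTS = {".bat", ".cmd", ".com", ".pif"}

@dataclass
class Sample:
    """A file under test: its name, its text, and (label, real filename) pairs for embedded objects."""
    name: str
    content: str = ""
    embedded: list = field(default_factory=list)

def analyse(sample):
    """Run the tests in sequence and return the accumulated alarm report."""
    alarms = []
    base, ext = os.path.splitext(sample.name.lower())
    # Embedded-object test: the displayed label's extension differs from the real file's extension.
    for label, real in sample.embedded:
        if os.path.splitext(label)[1].lower() != os.path.splitext(real)[1].lower():
            alarms.append(f"embedded object '{label}' is really '{real}'")
    # Filename test (assumed stand-in): a decoy extension sits in front of an executable one.
    if os.path.splitext(base)[1] and ext in SCRIPT_EXTS | BATCH_EXTS:
        alarms.append(f"double extension hides executable type {ext}")
    # Script or command-file capability test, chosen by the real extension.
    markers = SCRIPT_MARKERS if ext in SCRIPT_EXTS else BATCH_MARKERS if ext in BATCH_EXTS else {}
    for pattern, meaning in markers.items():
        if re.search(pattern, sample.content, re.IGNORECASE):
            alarms.append(f"{ext} file capable of {meaning}")
    return alarms

def risk(alarms):
    """Risk assessment derived from the size of the alarm report."""
    return "none" if not alarms else "low" if len(alarms) < 3 else "high"
```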
     
  3. Vikorr

    Vikorr Registered Member

    Joined:
    May 1, 2005
    Posts:
    662
    thanks for the info Rich, that's hugely helpful, although it doesn't seem to say if it does analyse scripts that come through the web browser

    Hmmm...Just thought...seeing I shut down PG and PrevX to install things, this would be very handy.

    There was one thing I forgot to ask: is WormGuard having problems with Windows XP compatibility? <I notice XP is left off the list in that helpfile>
     
  4. richrf

    richrf Registered Member

    Joined:
    Dec 11, 2003
    Posts:
    1,907
    Hi Vikorr,

    I have been running WormGuard on XP for quite some time without any issues. It is a very quiet program that pops up now and then to warn me that a script is about to be executed. Very reassuring.

    Rich
     
  5. Vikorr

    Vikorr Registered Member

    Joined:
    May 1, 2005
    Posts:
    662
    thanks again Rich
     
  6. snowbound

    snowbound Retired Moderator

    Joined:
    Feb 18, 2003
    Posts:
    8,723
    Location:
    The Big Smoke
    For a few of us, yes. ;)

    But there are work arounds. :)


    snowbound
     