What kind of worms is wormguard made for?

Discussion in 'WormGuard' started by Sandish, May 18, 2004.

Thread Status:
Not open for further replies.
  1. Sandish

    Sandish Registered Member

    Joined:
    Apr 29, 2004
    Posts:
    51
    I'm not sure about this: is Wormguard made to protect against email, P2P and IRC worms, or just any worm? For example, was Wormguard able to stop msblast and sasser? I really don't want to do a self-test ;)
     
  2. Gavin - DiamondCS

    Gavin - DiamondCS Former DCS Moderator

    Joined:
    Feb 10, 2002
    Posts:
    2,080
    Location:
    Perth, Western Australia
    Wormguard blocks execution of as much as it can. When first released, VBS and script-based worms were the most popular, and Wormguard has an extremely high rate of detection on these worms, even though they are less popular now. They were also mostly email worms, not pure Win32 worms which connect to a vulnerable port/service.

    Many of today's worms can still be stopped; however, we are adding executable packer decompression for the new Wormguard, as these change an EXE file's visible contents, hiding the actual code from the scanner.

    As for Win32 worms (network-aware worms), we might make Wormguard check your installed patches and browser settings to help limit the effect of those worms. The best way to avoid those is to stay patched and use a firewall, but there will still be a place for Wormguard to help limit dangers from things you execute.
     
  3. Sandish

    Sandish Registered Member

    Joined:
    Apr 29, 2004
    Posts:
    51
    Thank you for the reply. I have to bother you once more: if I got it right, Wormguard takes a file, extracts the strings and checks them for suspicious words, like "pingflood", "bot", "HELO", "RCPT TO" for example, and decides if it blocks the execution. But is there also something that analyses the "behaviour" of a file? For example, if an .exe wants to read the address book of Outlook or something, even without having typical strings in the file, would it cause an alert?
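
Added example, not part of the thread and not DiamondCS code: a Python version of the string-keyword check described in post 3, run against the packer problem raised in post 2. The keyword list is the one quoted in the thread; the `PACK` + zlib container, the function names and the sample bytes are assumptions constructed for illustration.

```python
import re
import zlib

# Keywords are the examples quoted in the thread; WormGuard's real list is not shown.
SUSPICIOUS = (b"pingflood", b"bot", b"HELO", b"RCPT TO")


def extract_strings(data: bytes, min_len: int = 4) -> list[bytes]:
    """Return runs of printable ASCII at least min_len long (like `strings`)."""
    return re.findall(rb"[\x20-\x7e]{%d,}" % min_len, data)


def suspicious_hits(data: bytes) -> set[bytes]:
    """Keywords found, case-insensitively, inside any extracted string."""
    hits = set()
    for s in extract_strings(data):
        low = s.lower()
        hits.update(k for k in SUSPICIOUS if k.lower() in low)
    return hits


def scan(data: bytes, unpack: bool = False) -> set[bytes]:
    """Scan the visible bytes; with unpack=True also scan the unpacked body.

    Assumed toy container: magic b"PACK" followed by a zlib stream.
    """
    hits = suspicious_hits(data)
    if unpack and data.startswith(b"PACK"):
        try:
            hits |= suspicious_hits(zlib.decompress(data[4:]))
        except zlib.error:
            pass  # corrupt stream: keep what the outer scan found
    return hits


# Constructed, inert sample bytes: SMTP command text between binary padding.
PLAIN = b"\x00\x01\x02HELO mail.example\r\n" + b"RCPT TO:<a@example.com>\r\n" * 3
PACKED = b"PACK" + zlib.compress(PLAIN)
BENIGN = b"\x00\x00Hello, world\x00about box\x00"

if __name__ == "__main__":
    for name, blob in (("plain", PLAIN), ("packed", PACKED), ("benign", BENIGN)):
        print(name, sorted(scan(blob)), sorted(scan(blob, unpack=True)))
```

Because the match is a plain substring test, a short keyword such as "bot" also hits benign strings like "robot".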
     
  4. Itsme

    Itsme Registered Member

    Joined:
    Jan 31, 2004
    Posts:
    148
    If that is what you are looking for then you should also have a look at TPF5.5

    Chiao
    Itsme
     
  5. Jooske

    Jooske Registered Member

    Joined:
    Feb 12, 2002
    Posts:
    9,713
    Location:
    Netherlands, EU near the sea
    If "read address book" is supposed to be suspicious, it is detected and your permission is asked. In most cases it will be an action from a known nasty (I think this is what you mean?) and the nasty is stopped anyway.
    The other action, such as sending out through whatever SMTP server is used, would be very suspicious too and blocked from happening.
     
  6. Sandish

    Sandish Registered Member

    Joined:
    Apr 29, 2004
    Posts:
    51
    Thank you. I just checked it out and found my answers. :)
     
  7. Jooske

    Jooske Registered Member

    Joined:
    Feb 12, 2002
    Posts:
    9,713
    Location:
    Netherlands, EU near the sea
    WormGuard is an extra layer in your security, with execution protection for malware; your firewall might have email protection already, then the AV/AT and/or other specific email scanner, then WormGuard if you still insist on opening a file which came either by email or otherwise onto your system.
    I can but tell you from my own experience that it saved my computer's life various times!
    And I like the warnings: when I want to open doc and xls files from a reliable source, it still warns me about macros and other suspicious parts in them.
    The tools all work very nicely together for our security!
     