Why to add .mde extension to WG block list

Discussion in 'WormGuard' started by UNICRON, Aug 7, 2003.

Thread Status:
Not open for further replies.
  1. UNICRON

    UNICRON Technical Expert

    Joined:
    Feb 14, 2002
    Posts:
    1,935
    Location:
    Nanaimo BC Canada
    WG detects MS Access .mdb with evil code in it:

    [screenshot omitted]


    Evil code is compiled into .mde file with the click of one button right in MS Access:

    [screenshot omitted]


    WG cannot detect the now hidden evil code but it is still there and opening this file will smoke your machine.

    [screenshot omitted]

    Luckily we can block the .mde file extension all together in WG, so when we execute the file we get this:

    [screenshot omitted]


    So please do this if you haven't already.

    Have a nice day!

    PS: This is not WG's fault. WG detects source code, and this .mde no longer has any. Your other security tools won't detect much from a .mde file either, but I wish they did :(
     
  2. DolfTraanberg

    DolfTraanberg Registered Member

    Joined:
    Nov 20, 2002
    Posts:
    676
    Location:
    Amsterdam
    Thanks for the warning UNICRON.
    Unfortunately compiling an Access database makes it run much faster, so now you have to choose between two bad situations.
    Dolf
     
  3. UNICRON

    UNICRON Technical Expert

    Joined:
    Feb 14, 2002
    Posts:
    1,935
    Location:
    Nanaimo BC Canada
    TDS and NOD32 don't have much to say either:

    [screenshot omitted]

    [screenshot omitted]
     
  4. UNICRON

    UNICRON Technical Expert

    Joined:
    Feb 14, 2002
    Posts:
    1,935
    Location:
    Nanaimo BC Canada
    Very true Dolf, I use .mde files all the time because I am a database developer and use Access for the small stuff (mainly because most offices insist).

    I am thinking mostly for those who have no need for the file extension. No system file uses it so it is safe to block.
     
  5. UNICRON

    UNICRON Technical Expert

    Joined:
    Feb 14, 2002
    Posts:
    1,935
    Location:
    Nanaimo BC Canada
    There are a couple of ways to open an Access .mde without the code running right away, but all of those techniques can be disabled:

    [screenshot omitted]
     
  6. Pilli

    Pilli Registered Member

    Joined:
    Feb 13, 2002
    Posts:
    6,217
    Location:
    Hampshire UK
    Thanks Allan, Very useful tip :)
     
  7. Wayne - DiamondCS

    Wayne - DiamondCS Security Expert

    Joined:
    Jul 19, 2002
    Posts:
    1,533
    Location:
    Perth, Oz
    Yep, useful tip Allan, I'd be surprised if _any_ scanners actually detected that file though, you might want to give it a go with KAV
     
  8. UNICRON

    UNICRON Technical Expert

    Joined:
    Feb 14, 2002
    Posts:
    1,935
    Location:
    Nanaimo BC Canada
    I don't have KAV. I doubt it would, but maybe if I compiled known worm code. I'll make it tomorrow and send it to someone to test.
     
  9. Dan Perez

    Dan Perez Retired Moderator

    Joined:
    May 18, 2003
    Posts:
    1,495
    Location:
    Sunny San Diego
    Many thanks!!!

    Just updated my block-list accordingly
     
  10. FanJ

    FanJ Guest

    Hi Dolf, Allan, and Wayne,

    First of all: thanks Allan !!!

    OK, now back to Dolf's posting, just for my personal understanding:
    Is it really such a "bad situation" to add it to WG?
    Doesn't WG give you the opportunity to decide for yourself whether you want to run it or not? Or am I now making a mistake?

    Thanks, Jan.
     
  11. Dan Perez

    Dan Perez Retired Moderator

    Joined:
    May 18, 2003
    Posts:
    1,495
    Location:
    Sunny San Diego
    Hi Jan,

    Any extensions in the Blocked list will be disallowed altogether from running. Where you have a choice is when the extension is not in the blocked list but one of the analysis methods of WG detects something suspect with the file.

    So, it seems to me, the option is to add it to blocked (and hope you don't need it) or be independently sure of the safety of the mde files.

    :)
     
  12. FanJ

    FanJ Guest

    Thanks a lot Dan !!!!! ;)
     
  13. UNICRON

    UNICRON Technical Expert

    Joined:
    Feb 14, 2002
    Posts:
    1,935
    Location:
    Nanaimo BC Canada
    It is if you actually use .mde files like Dolf and I do. Once added to the block list, you can't use that extension anymore.

    Just like always: security or functionality. A truly classic case ;)
     
  14. wizardavc

    wizardavc Registered Member

    Joined:
    Jun 22, 2003
    Posts:
    31
    It just shows why Worm Guard shouldn't rely so much on blocking file extensions. I can understand maybe scrap files, but blocking not commonly used file extensions is a very bad and ineffective security method. It is Worm Guard's job to tell if a file is malicious, not to block files that could be legitimate.
     
  15. Dan Perez

    Dan Perez Retired Moderator

    Joined:
    May 18, 2003
    Posts:
    1,495
    Location:
    Sunny San Diego
    Hi wizardavc,

    I agree with your first statement, but in the sense that it is bad if it is the *only* means implemented; it can be (and IMO is) an effective supplement to the other means of analysis and detection that WormGuard currently provides. It is my understanding that WormGuard 4 will include a definition update arrangement which will help alleviate the need to resort to extension blocking, but I suspect there will continue to be occasions when extension blocking is useful.

    Regards,

    Dan
     
  16. wizardavc

    wizardavc Registered Member

    Joined:
    Jun 22, 2003
    Posts:
    31
    It isn't a practical solution or a proper supplement in most cases. Files such as .mde have a legit purpose and wouldn't have been designed if they were solely used for malicious purposes. Even less practical is file name blocking. A file can be named almost any numerical pattern, and a legitimate file has a right to be named whatever it wants to. Many trojans go around named setup.exe or install.exe; of course many legit programs use these same names. If someone wants to download a legitimate program such as TDS, they have a right to rename it "Sex Picture.exe".

    I mentioned this in the suggestions thread but thought I'd bring up the file name issue here since it is related to the file extension blocking list.
     
  17. DolfTraanberg

    DolfTraanberg Registered Member

    Joined:
    Nov 20, 2002
    Posts:
    676
    Location:
    Amsterdam
    100% agreed
     
  18. Jooske

    Jooske Registered Member

    Joined:
    Feb 12, 2002
    Posts:
    9,713
    Location:
    Netherlands, EU near the sea
    That's why WG is not dependent on file names but looks at malicious code, and that's why updates are hardly necessary. We add file names if we think it helps, and it might in the case of exploits more than worms, for example.
     
  19. UNICRON

    UNICRON Technical Expert

    Joined:
    Feb 14, 2002
    Posts:
    1,935
    Location:
    Nanaimo BC Canada
    Nobody is suggesting that file extension blocking is a first choice. As stated earlier, I am one of two people here who have mentioned that they do indeed use that extension.

    The point is, no other security measure I have found currently handles malicious .mde files, so we don't have much choice if MS Access on the machine.

    If you know of one, please let me know!
     
  20. DolfTraanberg

    DolfTraanberg Registered Member

    Joined:
    Nov 20, 2002
    Posts:
    676
    Location:
    Amsterdam
    WG-4 :rolleyes:
     
  21. wizardavc

    wizardavc Registered Member

    Joined:
    Jun 22, 2003
    Posts:
    31
    By default will WG4 have a list of file names it will block like it is in WG3?
     
  22. Wayne - DiamondCS

    Wayne - DiamondCS Security Expert

    Joined:
    Jul 19, 2002
    Posts:
    1,533
    Location:
    Perth, Oz
    Actually, it doesn't rely on that at all (you don't have to block _any_ filetypes) - it's just extra functionality that's there for you if you want it, adding an extra layer of security (i.e. even if a user disables the .mde extension in the registry, a trojan could re-enable it, but that would still fail if Wormguard is blocking that filetype). If you don't want to use it, that's fine too - the choice is entirely yours!

    Best regards,
    Wayne
     
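As a defender's check for the registry layer Wayne describes, the following PowerShell is an added example (not WormGuard's or DiamondCS's code) that reads the HKCR association chain for the file types discussed in this thread, so you can see whether an extension is currently enabled and which command Windows would run for it. It assumes a Windows host with a readable HKEY_CLASSES_ROOT; the ProgID names are read from the registry rather than assumed.

```powershell
# Added example, not part of WormGuard. Walk .ext -> ProgID -> shell\open\command
# in HKCR to report how Windows will handle a double-clicked file of that type.
function Get-ExtensionHandler {
    param([Parameter(Mandatory)][string]$Extension)

    $extKey = "Registry::HKEY_CLASSES_ROOT\$Extension"
    if (-not (Test-Path $extKey)) {
        # No association at all: Windows will not launch anything for this type.
        return [pscustomobject]@{ Extension = $Extension; ProgId = $null; Command = $null; State = 'no association' }
    }

    $progId = (Get-ItemProperty -Path $extKey).'(default)'
    if ([string]::IsNullOrEmpty($progId)) {
        return [pscustomobject]@{ Extension = $Extension; ProgId = $null; Command = $null; State = 'key present, no ProgID' }
    }

    $cmdKey  = "Registry::HKEY_CLASSES_ROOT\$progId\shell\open\command"
    $command = if (Test-Path $cmdKey) { (Get-ItemProperty -Path $cmdKey).'(default)' } else { $null }

    [pscustomobject]@{
        Extension = $Extension
        ProgId    = $progId
        Command   = $command
        State     = if ($command) { 'opens via handler' } else { 'ProgID has no open command' }
    }
}

# The Access types from this thread, plus the script type used in Jooske's test below.
'.mde', '.mdb', '.vbs' | ForEach-Object { Get-ExtensionHandler $_ } | Format-Table -AutoSize
```

Saving this output and re-running it later is a cheap way to notice an association that was disabled and has since been re-enabled, which is exactly the case an extension block list in WG is meant to cover.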
  23. wizardavc

    wizardavc Registered Member

    Joined:
    Jun 22, 2003
    Posts:
    31
    It is on by default, that's the point. Default settings are what the majority of software users use. It's a FACT that blocking the majority of file types and ALL file names is NOT an effective measure for stopping worms/trojans. If someone wants to rename the TDS install file to south park.exe, MSBlast.exe, or the like, they should have every right to without getting a warning from Worm Guard. It is Worm Guard's job to analyze a file for worm-like characteristics. ANY legitimate or illegitimate file can be named anything, and blocking by file name should not be a solution in any circumstance.
     
  24. DolfTraanberg

    DolfTraanberg Registered Member

    Joined:
    Nov 20, 2002
    Posts:
    676
    Location:
    Amsterdam
    It would almost never happen that a legitimate file will be blocked by WG because of its filename. In the rare occasion it happens, just remove the filename from that list. It's not that important.
    Dolf
     
  25. Jooske

    Jooske Registered Member

    Joined:
    Feb 12, 2002
    Posts:
    9,713
    Location:
    Netherlands, EU near the sea
    Antivirus wizard, did you understand Wayne says WG is looking for CODE instead of NAMES in the first place?
    Different from any SCANNER, which needs updates of databases, it has very different ways and means of detection.
    Relating to worms and scripts, it has nothing to do with viruses, although those might be stopped where possible.
    You were told you can name any file anything and add to the block list whatever you want or don't and it will be detected just as hard if malicious.
    See what happens if you change some of your critical windows system files or add them to the blocked list and tell your experiences after that.
    Create some testfiles on your desktop, put some code or innocent text in it and give them some extensions and double extensions, tell WG not to run them or delete them from the block list, see all that happens.
    In your notepad put a line
    Msgbox "this is a vbs script running"
    and save as test.vbs to start with, give an extra copy double extensions vbs.vbs or exe.vbs whatever you like and click on it. Put them in the block list or the left pane blocked extensions list, etc. Try them.
     