WORMGUARD BLOCKED FILETYPES

Discussion in 'WormGuard' started by maggie123, Aug 18, 2005.

Thread Status:
Not open for further replies.
  1. maggie123

    maggie123 Guest

    This is what is listed in blocked filetypes:

    .HTA
    .JSE
    .SHA
    .SHS
    .VBE

    Being new to WormGuard, what else should I add?
     
  2. Jooske

    Jooske Registered Member

    Joined:
    Feb 12, 2002
    Posts:
    9,713
    Location:
    Netherlands, EU near the sea
    Whatever you don't want to run on your system, but I do advise never to add .exe or .com there :) as you would be left with an unworkable system.
    You could add JS, SCR, WSH and VBS if you don't want those at all, but then you won't be able to run any script on your system; not sure if that is something you want.
     
  3. Tassie_Devils

    Tassie_Devils Global Moderator

    Joined:
    May 8, 2002
    Posts:
    2,514
    Location:
    State Queensland, Australia
    Yes, as Jooske says, Maggie, you can always remove a certain filetype if something needs to be run, then when finished simply put it back in. Unless you are a programmer, a lot of the extras you can add aren't going to affect the normal running of the PC. [Unless you add .exe/.com lol]

    Cheers, TAS
     
  4. Rmus

    Rmus Exploit Analyst

    Joined:
    Mar 16, 2005
    Posts:
    3,943
    Location:
    California
    As you decide what to add, consider that WG has two types of protection:

    1) Filetype blocking, and

    2) Script analysis.


    From the Help File:

    --------------------------------
    Filetype-blocking allows you to completely disallow certain filetypes from being able to run on your system. Any filetypes may be blocked except for the primary executables - .EXE and .COM.
    ---------------------------------

    If a blocked filetype attempts to execute, a "Warning...blocked" box will appear. The user has no option to permit the file to run. My test example:

    http://www.rsjones.net/vbs_3.gif



    ------------------------
    [script analysis]...does the file contain any scripts? (Such as VBS files, VBScript, JS files, Javascript, WSH, HTA, and so on.) If it does, the WG Executive will call the Advanced Script Analysis Engine (ASAE). This engine is able to analyse what the script inside the file is capable of doing. If it determines that it is capable of doing anything that is suspicious or potentially hostile, you will be alerted.
    -------------------------

    In this example, .vbs is not on the blocked list but contains a potentially malicious script, and an alert box appears with the action-to-take options listed that you have selected:

    http://www.rsjones.net/vbs_1.gif


    The script analysis tools are very useful and make WG a more powerful program than some of the other script blocking programs.

    So, you could leave .vbs off the blocked list if you regularly use those files, such as your own scripts for various actions on your system. Or, for example, Kelly's Korner MVP site is full of XP tweaks using .vbs files she has written. You would have the option of permitting known .vbs files to run, and denying unknown files.


    EDIT: Re Jooske's comment below about the exclusion list: in my case and in the case of one other user, where there is a large group of files (.bat), we have chosen the above instead of the exclusion list, per the WG note to keep the exclusion list small. For just a few script files, the exclusion list would be the more practical choice.


    There are lots of options in setting up WG, according to your own uses of script types. A good start would be to go to one of several web sites that describe how the various script file types work, and which ones you would want to add to the list. Understanding executable filetypes is basic to setting up security.

    Also, look at the WG Help file in the section about script analysis - macros, for example. It's a very comprehensive and informative Help file.

    regards,

    -rich
    ________________
    ~~Be ALERT!!! ~~
     
    Last edited: Aug 19, 2005
  5. Jooske

    Jooske Registered Member

    Joined:
    Feb 12, 2002
    Posts:
    9,713
    Location:
    Netherlands, EU near the sea
    Nice analyses, thanks.
    You can always place known files to the exclusion list so they will never be blocked.
    Long ago my WSH was damaged and I couldn't run any script at all, so putting that in the block list should be very convincing for blocking every script.
    I have not tested in that situation whether placing scripts on the exclusions list would enable running them anyway (with a damaged WSH I guess not; with a blocked WSH I expect the exclusions to run).
     
  6. Rmus

    Rmus Exploit Analyst

    Joined:
    Mar 16, 2005
    Posts:
    3,943
    Location:
    California
    Thanks for pointing that out - I edited my post above to reflect that.

    Yes, they run - I tested that. It's a nice feature of WG.

    regards,

    -rich
    ________________
    ~~Be ALERT!!! ~~
     
  7. TopperID

    TopperID Registered Member

    Joined:
    Oct 1, 2004
    Posts:
    1,527
    Location:
    London
    How does the script analysis feature of WG differ from that of an AV such as KAV?

    Are they merely duplicating the same function?

    Also, is it true that WG will not protect you from scripts embedded in web sites?

    In which case it would offer no protection to internet surfing, and would only apply to things already on your HD and email etc.
     
  8. Rmus

    Rmus Exploit Analyst

    Joined:
    Mar 16, 2005
    Posts:
    3,943
    Location:
    California
    See:

    https://www.wilderssecurity.com/showthread.php?t=91194

    -rich
    ________________
    ~~Be ALERT!!! ~~
     
  9. TopperID

    TopperID Registered Member

    Joined:
    Oct 1, 2004
    Posts:
    1,527
    Location:
    London
    Thanx.

    So WG cannot protect you while you surf and will have no application if you use browser based web-mail.

    If you use Outlook Express and have it placed within your Restricted Sites IE zone, scripts will not be run in any case, giving very little point to running WG at all.

    Thus if you have script blocking from your AV (eg KAV), script blocking from your FW (eg ZAP), script blocking from your AS (eg Giant/MS-AS) and your browser settings correctly set, WG is basically redundant.
     
  10. Rmus

    Rmus Exploit Analyst

    Joined:
    Mar 16, 2005
    Posts:
    3,943
    Location:
    California
    WG needs to read the file, i.e., has to be on the HD. There are other ways of blocking web-based scripts, e.g., within the browser.

    Little point in running WG for email protection - I would agree. For text-based email/newsreaders programs, script-running is not even an issue.

    EDIT: I assume your setup with OE covers attachments; otherwise, you would need something else.

    Not running an AV or AS, I wouldn't know, but would suggest, as in the case of a FW that has script blocking, to test carefully to see that those programs block all script types effectively: from double-clicking, running within another file, from a command line, etc. Running your own tests often yields interesting results. I would never take for granted what a program claimed to do.

    In another sense, a program like WG is not necessary if you set up blocking of script filetypes within Windows itself.

    For those who don't wish to do that, and don't have a lot of other stuff running, such as you've listed, WG is an ideal solution.

    It's wonderful today that there are so many different solutions to various security concerns.

    regards,

    -rich
    ________________
    ~~Be ALERT!!! ~~
     
    Last edited: Aug 19, 2005
  11. Tassie_Devils

    Tassie_Devils Global Moderator

    Joined:
    May 8, 2002
    Posts:
    2,514
    Location:
    State Queensland, Australia
    Nice analysis Rich :) Thanks for that info.
    I had never even tried to add .exe/.com [to my knowledge anyhow, old grey cells here] and you can't by default, so you learn something new every day.

    Re the question of, say, KAV vs WG on scripts: obviously WG with scripts set to block is in effect closing the door on them; they can't run under normal conditions.

    Now, obviously an AV like KAV, unless set to an actual script BLOCK in it, would only check for malicious scripts and then block the running of that particular one at a given time, but still allow normal scripts to run.

    Topper would be correct in that WG would be redundant during normal operations, even using IE/OE, if settings were set right and a good AV would alert on scripts within those. But here is where WG is needed [or another form of script blocker]: if someone clueless to it all gets an attachment or downloads something which has to be physically opened, then WG would alert on it, or if set to block that extension, just give the normal alert that it's blocked from running.

    Also, to the question he poses re WG and, say, KAV with analysing: WG is purely heuristics [unless it is actually in the BLOCKED list], and I would presume a lot of AVs have defs plus some would also rely on heuristics, like NOD.

    Good thread in that regard as to the information provided. :D

    Cheers, TAS
     
  12. Rmus

    Rmus Exploit Analyst

    Joined:
    Mar 16, 2005
    Posts:
    3,943
    Location:
    California
    That's nice to know about attachments, TAS - I wasn't sure, so I added the comment in my previous post. Good info to remember when working with someone who uses OE.

    thanks,

    -rich
    ________________
    ~~Be ALERT!!! ~~
     
  13. Maggie123

    Maggie123 Guest


    Sorry, but no posters have answered my question. I was looking for suggestions of what filetypes I could add to WG.
    I know what these filetypes are: .EXE and .COM.

    Someone must have a list of filetypes?

    Thanks Maggie
     
  14. TopperID

    TopperID Registered Member

    Joined:
    Oct 1, 2004
    Posts:
    1,527
    Location:
    London
    Sorry to hijack your thread Maggie! Here is a fairly complete list:-
    .ADE
    .ADP
    .ASF
    .BAS
    .BAT
    .CHM
    .CMD
    .CPL
    .CRT
    .CSS
    .EML
    .HLP
    .HTA
    .INF
    .JS
    .JSE
    .MDE
    .PCD
    .PIF
    .REG
    .SCT
    .SHA
    .SHB
    .SHS
    .SWF
    .VB
    .VBE
    .VBS
    .WMD
    .WSC
    .WSF
    .WSH
     
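The following is an added example for this thread; it is not WormGuard code and does not come from DiamondCS or from any poster. It takes the list TopperID posted above and audits, in the registry, which program Windows will actually launch for each extension, which is the "block script filetypes within Windows itself" route Rmus mentions in his earlier post. With -Harden it repoints the ProgIDs that resolve to wscript.exe, cscript.exe or mshta.exe at Notepad, so a double-click shows the source instead of running it. With -Probe it writes a harmless one-line VBScript (constructed here) and launches it three ways, so a blocker can be tested the way Rmus advises. Assumptions: Windows with the stock HKCR layout (.ext, then ProgID, then shell\open\command), an elevated session for -Harden, and a script-host list that is my own and may need extending; per-user UserChoice overrides are not read.

```powershell
<#
  Added example, not WormGuard/DiamondCS code. Audits the Open verb for every
  extension on TopperID's list, optionally neutralises the script-host ProgIDs,
  and exercises three launch vectors with a harmless probe script.
  Assumes: Windows, stock HKCR layout, elevated PowerShell for -Harden.
#>
param([switch]$Harden, [switch]$Probe)

# The list from TopperID's post, lower-cased
$BlockList = '.ade','.adp','.asf','.bas','.bat','.chm','.cmd','.cpl','.crt','.css','.eml',
             '.hlp','.hta','.inf','.js','.jse','.mde','.pcd','.pif','.reg','.sct','.sha',
             '.shb','.shs','.swf','.vb','.vbe','.vbs','.wmd','.wsc','.wsf','.wsh'

# Programs whose Open verb executes the file's content rather than displaying it
# (assumed set; extend it for your own build of Windows)
$ScriptHosts = 'wscript.exe','cscript.exe','mshta.exe','rundll32.exe','regedit.exe',
               'hh.exe','winhlp32.exe'
$HostPattern = ($ScriptHosts | ForEach-Object { [regex]::Escape($_) }) -join '|'

function Get-OpenCommand {
    param([string]$Extension)
    # .ext key's default value names the ProgID; the ProgID's open verb names the program
    $progId  = (Get-ItemProperty -Path "Registry::HKEY_CLASSES_ROOT\$Extension" `
                -ErrorAction SilentlyContinue).'(default)'
    $command = $null
    if ($progId) {
        $command = (Get-ItemProperty -Path "Registry::HKEY_CLASSES_ROOT\$progId\shell\open\command" `
                    -ErrorAction SilentlyContinue).'(default)'
    }
    # A command that starts with "%1" means the file itself is executed (.bat, .cmd, .pif)
    $runsCode = ($command -match $HostPattern) -or ($command -match '^\s*"?%1')
    [pscustomobject]@{ Extension = $Extension; ProgId = $progId; Command = $command; RunsCode = $runsCode }
}

function Disable-ScriptVerb {
    param([string]$ProgId)
    # Double-click now opens the source in Notepad. wscript.exe and cscript.exe remain
    # runnable, and "cscript //E:vbscript file.txt" never consults the association,
    # so this covers the double-click vector only; SRP/AppLocker is needed for the rest.
    Set-ItemProperty -Path "Registry::HKEY_CLASSES_ROOT\$ProgId\shell\open\command" `
                     -Name '(default)' -Value 'notepad.exe "%1"'
}

function Test-ScriptVectors {
    # Constructed, harmless one-liner; copied to .txt to show the engine-switch bypass
    $dir = Join-Path $env:TEMP 'script-block-probe'
    New-Item -ItemType Directory -Path $dir -Force | Out-Null
    $vbs = Join-Path $dir 'probe.vbs'
    $txt = Join-Path $dir 'probe.txt'
    Set-Content -Path $vbs -Value 'WScript.Echo "script host reached"'
    Copy-Item -Path $vbs -Destination $txt -Force
    $vectors = @(
        @{ Name = 'shell association (double-click)'; Exe = $vbs;          Args = $null },
        @{ Name = 'explicit cscript.exe';             Exe = 'cscript.exe'; Args = "//Nologo `"$vbs`"" },
        @{ Name = 'cscript //E: on the .txt copy';    Exe = 'cscript.exe'; Args = "//Nologo //E:vbscript `"$txt`"" }
    )
    foreach ($v in $vectors) {
        try {
            if ($v.Args) { $p = Start-Process -FilePath $v.Exe -ArgumentList $v.Args -Wait -PassThru -NoNewWindow }
            else         { $p = Start-Process -FilePath $v.Exe -Wait -PassThru }
            "{0}: exit code {1}" -f $v.Name, $p.ExitCode
        } catch {
            "{0}: launch refused ({1})" -f $v.Name, $_.Exception.Message
        }
    }
}

$report = foreach ($ext in $BlockList) { Get-OpenCommand -Extension $ext }
$report | Format-Table Extension, ProgId, RunsCode, Command -AutoSize

if ($Harden) {
    $report | Where-Object { $_.Command -match 'wscript\.exe|cscript\.exe|mshta\.exe' } |
        Select-Object -ExpandProperty ProgId -Unique |
        ForEach-Object { Disable-ScriptVerb -ProgId $_; "Open verb for $_ now points at Notepad" }
}
if ($Probe) { Test-ScriptVectors }
```

Save it under any .ps1 name and run it plain for the audit table; extensions with no ProgID (the .sha and .wmd entries on many systems) simply show empty columns, which tells you there is nothing for Windows to launch. RunsCode is True for .bat, .cmd and .pif because Windows executes those directly with no host program, and the -Harden switch deliberately leaves them alone, in the spirit of Jooske's warning about crippling the system. Under -Probe, the third vector is the one to watch: a blocker that only hooks the .vbs association (or a Notepad redirect done with -Harden) stops the first launch but still shows "script host reached" for the .txt copy, which is why Rmus's advice to test from the command line as well as by double-click matters.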
  15. maggie123

    maggie123 Guest


    Thank you TopperID that is what I was looking for.


    Maggie
     
  16. Jooske

    Jooske Registered Member

    Joined:
    Feb 12, 2002
    Posts:
    9,713
    Location:
    Netherlands, EU near the sea
    Hope the computer is still working with adding all that! :cool:
     
  17. maggie123

    maggie123 Guest



    I will only be trying one at a time. Then see if I have any problems. It may take a few weeks.
     
  18. Jooske

    Jooske Registered Member

    Joined:
    Feb 12, 2002
    Posts:
    9,713
    Location:
    Netherlands, EU near the sea
    Lots has been written here. :)
    The Outlook Express question:
    If your email has an attachment, blocked by your email scanner or in other ways, and you click on it still wanting to run it, you would get a question from the email protection telling you about a possible danger; you might still want to open or run the thing, and WormGuard would jump up telling you what the possible danger is, allowing you to view the whole thing in safe mode.
    Giving you a choice to run it or not.

    WormGuard helps you protect your system without crippling it.
    I am in an msagent newsgroup so it's scripts all the time, and if one were suspicious WormGuard would jump up immediately. etc.

    In fact all the DiamondCS software keeps us in the driver's seat:
    With TDS you decide what to do with an alarm,
    ProcessGuard you set it up and make changes to your liking
    Port Explorer you look and decide which connections might be unwanted and which to kill and maybe delete the application involved
    WormGuard you add your ever to be blocked or allowed extensions/files
    and so it goes on with the other tools.
    We are educated step by step and learn to know our systems better with each alert or setting we make, better and more detailed than with automatic set-and-forget and auto-delete scanners anyway.

    So yes, WormGuard does add an extra layer to our protection and the ability to look into blocked files. We always are curious what a file could do, aren't we, to add to our personal knowledgebase? :cool:
     