Wormguard still useful?

Discussion in 'other anti-malware software' started by Gen, Nov 4, 2008.

Thread Status:
Not open for further replies.
  1. Gen

    Gen Registered Member

    Joined:
    Jan 9, 2007
    Posts:
    73
    Greetings,

    I had WormGuard on my PC for ages, and now with EQSecure, I'm not sure if it's still a good app to use. I haven't had any pop-ups from it for a long time and I'm not sure if I should keep it or remove it. I think EQSecure should be able to handle scripts/worms alone now, no?

    Any thoughts?
     
    Last edited: Nov 4, 2008
  2. gery

    gery Registered Member

    Joined:
    Mar 8, 2008
    Posts:
    1,786
    I don't think you need it. Otherwise it will be overkill. Just a personal opinion.
     
  3. Pedro

    Pedro Registered Member

    Joined:
    Nov 2, 2006
    Posts:
    3,502
    I doubt EQSecure does what WG does. And WG uses 0 resources.
    Whether you need WG is another question.
     
  4. jmonge

    jmonge Registered Member

    Joined:
    Mar 20, 2008
    Posts:
    12,883
    Location:
    Canada
    If you have configured EQSecure well and tight, you don't need WormGuard, not even an antivirus or antispyware :D
    Note: personal opinion and advice (viewer discretion is advised).
     
  5. Rmus

    Rmus Exploit Analyst

    Joined:
    Mar 16, 2005
    Posts:
    3,943
    Location:
    California
    Wormguard, like Processguard, was certainly a product ahead of its time. Using an analysis engine, it can determine from the strings in the file that malicious code may be present.

    Unfortunately, it has a weakness in that it can be bypassed by having a script engine run the file.

    For instance, WormGuard blocks the attempt to run a malicious .vbs or .reg file either by double-clicking on the file, or by running it from a command line using this syntax:

    Code:
    C:\demo.vbs
    
    C:\demo.reg
    
    However, it allows the scripts to run when launched by the particular engine:

    Code:
    wscript.exe C:\demo.vbs
    
    regedit.exe C:\demo.reg
    
    This opens up a glaring attack vector -- via an AutoRun.inf file, for example.

    There are other ways of blocking this type of attack, of course.

    WG's greatest strength is protecting against your own actions - attempting to open a malicious script file that is on your computer.

    You can argue whether this is really necessary by asking, "How can a malicious script file get installed on my computer?" and "Why would I open an unknown, untrusted script file?"

    Unfortunately, people do -- the love.vbs virus by email attachment, for example.

    ---
     
  6. Gen

    Gen Registered Member

    Joined:
    Jan 9, 2007
    Posts:
    73
    Thanks for the responses. For info, I have EQSecure and Comodo Firewall running, nothing more. I do some occasional scans with Avira and TrojanHunter just to feel good, but they never pick up anything.

    I guess in the event where nonsense would take over my mind, it is good to have that last layer of protection with WormGuard in case I would click some file I *thought* to be safe where it actually wasn't. Or, as I'd like to call it, the "oh ****!!" program for emergencies.

    What do you guys use in case you take a wrong decision allowing a malicious file you thought legitimate? Or you just eat it and get infected? Images don't count in the answers :p
     
  7. ThunderZ

    ThunderZ Registered Member

    Joined:
    May 1, 2006
    Posts:
    2,459
    Location:
    North central Ohio, U.S.A.

    If something gets past my set-up, always possible, and I do not feel that scanning\removal tools have done their job, then I have a back-up image on DVD sitting at my fingertips. :D
     
  8. jmonge

    jmonge Registered Member

    Joined:
    Mar 20, 2008
    Posts:
    12,883
    Location:
    Canada
    A sandbox (Sandboxie): watch how it behaves. And VirusTotal, or just any good free malware scanner.
     
  9. Gen

    Gen Registered Member

    Joined:
    Jan 9, 2007
    Posts:
    73
    Haven't tried Sandboxie for that purpose. I was using GeSWall, then removed it due to a conflict between my gfx card and a game. But I think with either Sandboxie or GeSWall I could test things out. It's just that with GeSWall, it doesn't really feel like a sandbox where you could throw things in to test; it's more a policy-based sandbox. Also not sure how hard SB is, and I don't have much time atm to learn new apps =)
     
  10. jmonge

    jmonge Registered Member

    Joined:
    Mar 20, 2008
    Posts:
    12,883
    Location:
    Canada
    I know :D It requires some reading.
     
  11. FanJ

    FanJ Updates Team

    Joined:
    Feb 9, 2002
    Posts:
    2,564
    Not an answer to your question, but I do have WormGuard installed ;)
     
  12. Gen

    Gen Registered Member

    Joined:
    Jan 9, 2007
    Posts:
    73
    Do you have the 4.0 version? Can you use it after the evaluation period ends? I still use the 2.1 and even after 30 days you can still somehow use it. But their website is closed again; I passed by yesterday...
     
  13. FanJ

    FanJ Updates Team

    Joined:
    Feb 9, 2002
    Posts:
    2,564
    Oops, after your posting I checked the DCS website, and I too cannot get there ...

    I have been using the latest paid-for version of WormGuard for years.
     
  14. PROROOTECT

    PROROOTECT Registered Member

    Joined:
    May 5, 2008
    Posts:
    1,102
    Location:
    HERE ...Fort Lee, NJ
  15. ThunderZ

    ThunderZ Registered Member

    Joined:
    May 1, 2006
    Posts:
    2,459
    Location:
    North central Ohio, U.S.A.
    Still running 2.0.0.0 trial, have had it for years. Just found and d\l 3.1 from Major Geeks.
     
  16. PROROOTECT

    PROROOTECT Registered Member

    Joined:
    May 5, 2008
    Posts:
    1,102
    Location:
    HERE ...Fort Lee, NJ
    Yes, FREEWARE Script Defender: GOOD for years; 0 RAM.

    For years.
     
  17. Gen

    Gen Registered Member

    Joined:
    Jan 9, 2007
    Posts:
    73
    Correct me if I'm wrong, but isn't WG 2.X better? It's also usable for an unlimited time and seems more advanced.

    I used to have Script Defender back in the days, but ditched it when Script Guard first appeared, before it was WG.
     
  18. Pedro

    Pedro Registered Member

    Joined:
    Nov 2, 2006
    Posts:
    3,502
    Yes it is.
     
  19. Nett0pp

    Nett0pp Registered Member

    Joined:
    Jul 19, 2008
    Posts:
    71
    Location:
    Scandinavia
    I pers0nally like ScripTrap ... R00t ...

    wormguard failz (l0 zient0) ... R00t ...
     
    Last edited: Nov 6, 2008
  20. Rmus

    Rmus Exploit Analyst

    Joined:
    Mar 16, 2005
    Posts:
    3,943
    Location:
    California
    All of these script blocking programs work with Windows file associations.

    Script Defender, Script Sentry, and Scrip Trap intercept the file call from the Registry entry, directing the file to pass to the script program for a user alert, rather than open directly. Here is Scrip Trap and the .vbs file entry in the Registry:

    [screenshot: scrtrap.gif]

    WormGuard works a bit differently, using Script Analysis Engines.

    The weakness of these programs is that they can be bypassed by using a script engine to directly launch the file, as I mentioned in an earlier post. Some scenarios:

    • malicious AutoRun.inf on a USB drive or network drive

    • someone on a network launching a malicious script file directed at another's computer

    • someone who gains direct access to your computer can install/run a malicious script file directly from a command prompt.
    You can argue that there are other ways of blocking these attack vectors, or that their probability is nil. So, that leaves these script programs to protect the user against her/his own actions of clicking-to-run a script file already on the computer, or one that comes in via email attachment.

    The problem is that these programs do not distinguish between a good or malicious script. The user gets an alert when a script file attempts to run, no matter what. WormGuard has an additional scenario, described below.

    Robin Keir, who developed the Scrip Trap program writes about this (some may remember that he developed an early firewall leaktest, Firehole):

    [screenshot: scrtrap-alert.gif]

    Now the user has to make a decision.

    WormGuard works in two ways. If a filetype is on the Black list (Blocked) then the file is denied by default to run --
    there is no decision for the user to make:

    [screenshot: wg-block.gif]

    This is useful where several use a computer and the owner/administrator wants total control.

    If a filetype is not on the Blocked List, then WormGuard's analysis engine will alert if it finds potentially malicious strings in the file.

    Testing WormGuard, I didn't put .bat files on its list because I have dozens that I use in normal work. Most will run OK, but here is one which was flagged because it has a line to delete a file:

    [screenshot: wg_bat2.gif]

    For someone who uses many script files in normal work, you would have to choose a program which allows for a White List of script files which will not be flagged. Scrip Trap and Worm Guard do.

    Of those that I tested, I found WormGuard to be the most flexible in being able to control both the Black and White Lists.

    Scrip Trap v1.03 and Script Sentry do not permit adding to the Black List.

    Also, WormGuard is the only one that doesn't modify the Registry entries for the Windows File Associations. Additionally, it lets the user view the file contents directly from the GUI.

    Finally, most are probably aware that these programs do not deal with Browser scripts: those are interpreted by the Browser itself, and protection must be secured within the Browser's options.

    ----
     
  21. EASTER

    EASTER Registered Member

    Joined:
    Jul 28, 2007
    Posts:
    5,634
    Location:
    U.S.A. (South)
    Script Trap allows for BOTH a White (safe) List as well as a BlackList. In addition, Script Trap makes provision to offer an added feature to SCAN any script intercepted either with MBAM/SAS antispyware OR your favorite AV. I use NOD32 on some, MBAM on another, and they work perfectly.

    As good as ScriptDefender is, the one limitation it suffers from is that should you decide to uninstall it, it refuses to restore all of the associations that it covers. A minor inconvenience for many, but really not a problem so long as you first back up those keys/values to a reg file to simply restore them to defaults again. What I do like about ScriptDefender is you can add unlimited associations and it will alert to them.

    EASTER
     
  22. Rmus

    Rmus Exploit Analyst

    Joined:
    Mar 16, 2005
    Posts:
    3,943
    Location:
    California
    I uploaded this VBS file, go.vbs, to VirusTotal and it returned 0/32:

    Code:
    set shell = CreateObject("WScript.Shell")
    
    shell.run "go.bat"
    
    This and go.bat (also clean at VT) were in one of the Switchblade exploits. go.bat compiles a log of the information to steal. It doesn't modify or destroy anything on the computer, hence, it is not flagged as malicious.

    I would think that rather than depend on a scanner, someone of your expertise would just look inside the script file, since it is ASCII text. As a matter of fact, in Win9x days, many changed the default action of script file types from OPEN to EDIT so that clicking on one would open the file in Notepad, rather than executing it, so that they could review it.

    But I'm thinking of less technical-savvy users, and I ask the questions,

    • How does a malicious file get onto the computer?

    • Why would someone open an untrusted script file?
    The classic example is the love.vbs email attachment exploit, which victimized millions. I and a group of my friends and users were not victimized because we were taught

    • filetypes and file associations, and

    • secure email procedures.

    I just question the necessity for these types of programs which you describe, which, if an alert pops up, require the user to make a decision to run or not.

    • The average user doesn't have the expertise to make that type of judgment, and scanning may or may not be reliable.

    • The experienced, technical user doesn't need them since, in the unusual situation of an untrusted script file, she/he could just open the file in a text editor to see what it does.

    The only use for such a program that I can see is if they blocked running of files by remote code execution -- which they do not.

    Several years ago, I evaluated the programs I could find, but discovered the weakness I've mentioned. At that time, I didn't understand what was going on behind the scenes. I posted the question in the WormGuard forum at that time. Some of the developers answered questions posed in that forum, but I received no answer:

    https://www.wilderssecurity.com/showthread.php?t=93194

    Later, after more analyzing and tests, I was able to determine why WG and the others fail to protect against this attack vector, as I've detailed previously.

    The only solution would be that which Anti-Executable uses with binary executables. Conversations with people at Faronics revealed the complexity of the problem, and that such a product was not likely to be forthcoming.

    I concluded that for the average users I was working with at that time, security measures and procedures were sufficient to protect against attacks from malicious script files, and that an additional program was not necessary.

    But maybe it is good to re-evaluate the situations in which one might encounter such a script file, and thus, change my thoughts on this. So,

    1) Other than in email attachments, how else might a malicious script file attempt to get on the computer?

    2) Are there current exploits using a malicious script file? (I mentioned the USB AutoRun.inf remote code execution exploit in another thread, but since these programs don't block that attack vector, and since there are other ways of blocking it, we can eliminate this exploit.)

    3) If such a file did get on the computer, what types of social engineering might entice someone to click on such a file?


    ----
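The two WormGuard decision paths from post #20 (a Blocked list of file types that is default-deny with no prompt, otherwise a string-scanning analysis engine, with a White List of trusted file names) can be modelled in a few lines, using the go.vbs wrapper from post #22 as one input. This is an added example and not WormGuard's, ScripTrap's or any other product's code; the blocked types, the white list, the string rules and the .bat samples are constructed assumptions.

```python
import ntpath
import re

# Constructed policy (an assumption, not WormGuard's shipped defaults):
# .reg is on the Blocked list; .vbs is left off so the analysis path shows.
BLOCKED_TYPES = {".reg"}
WHITE_LIST = {"backup.bat"}   # trusted file names that are never flagged

# Constructed string rules standing in for an analysis engine's signatures.
SUSPICIOUS = [
    (re.compile(r"^\s*(del|erase|rd|rmdir)\b", re.I | re.M), "deletes files or directories"),
    (re.compile(r'CreateObject\(\s*"WScript\.Shell"\s*\)', re.I), "creates WScript.Shell"),
    (re.compile(r"\.run\b", re.I), "launches another program"),
    (re.compile(r"Scripting\.FileSystemObject", re.I), "accesses the file system"),
]


def analyze(text):
    """Return the reasons the analysis engine would give for flagging a script."""
    return [why for rx, why in SUSPICIOUS if rx.search(text)]


def decide(filename, text):
    """Model the three outcomes: BLOCK (no prompt), ALERT (user decides), ALLOW."""
    name = ntpath.basename(filename).lower()      # handles C:\demo.reg and /tmp/x.bat
    ext = ntpath.splitext(name)[1]
    if ext in BLOCKED_TYPES:                       # Blocked list: default-deny
        return "BLOCK", ["file type is on the Blocked list"]
    if name in WHITE_LIST:                         # White list: never flagged
        return "ALLOW", ["file name is on the White list"]
    reasons = analyze(text)                        # otherwise: string analysis
    return ("ALERT", reasons) if reasons else ("ALLOW", [])


# Constructed samples: go.vbs is the wrapper quoted in post #22; the .bat
# and .reg files are made up to mirror the "deletes a file" case from post #20.
SAMPLES = {
    "go.vbs": 'set shell = CreateObject("WScript.Shell")\nshell.run "go.bat"\n',
    "cleanup.bat": "@echo off\ndel C:\\temp\\old.log\n",
    "backup.bat": "@echo off\ndel C:\\temp\\old.log\nxcopy /s src dst\n",
    "hello.bat": "@echo off\necho hello\n",
    "C:\\demo.reg": "Windows Registry Editor Version 5.00\n",
}

if __name__ == "__main__":
    for fname, body in SAMPLES.items():
        verdict, why = decide(fname, body)
        print(f"{fname:12} {verdict:5} {'; '.join(why)}")
```

Note that backup.bat contains the same delete line as cleanup.bat but is allowed because its name is on the White List, which is exactly the trade-off post #20 describes for people who run many scripts in normal work.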
     
  23. EASTER

    EASTER Registered Member

    Joined:
    Jul 28, 2007
    Posts:
    5,634
    Location:
    U.S.A. (South)
    A conscientious, security-minded individual would be better off to completely dismiss obsolete WormGuard. After reviewing this thread and running it through some paces, it doesn't hold a candle to the likes of a good HIPS or especially AE by Faronics, so I would not even waste time and possible trouble with it at all.

    EASTER

    On the flip side of all this, ProcessGuard still stands very formidable & strong in everything it was designed to do in the first place, and if you still have it I would highly recommend it. I use it extensively and it lives up to being a very STRONG! deterrent against various forced intrusions, a kind of pioneer that launched this very popular HIPS trend right now without a doubt.


    EASTER
     
  24. FanJ

    FanJ Updates Team

    Joined:
    Feb 9, 2002
    Posts:
    2,564
    Hi Rmus, hi Rich,

    As always, I appreciate your thoughts on WG a lot!

    I have not much time so only some little thoughts (sorry!).

    There is a difference between file-types and file-names (WG makes that difference).
    WG has a flow-chart about how it works.
    WG gives options about what to do, its warnings, its logging.
    Yes, it is the user who has to decide some times. But the same thing goes sometimes for your firewall, AV-warning (is it a FP?), etc.

    Have you tried to get a warning from WG for things like:
    wscript.exe
    regedit.exe
    autorun.inf
     
  25. Rmus

    Rmus Exploit Analyst

    Joined:
    Mar 16, 2005
    Posts:
    3,943
    Location:
    California
    Comparing WormGuard to HIPS or Anti-Executable is not applicable, since WormGuard handles scripts only.

    Of the Script Blocking Programs, I rate WG over Script Sentry, Script Defender, ScripTrap because
    • When blocking by file type, it is Default-Deny -- no user decision. Bulletproof protection. Complete Administrative control (useful in multi-user situations)

    • For more technical users, when blocking by the Analysis Engine, the script file opens for viewing, and a decision to block/run/quarantine.

    • It makes no modifications of file associations in HKEY_CLASSES_ROOT in the Registry.
    (See my post #20 above for screen shots)

    ----
     
    Last edited: Nov 7, 2008