Sana Security's Attack Shield Worm Suppression (WS) is a software-only solution to protect workstations from worms that spread via buffer-overflow attacks. The software operates only when an exploit makes a system call. So although it prevents exploits from using a buffer overflow for actions such as privilege escalation and file-system access, it won't protect against buffer overflows that cause a crash by corrupting memory.
I tested Attack Shield WS on both Windows XP and Windows 2000 Professional machines by using vulnerability-testing tools Metasploit and SMBdie to exploit three well-known Windows buffer-overflow vulnerabilities. I attempted to add a user with Metasploit by exploiting the vulnerabilities described in Microsoft Security Bulletins MS04-011 and MS03-026, and I crashed my system with SMBdie using the vulnerability described in MS02-045. Attack Shield WS successfully stopped the first two attacks, but it failed to thwart the third because SMBdie doesn't attempt a system call.
Attack Shield WS protects the default listening TCP/IP services on XP and Win2K (listed in Web Table 1, http://www.windowsitpro.com, InstantDoc ID 45607). It might not stop a machine from crashing, but it stops worms from using an exploited machine to spread. Although I'd like to see Sana Security test and support more services, such as the Microsoft SQL Server Desktop Engine (MSDE), the defaults are probably sufficient for most environments. If you don't need additional services on your workstations, Attack Shield WS is a nice complement to antivirus software.
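One way to find out which listeners on a workstation fall outside the default set Attack Shield WS covers: the following Python script (an added example, not part of the review or of Sana Security's product) uses the XP SP2 rows of Web Table 1 as a baseline and flags any listening socket in `netstat -ano` output that is not in it. The netstat text and the PID-to-image map are constructed sample data; the MSDE entry reflects the ports SQL Server and MSDE normally bind (TCP 1433, UDP 1434).

```python
# Baseline copied from Web Table 1 (XP SP2 column): (protocol, port, binary).
XP_SP2_PROTECTED = {
    ("TCP", 135, "svchost.exe"), ("TCP", 139, "System"), ("TCP", 445, "System"),
    ("UDP", 123, "svchost.exe"), ("UDP", 137, "System"), ("UDP", 138, "System"),
    ("UDP", 445, "System"), ("UDP", 500, "lsass.exe"), ("UDP", 1025, "svchost.exe"),
    ("UDP", 1026, "svchost.exe"), ("UDP", 1900, "svchost.exe"), ("UDP", 4500, "lsass.exe"),
}

def parse_netstat(text):
    """Yield (proto, port, pid) for LISTENING TCP sockets and bound UDP sockets from
    `netstat -ano` output. Columns: Proto, Local Address, Foreign Address, [State,] PID."""
    for line in text.splitlines():
        cols = line.split()
        if not cols or cols[0] not in ("TCP", "UDP"):
            continue  # banner, column header or blank line
        if cols[0] == "TCP" and (len(cols) < 5 or cols[3] != "LISTENING"):
            continue  # established or closing client sockets are not services
        port = int(cols[1].rsplit(":", 1)[1])  # handles 0.0.0.0:135 and [::]:135
        yield cols[0], port, int(cols[-1])     # PID is always the last column

def unprotected_listeners(netstat_text, pid_to_image, baseline=XP_SP2_PROTECTED):
    """Return sorted (proto, port, image) tuples for listeners outside the baseline."""
    found = set()
    for proto, port, pid in parse_netstat(netstat_text):
        image = pid_to_image.get(pid, "<unknown pid %d>" % pid)
        if (proto, port, image) not in baseline:
            found.add((proto, port, image))
    return sorted(found)

# Constructed sample, not a real capture: an XP SP2 box that also runs MSDE, which
# listens on TCP 1433 and UDP 1434 under sqlservr.exe. PID map is what tasklist reports.
SAMPLE_NETSTAT = """\
  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       940
  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING       4
  TCP    0.0.0.0:1433           0.0.0.0:0              LISTENING       1512
  TCP    192.168.1.5:139        0.0.0.0:0              LISTENING       4
  TCP    192.168.1.5:1047       192.168.1.9:80         ESTABLISHED     1804
  UDP    0.0.0.0:445            *:*                                    4
  UDP    0.0.0.0:500            *:*                                    688
  UDP    0.0.0.0:1434           *:*                                    1512
"""
SAMPLE_PIDS = {4: "System", 688: "lsass.exe", 940: "svchost.exe",
               1512: "sqlservr.exe", 1804: "iexplore.exe"}

if __name__ == "__main__":
    for proto, port, image in unprotected_listeners(SAMPLE_NETSTAT, SAMPLE_PIDS):
        print("%s/%d (%s) is outside the Attack Shield WS default set" % (proto, port, image))
```

Swap in the Win2K Pro SP3 rows from Web Table 1 as the baseline for a Windows 2000 machine; anything the script reports is a service you either need and should shield by other means or can disable.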
Attack Shield Worm Suppression

Contact: Sana Security, 650-292-7100 or 866-900-7262
Web: http://www.sanasecurity.com
Price: $9.95 per individual license; $796 for a 100-license pack

Summary
Pros: Simple and effective; no updates or signatures to install
Cons: A limited number of Windows services are tested and supported
Rating: 3 out of 5
Recommendation: A good complement to antivirus software if workstation downtime is unacceptable.
Web Table 1: Default Listening Ports

XP SP2

| Protocol | Port | Binary | Attack Shield WS–Protected Process |
|---|---|---|---|
| TCP | 135 | svchost.exe | Generic Windows Services |
| TCP | 139 | System* | Generic Windows Services |
| TCP | 445 | System | Generic Windows Services |
| UDP | 123 | svchost.exe | Generic Windows Services |
| UDP | 137 | System | Generic Windows Services |
| UDP | 138 | System | Generic Windows Services |
| UDP | 445 | System | Generic Windows Services |
| UDP | 500 | lsass.exe | LSA Shell Manager |
| UDP | 1025 | svchost.exe | Generic Windows Services |
| UDP | 1026 | svchost.exe | Generic Windows Services |
| UDP | 1900 | svchost.exe | Generic Windows Services |
| UDP | 4500 | lsass.exe | LSA Shell Manager |

Win2K Pro SP3

| Protocol | Port | Binary | Attack Shield WS–Protected Process |
|---|---|---|---|
| TCP | 135 | svchost.exe | Generic Windows Services |
| TCP | 139 | System | Generic Windows Services |
| TCP | 445 | System | Generic Windows Services |
| TCP | 1025 | mstask.exe | Task Scheduler |
| TCP | 1026 | System | Generic Windows Services |
| TCP | 1029 | System | Generic Windows Services |
| UDP | 135 | svchost.exe | Generic Windows Services |
| UDP | 137 | System | Generic Windows Services |
| UDP | 138 | System | Generic Windows Services |
| UDP | 445 | System | Generic Windows Services |
| UDP | 500 | lsass.exe | LSA Shell Manager |
| UDP | 1029 | services.exe | Services Manager |