Sana Security's Attack Shield Worm Suppression (WS) is a software-only solution to protect workstations from worms that spread via buffer-overflow attacks. The software operates only when an exploit makes a system call. So although it prevents exploits from using a buffer overflow for actions such as privilege escalation and file-system access, it won't protect against buffer overflows that cause a crash by corrupting memory.

I tested Attack Shield WS on both Windows XP and Windows 2000 Professional machines by using vulnerability-testing tools Metasploit and SMBdie to exploit three well-known Windows buffer-overflow vulnerabilities. I attempted to add a user with Metasploit by exploiting the vulnerabilities described in Microsoft Security Bulletins MS04-011 and MS03-026, and I crashed my system with SMBdie using the vulnerability described in MS02-045. Attack Shield WS successfully stopped the first two attacks, but it failed to thwart the third because SMBdie doesn't attempt a system call.

Attack Shield WS protects the default listening TCP/IP services on XP and Win2K (listed in Web Table 1, http://www.windowsitpro.com, InstantDoc ID 45607). It might not stop a machine from crashing, but it stops worms from using an exploited machine to spread. Although I'd like to see Sana Security test and support more services, such as the Microsoft SQL Server Desktop Engine (MSDE), the defaults are probably sufficient for most environments. If you don't need additional services on your workstations, Attack Shield WS is a nice complement to antivirus software.



Attack Shield Worm Suppression
Contact: Sana Security * 650-292-7100 or 866-900-7262
Web: http://www.sanasecurity.com
Price: $9.95 per individual license; $796 for a 100-license pack
Summary
Pros: Simple and effective; no updates or signatures to install
Cons: A limited number of Windows services are tested and supported
Rating: 3 out of 5
Recommendation: A good complement to antivirus software if workstation downtime is unacceptable.


Web Table 1: Default Listening Ports
XP SP2
Protocol Port Binary Attack Shield WS–Protected Process
TCP 135 svchost.exe Generic Windows Services
TCP 139 System* Generic Windows Services
TCP 445 System Generic Windows Services
UDP 123 svchost.exe Generic Windows Services
UDP 137 System Generic Windows Services
UDP 138 System Generic Windows Services
UDP 445 System Generic Windows Services
UDP 500 lsass.exe LSA Shell Manager
UDP 1025 svchost.exe Generic Windows Services
UDP 1026 svchost.exe Generic Windows Services
UDP 1900 svchost.exe Generic Windows Services
UDP 4500 lsass.exe LSA Shell Manager
Win2K Pro SP3
TCP 135 svchost.exe Generic Windows Services
TCP 139 System Generic Windows Services
TCP 445 System Generic Windows Services
TCP 1025 mstask.exe Task Scheduler
TCP 1026 System Generic Windows Services
TCP 1029 System Generic Windows Services
UDP 135 svchost.exe Generic Windows Services
UDP 137 System Generic Windows Services
UDP 138 System Generic Windows Services
UDP 445 System Generic Windows Services
UDP 500 lsass.exe LSA Shell Manager
UDP 1029 services.exe Services Manager