Rmus
January 28th, 2009, 02:21 AM
Several months ago I was on Faronics' web site looking at some papers in their Content Library. While on the site I checked a couple of the Products pages and noticed on the Anti-Executable (AE) page that some descriptions were missing. One was the reference to 80+ executable file types that AE watches out for. I didn't think about that very much at the time, but recently I had occasion to evaluate this latest edition of AE.
Here are descriptions from the AE2 User Guide followed by that in the AE3 User Guide:
v.2
-{ Quote: "Whitelist refers to the list of authorized executables created when Anti-Executable is installed.
Authorized executable or authorized program means any executable file already present on a workstation
at the time of the Anti-Executable installation, or any executable file installed while Anti-Executable is
turned off. All authorized executables are included on the whitelist." }-
v.3
-{ Quote: "Anti-Executable allows administrators to create a list of all the permissible applications on a machine.
White List: A list of executables, or folders containing executables, that are managed by Anti-Executable.
Any application that has one of the following extensions: .scr, .jar, .bat, .com, or .exe." }-
Do you notice any difference?
Now, I will attempt to run a non-White Listed program, AstroExp.exe.
First, AE2:
[attachment 205846: AE2 screenshot]
Then, AE3:
[attachment 205847: AE3 screenshot]
Do you notice any difference?
A bit of history. Years ago I became disillusioned with the reliability of Anti-Virus products. An acquaintance got a virus while using AIM. The AV was a reputable one and up to date. Shortly thereafter variants of the viruses were reported, undetected by most AV in the early days.
I began reading different articles and came across the product, Abtrusion Protector. It claimed to verify all executable file types, and any others that tried to install were blocked. That opened the door to the concept of execution protection and White Listing. Another product that was more interesting was FreezeX - the predecessor of Anti-Executable. I installed an evaluation version of it and emailed Faronics Support with loads of questions. I was put in contact with the project manager and he informed me that they were phasing out FreezeX for a better product, Anti-Executable. It had just come out of Beta Testing and wasn't scheduled to be released for a couple of more weeks, but he was happy to send me a copy to evaluate. I thanked him and told him that I was also interested in Process Guard.
While I didn't evaluate Process Guard, I was following with interest the discussions on the forum here at Wilders. Especially the long thread on rundll32.exe. Everyone was unsure how to configure it:
• Let it run all of the time:
-{ Quote: "I use 3.15 and I have had to give rundll32.exe full privileges. If I don't do this the computer won't function properly. (XP Pro)." }-
• Let it run once:
-{ Quote: "I have it set to permit once as it usually only gives me one pop up. I'm still not clear though what the likely risk of rundll32.exe is; Can a website execute malicious code on your machine using rundll32.exe if you merely click on something?" }-
-{ Quote: "The simple solution to the problem is:
- don't allow rundll32 to "execute always"
- don't give rundll32 any special privileges by default
- live with having to read a few prompts every now and again" }-
I decided I didn't want any part of having to make decisions as to what to allow. The problem, as I saw it, was not with rundll32 but with the file it executes.
I wrote the AE Project Manager about this, and questioned him about one part of the AE tutorial video they had at that time:
-{ Quote: "Q- In the tutorial, one of the programs tried to load a .dll and was blocked. Does this mean that Anti-Executable scans for all .dll files as well as .exe files on the workstation when installing? (that's quite impressive) because Process Guard does not do this because of the immense task of building a list of dlls.
A- Yes it does, - it will block unauthorized .dll files when set on high security." }-
Of course, I shortly learned that it blocks all unauthorized executable file types. From the AE2 User Manual:
-{ Quote: "The High level of security does the following:
• Blocks unauthorized 32-bit executables
• Protects Anti-Executable Enterprise directory from access and tampering
• Blocks unauthorized drivers and .dll files
• Allows optional enabling of Copy Prevention and Delete Prevention" }-
So, AE2 it was.
So what has changed in AE3? No longer does AE watch over all file types; rather, it selects just five. To its credit, AE retains some type of code analysis, because I changed several EXE files to BGT and TMP, and they were blocked. So spoofing of EXE still doesn't get by AE.
But what about rundll32 and the executable file types that it handles? Here is a CPL - a Control Panel Applet.
With AE3 installed with NO White List configured, it will prompt when any EXE attempts to run:
[attachment 205851: AE3 prompt screenshot]
Now, an AE user is put in the same predicament as one with Process Guard. AE has changed from Default-Deny to Prompt-for-decision. In the configuration, you can designate "External" users (those who are neither Trusted nor Administrator) so that they cannot allow. That is fine for a multi-user workstation. But for a single user as Administrator, you have to make a decision. The only one is, of course, to put rundll32 on the White List. Otherwise you will be prompted all of the time. Search in the Registry for rundll32 and see how much it is used.
AE2 on the other hand doesn't care anything about rundll32 as long as it opens an authorized (White Listed) file. Otherwise it blocks:
[attachment 205852: AE2 block screenshot]
AE3 watches the application. The same as Process Guard (PG). AE2 watches the file. Big difference in approach. Of course, PG is an early prototype of HIPS and does more things. AE is interested only in blocking unauthorized executables.
Continued next Post.
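To make the "watches the file" versus "watches the application" distinction concrete, here is an added toy model in Python (my own illustration, not Faronics code; the file contents, hashes, and the "rundll32 loading a CPL" launch are all constructed) of how the two policy styles judge the same three launches:

```python
# Added illustration (not Faronics code): a toy model of the two policy styles
# described in the post. File contents, names and hashes are constructed here.
import hashlib

PE_MAGIC = b"MZ"                                           # header every Windows PE file starts with
AE3_EXTENSIONS = {".scr", ".jar", ".bat", ".com", ".exe"}  # the five types named in the AE3 guide

def is_pe(data: bytes) -> bool:
    """Content check: judge the bytes, not the filename (why renaming .exe to .tmp fails)."""
    return data.startswith(PE_MAGIC)

def fingerprint(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()

def file_policy(launch, whitelist):
    """AE2 style ('watches the file'): the program AND every executable module it
    loads (DLL, CPL, driver) must be on the whitelist, else the launch is blocked."""
    for name, data in launch:
        if is_pe(data) and fingerprint(data) not in whitelist:
            return ("block", name)
    return ("allow", None)

def app_policy(launch, whitelist):
    """AE3 style ('watches the application'): only the launched program is judged,
    by extension or by PE content; whatever it goes on to load is never examined."""
    app_name, app_data = launch[0]
    ext = app_name[app_name.rfind("."):].lower() if "." in app_name else ""
    if ext in AE3_EXTENSIONS or is_pe(app_data):
        if fingerprint(app_data) not in whitelist:
            return ("prompt", app_name)        # user (or Administrator) must decide
    return ("allow", None)

# Constructed sample files: a stand-in rundll32 that is whitelisted, a program
# that is not, and a Control Panel applet (a CPL is a PE/DLL) that is not.
RUNDLL32 = b"MZ rundll32 stand-in"
ASTROEXP = b"MZ AstroExp stand-in"
APPLET = b"MZ applet.cpl stand-in"
WHITELIST = {fingerprint(RUNDLL32)}

DIRECT_EXE = [("AstroExp.exe", ASTROEXP)]
RENAMED_EXE = [("AstroExp.tmp", ASTROEXP)]                          # spoofed extension
VIA_RUNDLL32 = [("rundll32.exe", RUNDLL32), ("applet.cpl", APPLET)]  # whitelisted host, unknown module

if __name__ == "__main__":
    for label, launch in [("direct", DIRECT_EXE), ("renamed", RENAMED_EXE), ("rundll32+cpl", VIA_RUNDLL32)]:
        print(f"{label:13} AE2-style={file_policy(launch, WHITELIST)}  AE3-style={app_policy(launch, WHITELIST)}")
```

The real products enforce this in the kernel; the model only captures the decision logic, which is enough to see why whitelisting rundll32 under the application-centric policy also admits everything rundll32 loads.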