AntiX: is it for you?… dispelling the fear of malware
Rmus
June 4th, 2005, 06:29 PM
________________________________________________
AntiX:
a program which prevents the execution of unauthorized code
(source: The Rmus Handbook of Significant Data)
________________________________________________
Quick: how many executables can you name? What *is* an executable?
In a recent survey of 9 acquaintances I chose at random, 3 did not know what an executable file is. Only two could list something other than .exe. One knew .com and .bat. But what about .dll; .sys; .scr; .ocx; .ax…
All of the above can execute code. Some are commonly used so that we are familiar with them. Others are not so familiar, but potentially dangerous when used in malware.
Much has been written and discussed about the idea of preventing unauthorized executables from running, and the discussion often leads to conclusions based on misinformation and misunderstanding. The terms anti.exe, anti-exe, have been used to describe programs that attempt to do this, but to limit them to .exe files is misleading to the average user. Hence, the need for a new term.
I coined AntiX to include the idea of prevention of executable files that run code in viruses, trojans, worms, etc. Because there is no consensus as to the differences in some cases between these terms, I use the term malware (in most cases) to refer to any program the user does not want to have executed; hence: unauthorized executable.
There are a number of products that prevent unauthorized executables from running their payload. Two companies that have created very innovative and different solutions to this problem are DiamondCS, with their Process Guard (PG) and Faronics, with their Anti-Executable (AE). Using some of the tests that PG has provided on their website, and those that I have run myself with AE, I will show how the fear of malware running on your system can be alleviated when you understand how malware attempts to execute, and how that execution can be prevented. I’ll start with some of the highly-feared types of malware floating around.
Rootkit
The fear of a rootkit is so pervasive (shudder) that discussions in the various forums (questions like, Do I have a rootkit?, or, HELP - I think I have a rootkit) border almost on total panic. Microsoft didn’t help any with their article back in April when they wrote that we should be "very very afraid." Well, the more afraid you are, the less capable you are of dealing with the problem. This, of course, is the basis for all types of terrorism (and malware writers are a type of terrorist): to raise the level of fear as high as possible.
As with all malware, a basic understanding of what it is (and isn’t) is the starting point.
Rootkit (root = root privilege) + kit (hacking tools dropped into the system to work at the root level) goes back to Unix days. Hence, many advocate using a different term, since we don’t have root privilege in Windows, (unless you want to think of Administrator). A rootkit is just another type of malware (often called trojan), albeit a rather sneaky one. The fear of it started because at first they were undetectable. Then came a product that could analyze the system and detect a rootkit, but it could not be removed. Now, there are products that do even that. The scanning/analyzing is very complicated, and there aren’t too many people with the technical knowledge to use those tools effectively. Several people have posted their logs, completely befuddled as to what the logs are indicating. Often, there are false positives. Besides, the time and bother involved with that is just completely unnecessary, for the rootkit can be prevented at the start from carrying out its task.
PG’s solution is to block the installation of the driver (.sys) by the "dropper" trojan (.exe), essentially rendering the attack useless. See:
PG_rootkit (http://diamondcs.com.au/processguard/index.php?page=attack-rootkits)
When AE installs, it creates a whitelist of every executable on the computer (scans for more than 80 different types). Any executable not on that list will be blocked from installing/executing. I wanted to test fu.exe, but when I downloaded the fu rootkit package and attempted to extract the files, AE denied the extraction (copying), invoking its copy prevention rule. So, I extracted the package on my laptop (without AE) and attempted to copy fu.exe and the driver, msdirectx.sys, across my LAN to the desktop computer. Again, the attempt was denied. See:
AE_rootkit (http://www.rsjones.net/AntiX/rootkit.html)
With both PG and AE, installation failed. So much for rootkits.
Dll Injection
Ever notice how medical terms are used? - virus, injection, infection, etc. Helps to raise the fear level. In this exploit, the trojan attempts to load (inject) a dll file into one or more processes. Here are two tests - firehole.exe and pcAudit2.exe - that demonstrate dll injection. This is how PG blocks the attack. Look for those two tests at the bottom of the page:
PG_dll injection (http://diamondcs.com.au/processguard/index.php?page=attack-leaktests)
In trying to run the tests on my system with AE, I ran into the same problem as with rootkit: AE blocked downloading the test files. Knowing that those test.exe files dropped a dll upon execution, I wanted to see if AE would block the dropping, since a dll is an executable. So, I turned off AE and downloaded the two tests to the desktop and then turned AE back on. Upon executing each, AE denied the attempt to drop (copy) the dll, which would have created a global hook:
AE_dll (http://www.rsjones.net/AntiX/dllinject.html)
Two different yet effective solutions. So much for dll injection.
Keyloggers and Password Stealers
The fear of this is so high that one is afraid to even type anything, lest her/his entire life history be exhibited on the internet for all to see. Well, a keylogger or password stealer is just another trojan and nothing to be afraid of. In the keylogger test that PG uses, the program loads a dll to attempt to create a global keyboard hook, and PG effectively blocks the attempt:
PG_keylogger (http://diamondcs.com.au/processguard/index.php?page=attack-keystroke-loggers)
If keystroke.exe runs, AE blocks the attempt to load the dll. I had to permit the keystroke.exe file to download in order to test this. In practice, the .exe would never have made it into the system.
AE_keylogger (http://www.rsjones.net/AntiX/keylogger.html)
Again, two different but effective approaches to the problem. So much for keyloggers and password stealers.
Well, there is much more that these programs do, but this shows how effective they are against some of today’s fearsome exploits involving executables. For instance, anything that attempts to execute an installation of spyware, adware, etc., would also be blocked by Anti-Executable by preventing the executable from getting into the system. Process Guard must do something similar, since it uses a whitelist.
There are things that they don’t protect against, of course: they are not a firewall, nor a script-blocker, nor a lock-down program, but certainly can be considered as part of an over-all security setup.
Now, the tests above could only run because permission to install them in the first place was given. It can be persuasively argued that if one’s user alertness and safe computing habits are strong enough, that AntiX is not necessary. Fair enough, and I would not argue with someone otherwise. Yet, there are those instances when something could trigger an attempt to auto-load an unauthorized executable, and it is these cases that one can argue for such protection. No two users and their systems are alike, and no single security setup would be applicable in all situations, and I think it's futile to argue for one over the other.
Something needs to be said at this point about installing software. In doing so, it’s been said, you are granting permission for the installation of a program, and this is a point of vulnerability, since you might not be completely sure that the program is safe. True enough. When this is brought up in discussion, often a silly jump-to-conclusion is reached: "See, your AntiX doesn’t prevent installing of a malicious program." Well, this is absurd, of course, because at this point your security apparatus is turned off, and some type of risk assessment has to take place. All AntiX does is protect from *unauthorized* intrusions once the protection is enabled.
How to evaluate risk assessment is another topic. Each to her/his own.
Conclusion
All writers of malware prey on fear. The more afraid you can be made to feel, the less likely you can adequately defend yourself. The first step is to understand that there are solutions to attacks against your computer.
Your defense solution may be nothing more than your own awareness of what’s going on and not relying on any security product. A thread in another forum asked, what are your #1, 2, 3 security products. I wasn’t surprised that a number of people put either "none," or "#1-user awareness, #2-user awareness, #3-user awareness." Others said they ranked them all the same, couldn’t imagine being without any of them, and then listed all (9 in one case).
What you choose for your security setup ultimately depends on what your concerns are.
Today’s computer security companies have come out with many creative and innovative products. We should be thankful for that. I have demonstrated two products that offer quite different yet effective solutions to some of these concerns.
Happy and safe computing!
regards,
-rich
___________________________________
"Fear is only as deep as the mind allows."
(Japanese proverb)
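As an added illustration of the whitelist mechanism the post describes (this is not code from Faronics or DiamondCS, and the directory layout, file contents and the short extension list are constructed), the following Python builds a hash-based allowlist of executables at baseline time, applies an allow/block decision to a file, and audits the tree for executables that are new, changed or missing since the baseline:

```python
from __future__ import annotations

import hashlib
import tempfile
from pathlib import Path

# Executable types named in the post. AE's own scan covers more than 80 types;
# this shorter, constructed set is enough to show the mechanism.
EXECUTABLE_SUFFIXES = {".exe", ".com", ".bat", ".dll", ".sys", ".scr", ".ocx", ".ax"}


def sha256_of(path: Path) -> str:
    """Hash file contents, so a replaced binary with the same name is caught."""
    digest = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def is_executable_type(path: Path) -> bool:
    return path.suffix.lower() in EXECUTABLE_SUFFIXES


def build_allowlist(root: Path) -> dict[str, str]:
    """Baseline at install time: relative path -> SHA-256 of every executable under root."""
    allowlist: dict[str, str] = {}
    for entry in root.rglob("*"):
        if entry.is_file() and is_executable_type(entry):
            allowlist[entry.relative_to(root).as_posix()] = sha256_of(entry)
    return allowlist


def decide(path: Path, root: Path, allowlist: dict[str, str]) -> str:
    """Execution-time rule: ALLOW only if the path is on the list and its hash still matches.
    Files that are not an executable type are outside the rule's scope (IGNORE)."""
    if not is_executable_type(path):
        return "IGNORE"
    rel = path.relative_to(root).as_posix()
    return "ALLOW" if allowlist.get(rel) == sha256_of(path) else "BLOCK"


def audit(root: Path, allowlist: dict[str, str]) -> dict[str, list[str]]:
    """Periodic check of the tree against the baseline.
    new:     executables not on the list (the copy an AntiX product would have refused)
    changed: listed executables whose contents differ (a replaced binary)
    missing: listed executables that are gone (cf. the deleted AV program in the thread)"""
    current = build_allowlist(root)
    return {
        "new": sorted(k for k in current if k not in allowlist),
        "changed": sorted(k for k in current if k in allowlist and current[k] != allowlist[k]),
        "missing": sorted(k for k in allowlist if k not in current),
    }


def demo() -> dict:
    """Constructed scenario: baseline a small tree, then replay events like those in the thread."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        sys32 = root / "Windows" / "System32"
        av_dir = root / "Program Files" / "AV"
        downloads = root / "Users" / "Downloads"
        for d in (sys32, av_dir, downloads):
            d.mkdir(parents=True)
        (sys32 / "kernel32.dll").write_bytes(b"constructed: original system dll")
        (av_dir / "scanner.exe").write_bytes(b"constructed: av scanner")
        (downloads / "readme.txt").write_bytes(b"constructed: not an executable type")
        allowlist = build_allowlist(root)  # snapshot taken while the system is clean

        # Events after the baseline (all constructed; file names taken from the thread):
        (downloads / "fu.exe").write_bytes(b"constructed: dropper arrives")    # new executable
        (sys32 / "msdirectx.sys").write_bytes(b"constructed: dropped driver")  # new driver
        (sys32 / "kernel32.dll").write_bytes(b"constructed: replaced dll")     # changed contents
        (av_dir / "scanner.exe").unlink()                                      # AV program deleted

        decisions = {
            "Users/Downloads/fu.exe": decide(downloads / "fu.exe", root, allowlist),
            "Users/Downloads/readme.txt": decide(downloads / "readme.txt", root, allowlist),
            "Windows/System32/kernel32.dll": decide(sys32 / "kernel32.dll", root, allowlist),
        }
        return {"audit": audit(root, allowlist), "decisions": decisions}


if __name__ == "__main__":
    import json
    print(json.dumps(demo(), indent=2))
```

The audit's "missing" list is what catches the deleted-AV case Rmus mentions later in the thread; a real product also has to guard the baseline file itself, which this sketch does not do.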
Mrkvonic
June 5th, 2005, 12:59 AM
Hi,
Several things:
1. Very good post man.
2. Could you link to faronics ae?
3. About fear. People forget that malware is not AIDS. It's curable and reversible. Even the worst Windows trojan cannot stand in the face of a lovely format. I noticed that people also tend to be quite afraid of formatting and starting a fresh clean install. It's also usually a job of no more than 3-4 hours.
Cheers,
Mrk
Rmus
June 5th, 2005, 01:10 AM
-{ Quote: "Hi,
2. Could you link to faronics ae?
" }-Info w/link to evaluate:
http://www.faronics.com/html/AntiExecStd.asp
-{ Quote: "
3. About fear. People forget that malware is not AIDS. It's curable and reversible. Even the worst Windows trojan cannot stand in the face of a lovely format. I noticed that people also tend to be quite afraid of formatting and starting a fresh clean install. It's also usually a job of no more than 3-4 hours.
Cheers,
Mrk" }-Well put!
regards,
-rich
Notok
June 5th, 2005, 01:58 AM
Indeed! Formatting really isn't that bad, and knowing how to do it (and having a good backup strategy) can free up a lot of apprehensions about really getting to know your system, which can only help security in the long run. Formatting and handling hardware are two things that can go a very long way towards demystifying computers. As far as malware goes, when I find a machine infected with keyloggers or backdoors I don't take chances, just format and get it done with... especially a heavily infected machine where there may be question as to whether there's anything left. Disk imaging software is a good option for those that really don't like the idea of formatting, though, as long as you can be sure the image is clean.
The way rootkits are going, however, I would personally still want something like PG to ensure the infection didn't go beyond the bounds of the harddrive (into other parts of the computer or into other parts of your life, like your bank account or credit report) and do prefer to format on my own schedule, not out of urgency or haste.
Rmus
June 5th, 2005, 02:07 AM
-{ Quote: "... As far as malware goes, when I find a machine infected with keyloggers or backdoors I don't take chances, just format and get it done with... especially a heavily infected machine where there may be question as to whether there's anything left. " }-Oh, I think that should be standard procedure. In fact, I would advise, before installing a program like PG or AE, to start with a clean reinstall. Or, if it's a fairly new system, a complete scan. After all, you are going to permit free rein for what's on your computer and block everything else.
-{ Quote: "
The way rootkits are going, however, I would personally still want something like PG to ensure the infection didn't go beyond the bounds of the harddrive (into other parts of the computer or into other parts of your life, like your bank account or credit report.)" }-I certainly agree! However, as I stated earlier, I would not attempt to convince anyone of that who did not want to be convinced.
regards,
-rich
Notok
June 5th, 2005, 02:09 AM
Couldn't agree more :D
dog
June 5th, 2005, 03:13 AM
Good Posts Rich and Notok ... it is all about fear of the unknown.
There are so many great tools available to us today that can erase any fear. It also speaks for other programs, like Deep Freeze, Shadow User, or good Imaging software.
In the case of monitoring a user executed executable - RegDefend could be used to analyze reg entries created by it, only for analysis of course - not for daily use by monitoring HKUR, HKU, HKCU, and HKLM using wild cards. Something like Total Uninstall can be used in a similar fashion with the log generated.
I really like the protection PG affords, and I can comfortably relax when someone else is using my PC. I have a limited whitelist, all the global protections enabled, with the block new/changing programs protection enabled, and PG locked (actually all my security apps settings are password protected - to prevent any unauthorized change by a user). Beyond that I employ other solutions, so I have no fear of what anyone does on my PC - as they can't really do any damage. :)
Steve
Mrkvonic
June 5th, 2005, 03:16 AM
Hi,
I just installed faronics ae to try it.
But I have encountered two snags:
There's no uninstall feature in the add/remove.
The new icon in the tray is unclickable.
Any suggestions?
Mrk
Rmus
June 5th, 2005, 03:34 AM
Answered by PM with references to the user manual.
-rich
-{ Quote: "Hi,
I just installed faronics ae to try it.
But I have encountered two snags:
There's no uninstall feature in the add/remove.
The new icon in the tray is unclickable.
Any suggestions?
Mrk" }-
Rmus
June 5th, 2005, 03:38 AM
-{ Quote: "Good Posts Rich and Notok ... it is all about fear of the unknown.
...Beyond that I employ other solutions, so I have no fear of what anyone does on my PC - as they can't really do any damage. :)" }-You should set up a clinic and teach security!
-rich
dog
June 5th, 2005, 04:00 AM
-{ Quote: "You should set up a clinic and teach security!
-rich" }-LOL ... isn't that what Wilders' is? ;) :) ~an evolving clinic for an ever changing threat~
I don't think any one person could teach a clinic, it's all about group knowledge. There are an awful lot of very knowledgeable experts - I however am not one - but even those experts rely on group knowledge. I do think many of the members here could teach a basic course on security to new users ... but not too much beyond that. I think the biggest issue is teaching at a level of their comprehension, once the basics are understood then increasing the curriculum to more advanced subjects. It's far too easy to ramble off, use this use that, if the user's knowledge doesn't warrant an understanding of the product(s), its protections or the inference for the need.
Steve
Pollmaster
June 5th, 2005, 04:12 AM
-{ Quote: "All writers of malware prey on fear. The more afraid you can be made to feel, the less likely you can adequately defend yourself. The first step is to understand that there are solutions to attacks against your computer.
Your defense solution may be nothing more than your own awareness of what’s going on and not relying on any security product.
" }-
-{ Quote: "Hi,
Several things:
2. Could you link to faronics ae?
Mrk" }-
Darn.
-{ Quote: "Something needs to be said at this point about installing software. In doing so, it’s been said, you are granting permission for the installation of a program, and this is a point of vulnerability, since you might not be completely sure that the program is safe. All AntiX does is protect from *unauthorized* intrusions once the protection is enabled." }-
Sadly, you know this, and probably 90% of everyone here knows this intellectually speaking. But emotionally speaking it doesn't register.
Marketing of ProcessGuard and other security products often seems to imply that they provide 100% protection against rootkits. When the fact is, rootkits are often hidden as trojans that are run by the user!
Ditto for other threats like keyloggers. It's fashionable to worry about zero day buffer overflow attacks that result in unauthorized intrusions, but the simple fact is most of the time it's the users who choose to run the malware which makes your anti-X products helpless to protect you.
-.-.-.-.-
June 5th, 2005, 04:28 AM
@Rmus
I disagree. I believe that windows rootkits are/will become a bigger problem than your post suggests.
1.
For many users, the very basic "white list" approach (AE) does not work because, frequently, they want to try & install new applications. The AE approach only works for corporate admins who want to provide the user with a "fixed" environment which cannot be changed. (A centrally administered PG could offer the same protection.)
2.
Also the PG approach does not protect you with respect to a number of real-world scenarios. Frequently, users WANT to install new applications/drivers. Almost every game, many copy-protected applications, many image editing applications etc. require the installation of a driver. If such applications are "trojanized" PG cannot prevent the installation of a rootkit.
3.
AVs cannot detect a rootkit after it was installed. AVs may detect a rootkit prior to its installation if (and only if) the rootkit has not been modified. As you may know it is quite easy to modify known malware (no programming skills required)...
4.
Dedicated rootkit detectors may be hard to use for the average user. Moreover, even dedicated rootkit detectors may be useless because of anti-rootkit detector technology employed by the rootkit (DCS published a respective screenshot -- it seems that it was removed).
5.
In my opinion, there is reason to worry (not to panic). Something needs to be done. I wish there were a reliable high-tech rootkit detector. Current detectors are generally not too sophisticated.
Pollmaster
June 5th, 2005, 04:37 AM
OMG you are right!!! Guest.
Vikorr
June 5th, 2005, 05:27 AM
First of all, very nice Post.
In relation to PG, and its vulnerable area...ie - users installing a new executable...that's where RegDefend can come in - you don't need to switch it off, and as it monitors the autostart areas...if your program isn't an autostart type, well it can certainly give you a very big heads up....and don't forget your AV/AT that's probably also running as well.
One thing in the original post that I did find somewhat irksome was the use of the word 'terrorism' as a way to strengthen the argument, which seems to be a very flavour of the month method/word. Most people 'worry' that they'll get infected, and some don't do that enough even.
Also, on the topic of malware companies using medical terms for malware/malware behaviour...this would be because medical terms are the terms that best describe malware/behaviours (as opposed to using military terms...which happens sometimes).
There is a possibility that rootkits will become more common. Certainly there are now more open source rootkits on the internet. And certainly as security gets better and better, malware authors will be looking for sneakier ways to get around that same security.
Those things aside, as I said, a very good post.
Pollmaster
June 5th, 2005, 06:11 AM
-{ Quote: "First of all, very nice Post.
In relation to PG, and its vulnerable area...ie - users installing a new executable...that's where RegDefend can come in - you don't need to switch it off, and as it monitors the autostart areas...if your program isn't an autostart type, well it can certainly give you a very big heads up....
" }-
Sadly, if it can install itself as a driver, all bets are off. Regdefend won't fare any better than any polling registry monitor.
And of course, there are a lot of simple ways to autostart not caught by Regdefend, because it doesn't monitor files or folders.
That's why I and you use Prevx I guess :))
Vikorr
June 5th, 2005, 06:27 AM
err...yeah, as per my other posts in the RD forum :)
I like prevx too.
Mrkvonic
June 5th, 2005, 09:30 AM
Hello,
Pollmaster? What's so darn about asking about faronics?
Mrk
Rmus
June 5th, 2005, 11:16 AM
On rootkits:
They are a trojan. Eventually better detection/removal techniques will emerge. One should deal with their prevention as with any other trojan. I don't fear them more than any other trojan, which is no fear.
Guest, Pollmaster, and others write that the whitelist approach does not work because
-- frequently, they want to try & install new applications; drivers
-- it's the users who choose to run the malware which makes your anti-X products helpless to protect you.
I covered this in the "installation of software" part of my post. This situation exists with *any* security program: you have to disable it when you install, and this is a point of vulnerability - the user has to assess the risks. But this is another topic.
The point of my post is that once you've locked down your system, nothing "unauthorized" can get into it while it's locked down. If you have to "unlock" it 10 times a day to install stuff, and that's a hassle, then this type of security program is not for you. I covered that in how you choose your security setup: each user's system/computing habits are different.
My reference to terrorism is to point out that writers of malware prey on fear. I think it's an apt reference.
My reference to the use of medical terms was to point out that they cause unnecessary alarm, often making people feel helpless. I just think that there are better ways of dealing with talking about security. It has to start from day one when a person jumps into computing; it involves user education which dispels fear, provides an intelligent way of dealing with problems, etc., but that's another topic.
regards,
-rich
pollmaster2
June 5th, 2005, 12:06 PM
-{ Quote: "On rootkits:
Guest, Pollmaster, and others write that the whitelist approach does not work because
-- it's the users who choose to run the malware which makes your anti-X products helpless to protect you.
I covered this in the "installation of software" part of my post. This situation exists with *any* security program: you have to disable it when you install, and this is a point of vulnerability - the user has to assess the risks.
" }-
I think this is overstating matters. You generally don't have to disable your Antivirus when installing new programs do you? Similarly, programs that monitor suspicious behaviour (modification of hosts file, process injection etc) do not have to be turned off either and can help you detect something unusual.
It is the "antiX" portion as you call it, that is 100% helpless when dealing with trojans.
Rmus
June 5th, 2005, 12:18 PM
-{ Quote: "I think this is overstating matters. You generally don't have to disable your Antivirus when installing new programs do you? " }-True: I was referring to other lockdown programs, such as ShadowUser, Deep Freeze, where you unlock, install, then lock back down.
AV, scanning, etc, would be part of your risk assessment, where you determine to the best of your knowledge that a program you want to install is clean.
-rich
Matt_Smi
June 5th, 2005, 01:13 PM
I thought this was a very good post. About the people who say PG is useless or can be easily compromised when disabled to install a new program. Well this is not PG’s fault; it cannot make up for user awareness. If you choose to download “shady” programs from un-trusted sources and then disable PG to install it and get infected with something, well then that’s your fault not PG’s. That’s why it is important to research any program before you install it. I always research any program that I am looking at before I install it; it just takes a quick google search or a search/post here (or on a similar forum) to find out if the program is legit or suspect, and if you can't find any info on it, don’t install it. If you have common sense and only download researched programs from trusted sites then you should never have to worry about something slipping through PG when it is disabled to install that program.
Mrkvonic
June 6th, 2005, 12:54 AM
Hi,
Although computers tend to be advertised as your best buddy around, they aren't very intuitive and you need to know quite a bit to be able to use them properly. Think of your average user: how much fuss does he need to go through to disable Messenger in the services?
So, the best thing anyone with limited knowledge can do is to limit the scope of damage he/she can do. Where Windows is concerned, and that's usually the choice of the inexperienced user, that means running a non-admin account, preferably a restricted account. Few people will be able to know what to do if PG or any other program prompts that kkrss.exe is trying to do this and that. But when you're boxed in and all you can do is delete your own folder... there's little left to think and do.
And there are nice programs called dropmyrights and secureit, which allow the user, in the case of the former, to create shortcuts with non-admin privileges for ie or firefox or any other program, or in the case of the latter, right-click shell option to run the application as non-admin, allowing safe surfing.
And finally, format is like moving to a new house. New neighbors, new start. Takes a few hours, but it's not that painful.
Mrk
StevieO
June 6th, 2005, 03:08 AM
I just wanted to say thanks to Rmus for starting the very informative thread which was good to read. And for the others who have contributed to it.
I expect we'll all be hearing much more about things like this before too long I fear, so it's as well to be as forearmed as we are able to be.
StevieO
Pollmaster
June 7th, 2005, 08:36 AM
-{ Quote: "On rootkits:
They are a trojan.
" }-
Most are. A rare few are spread by worms of course.
-{ Quote: "
My reference to terrorism is to point out that writers of malware prey on fear. I think it's an apt reference.
" }-
I fully agree, similarly vendors of security products prey on the same fear.
E.g. people fear unauthorised processes that magically run on their system automatically, leading to a rootkit being installed. This fear of an unknown magical technique that can run processes without user interaction is what's fueling the whole AntiX market.
Whenever an article comes out about a new threat, people assume it can somehow (fear of the unknown) magically execute and install itself, and they feel warm and fuzzy when they think about their antiX product that will stop this.
Of course, 9 out of 10 times, there is no such technique, the user still has to run it, which no antiX product can protect against.
Pollmaster
June 7th, 2005, 08:42 AM
-{ Quote: "I thought this was a very good post. About the people who say PG is useless or can be easily compromised when disabled to install a new program.." }-
My point is there is a growing trend among users of PG and similar products to quote some tech article about the latest worm, trojan, keylogger and then add a comment that the 'antix' capability* of PG will protect them.
The underlying assumption of the poster I think is that the malware will be using some kind of unknown exploit (buffer overflow maybe?) to autoinstall without any user interaction. But as mentioned before, in most cases, that is not even close to the truth.
Such exploits are extremely rare and valuable, and chances are the latest malware that is being discussed, while interesting technically in some way, utilises no such exploit and as a result still requires user interaction (typically self-execution) to get installed.
And in such cases, only user awareness can save you.
* Other functionality of PG might save them of course, but of course according to some that isn't REALLY proactive. Neither is RD according to the same view.
dog
June 7th, 2005, 11:27 AM
Well agree with your point Pollmaster that no amount of the greatest software will protect the ~blind~ user.
But at the same time I think PG is the single greatest piece of security software to date. With the proper utilization it's almost a 100% guarantee. With a limited white list, all the global protections enabled, block changing exe's and PG locked it's pretty much unbeatable ... running under a limited account goes a long way too (but under those conditions even running an admin account is safe). ;) But even when that environment needs to change (ie. software installation) there are other measures/protections in place. Between your AV/AT, apps like RegRun and you still have PG's exe control (which would prevent any further rogue processes from running without user permission) should something go awry, one can easily undo what's been done ... even when it comes to installation I don't disable PG, I leave the exe and global protections active, if an install requires a driver/service installed, usually the installer will prompt you to the fact that it failed and you can adjust PG accordingly, even if there isn't a prompt a quick look at PG's log or flashing systray icon will highlight that fact ... and you can easily re-install over top. I believe imaging is also a key, I have a few hundred gigs of extra drive space, so taking an image prior to any installation is something I always do, with no exceptions - which is a really easy rollback should the worst happen. ;) Now I know this is just a basic overview of how my system's set up/utilized (I could go on and on and on :-X ;D ) ... there's a little more to it of course ... because like you and all the regulars here, security is my hobby too. ;)
If I had to class myself, I'd say my net activities are fairly high risk, between P2P (mIRC), venturing to the dark side of the web (and no I'm not referring to porn sites), and checking out links posted here etc. ... I think just that would put me in that class. But I still have never been infected with anything. But you're absolutely right; it does for the most part come down to the user's actions, common sense, and knowledge of your security apps ... if you're not careful you can get burned.
With that said ... PG is the one app I wouldn't ever be without. I think it's the strongest link in the armour bar none (I would like to see some small improvements to it though ... but as is; it's still the best preventive protection out there).
Honestly - PG paired with a solid AV, firewall (both hardware and software), RD to block some of the common attack vectors for malware, and a good imaging program - You're pretty set to go. Add an AT, a script-defender, a web filter like proxomitron, it's even tighter ... add a few other layers and it becomes near impossible to fall victim.
It is all about layers, and I think PG and the like are the strongest link.
Regards,
Steve
~Sorry I rambled on ... I hope this is coherent ... I'm a ~little~ tired.~ :P
Pollmaster
June 7th, 2005, 12:00 PM
-{ Quote: "Well agree with your point Pollmaster that no amount of the greatest software will protect the ~blind~ user. " }-
Or one who has too much faith in software without any understanding.
-{ Quote: "
But in the same time I think PG is the single greatest piece of security software to date.
" }-
I wouldn't take the hyperbole so far.
-{ Quote: "
With the proper utilization it's almost a 100% guarantee. With a limited white list, all the global protections enabled, block changing exe's and PG locked it's pretty much unbeatable ... running under a limited account goes a long way too (but under those conditions even running an admin account is safe). ;)
" }-
I haven't tried it yet, but I suspect a limited account with proper restrictions to files and folders + PG (is this possible?) would be truly unbeatable, with the former covering files and folders, an area PG does not touch.
-{ Quote: "
But even when that environment needs to change (ie. software installation) there are other measures/protections in place. Between your AV/AT, apps like RegRun and you still have PG's exe control (which would prevent any further rogue processes form running without user permission) should something go awry,
" }-
I agree with this except the value of exe control when the environment needs to change.
-{ Quote: "
there's a little more to it of course ... because like you and all the regulars here, security is my hobby too. ;)
" }-
Fun hobby isn't it? Not everyone has the same hobby though.
-{ Quote: "
With that said ... PG is the one app I wouldn't ever be without. I think it's the strongest link in the armour bar done (I would like to see some small improvements to it though ... but as is; it's still the best preventive protection out there).
" }-
I think it's by no means a "must have", but it's somewhat useful, except for exe control which I think is the least useful of all the functions in PG.
Rmus
June 7th, 2005, 01:16 PM
-{ Quote: "My point is there is a growing trend among users of PG and similar products to quote some tech article about the latest worm,trojan,keylogger and then add a comment that 'antix' capability* of PG will protect them." }-
The examples I gave were based on exploits known to me.
1) Copying across a network. I used rootkit as a demonstration, since that's the latest and greatest, but know of an instance where a keylogging program was installed across a network at a school. With AE installed, that could not have happened. (I assume PG, but could not test that)
In this same instance, a successful deletion of an AV program was done across the network. That could not have happened with AE's delete protection.
One can argue that tighter network control might have prevented it, but it happened. A locked-down whitelist which blocks unauthorized executables, prevents these in any case.
2) Dll injection. These tests were setup to test firewalls, where known instances of trojans getting outbound traffic past a firewall were successful. Both PG and AE don't let the outbound attempt even get to the firewall. (granted, something in the defense broke down in that the trojan got installed in the first place, but it happened)
Since you mention user awareness (certainly very important) I could have included inadvertent user action protection. A family with two children ages 10 and 12 I know have one computer. Each has a separate email account. Dad has strict rules, one of which is only Dad opens email attachments. They love screen savers, and often dl different ones from a reputable site. One day, daughter gets an email from a friend saying, here's a great screen saver. It's attached as a zip file, and she can't resist. After all, it's from a friend, and she knows .scr is a screen saver. Dad comes home and the computer doesn't work. Daughter is honest and cannot tell a lie. Not too much damage, and the computer is cleaned up.
With AE (and I assume PG) this could not have happened. Had the above occurred a few days ago, it might have been worse:
AE_screensaver ( http://www.rsjones.net/AntiX/pics.html)
_________________________________
So there are many uses for both of these programs, as I stated in the original post, and to limit the benefits to these few examples does a disservice. Even after evaluating them and deciding for oneself that they aren't needed, it doesn't serve any purpose to denigrate those who find them useful.
But all of this discussion gets away from the point of this thread, which is to dispel the fear that many people have of malware, and to show that it's possible to set up a system that is pretty secure (notwithstanding the need for user education). I use AntiX as just one type of protection that a user can utilize.
regards,
-rich
richrf
June 7th, 2005, 04:46 PM
Hi Dog,
I am in your camp. Trying to figure out what all the different "anti" programs were doing and how they were doing them was becoming ludicrous. Giant AS alone claims to be covering 59 different "checkpoints". Win Patrol has its set, as does Tea Timer, Ad-Watch, SpySweeper, etc., etc., etc.
The fundamental problem is that once a malicious program has the opportunity to begin tampering with a system, there are hundreds, or maybe even thousands of things it can do - including cloaking itself.
By putting .exe control back into the users hands, ProcessGuard creates a centralized "choke point", which now can be monitored by users. Script defenders, such as WormGuard, Script Sentry, etc. provide similar facilities. I put all of these programs into the "sentry" class since they are guarding the "gates of entry".
I am quite sure that ProcessGuard, WormGuard, RegDefend, and others can all be augmented and refined. But what a great start! Instead of dozens of programs trying to monitor all the little "nooks and crannies" in Windows (how many hiding places there must be??), it is now becoming possible to station just a handful of very powerful applications (e.g. firewall, top-rated AV/AT, .exe guard, script guard, registry guard) at the perimeter with the goal of stopping the nasties before they have an opportunity to create any mischief. This, to me, sounds like a plausible long-term security strategy.
Rich
dog
June 7th, 2005, 07:06 PM
-{ Quote: "I haven't tried it yet, but I suspect a limited account with proper restrictions to files and folders + PG (is this possible?) would be truly unbeatable with the former covering files and folders an area, PG does not touch." }-
PG runs fine under a limited account ... the GUI itself won't load but with the settings for PG I mentioned above, trying to run something that isn't white listed results in "invalid handle", if PG is left unlocked and changing exe unchecked - you'll get the same allow/deny pop ups as you would under an admin account and it can be allowed from there. RD as another example under a limited account, the user cannot affect any permanent change to ghost files, the user can allow/deny each pop up if they're set to ask user but can't affect the always allow/deny check box or (I believe) set an APO that will take. I would still like to see a locking mechanism on RD, which would further limit any chance for change in either environment.
I agree with what you hinted at in regards to a file/folder defender - which I'm sure is on the horizon - which will further cripple any chance of malware. RegRun does provide for some of this file protection with the anti-replacement & File protection functions. RegRun by default backs up critical system files and the user can add any file they wish, which RegRun copies to another folder, and uses checksums to verify the file is unchanged, if it is ... a simple restore from the RegRun backup folder replaces the file or if the change is legitimate the user can update the file in storage. One doesn't need RegRun to accomplish this, but it does make it so easy because it's fairly automated. The same effect could be achieved by creating a backup folder of sensitive files in conjunction with running an integrity checker, then when a change is found, either replace the file from storage or update the storage and checksums. But again this does come down to user knowledge/awareness ... :lurking:
Steve
~still half asleep and :lurking: ~ :P
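As an added example (not RegRun's code, and not posted by anyone in this thread) of the manual version Steve describes: a backup folder with a checksum manifest, a check that reports each protected file as ok, changed or missing, a restore from storage for an unwanted change, and a re-protect to accept a legitimate one. The manifest name, helper names and the sample hosts file are constructed for the demo.

```python
import hashlib
import json
import shutil
import tempfile
from pathlib import Path

MANIFEST = "manifest.json"  # constructed name for the checksum record


def sha256_of(path: Path) -> str:
    """Hex SHA-256 of a file's contents."""
    return hashlib.sha256(path.read_bytes()).hexdigest()


def _load(store: Path) -> dict:
    p = store / MANIFEST
    return json.loads(p.read_text()) if p.exists() else {}


def protect(path: Path, store: Path) -> str:
    """Copy a sensitive file into the store and record its checksum.
    Also used to accept a legitimate change (refreshes copy + checksum).
    Copies are keyed by basename, so protect files with distinct names."""
    store.mkdir(parents=True, exist_ok=True)
    shutil.copy2(path, store / path.name)
    manifest = _load(store)
    manifest[str(path)] = sha256_of(path)
    (store / MANIFEST).write_text(json.dumps(manifest, indent=2))
    return manifest[str(path)]


def check(store: Path) -> dict:
    """Return {path: 'ok' | 'changed' | 'missing'} for every protected file."""
    result = {}
    for name, expected in _load(store).items():
        p = Path(name)
        if not p.exists():
            result[name] = "missing"
        else:
            result[name] = "ok" if sha256_of(p) == expected else "changed"
    return result


def restore(path: Path, store: Path) -> None:
    """Unwanted change: put the stored copy back in place."""
    shutil.copy2(store / path.name, path)


def demo() -> list:
    """Walk one constructed file through tamper, restore, accepted edit, deletion."""
    d = Path(tempfile.mkdtemp())
    hosts, store = d / "hosts", d / "store"
    hosts.write_text("127.0.0.1 localhost\n")
    protect(hosts, store)
    seen = [check(store)[str(hosts)]]                  # "ok"
    hosts.write_text("127.0.0.1 localhost\n10.0.0.5 printer.local\n")
    seen.append(check(store)[str(hosts)])              # "changed": unwanted, so
    restore(hosts, store)                              # put the stored copy back
    seen.append(check(store)[str(hosts)])              # "ok" again
    hosts.write_text("127.0.0.1 localhost\n::1 localhost\n")
    protect(hosts, store)                              # legitimate edit: accept it
    seen.append(check(store)[str(hosts)])              # "ok" with the new checksum
    hosts.unlink()
    seen.append(check(store)[str(hosts)])              # "missing"
    return seen
```

Run `demo()` to see the five statuses in order; in practice `check()` would run on a schedule and the store should itself live somewhere the limited account cannot write.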
Pollmaster
June 8th, 2005, 09:25 AM
-{ Quote: "The examples I gave were based on exploits known to me.
One can argue that tighter network control might have prevented it, but it happened. A locked-down whitelist which blocks unauthorized executables, prevents these in any case.
" }-
Exactly, a misconfiguration of the system is the direct cause. A more direct solution is indicated.
-{ Quote: "
2) Dll injection. These tests were setup to test firewalls, where known instances of trojans getting outbound traffic past a firewall were successful. Both PG and AE don't let the outbound attempt even get to the firewall. (granted, something in the defense broke down in that the trojan got installed in the first place, but it happened)
" }-
Again, you are making my point. How did the trojan get installed in the first place? If it managed to get installed, it could do a lot more damage than merely trying to pass your firewall.
-{ Quote: "
Since you mention user awareness (certainly very important) I could have included inadvertent user action protection.
" }-
Given that I mention this too, in my post above, I don't see what your beef with me is.
-{ Quote: "
_________________________________
So there are many uses for both of these programs, as I stated in the original post, and to limit the benefits to these few examples does a disservice.
" }-
I don't deny that they have a function, just that they are far from the 'greatest thing since sliced bread' hype that many are saying.
For one they only come into play when you make a mistake. Granted people all make mistakes, but at the level we are talking about, for most people here, this is not a very big factor. After taking into account all the basic precautions, not much is left that is covered by this tool.
For two, it does not protect you from trojans.
For three, it is costly (in terms of time and knowledge required) to use. Some people who do have the knowledge do not see the need (for good reasons).
-{ Quote: "
Even after evaluating them and deciding for oneself that they aren't needed, it doesn't serve any purpose to denigrate those who find them useful.
" }-
Denigrate is your word. I'm certainly not attacking people who use PG out of knowledge about what it covers and what it does not. If you like, I'm targeting the newbish people who treat PG and similar tools as good luck tokens with zero understanding of what they are doing.
AntiX (your term) is a strictly limited measure that has its use, it's not a tool that works against all malware.
Pollmaster
June 8th, 2005, 09:42 AM
-{ Quote: "Hi Dog,
Trying to figure out what all the different "anti" programs were doing and how they were doing them was becoming ludicrous. Giant AS alone claims to be covering 59 different "checkpoints". Win Patrol has its set, as does Tea Timer, Ad-Watch, SpySweeper, etc., etc., etc.
" }-
Of course, instead of using Giant AS to cover all the "checkpoints", you now use RegDefend with Tony's set to cover the same "checkpoints" (less the couple which refer to files of course, but I'm sure Jason will come up with Filedefend soon). I fail to see the difference :)
The value of Giant I believe comes from its scanning engine mainly, though it does have a nice database of areas to check. Monitoring of registry, files etc. is one function that is nice to centralise I agree, but according to you that's not really proactive, since by then the malware process must have run already.
-{ Quote: "
The fundamental problem is that once a malicious program has opportunity to begin tampering with a system, there are hundres, or maybe even thousands of things it can do - including cloaking itself.
" }-
Of course. But I don't see how wasting a couple of seconds clicking okay to a process you started yourself a second ago, helps solve this problem.
It's a problem that has no solution, there is no way around the problem of running a program you want to run. Intervene before it starts, and you won't know if it was really harmful; try to let it run a little, and you might be too late.
-{ Quote: "
By putting .exe control back into the users hands, ProcessGuard creates a centralized "choke point", which now can be monitored by users. Script defenders, such as WormGuard, Script Sentry, etc. provide similar facilities. I put all of these programs into the "sentry" class since they are guarding the "gates of entry".
" }-
Personally I think such checks are merely cursory checks, you know a process or script you executed is starting, what does that really tell you? Regdefend, which I see in one post you are denigrating as not really proactive, at least monitors behaviour that provides some info.
-{ Quote: "
I am quite sure that ProcessGuard, WormGuard, RegDefend, and others can all be augmented and refined. But what a great start! Instead of dozens of programs trying to monitor all the little "nooks and crannies" in Windows (how many hiding places there must be??), it is now becoming possible to station just a handful of very powerful applications (e.g. firewall, top-rated AV/AT, .exe guard, script guard, registratry guard) at the perimeter with the goal of stopping the nasties before they have an opportunity to create any mischief. This, to me, sounds like a plausible long-term security strategy.
Rich" }-
I'm not against such "sentries", and in many cases it's pretty trivial to set up programs to guard these areas, some are already in the OS. That's why people recommend you don't run as admin/root after all!
But it's hardly a complete solution, since it involves costs, a reason why most users don't run as non-admin. Using tools like PG, Regdefend you are trying to return to the same policy, a policy where the default is deny rather than allow.
It's more secure certainly, but only if the user running it is clued in. The user of a scanner at least doesn't require much brains, with tools like PG and RD, user awareness is more important than ever, not less.
And if you are so "Aware", I wonder what additional value such tools will bring anyway.
Pollmaster
June 8th, 2005, 09:47 AM
-{ Quote: " I would still like to see a locking mechanism on RD, which would further limit any chance for change in either environment. " }-
I suppose a band-aid would be nice. But as pointed out before, such measures can be overcome as long as you don't secure the whole file system.
-{ Quote: "
I agree with what you hinted at in regards to a file/folder defender - which I'm sure is on the horizon -
" }-
Yes it's called Windows :)
-{ Quote: "
RegRun does provide for some of this file protection with the anti-replacement & File protection functions. RegRun by default backups critical system files and the user can add any file they wish, which RegRun copies to another folder, and uses checksums to verify the file is unchanged, if it is ... a simple restore from the RegRun backup folder replaces the file or if the change is legitimate the user can update the file in storage. One doesn't need RegRun to accomplish this, but it does make it so easy because it's fairly automated. The same effect could be achieve with creating a backup folder of sensitive files in conjunction with running an integrity checker, then when a change is found, either replace the file from storage or update the storage and checksums.
" }-
Basically this is what WFP does for critical system files isn't it?
Of course, there are ways around it.
-{ Quote: "
But again this does come down to user knowledge/awareness ... :lurking:
" }-
Nah, I'm going to post the ultimate security setup later, 100% secure, idiot proof.
dog
June 8th, 2005, 10:16 AM
-{ Quote: "Yes it's called Windows :)" }-
I was thinking of something sooner than Longhorn ... ;) :-X
-{ Quote: "Basically this is what WFP does for critical system files isn't it?
Of course, there are ways around it. " }-
Yes, but WFP isn't user defined ... I'm not just referring to system files, but anything can be protected from GHST files to your hosts file and anything else in between, either manually or semi-automated with RegRun.
-{ Quote: "Nah, I'm going to post the ultimate security setup later, 100% secure , idiot proof." }-
LOL, I can't wait :D that's just what everyone's been looking for :P
NICK ADSL UK
June 9th, 2005, 06:40 PM
As this thread has reached its conclusion, the topic starter Rmus has requested it to be closed!
Thank you