Faronics Anti-Executable Standard 5 is live with granular publisher control

[hrnayy]

Why one should opt Anti-Executable when you have SRP or AppLocker there?

[m00nbl00d]

Quote:

Originally Posted by hrnayy

Why one should opt Anti-Executable when you have SRP or AppLocker there?

SRP isn't present in all Windows versions. You can use the registry, though. Or, even Sully's application. But, AppLocker is only present in Ultimate and Enterprise versions of Windows 7, if I'm not mistaken.

[Zyrtec]

I've been testing this new version of Faronics A-E on Windows 7 32-bit and, so far no glitches.
However, I wanted to see how it reacts when you throw in some security solutions to that configuration. So, I installed/uninstalled several anti-malware solutions to see how they interact with A-E v5.0

I ran Avast! 7 with A-E and no problems and/or bugs detected. Tested with Avira and found no problems. Tested with AVG and not bugs detected. Tested with MBAM and no problems were seen.

However, when I threw in MSE v4, I noticed that whenever MSE updates its definitions [manually], A-E blocks it, and you have to click allow for it to be able to finish updating. If MSE tries to update automatically, then it's blocked by A-E and MSE icon on systray becomes red, and MSE GUI freezes. It looks like A-E treats any definitions installer stub for MSE as a new [and unknown] executable trying to install on the system and thus, have to be authorized first every time.

Thus, if somebody plans to use those two together, better keep that in mind before running those two programs.



Carlos

[moontan]

Quote:

Originally Posted by m00nbl00d

SRP isn't present in all Windows versions. You can use the registry, though. Or, even Sully's application. But, AppLocker is only present in Ultimate and Enterprise versions of Windows 7, if I'm not mistaken.

you can also use Parental Control for SRP if you use the Home edition of Win7.

[faronics]

Quote:

Originally Posted by m00nbl00d

I take it you're part of Faronics. Do you folks have plans to provide localized versions of AE/other apps? I don't think if you folks have?

Thanks

Hello m00nbl00d,
AE is localized in six languages: English, German, Spanish, French, Japanese and Simplified Chinese. Localized user guides for version 5 are in production right now and will be posted shortly. The lack of the localized user guides has been reflected in the release notes. Do you experience any problems with a specific locale?

Quote:

Originally Posted by Osaban

I'll test it later. I wonder whether they fixed AE loooong incompatibility with Vista systems. When AE works properly it is really impenetrable, with very little system resources.

Hello Osaban,
Can you please let me know which incompatibility you are referring to? If you have a ticket or a bug number, I will be able to provide a detailed update.

Quote:

Originally Posted by Blackcat

Always thought that Faronics was too expensive...($35).

Hello Blackcat,
Application control industry represents a niche market with relatively low price elasticity of demand, we rarely get complaints about our pricing. Educational institutions have 50% discount, volume pricing is also available. The only store pricing you are referring to is a subscription pricing, perpetual licensing is also available through other sales channels, our channel partners, for example. We believe that AE is priced competitively based on the benefits it provides and features that have been made available. If you have feedback on this, I will be interested to hear it. PM me with details.

Quote:

Originally Posted by chris1341

... it slows everything to a crawl. ...

Hello Chris,

Stress and performance testing are integral part of our QA testing. Can you please tell me more about the unexpected performance hit you have experienced after AE installation? This is abnormal behavior and we want to make sure we know what is causing it. Please PM me with details or check in with our support at support.faronics.com, feel free to reference our conversation here.

Quote:

Originally Posted by Cutting_Edgetech

I would give it another try, but i'm more than happy with Appguard at the moment.

Hello CE,
"never touch a running system" If you ever change your mind, I will be happy to see you advocate for our products in their thread as well!

Quote:

Originally Posted by Osaban

I've just downloaded from your link and I still get v421, probably not all servers have been updated.

Cache on all distribution servers was purged at original launch of the new version, if you are still getting 4.21, can you please let me know which specific URL you are pulling the code from?

Quote:

Originally Posted by Zyrtec

I'm guessing if by ticking "DLL Monitoring" setting creates such a burden on your computer CPU/Memory, then this setting hasn't been implemented correctly by Faronics.
Other applications similar to Faronics A-E [such as AppGuard] monitor DLLs by default and doesn't cause slows downs from everyday use of your PC.
I hope the Faronics representative [the OP I guess], can give us a little insight of why checking DLL monitoring on A-E causes more problems than it solves.
Carlos

Hello Zyrtec,
Unfortunately, I won't be able to shed any light on why DLL monitoring causes problems as it was not our goal or architectural desire.
DLL monitoring has a higher level of performance hit (a performance hit is expected, but it shall be minimal), because it increases the number of files that need to be evaluated before allowed in runtime. Even if a file is marked as allowed to run, it needs to be checked, as it might have been manipulated, injected, or otherwise changed to sneak in some payload. A system lockup or even visible performance degradation is considered a bug and I would like to ask you to report it to our support, so we can have a closer look.

Another element in complexity of the DLL monitoring is that the same DLL can be accessed by a group of programs simultaneously and multiple times. We have seen cases where unsigned (some Publishers do not sign their DLLs) DLLs are pulled by dozens of programs several hundreds of times at program launch, causing a bottleneck for I/O bandwidth. Such cases are rather corner-cases and we have solved them through our support.

@ALL
The main new feature of AE5 is its ability to control publishers in one window, making the process of setting up AE easy and fast. We want AE to work behind the scenes and not be in your face with additions to the control list, once a publisher or a program, or a file certificate is allowed, we want the user to be able to run it without any limitations or interruptions.

I have seen comments about a comparison of AE to AV and want to address this as well. AE is not a replacement for AV. AE works on default deny, where AV works on default allow, unless there is a definition available, or heuristic observation fits a defined pattern. We often see users trying to replace an AV solution with our Deep Freeze product as well. These are all different tools for different purposes and ideally should work all together as multiple layers of protection. Faronics sells an enterprise edition of AV as well, it does not come in a standard standalone flavor (we have not seen much market evidence for offering such standalone version).

In a business setting a security triumvirate of DF+AE+AV is impenetrable

[Zyrtec]

Quote:

Originally Posted by faronics

@ALL
The main new feature of AE5 is its ability to control publishers in one window, making the process of setting up AE easy and fast. We want AE to work behind the scenes and not be in your face with additions to the control list, once a publisher or a program, or a file certificate is allowed, we want the user to be able to run it without any limitations or interruptions.

Hi,

First of all, thanks for taking the time out of your schedule to address some of our concerns while testing this latest version [5.0] of Faronics A-E.

I beg to differ somewhat from you on this quoted statement above.
You claim that A-E "work behind the scenes and not be in your face".
I have seen that statement happening the most part of the time but, I've seen unnecessary prompts from A-E when a trusted program is, for example, updating. I'm referring to Microsoft Security Essentials [MSE]. A-E will block that anti-virus from updating its virus definitions whenever there is an available update, It treats the virus defs. update stub like if it was a new program being installed, prompting you to make an Allow/Deny decision [whenever you try to manually update it] and, completely blocks it whenever it tries to automatically update itself.
And, this is just to mention one example.

I know your program is top notch and it works as you advertise it and the way it's intended to but, those bugs may need to be addressed.

Furthermore, I have la last question: since you're somewhat admitting yourself that by ticking "Monitor DLL Execution" put some burden on I/O [CPU], would a computer still be protected by NOT ticking the DLL Monitoring option just to avoid incompatibilities and/or too much I/O?


Thanks,



Carlos

[Zyrtec]

@Faronics,

Before I forget, another thing I did notice [may be some of the other posters on this thread may chime in on this] is, A-E v5 does NOT prompt ALLOW/DENY when you are installing a program that is an .MSI installer [Windows Installer]. I noticed this behavior and it's kind of worrisome because somebody could pack malware using Windows Installer [.msi] and still A-E would let it install on the system without prompting the user with an Allow/Deny message.




Carlos

[m00nbl00d]

Quote:

Originally Posted by faronics

Hello m00nbl00d,
AE is localized in six languages: English, German, Spanish, French, Japanese and Simplified Chinese. Localized user guides for version 5 are in production right now and will be posted shortly. The lack of the localized user guides has been reflected in the release notes. Do you experience any problems with a specific locale?

Damn. I missed those localizations. Anyway, do you folks plan other localizations as well? If so, which ones?

Thanks

[Rilla927]

Quote:

Originally Posted by Osaban

With the old versions one had to disable it to install anything new. With the new versions a window asks you whether you want to block or add the new install to the white list. Obviously if you are not installing anything and the window appears, chances are that it is malware or something unauthorized.

Very effective and light, the only problem was that it worked perfectly with XP, but was very buggy with Vista.

Thanks Osaban!

[Zyrtec]

Whatever happened to the O.P. which, it's correct to assume it's a Faronics representative?

You only posted here to advertise a new version of your product but you haven't taken the time to follow up with the problems and bugs people have been reporting.
If that's the way Faronics deals with its customers, then you're going to lose user base.

There are still problems [bugs] that haven been addressed and, furthermore, I e-mailed technical support a week ago with some questions and haven't yet received an answer.


Thanks.

Carlos

[LoneWolf]

Quote:

Originally Posted by Zyrtec

Whatever happened to the O.P. which, it's correct to assume it's a Faronics representative?

You only posted here to advertise a new version of your product but you haven't taken the time to follow up with the problems and bugs people have been reporting.
If that's the way Faronics deals with its customers, then you're going to lose user base.

Perhaps you missed post#55
http://www.wilderssecurity.com/showp...2&postcount=55

[chris1341]

Quote:

Originally Posted by faronics

Hello Chris,

Stress and performance testing are integral part of our QA testing. Can you please tell me more about the unexpected performance hit you have experienced after AE installation? This is abnormal behavior and we want to make sure we know what is causing it. Please PM me with details or check in with our support at support.faronics.com, feel free to reference our conversation here.

Thanks for taking time to respond, unfortunately I've uninstalled. In general AE UI navigation resulted in non-responsive freezes, complete locking of the system requiring hard reboots when opening certain applications and browsers taking in excess 20 seconds to open then sluggish tab navigation. Win 7 x64 HP SP1 with only Sandboxie installed.

I might try again and will use support.faronics.com so I can send you what you might require to resolve. Hope the project goes well for Faronics.

Cheers

[Zyrtec]

Quote:

Originally Posted by LoneWolf

Perhaps you missed post#55
http://www.wilderssecurity.com/showp...2&postcount=55

Thanks, LoneWolf for pointing that out, although, I had already read that post.

What I was referring to was to subsequent posts I made about a bug that I've been observing with this A-E release [v5.0] and it's related to Windows Defender [and it should apply to MSE as well]. Every time WD gets a definition update of its spyware definitions [when done manually], A-E pops-up a message alerting about "AM Patch 1.123.xxxx.0" [being the number 1.123, the definitions file number] and offers to DENY it [block] or ALLOW it.

This shouldn't be the case because what WD is doing is just updating its database. But then, when you ALLOW it, your A-E 'Execution Control List" is going to grow indefinitely because if you have, let's say three[3] WD definitions a day, and you have to allow them every time and each one of them on A-E, that list is going to grow out-of-control with entries like: 1.123.xxxx.0 defs. update adding up, and so on.

Faronics should provide a way so WD can update its definitions normally without triggering an alert from A-E every time asking to DENY or ALLOW the definitions to be applied to WD.



Regards,


Carlos

[LoneWolf]

Quote:

Originally Posted by Zyrtec

Thanks, LoneWolf for pointing that out, although, I had already read that post.

What I was referring to was.............

Ok, I understand now , hope you get some answers soon.

[Cutting_Edgetech]

Ok, I've installed the 32bit standard version on XP Pro x 32 SP3 pentium 4 3.4 ghz 4 GB RAM. I will report back on my findings in a couple days. I'm an Appguard fan, but I will be unbiased in my findings. I've always lived by the modo, " give credit where credit is due".

[faronics]

Quote:

Originally Posted by Zyrtec

@Faronics,
Before I forget, another thing I did notice [may be some of the other posters on this thread may chime in on this] is, A-E v5 does NOT prompt ALLOW/DENY when you are installing a program that is an .MSI installer [Windows Installer]. I noticed this behavior and it's kind of worrisome because somebody could pack malware using Windows Installer [.msi] and still A-E would let it install on the system without prompting the user with an Allow/Deny message.
Carlos

@Zyrtec
The thing is that .msi is not an actual executable file. It is merely a compressed container, similar to a cab, zip or rar archive. AE does not stop this archive from being deflated, but if any actual installation is taking place and the payload of the msi tries to access runtime, this attempt will be evaluated and blocked if unauthorized.

Quote:

Originally Posted by Zyrtec

... I have seen that statement happening the most part of the time but, I've seen unnecessary prompts from A-E when a trusted program is, for example, updating. I'm referring to Microsoft Security Essentials [MSE]. A-E will block that anti-virus from updating its virus definitions whenever there is an available update, It treats the virus defs. update stub like if it was a new program being installed, prompting you to make an Allow/Deny decision [whenever you try to manually update it] and, completely blocks it whenever it tries to automatically update itself.
And, this is just to mention one example.

We need to look closer at this specific case. It is entirely possible that the update is triggered through a different mechanism, several degrees of separation removed from the trusted update engine you have dedicated in AE settings. What I mean by that is that the update engine might be trusted, but this trusted engine might start another process, which, in turn, will start the actual update process without inheriting the trusted status in AE. This corner case will result in the triggered process being intercepted by AE.

I suggest addressing this scenario through publisher control, just tick the box for the entire MSFT as publisher or MSE on the product level. Microsoft compared to other vendors does a decent job at signing their executables.

Quote:

Originally Posted by Zyrtec

...since you're somewhat admitting yourself that by ticking "Monitor DLL Execution" put some burden on I/O [CPU], would a computer still be protected by NOT ticking the DLL Monitoring option just to avoid incompatibilities and/or too much I/O?

Yes, it would. Absolute majority of our users operates without DLL protection. We see increased levels of DLL protection use in server environments. DLL injection is the main reason for activating dll protection, so if you are not likely to be targeted by such attacks, you might want ease off on your IO and still be protected As we all know, protection is not a binary quality like pregnancy, there are degrees of protection. DLL protection wraps another security blanket around your environment.

Quote:

Originally Posted by Zyrtec

...rant...

No idea what you mean under O.P. PM me with some more detail, I will address then. My name is Dmitry and I am in charge of PM/DV/QA.
Sorry it took so long for our support to respond, their SLA is to respond within one business day. PM me your support ticket (looks like XXX-111-11111) and I will personally attend to it.

Quote:

Originally Posted by chris1341

...uninstalled..

Sorry to see you go. I hope to see you back one day.

[Zyrtec]

Thanks for your reply and clarifications. It took so long for you to get back to us, but, I feel it was worth the wait.

I still need some further clarification of how to make this suggestion of yours work:

Quote:

We need to look closer at this specific case. It is entirely possible that the update is triggered through a different mechanism, several degrees of separation removed from the trusted update engine you have dedicated in AE settings. What I mean by that is that the update engine might be trusted, but this trusted engine might start another process, which, in turn, will start the actual update process without inheriting the trusted status in AE. This corner case will result in the triggered process being intercepted by AE.

I suggest addressing this scenario through publisher control, just tick the box for the entire MSFT as publisher or MSE on the product level. Microsoft compared to other vendors does a decent job at signing their executables.

How do you setup A-E to allow the definitions without prompting with ALLOW/DENY?
You mention about "publishers". Are you referring to select "Publishers" under "Execution Control List" and ADD the whole folder [under program files] for MSE [or Windows Defender], so it can be excluded from A-E, whenever virus update is performed? What about "C:\Users\<user>\App Data" folder?
By the way, when I select "Publishers", it's empty, there is nothing to check-mark there.

Could you point me out how to do this?

Thanks.


Carlos


P.S.: O.P. stands for "original poster", since it was you who started this thread.

[acr1965]

How does this product compare to applocker in win7 ultimate? I've tried applocker but kinda got tired of having to mess with it so much when programs updated. With AE, can java (and other programs) update without me having to shut down or reconfigure AE?

[faronics]

Quote:

Originally Posted by Zyrtec

How do you setup A-E to allow the definitions without prompting with ALLOW/DENY?

Hello Zyrtec,
a picture is worth 1000 words, a video = 1.000.000
Instead of working with individual files, use publisher control to allow this specific application to run and update, or the entire publisher, for that matter.

Once you allow this publisher, signed updates will execute no problem. (In this video I allow anything from Faronics to run in the future, but you can lock it down to a specific version of a file, if you want.)

-http://screencast.com/t/4z9nsRPeDC-

Quote:

Originally Posted by acr1965

kinda got tired of having to mess with it so much when programs updated

That's kind of the answer Instead of individual rules, configuration is much easier. You set it once and use it, instead of constantly tweaking it.
AE also works in environments without Group Policies.

[Gobbler]

I must say AE 5 is really a great release, I tried AE about an year ago an had a very torrid time with it as it would cause very frequent PC freeze ups among other glitches and finally therefore got rid of it, but with this release the freezes are gone, the only minor jitters seems to appear when the DLL protection is enabled but the are no more freezes whatsoever.Overall AE 5 is a great release and the publisher based whitelisting is very handy too.Congrats to Faronics

[jmonge]

Congrats to Faronics it runs smooth and fast it feels good

[Dark Shadow]

Running smooth here with AppGuard.

[jmonge]

dave
i am installing in my 64 machine but the instalation is taking for ever it says it is creatingt the initial control list

[Dark Shadow]

Quote:

Originally Posted by jmonge

dave
i am installing in my 64 machine but the instalation is taking for ever it says it is creatingt the initial control list

Intial control list takes a while,depending on system.It's whitelisting everything you have on your system.

[jmonge]

i see thanks it looks interesting