Anti-Executable

O.K. I got it now. You can do a scan of the HD and then add individual files/folders later.
Thanks.

 

I noticed that ExeLockdown will block an executable inside an archive from running even though the archive is in the access list. Is there any way (other than adding executable to access list or adding 'Allow' button) to allow the executable to run?
Thanks.

 

I would hope not! This is one of the best features of such a program: preventing inadvertant extracting of an executable from a zipped file.

Every "feature"you add to such a program to make it less inconvenient to use, is one more potential weakness in the program.

BTW - used in conjunction with a reboot-to-restore program, an anti-execution program makes testing malware a breeze. Using Anti-Executable as an example: you dis-able it to run the malware. It is put on the White List. After testing, you zip the malware, reboot, and the White List reverts back to previous state, ie, without the malware being on the List.

Keeping a directory with malwares zipped prevents any accidental launching of them, especially by another user, if you share your computer.

regards,

-rich

________________________________________________________________
"Talking About Security Can Lead To Anxiety, Panic, And Dread...
Or Cool Assessments, Common Sense And Practical Planning..."

--Bruce Schneier​

 

I second that. AE protects itself very well :
- no access to its program folder
- all settings are password protected
- you can't edit the whitelist
- you can't uninstall it via Windows Add/Remove programs.
- you can even hide the AE-icon in the system tray.
Most security softwares are an open book and that makes it possible to disable them via infections.
I don't consider this as an inconvenience, it's just another way of working and you get used to this, like anything else.

 

If HIGH security is ON and delete prevention box is marked, you can't delete any .DLL-file, I've test this personally.
There is also a copy prevention box, but I don't know what it really means. I think it means you can't copy a false .DLL-file with the same name over an existing true .DLL-file, but I'm not sure.
Maybe Rmus knows this.

Of course in my case the reboot puts any .DLL-files back as it was. So I probably can work with LOW security also.
I use AE to prevent execution of unauthorized executables, not to protect executables although it seems possible too.

 

Hello Pete,

see example here:

regards,

-rich

________________________________________________________________
"Talking About Security Can Lead To Anxiety, Panic, And Dread...
Or Cool Assessments, Common Sense And Practical Planning..."

--Bruce Schneier​

 

Does setting the protection level to high and enabling deletion and copy protection interfere with Windows operation?

Thanks.

 

One drawback to enabling those settings is it prevents files from being downloaded off the internet.

 

Hey farmerlee, and whoever used both: How would you compare AE with AppDefend's execution interception? Like setting default to block new executables (i assume no prompts are given). Are they protecting the same areas? Remember, execution only.

 

When you set appdefends default rules to block execution it will work the same way as AE. However it doesn't prompt you when something is denied. I don't know if AD covers 80 types of executables as AE claims but from my experience it definitely covers a lot.

 

I noticed that ExeLockdown loses its functionality after I run a CheckDisk (Windows XP Home, SP2). Can anyone verify this?

Thanks.

 

What a nightmare i had with this app. Installed it yesterday and it did the customary full scan to whitelist everything. Then rebooted and set a password. Then discovered that either right clicking or double clicking the system tray icon didn't do anything. So i was left with an app that wasn't configurable, close downable, uninstallable. I couldn't access it's folder as access was denied. Thank god system restore worked. Won't be going near that bugger again. Worse than malware.

muf

 

Press the Shift Key down and click on the AE-icon and you will get access to the configuration of AE or RTFM.
If you want to uninstall it, doubleclick the AE installation file again and AE will start the uninstalling procedure.
That's because AE protects itself, while other security softwares are an open book for the bad guys and malware.

 

Thanks EA for the reply and explanation. Well that's cetainly a novel way of doing things. Ok, i'll try it again. Must say that when i couldn't access it's config file, couldn't end it's process or uninstall it i practically sh!t myself. Pardon the expression!!!

muf

 

I understand. AE is a very UNUSUAL software compared with others.
If you want to download and install new software, you have to turn OFF AE and turn it back ON after installation.
So it's a bit annoying and if don't like that at all, you better uninstall it.

 

Hi,Folks: AE needs to be turned off during new prog installation? then there will be a tiny opportunity for malware's execution. In BlackIce's application control feature, user can switch application protection from complete to partial during new app's installation. This partial protection is to have BI asking user's permission if it detects unknown execution. Perhaps this needs to be placed on AE's wish list.

 

If you turn OFF internet first and then turn OFF AE would that make a difference ?

 

Ok, re-installed it and i've now been able to access the config. Yep, i should have read the manual but i simply didn't anticipate the shift+mouse click thing. That will teach me!

Thx for the help.

muf

 

The only VISIBLE objects are :
1. a folder under "Program Files", that can't be accessed
2. an icon in the system tray. This icon can be hidden too, but don't do it before you know how to get it back.

 

Thanks for the chuckle.
If you're like me you have had your fair share where you ran into a program or two that was worse than malware. I even found $M applications and some of it's built-in actions in XP almost as bad. Anymore for me, it's not malware or even rootkits that raise eyebrows or makes cause for some apprehension, but so called legitimate programs and almost always the commercial offers.

In comparison, at least for me (since i'm well acquainted dealing with m'ware),
malware is a walk thru the park and nothing to fear like b4.

 

flinchlock asks about spoofed executables in another thread, and I thought I would bring it over here:

Aigle asked if an executable with a spoofed file extension would execute if you double-clicked on it.

I've given some examples here:

Spoofed Executables

regards,

-rich

________________________________________________________________
"Talking About Security Can Lead To Anxiety, Panic, And Dread...
Or Cool Assessments, Common Sense And Practical Planning..."

--Bruce Schneier​

 

THANKS, Rich!!

Good News: Looks like AE is now risen to the status of FD-ISR... must have!

Bad News: More money out of my wallet!

GREAT research!

Again, thank you very much!

Mike

P.S. The thread where I asked my question is also a great thread https://www.wilderssecurity.com/showthread.php?t=136452&page=14 starting at post 330.

 

You are welcome.

Most of the software discussed in this forum provide evaluation periods.
This is the time to try out the software:

• Read the User Manual
  
• Learn and understand all of the features
  

Eg: AE is not a behavior blocker. It does not distinguish between a good or bad executable.
It just says NO to any executable not on the White List. There is no Yes/No prompt.

Decide how the software fits into your security strategy, ie, what points of entry by malware does it cover.

This often prevents overlapping and other conflicts.

regards,

-rich

________________________________________________________________
"Talking About Security Can Lead To Anxiety, Panic, And Dread...
Or Cool Assessments, Common Sense And Practical Planning..."

--Bruce Schneier​