Anti-Executable

Discussion in 'other anti-malware software' started by LoneWolf, Apr 12, 2007.

Thread Status:
Not open for further replies.
  1. Thankful

    Thankful Savings Monitor

    Joined:
    Feb 28, 2005
    Posts:
    6,564
    Location:
    New York City
    O.K. I got it now. You can do a scan of the HD and then add individual files/folders later.
    Thanks.
     
  2. Thankful

    Thankful Savings Monitor

    Joined:
    Feb 28, 2005
    Posts:
    6,564
    Location:
    New York City
    I noticed that ExeLockdown will block an executable inside an archive from running even though the archive is in the access list. Is there any way (other than adding executable to access list or adding 'Allow' button) to allow the executable to run?
    Thanks.
     
  3. Rmus

    Rmus Exploit Analyst

    Joined:
    Mar 16, 2005
    Posts:
    4,020
    Location:
    California
    I would hope not! This is one of the best features of such a program: preventing inadvertent extracting of an executable from a zipped file.

    Every "feature" you add to such a program to make it less inconvenient to use is one more potential weakness in the program.

    BTW - used in conjunction with a reboot-to-restore program, an anti-execution program makes testing malware a breeze. Using Anti-Executable as an example: you disable it to run the malware. It is put on the White List. After testing, you zip the malware, reboot, and the White List reverts back to its previous state, ie, without the malware being on the List.

    Keeping a directory with malwares zipped prevents any accidental launching of them, especially by another user, if you share your computer.

    regards,

    -rich

    ________________________________________________________________
    "Talking About Security Can Lead To Anxiety, Panic, And Dread...
    Or Cool Assessments, Common Sense And Practical Planning..."
    --Bruce Schneier
     
  4. ErikAlbert

    ErikAlbert Registered Member

    Joined:
    Jun 16, 2005
    Posts:
    9,455
    I second that. AE protects itself very well:
    - no access to its program folder
    - all settings are password protected
    - you can't edit the whitelist
    - you can't uninstall it via Windows Add/Remove programs.
    - you can even hide the AE-icon in the system tray.
    Most security software is an open book and that makes it possible to disable it via infections.
    I don't consider this as an inconvenience, it's just another way of working and you get used to this, like anything else.
     
  5. Peter2150

    Peter2150 Global Moderator

    Joined:
    Sep 20, 2003
    Posts:
    20,590
    Curiosity question. Obviously AE blocks unauthorized exe's, but what about a DLL file that gets swapped out. Would AE catch that?

    Pete
     
  6. ErikAlbert

    ErikAlbert Registered Member

    Joined:
    Jun 16, 2005
    Posts:
    9,455
    If HIGH security is ON and the delete prevention box is marked, you can't delete any .DLL-file; I've tested this personally.
    There is also a copy prevention box, but I don't know what it really means. I think it means you can't copy a false .DLL-file with the same name over an existing true .DLL-file, but I'm not sure.
    Maybe Rmus knows this.

    Of course in my case the reboot puts any .DLL-files back as they were. So I probably can work with LOW security also.
    I use AE to prevent execution of unauthorized executables, not to protect executables although it seems possible too.
     
    Last edited: May 15, 2007
  7. Rmus

    Rmus Exploit Analyst

    Joined:
    Mar 16, 2005
    Posts:
    4,020
    Location:
    California
    Hello Pete,

    see example here:

    regards,

    -rich

     
  8. Peter2150

    Peter2150 Global Moderator

    Joined:
    Sep 20, 2003
    Posts:
    20,590
    Hi Rich

    Cool. Thanks, that's an important thing.
     
  9. Thankful

    Thankful Savings Monitor

    Joined:
    Feb 28, 2005
    Posts:
    6,564
    Location:
    New York City
    Does setting the protection level to high and enabling deletion and copy protection interfere with Windows operation?

    Thanks.
     
  10. farmerlee

    farmerlee Registered Member

    Joined:
    Jul 1, 2006
    Posts:
    2,585
    One drawback to enabling those settings is it prevents files from being downloaded off the internet.
     
  11. Pedro

    Pedro Registered Member

    Joined:
    Nov 2, 2006
    Posts:
    3,502
    Hey farmerlee, and whoever used both: How would you compare AE with AppDefend's execution interception? Like setting default to block new executables (I assume no prompts are given). Are they protecting the same areas? Remember, execution only.
     
  12. farmerlee

    farmerlee Registered Member

    Joined:
    Jul 1, 2006
    Posts:
    2,585
    When you set AppDefend's default rules to block execution it will work the same way as AE. However it doesn't prompt you when something is denied. I don't know if AD covers 80 types of executables as AE claims, but from my experience it definitely covers a lot.
     
  13. Thankful

    Thankful Savings Monitor

    Joined:
    Feb 28, 2005
    Posts:
    6,564
    Location:
    New York City
    I noticed that ExeLockdown loses its functionality after I run a CheckDisk (Windows XP Home, SP2). Can anyone verify this?

    Thanks.
     
  14. muf

    muf Registered Member

    Joined:
    Dec 30, 2003
    Posts:
    926
    Location:
    Manchester, England
    What a nightmare I had with this app. Installed it yesterday and it did the customary full scan to whitelist everything. Then rebooted and set a password. Then discovered that either right clicking or double clicking the system tray icon didn't do anything. So I was left with an app that wasn't configurable, close-downable, or uninstallable. I couldn't access its folder as access was denied. Thank god system restore worked. Won't be going near that bugger again. Worse than malware.

    muf
     
  15. ErikAlbert

    ErikAlbert Registered Member

    Joined:
    Jun 16, 2005
    Posts:
    9,455
    Press the Shift key down and click on the AE-icon and you will get access to the configuration of AE, or RTFM. :)
    If you want to uninstall it, double-click the AE installation file again and AE will start the uninstalling procedure.
    That's because AE protects itself, while other security software is an open book for the bad guys and malware.
     
  16. muf

    muf Registered Member

    Joined:
    Dec 30, 2003
    Posts:
    926
    Location:
    Manchester, England
    Thanks EA for the reply and explanation. Well that's certainly a novel way of doing things. Ok, I'll try it again. Must say that when I couldn't access its config file, couldn't end its process or uninstall it I practically sh!t myself. Pardon the expression!!!

    muf
     
  17. ErikAlbert

    ErikAlbert Registered Member

    Joined:
    Jun 16, 2005
    Posts:
    9,455
    I understand. AE is very UNUSUAL software compared with others.
    If you want to download and install new software, you have to turn OFF AE and turn it back ON after installation.
    So it's a bit annoying and if you don't like that at all, you had better uninstall it. :)
     
  18. Perman

    Perman Registered Member

    Joined:
    Nov 23, 2005
    Posts:
    2,161
    Hi, Folks: AE needs to be turned off during new prog installation? Then there will be a tiny opportunity for malware's execution. In BlackIce's application control feature, the user can switch application protection from complete to partial during a new app's installation. This partial protection is to have BI ask the user's permission if it detects unknown execution. Perhaps this needs to be placed on AE's wish list.
     
  19. ErikAlbert

    ErikAlbert Registered Member

    Joined:
    Jun 16, 2005
    Posts:
    9,455
    If you turn OFF the internet first and then turn OFF AE, would that make a difference?
     
  20. muf

    muf Registered Member

    Joined:
    Dec 30, 2003
    Posts:
    926
    Location:
    Manchester, England
    Ok, re-installed it and I've now been able to access the config. Yep, I should have read the manual but I simply didn't anticipate the shift+mouse click thing. That will teach me!

    Thx for the help.

    muf
     
  21. ErikAlbert

    ErikAlbert Registered Member

    Joined:
    Jun 16, 2005
    Posts:
    9,455
    The only VISIBLE objects are:
    1. a folder under "Program Files", that can't be accessed
    2. an icon in the system tray. This icon can be hidden too, but don't do it before you know how to get it back. :D
     
  22. EASTER.2010

    EASTER.2010 Guest

    Thanks for the chuckle. :D
    If you're like me you have had your fair share where you ran into a program or two that was worse than malware. I even found $M applications and some of its built-in actions in XP almost as bad. Anymore for me, it's not malware or even rootkits that raise eyebrows or make cause for some apprehension, but so called legitimate programs and almost always the commercial offers.

    In comparison, at least for me (since I'm well acquainted with dealing with m'ware),
    malware is a walk through the park and nothing to fear like before.
     
  23. Rmus

    Rmus Exploit Analyst

    Joined:
    Mar 16, 2005
    Posts:
    4,020
    Location:
    California
    flinchlock asks about spoofed executables in another thread, and I thought I would bring it over here:

    Aigle asked if an executable with a spoofed file extension would execute if you double-clicked on it.

    I've given some examples here:

    Spoofed Executables

    regards,

    -rich

     
    Last edited: May 24, 2007
  24. flinchlock

    flinchlock Registered Member

    Joined:
    Jan 30, 2005
    Posts:
    554
    Location:
    Michigan
    THANKS, Rich!!

    Good News: Looks like AE is now risen to the status of FD-ISR... must have! :D :D

    Bad News: More money out of my wallet! ;)

    GREAT research!

    Again, thank you very much!

    Mike

    P.S. The thread where I asked my question is also a great thread https://www.wilderssecurity.com/showthread.php?t=136452&page=14 starting at post 330.
     
  25. Rmus

    Rmus Exploit Analyst

    Joined:
    Mar 16, 2005
    Posts:
    4,020
    Location:
    California
    You are welcome.

    Most of the software discussed in this forum provides evaluation periods.
    This is the time to try out the software:
    • Read the User Manual
    • Learn and understand all of the features
    Eg: AE is not a behavior blocker. It does not distinguish between a good or bad executable.
    It just says NO to any executable not on the White List. There is no Yes/No prompt.

    Decide how the software fits into your security strategy, ie, what points of entry by malware does it cover.

    This often prevents overlapping and other conflicts.

    regards,

    -rich

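The default-deny rule Rmus states in post 25 (no prompt, just NO to anything not on the White List), the swapped-DLL question in posts 5 to 7, the spoofed-extension question in post 23 and the "turn AE off to install" window from posts 3, 17 and 18 can all be seen in one small model. The Python below is an added example written for this thread, not Anti-Executable's own code or anything from its vendor; the file paths, file contents, the MZ-magic check and the SHA-256 matching are constructed assumptions about how a hash-based, content-based allow list behaves, not a description of AE's internals.

```python
import hashlib

# Constructed sample files (path -> content) standing in for a disk at the
# time of the initial full scan. Real Windows executables begin with the
# two-byte "MZ" magic; the remaining bytes here are placeholders, not code.
BASELINE_FILES = {
    "C:/Program Files/app/app.exe": b"MZ" + b"app-original-image",
    "C:/Program Files/app/helper.dll": b"MZ" + b"helper-original-image",
    "C:/Users/me/notes.txt": b"plain text, not executable",
}


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def looks_like_pe(data: bytes) -> bool:
    """Classify by content (the DOS/PE magic), never by file extension,
    so a renamed executable is still treated as executable."""
    return data[:2] == b"MZ"


def build_allowlist(files: dict) -> dict:
    """The initial full scan: record the hash of every executable image found.
    Maps hash -> path so a later decision can report what it matched."""
    return {sha256_hex(data): path for path, data in files.items() if looks_like_pe(data)}


def execution_decision(path: str, data: bytes, allowlist: dict) -> tuple:
    """Default-deny: executable content runs only if its current hash is listed.
    Returns (verdict, reason). There is deliberately no allow/deny prompt."""
    if not looks_like_pe(data):
        return ("ignore", "not executable content")
    digest = sha256_hex(data)
    if digest in allowlist:
        return ("allow", "hash matches " + allowlist[digest])
    return ("deny", path + " is executable content not on the allow list")


def relearn_after_install(allowlist: dict, files: dict) -> dict:
    """Models turning protection OFF to install and ON again: every executable
    image present afterwards joins the list, wanted or not. This is the window
    posts 3 and 18 describe, where anything run meanwhile gets listed too."""
    merged = dict(allowlist)
    merged.update(build_allowlist(files))
    return merged


def run_scenarios(allowlist: dict) -> dict:
    """The cases raised in the thread, with constructed inputs."""
    swapped_dll = b"MZ" + b"helper-REPLACED-image"   # same name, different bytes
    spoofed = b"MZ" + b"dropper-image"               # executable content behind a .pdf name
    return {
        "unchanged exe": execution_decision(
            "C:/Program Files/app/app.exe", BASELINE_FILES["C:/Program Files/app/app.exe"], allowlist),
        "swapped dll": execution_decision("C:/Program Files/app/helper.dll", swapped_dll, allowlist),
        "spoofed extension": execution_decision("C:/Users/me/invoice.pdf", spoofed, allowlist),
        "text file": execution_decision(
            "C:/Users/me/notes.txt", BASELINE_FILES["C:/Users/me/notes.txt"], allowlist),
    }


if __name__ == "__main__":
    allowlist = build_allowlist(BASELINE_FILES)
    for case, (verdict, reason) in run_scenarios(allowlist).items():
        print(f"{case:18} -> {verdict:6} ({reason})")
    # Protection off, something extra lands on disk, protection on again:
    widened = relearn_after_install(allowlist, {"C:/Users/me/invoice.pdf": b"MZ" + b"dropper-image"})
    print("after relearn    ->", execution_decision("C:/Users/me/invoice.pdf", b"MZ" + b"dropper-image", widened)[0])
```

Two points the model makes concrete: matching on the hash of the current bytes is what catches a DLL replaced under its original name, and matching on content rather than extension is what makes a spoofed name irrelevant. The relearn step shows why the thread treats the "turn it off to install" period as the weak moment, and why Rmus zips test samples before the reboot rather than leaving them for the next scan.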
     