Wilders Security Forums  

  #1  
Old March 20th, 2009, 02:43 AM
bgoodman4 bgoodman4 is offline
Very Frequent Poster
 
Join Date: Jan 2009
Posts: 1,953
Default Is anyone using Horizons Executable Lockdown

I was wondering if anyone is using Executable Lockdown http://www.executablelockdown.com/ and if it's a good addition to a PC's security toolbox,,,,,or is there a better choice out there.

Thanks in advance.
  #2  
Old March 20th, 2009, 05:15 AM
nanana1 nanana1 is offline
Frequent Poster
 
Join Date: Jun 2007
Posts: 947
Default Re: Is anyone using Horizons Executable Lockdown

Not quite the same, I would encourage you to consider Sandboxie as your next investment.
  #3  
Old March 20th, 2009, 06:03 AM
Osaban Osaban is offline
Massive Poster
 
Join Date: Apr 2005
Posts: 3,093
Default Re: Is anyone using Horizons Executable Lockdown

Quote:
Originally Posted by bgoodman4
I was wondering if anyone is using Executable Lockdown http://www.executablelockdown.com/ and if it's a good addition to a PC's security toolbox,,,,,or is there a better choice out there.

Thanks in advance.

I've had it for a while and to be honest I was just about to buy it as you don't really need any AV with it, it will just stop any new executables. The reason I didn't in the end was that a discount was available at the time, but "Cleverbridge" the company in charge of receiving payment didn't know anything about it, and I let it go (a matter of principle).

I do have an alternative, AntiExecutable from Faronics the makers of DeepFreeze. It remains still one of the hardest programs to crack from malware. The new version compatible with Vista has had mixed reviews here at Wilders. I have a license, but I don't use it with my personal computer as it doesn't allow a program (FirstDefense PC Rescue) to work properly. It is based on creating a white list of programs on your computer, and anything new will have to be allowed eventually by the user, very simple and effective (the old version used to deny by default). Some people found it fastidious to have, and as usual a trial is the best way to see how it responds to your system. Support from Faronics is excellent.
__________________
Samsung Series 7 Chronos & Windows 8 (64bit)
“We are the cosmos made conscious and life is the means by which the universe understands itself.” Brian Cox
  #4  
Old March 20th, 2009, 11:16 AM
bgoodman4 bgoodman4 is offline
Very Frequent Poster
 
Join Date: Jan 2009
Posts: 1,953
Default Re: Is anyone using Horizons Executable Lockdown

Thank you Osaban, I will give them both a try.
  #5  
Old March 20th, 2009, 11:18 AM
bgoodman4 bgoodman4 is offline
Very Frequent Poster
 
Join Date: Jan 2009
Posts: 1,953
Default Re: Is anyone using Horizons Executable Lockdown

Quote:
Originally Posted by nanana1
Not quite the same, I would encourage you to consider Sandboxie as your next investment.

I have this program already but I like the idea that the lock programs work all the time, not just when browsing or when a program is sand boxed.
  #6  
Old March 20th, 2009, 11:25 AM
bgoodman4 bgoodman4 is offline
Very Frequent Poster
 
Join Date: Jan 2009
Posts: 1,953
Default Re: Is anyone using Horizons Executable Lockdown

Hummm, just took a look at the pricing of AntiExecutable and I must say I am not crazy about the mandatory maintenance package. The program would cost $31 and the support package $63.

OOPS found a site where I can get a licence for $45 Canadian $ (I am Canadian) including the maintenance package. This is much better (obviously) and is competitive with the Horizon product.

Last edited by bgoodman4 : March 20th, 2009 at 11:31 AM.
  #7  
Old March 20th, 2009, 11:49 AM
Dark Star 72 Dark Star 72 is offline
Frequent Poster
 
Join Date: May 2007
Location: UK
Posts: 580
Default Re: Is anyone using Horizons Executable Lockdown

I have used Executable Lockdown and like it, however I have been using the new returnil personal (free) without a partition in memory caching mode and find the Anti Execute function built into it very good. It will take a couple of days to train it like using a HIPS does. A couple of links to relevant pages here at Wilders:

http://www.wilderssecurity.com/showthread.php?t=235177

http://www.wilderssecurity.com/showthread.php?t=236602
  #8  
Old March 20th, 2009, 01:37 PM
bgoodman4 bgoodman4 is offline
Very Frequent Poster
 
Join Date: Jan 2009
Posts: 1,953
Default Re: Is anyone using Horizons Executable Lockdown

Quote:
Originally Posted by Dark Star 72
I have used Executable Lockdown and like it, however I have been using the new returnil personal (free) without a partition in memory caching mode and find the Anti Execute function built into it very good. It will take a couple of days to train it like using a HIPS does. A couple of links to relevant pages here at Wilders:

http://www.wilderssecurity.com/showthread.php?t=235177

http://www.wilderssecurity.com/showthread.php?t=236602

Thanks for your reply. I have Returnil but only use it when I am concerned about something I am doing, such as trying new software or browsing. I like the idea of the lock-down type programs because it's on all the time. It does not matter if you have installed something (and installed an unexpected rider on it) or downloaded a file you want to keep (or think you need to keep - such as an infected file from a friend), you are protected. With Returnil at some point you will turn off the virtual mode and leave your PC exposed to something that may begin running in the background. Lock-down programs (as I understand them considering I just became aware of them) will prevent the thing from running in the first place. If anything I would think a lock-down program would replace a virtualization program rather than the other way around. Not that one would really replace the other. Since they work differently I suspect they both have their place in a security regime. Yes there is overlap, but each does something the other does not do. Anyway, that's my impression at this point.

EDIT: just looked at the links you provided and realised I did not know everything there was to know about Returnil (I have a paid version but have not read through the users guide yet, the program was/is so easy to use I did not feel a need). I will have to learn more about this but my immediate thought is related to you saying that you need to train Returnil. As I understand it you do not have to do this with the lock-down programs, at least you don't have to with the Horizons program. It's just on. Now I realise if you install a lock-down program that will allow anything already on your PC to run then if you have an issue it will continue to be an issue. It is clearly best if you install a program like this on a brand spanking new PC. On the other hand not having to know what to allow and what not to in terms of an OS and legit apps is a big plus for folks like me without a lot of technical know how. At worst if I find that something wants to run and I have no idea what it is I can ask on this forum. With Returnil I would have to know enough to know if it's OK to allow any sort of process to run (I think). I would imagine this would include every essential process and every non-essential but required process. That's a bit more than I could handle (I think).

Last edited by bgoodman4 : March 20th, 2009 at 01:53 PM.
  #9  
Old March 20th, 2009, 04:20 PM
Dark Star 72 Dark Star 72 is offline
Frequent Poster
 
Join Date: May 2007
Location: UK
Posts: 580
Default Re: Is anyone using Horizons Executable Lockdown

Sorry for being a bit late replying. In the new versions of Returnil you can have Anti Execute on all the time whether you are using session lock or not, it works with it but is also independent of it. If you have to approve or deny anything in Anti Execute while you have session lock on when you reboot the changes if any to Anti Execute remain after the reboot, if you blocked something it will still be in the black list after the reboot.
To clarify what I meant about training it, an example - when I installed Returnil it created a White List which had my printer on it, when I went to use the printer I had two requests to allow or deny the printers drivers 'starting up', of course I allowed them. I have a couple of games I play with short cuts on the desktop, I also have a calendar short cut. When activating them I got a request from Returnil AE - allow/deny. Simple things like that. Although they are on the White List you need to approve the running of them. Nothing can start up without your approval. After a couple of days almost anything that needs approval to run has been activated and approved.
Hope that helps.
  #10  
Old March 20th, 2009, 06:53 PM
demoneye demoneye is offline
Very Frequent Poster
 
Join Date: Dec 2007
Location: ISRHell
Posts: 1,219
Default Re: Is anyone using Horizons Executable Lockdown

AE conflicts with Sandboxie drivers. Makes SB not load ...
__________________
Eaz Fix 10
WINDOWS 8 FIREWALL
Sandboxie (64-bit)
Secuirty software no.1~> YOUR SKILLS
Prevention is better than the cure
using win 8 Pro X64
  #11  
Old March 21st, 2009, 12:03 AM
bgoodman4 bgoodman4 is offline
Very Frequent Poster
 
Join Date: Jan 2009
Posts: 1,953
Default Re: Is anyone using Horizons Executable Lockdown

Quote:
Originally Posted by Dark Star 72
Sorry for being a bit late replying. In the new versions of Returnil you can have Anti Execute on all the time whether you are using session lock or not, it works with it but is also independent of it. If you have to approve or deny anything in Anti Execute while you have session lock on when you reboot the changes if any to Anti Execute remain after the reboot, if you blocked something it will still be in the black list after the reboot.
To clarify what I meant about training it, an example - when I installed Returnil it created a White List which had my printer on it, when I went to use the printer I had two requests to allow or deny the printers drivers 'starting up', of course I allowed them. I have a couple of games I play with short cuts on the desktop, I also have a calendar short cut. When activating them I got a request from Returnil AE - allow/deny. Simple things like that. Although they are on the White List you need to approve the running of them. Nothing can start up without your approval. After a couple of days almost anything that needs approval to run has been activated and approved.
Hope that helps.

Ah, so it's essentially the same as the Horizon product, that's great. Thanks for the info. I will begin to use it immediately.
  #12  
Old March 21st, 2009, 12:02 PM
Firebytes Firebytes is offline
Frequent Poster
 
Join Date: May 2007
Posts: 859
Default Re: Is anyone using Horizons Executable Lockdown

Quote:
Originally Posted by Dark Star 72
Sorry for being a bit late replying. In the new versions of Returnil you can have Anti Execute on all the time whether you are using session lock or not, it works with it but is also independent of it.~snip~

I have not yet moved to the latest Returnil version myself but the user manual on their website states (on page fifty-seven) that the anti-execute function only works while Returnil protection is on. Am I misinterpreting it, is the manual in error, or are you mistaken that it works all the time independent of Returnil protection being on?
  #13  
Old March 21st, 2009, 02:31 PM
Dark Star 72 Dark Star 72 is offline
Frequent Poster
 
Join Date: May 2007
Location: UK
Posts: 580
Default Re: Is anyone using Horizons Executable Lockdown

Quote:
Originally Posted by Firebytes
I have not yet moved to the latest Returnil version myself but the user manual on their website states (on page fifty-seven) that the anti-execute function only works while Returnil protection is on. Am I misinterpreting it, is the manual in error, or are you mistaken that it works all the time independent of Returnil protection being on?

I queried this function with Coldmoon while Returnil 2.1 was still in beta. This is the answer he gave me:

http://www.wilderssecurity.com/showthread.php?t=231230

If I have misunderstood his answer my apologies, or perhaps they have changed it when it came out of beta. I cannot test to confirm one way or the other at the moment as I have Rollback Rx on board for some beta testing but will have a look at this for my own information later when I have uninstalled Rollback.
Don't fancy trying to run Rollback and Returnil at the same time to find out if they are compatible or not
  #14  
Old March 21st, 2009, 02:56 PM
Firebytes Firebytes is offline
Frequent Poster
 
Join Date: May 2007
Posts: 859
Default Re: Is anyone using Horizons Executable Lockdown

Thanks Dark Star 72, it looks to me like he is saying that it works regardless of protection status as well. Maybe they need to reword their user manual in regard to the anti-execute function.
  #15  
Old March 21st, 2009, 04:19 PM
Rmus Rmus is offline
Exploit Analyst
 
Join Date: Mar 2005
Posts: 3,624
Default Re: Is anyone using Horizons Executable Lockdown

This from the vendor's web site:

Quote:
Its small kernel mode driver filters all executable files, regardless of their file extension (.exe .com .sys .dpl etc...).

By default all applications and executables that are already installed on the PC are added to Executable Lockdown's allowed list of applications (White-List). Any new executable that is launched or introduced via any media (physical or removable drives, network shares, USB drives, Internet ftp etc.) will be prevented from running.

Evidently this doesn't include all executable file types. I was able to use MSWord to load a DLL from a flash drive.
I use a version of the DLL different from the current XP file.
I show that Executable Lockdown is running:

[Image: hmmapi-exeLockdown.gif]

Anti-Executable v.2 successfully blocks:

[Image: hmmapi-AE.gif]

As you know, Conficker loads a DLL.

Otherwise, Executable Lockdown seems to be a pretty good product. It's just not as robust as it is made out to be.

----
rich
  #16  
Old March 21st, 2009, 05:46 PM
Dark Star 72 Dark Star 72 is offline
Frequent Poster
 
Join Date: May 2007
Location: UK
Posts: 580
Default Re: Is anyone using Horizons Executable Lockdown

Rmus,
Is there any chance you could run those or any other exploits against the Returnil Anti Execute sometime? I unfortunately do not have your experience or expertise at this. As this thread is about Executable Lockdown and I was partly responsible for taking it off line perhaps you could start a new post if it is possible to test Returnil.
With Faronics AE2 no longer available quite a few people must be looking for a viable alternative.
  #17  
Old March 22nd, 2009, 01:13 AM
bgoodman4 bgoodman4 is offline
Very Frequent Poster
 
Join Date: Jan 2009
Posts: 1,953
Default Re: Is anyone using Horizons Executable Lockdown

Quote:
Originally Posted by Dark Star 72
Don't fancy trying to run Rollback and Returnil at the same time to find out if they are compatible or not

It's interesting that you should mention this at this time as I just had the experience. Without thinking (I tend to do that more often these days) I turned Returnil on and went into protected mode. I have RollBack set to take a snap each hour and had 2 snaps taken during the time Returnil was active. I must admit I rebooted the PC with some trepidation but was pleasantly surprised when the PC booted normally. I was also surprised to find that the snaps RollBack had taken while Returnil's protection was enabled were present. Now I did not try reverting to one of these snaps but..........
  #18  
Old March 22nd, 2009, 01:15 AM
bgoodman4 bgoodman4 is offline
Very Frequent Poster
 
Join Date: Jan 2009
Posts: 1,953
Default Re: Is anyone using Horizons Executable Lockdown

Quote:
Originally Posted by Dark Star 72
Rmus,
Is there any chance you could run those or any other exploits against the Returnil Anti Execute sometime? I unfortunately do not have your experience or expertise at this. As this thread is about Executable Lockdown and I was partly responsible for taking it off line perhaps you could start a new post if it is possible to test Returnil.
With Faronics AE2 no longer available quite a few people must be looking for a viable alternative.

No need to do this as I am interested in both apps (and I started the thread so I guess I can give permission to take it a tad off topic).
  #19  
Old March 22nd, 2009, 02:58 AM
Rmus Rmus is offline
Exploit Analyst
 
Join Date: Mar 2005
Posts: 3,624
Default Re: Is anyone using Horizons Executable Lockdown

Quote:
Originally Posted by Dark Star 72
Rmus,
Is there any chance you could run those or any other exploits against the Returnil Anti Execute sometime?

No, but I've got the files on my web site so you can do the test yourself. It's really better to test on your own system so you can observe the results first hand:

http://www.urs2.net/rsj/DLL.zip

[Image: DLLzip.gif]

Place both the MSWord document and the DLL in the same folder, then open the MSWord document.

DESCRIPTION OF TEST

Hmmapi.dll executes the Hotmail MailTo protocol. The DLL resides in

C:\Program Files\Internet Explorer

and the command is invoked from this Registry Key using rundll32.exe:

[Image: hotmail-registry.gif]

Now, this DLL will be White Listed by an execution prevention program, so I use the Win2K version of the DLL and in WinXP, I made the MSWord document with that command in a macro. If successful in loading the DLL, the Windows Live login page will launch in Internet Explorer:

[Image: hotmail-load.gif]

But since the Win2K DLL is not White Listed, it should be blocked as it was by AE v2 as I showed in my previous post.
Executable Lockdown and AppGuard did not block. Lucy showed earlier that SRP will block unauthorized DLLs.

You can also attempt to load this DLL from a USB drive using Autorun.inf:

Code:
[Autorun]
Shellexecute=rundll32.exe hmmapi.dll,MailToProtocolHandler %1

Put the Autorun.inf and DLL files on your USB drive then connect the drive with Autorun enabled.

Regarding Returnil, it is not useful for the home environments I have in mind, where I want a "set and forget" solution. Fortunately, AE2 can be used until Win2K/XP become obsolete and require an upgrade.

By the way, here is something not many programs will do: I attempt to copy the Win2k DLL to overwrite the WinXP DLL and AE v2 blocks with its Copy Prevention:

[Image: hmmapi-xxcopy.gif]

Lucy says that SRP will also prevent this.

If you attempt this, be sure and make a copy of your DLL.

----
rich
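
Added example, not part of the thread and not code from any product named in it: a small model of the test described in post #19, where a different build of a DLL whose name is already on the white list is loaded through an allowed program. It assumes a white list keyed on the SHA-256 of file contents and classifies files by PE header; the `Allowlist` class, the function names and the sample images are constructed for illustration and do not describe how Executable Lockdown, Anti-Executable or SRP actually decide.

```python
import hashlib
import struct

IMAGE_FILE_DLL = 0x2000  # COFF Characteristics bit that marks a DLL


def pe_kind(data):
    """Classify by PE headers, never by file name: 'exe', 'dll' or None."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return None
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)
    if e_lfanew + 24 > len(data) or data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        return None
    (characteristics,) = struct.unpack_from("<H", data, e_lfanew + 22)
    return "dll" if characteristics & IMAGE_FILE_DLL else "exe"


def make_pe(characteristics, body):
    """Build a constructed, header-only PE image for the demo (not loadable)."""
    dos = bytearray(0x40)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)  # e_lfanew points just past the stub
    coff = struct.pack("<HHIIIHH", 0x014C, 0, 0, 0, 0, 0, characteristics)
    return bytes(dos) + b"PE\0\0" + coff + body


class Allowlist:
    """Hypothetical white list built from what is installed at enrolment."""

    def __init__(self):
        self.names, self.hashes = set(), set()

    def enroll(self, name, data):
        self.names.add(name.lower())
        self.hashes.add(hashlib.sha256(data).hexdigest())

    def decide(self, name, data, key="hash", cover_dlls=True):
        kind = pe_kind(data)
        if kind is None or (kind == "dll" and not cover_dlls):
            return "allow"  # this policy never inspects the file
        if key == "name":
            ok = name.lower() in self.names
        else:
            ok = hashlib.sha256(data).hexdigest() in self.hashes
        return "allow" if ok else "block"


# Constructed stand-ins for the files in the test (assumed, not real binaries).
XP_DLL = make_pe(0x2002, b"constructed stand-in: WinXP build")
W2K_DLL = make_pe(0x2002, b"constructed stand-in: Win2K build")
WORD_EXE = make_pe(0x0002, b"constructed stand-in: word processor")

ALLOW = Allowlist()
ALLOW.enroll("hmmapi.dll", XP_DLL)   # snapshot of what is already installed
ALLOW.enroll("winword.exe", WORD_EXE)

if __name__ == "__main__":
    policies = [("exe-only filter", {"cover_dlls": False}),
                ("name-keyed list", {"key": "name"}),
                ("hash-keyed list, DLLs covered", {})]
    for label, kwargs in policies:
        print(label, "->", ALLOW.decide("hmmapi.dll", W2K_DLL, **kwargs))
```

Only the last policy blocks the swapped build; the first two let it through because the file is either never inspected or matched on a name that is already trusted.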
  #20  
Old March 22nd, 2009, 08:33 AM
Peter2150 Peter2150 is offline
Global Moderator
 
Join Date: Sep 2003
Posts: 11,808
Default Re: Is anyone using Horizons Executable Lockdown

Quote:
Originally Posted by bgoodman4
No need to do this as I am interested in both apps (and I started the thread so I guess I can give permission to take it a tad off topic).

Yes, there is. It's not the OP's prerogative to give permission to take a thread off topic. It's forum policy that threads stay on topic.

I agree, if RMUS can do it that would be great but another thread is the right way to do it.

Pete
  #21  
Old March 22nd, 2009, 08:36 AM
Dark Star 72 Dark Star 72 is offline
Frequent Poster
 
Join Date: May 2007
Location: UK
Posts: 580
Default Re: Is anyone using Horizons Executable Lockdown

Quote:
Originally Posted by bgoodman4
It's interesting that you should mention this at this time as I just had the experience. Without thinking (I tend to do that more often these days) I turned Returnil on and went into protected mode. I have RollBack set to take a snap each hour and had 2 snaps taken during the time Returnil was active. I must admit I rebooted the PC with some trepidation but was pleasantly surprised when the PC booted normally. I was also surprised to find that the snaps RollBack had taken while Returnil's protection was enabled were present. Now I did not try reverting to one of these snaps but..........

Thanks for that bit of info, perhaps when I have next taken a full back up image and can do an up to date restore if necessary I'll try that out
  #22  
Old March 22nd, 2009, 08:39 AM
Dark Star 72 Dark Star 72 is offline
Frequent Poster
 
Join Date: May 2007
Location: UK
Posts: 580
Default Re: Is anyone using Horizons Executable Lockdown

Rmus,
thanks for the link and info, as soon as I have the time I'll see if I can try it out.
  #23  
Old March 22nd, 2009, 06:11 PM
bgoodman4 bgoodman4 is offline
Very Frequent Poster
 
Join Date: Jan 2009
Posts: 1,953
Default Re: Is anyone using Horizons Executable Lockdown

Quote:
Originally Posted by Peter2150
Yes, there is. It's not the OP's prerogative to give permission to take a thread off topic. It's forum policy that threads stay on topic.

I agree, if RMUS can do it that would be great but another thread is the right way to do it.

Pete

OK, sorry about that.

HEY YOU GUYS,,,,,,STAY ON TOPIC,,,,,,thanks.
 
