Faronics Anti-Executable Version 4 is Released

[Rmus]

The most significant change from Version 3 is the inclusion of DLL protection. Upon installation, Anti-Executable (AE) creates a White List of the following executable file types by default:

.scr, .jar, .bat, .com, .exe.

There is the option to include .dll files.

A word on executables:

By strict definition, an executable file can be a binary file (EXE, DLL, etc) or an ASCII file, aka a script file (BAT, VBS). An executable file "executes" code, carries out instructions.

By convenience, we use "executable" for binary files,and "script" for the ASCII or plain text files. AE has added a script file type, .bat, to the list of executables it monitors.

Anti-Executable's sole purpose in life is to block these executables from running from disk if not on the White List.

I've had a chance to run a few tests -- WinXP SP3.

Remote Code Execution - Autoplay/Autorun from CD-ROM
Not being on the White List, AE will alert if Autoplay/Autorun are enabled for the CD/DVD drive, and attempt to launch the executable:



Note the Alert message and compare with the following:



The first is the Alert message that the AE Administrator and her/his trusted users see.
The second is what all other users, called "external" users, see.
It is completely Default-Deny so that these users cannot run any executable without your permission.

This would also alert a user if certain music CDs happened to have certain types of (ahem, unwanted) software bundled...

Remote Code Execution - Browser Exploit - IE8
A quick search found this -- I think it is a Java exploit since my firewall alerted to an outbound connection:



Tests continued in next post

[Rmus]

Remote Code Execution -- LNK vulnerability - POC
The DLL file is blocked from executing.



Note the program executing: rundll32.exe.
By accident I discovered that IExplore.exe can also trigger the exploit, as I saw when uploading a file to virus total. As IE browses to the Desktop, the specially crafted LNK file is triggered. Note the program executing.



NOTE: If you followed this exploit last year, you know that the LNK file has to point directly to the target. To see an actual exploit in the wild in action, you would need the particular USB drive with the specific files pointing to that particular drive by ID number. Hence, the POC requires putting the DLL on C: so that the LNK file can find it. It's the only way of demonstrating the vulnerability.

Remote Code Execution - email attachment -- embedded executable, SCR file
This SCR file is triggered by packager.exe, a trusted Windows file, which extracts the "package" -- in this case, an executable.



Remote Code Execution from USB -- Autorun.inf
Autorun from USB has been fixed but I use it as an easy way to demonstrate the remote code execution type of exploit. It could be a PDF file or Flash object.

I renamed a non-whitelisted executable to .tmp to show that AE doesn't just look at file extensions:

Code:

[autorun]
open=xc4.tmp

Here, I have the autorun.inf file call a .bat file:

Code:

[autorun]
open=1.bat

The BAT file:

Code:

start xc4.tmp

The AE4 Release notes indicate that certain file types bring up a Windows Alert rather than the AE alert.

CONCLUSION:

If you are looking for a stand-alone anti-execution program, AE4 is very robust and easy to set up. While aimed at organizations and institutions, I've used it for home systems for years because of its ease of use, and its Default-Deny.

If you decide to download an evaluation copy, please be sure and read the User Manual FIRST -- especially the instructions on how to open to the configuration window, and how to uninstall the program!

The User Manual comes with the installation file, and can also be downloaded separately.

regards,

-rich

[Noob]

Sounds like SRP

[Rmus]

Indeed!

I complained for years that Microsoft did not include SRP in the Home editions. That is, until I saw the tutorials by Wilders Experts Tlu, Sully, Lucy.

I don't think it would be that easy for the average home user to set up -- perhaps this is why MS did not include it for those editions.

Also, I understand it's a bit cumbersome to set up with DLL protection.

regards,

-rich

[Osaban]

Thanks Rich! I'll test it on my Vista machine, besides the .dll files the last version was still buggy with Vista (it runs perfectly with XP).

[Boost]

Might have to try this out again!

I ran Faronics Anti-Executable with their Deepfreeze,nothing got by that setup

[Osaban]

Bad news installing AE V4 on my my Vista Ultimate: my boot time went from 45 seconds to 4 minutes, the white list was at times accessible at times grayed out, it blue screened while I was rebooting, and last but not least it took 5 minutes for the AE icon to appear on the tray. A real disaster. AE V3 works flawlessly on 2 XP notebooks, but I have never had any luck with Vista.

[jmonge]

this program sounds very interesting

[Cutting_Edgetech]

I was looking for a data sheet on Faronics website for AE4, but i could not find one. I'm wanting to know what filetypes or extensions AE protects the user from executing malicious code.

[Rmus]

These are mentioned in the User Manual, which can be downloaded from the product Download page.

I listed the filetypes in my first post.

----
rich

[jmonge]

it is similar to appguard protection

[Blackcat]

Would be great if Rmus has the time to put AppGuard through some similar tests.

[CloneRanger]

@ Rmus

Great news regarding Faronics listening to you at long last and once again including .DLL protection

Quite they removed it before ? Doesn't make much sense

I detect that you're a happy chappy now and rightly so

I might even think about trying it

[Rmus]

Well, I don't think my complaints carried too much weight -- I'm not connected with Faronics in any way.

Yes, I'm happy they have reinstated DLL monitoring, however, I discovered last evening that it doesn't block DLL with a spoofed file extension. I've notified Faronics about this.

It does block with EXE when spoofed -- I posted one test earlier in the thread.

Regarding AppGuard -- I did test it when it was originally released, and posted to the original thread. At that time it didn't block DLL, but I assume it does now. Yes, it is a very good, robust product.

----
rich

[jmonge]

indeed my friend

[trismegistos]

Quote:

Originally Posted by Rmus

Yes, I'm happy they have reinstated DLL monitoring, however, I discovered last evening that it doesn't block DLL with a spoofed file extension. I've notified Faronics about this.

Hopefully, future AE releases/updates will cover that issue.

[farmerlee]

Just gave it a spin on Windows 7 64 bit and i seem to be having some issues. It seems to add a significant delay to system start up for some reason and then after a few reboots its decided to completely freeze my system on boot up. Had to do a system restore to fix it. Anyone else experiencing similar problems?

[aigle]

Quote:

Originally Posted by Rmus

Regarding AppGuard -- I did test it when it was originally released, and posted to the original thread. At that time it didn't block DLL, but I assume it does now.

It doesn,t still.

[Cutting_Edgetech]

How do you make the GUI visible? I have not tried AE in years. Clicking on the tray icon does nothing.

[Thankful]

Quote:

Originally Posted by Cutting_Edgetech

How do you make the GUI visible? I have not tried AE in years. Clicking on the tray icon does nothing.

Try <Shift> double-click mouse.

[Blackcat]

Quote:

Originally Posted by Cutting_Edgetech

How do you make the GUI visible? I have not tried AE in years. Clicking on the tray icon does nothing.

Hold down the Shift Key then double-click on the tray icon.

Remember to keep hold of the installer file or you will not be able to uninstall the program.

[Thankful]

Version 3 was very buggy. I'm sure version 4 is the same. Not worth $45 plus maintenance IMO.

[Cutting_Edgetech]

Thanks guys that worked!

[Rmus]

Hello, Thankful,

I used Verison 3, and currently using Version 4, on WinXP SP3 with no issues. Did you contact Faronics Support?

regards,

-rich

Quote:

Originally Posted by Thankful

Version 3 was very buggy. I'm sure version 4 is the same. Not worth $45 plus maintenance IMO.

[Thankful]

Yes, many times.

Quote:

Originally Posted by Rmus

Hello, Thankful,

I used Verison 3, and currently using Version 4, on WinXP SP3 with no issues. Did you contact Faronics Support?

regards,

-rich