A sensible approach to anti-executables?

Discussion in 'other anti-malware software' started by Gullible Jones, Jul 29, 2012.

Thread Status:
Not open for further replies.
  1. Generally the way I hear about anti-executables being used is with either with a whitelist approach, or by querying the user. Both are pretty inconvenient, especially the latter.

    But how about using an anti-executable to control what processes can launch stuff, instead of having default-deny for all applications? This is theoretically a weaker approach, but in practice I suspect it would be less annoying and less error prone.


    Your browser is an obvious threat gateway, and most persistent malware makes use of a process launched by the browser... So you set up the AE program to block the browser from launching anything, period, and never ask you. This puts the kibosh on a large percentage of drive-by installs. Same for the PDF reader, the media player, etc.

    With a more advanced AE program you might be able to have per-application whitelists, so the browser could launch the media player or the PDF viewer but not anything else.

    The obvious weak point here is that this approach doesn't cover Windows Explorer, so things like the infamous LNK exploit would not be prevented. OTOH, I'd say that using AE software on a per-application basis removes a lot of the human error factor associated with AEs.

    Any thoughts on this? Does it sound reasonable? I realize it's far from a perfect strategy, but this method seems to me to be much more amenable to use as a security layer than a whitelist.
  2. Hungry Man

    Hungry Man Registered Member

    May 11, 2011
    Any decent MAC system will allow this. Naturally AppArmor does. Sandbox Firefox and don't give it read/mmap/write access to an executable file and it can't execute it. Voila.

    Of course if your goal is "only let firefox launch firefox" you have to define what a "launch" is and then programatically define it in such a way that it can be intercepted. This is impossible in any practical way. I can launch anything from your browser and Apparmor won't do **** about it and neither will any AE. You'd need to intercept way more calls then a typical AE.

    Check out Trusted Path Execution.
    Last edited: Jul 29, 2012
  3. Not sure but for most AE software I suspect the definition involves invoking an actual executable file, probably with a CreateProcess() call. Obviously this won't intercept a lot of stuff, e.g. code execution by a buffer overrun in your browser's Javascript engine. Which is why I would call it a security layer, not a security solution.

    I could be completely wrong about that though - I don't know the internal mechanisms of AE software, either userspace or driver based.

    (And AppArmor is unfortunately limited to Linux. Which is too bad, because there are a lot of machines that Linux does not fully support, even now. I'm thinking more along the lines of Windows slopware.)
  4. Brandonn2010

    Brandonn2010 Registered Member

    Jan 10, 2011
    AppGuard is like an anti-executable. Does it meet his criteria?
Thread Status:
Not open for further replies.