Anti-Executable and ThreatFire + other ?

Discussion in 'other anti-malware software' started by ErikAlbert, Apr 12, 2008.

Thread Status:
Not open for further replies.
  1. Rmus

    Rmus Exploit Analyst

    Joined:
    Mar 16, 2005
    Posts:
    4,020
    Location:
    California
    Here lies the basic difference between Anti-Executable and other products:
    AE's Copy Protection prevents the caching of the executable, so nothing can be copied to a system folder.

    An example is an old MS06-014 exploit. Even though it's old and patched, I've removed some code so that it won't work:

    [screenshot: happyhtm1.gif]

    -- The script calls to download an executable, 2.exe
    -- A filename path is created: ...\temp\svchost.exe
    -- The executable 2.exe is copied to \temp\ with that filename

    As the exploit runs, AE blocks the executable from being dropped to the cache.
    Note the reason: Copy. When something downloads, it is "copied" from the web site to the
    computer.

    The script attempts to execute svchost.exe, but Windows displays an error message,
    because svchost.exe is a 0-byte file, since 2.exe did not download:

    [screenshot: svchost.gif]

    [screenshot: 2exe-ae.gif]

    To show how the exploit would run if the executable were permitted to cache,
    I'll turn off AE's Copy Protection and let a file download. Since the malicious link
    no longer works, I'll substitute a link to win32pad_1_5_10_3.exe, a Notepad replacement,
    in the code above.

    The file downloads,

    [screenshot: svchost-win32pad.gif]

    then the script copies it to /temp/ as svchost.exe and attempts to launch the file.
    This time it is a valid file, and AE blocks it because it is not on the White List.

    Note also the reason: Open (or run, execute)
    Note also that the Program Name (application) is IExplore: this is an IE browser exploit
    and IE, not Windows, does the work.

    [screenshot: svchost-svc2.gif]

    It's evident in both cases that AE is White List Execution Prevention,
    and not a behavior blocker.

    Copy protection is a useful feature on computers shared by several users. The Administrator (or parent) knows that no one can download software without permission, and the parent doesn't have to worry about unauthorized files hanging around on the computer, for if the parent turns off AE to download something, those unauthorized files are now included on the White List when AE is turned back on.


    ----
    rich
     
    Last edited: Apr 13, 2008
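An added example (my own Python model, not Faronics' Anti-Executable code or anything posted in this thread) that replays the sequence in Rmus's post: a White List snapshotted at enable time, copy protection that leaves only a 0-byte file behind, and an "Open" decision keyed to the file hash. File names, file contents and the IExplore/Explorer program labels are constructed; the trusted executable is created before protection is enabled, which is exactly the caveat about files that are present when AE is turned back on.

```python
import hashlib, os, tempfile

EXE_EXT = (".exe", ".dll", ".scr")

def digest(path):
    with open(path, "rb") as f:
        return hashlib.sha256(f.read()).hexdigest()

class WhiteListEP:
    """Default-deny model: run only what was hashed at enable time."""
    def __init__(self, root, copy_protection=True):
        self.copy_protection, self.log = copy_protection, []
        # Snapshot every executable already present: this is the caveat in
        # the post, anything dropped while AE was off becomes trusted.
        self.whitelist = {digest(os.path.join(d, n)) for d, _, fs in os.walk(root)
                          for n in fs if n.lower().endswith(EXE_EXT)}

    def copy(self, data, dest, program):
        name = os.path.basename(dest)
        if self.copy_protection and name.lower().endswith(EXE_EXT):
            open(dest, "wb").close()          # only a 0-byte file remains
            self.log.append(("Copy", name, program, "BLOCKED"))
            return False
        with open(dest, "wb") as f:           # a download is just a copy
            f.write(data)
        self.log.append(("Copy", name, program, "ALLOWED"))
        return True

    def execute(self, path, program):
        name = os.path.basename(path)
        if os.path.getsize(path) == 0:        # Windows refuses an empty image
            self.log.append(("Open", name, program, "ERROR"))
            return False
        ok = digest(path) in self.whitelist   # not on the White List -> deny
        self.log.append(("Open", name, program, "ALLOWED" if ok else "BLOCKED"))
        return ok

def run_scenario(copy_protection):
    """Replay the post: IExplore drops 2.exe as temp\\svchost.exe and runs it."""
    with tempfile.TemporaryDirectory() as root:
        os.mkdir(os.path.join(root, "temp"))
        trusted = os.path.join(root, "win32pad.exe")   # constructed, pre-AE
        with open(trusted, "wb") as f:
            f.write(b"MZ-constructed-trusted-sample")
        ae = WhiteListEP(root, copy_protection)
        dropped = os.path.join(root, "temp", "svchost.exe")
        ae.copy(b"MZ-constructed-2exe-payload", dropped, "IExplore")
        ae.execute(dropped, "IExplore")
        ae.execute(trusted, "Explorer")
        return [(ev, n, res) for ev, n, _, res in ae.log]
```

With copy protection on, the drop is refused and the launch fails on the empty file; with it off, the file lands but is still denied at "Open" because its hash was not in the snapshot.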
  2. subset

    subset Registered Member

    Joined:
    Nov 17, 2007
    Posts:
    825
    Location:
    Austria
    I did a test today, TF against a new virus/trojan, and TF stopped this Multi-Admin-Tool.exe from doing any bad things on my system.
    http://www.virustotal.com/de/analisis/63bc2ad4802d2f670db2ac10aa15ac65

    It locked down two exes, Multi-Admin-Tool.exe and multiadmin.exe and denied the creation of the sys32.exe in system32 dir.
    Therefore I assume it protected me.

    A HIPS like EQSecure would of course generate a lot more prompts and detailed information, but maybe not as much as the Secure Systems Lab from the Vienna University of Technology.
    http://anubis.seclab.tuwien.ac.at/result.php?taskid=5ef5903acb339e44f112fe1e5912e3af

    So is TF as reliable as a HIPS? I think so.
    Is it worse than a HIPS with regard to protection? Depends on the HIPS.

    Cheers
     
  3. ErikAlbert

    ErikAlbert Registered Member

    Joined:
    Jun 16, 2005
    Posts:
    9,455
    AE would do the same thing and even when AE = off, I remove all these changes during reboot. :)
    I'm looking for a good argument to use TF.
     
  4. ErikAlbert

    ErikAlbert Registered Member

    Joined:
    Jun 16, 2005
    Posts:
    9,455
    Suppose a good authorized executable is used as an exploit. Will TF stop that?
     
  5. lucas1985

    lucas1985 Retired Moderator

    Joined:
    Nov 9, 2006
    Posts:
    4,047
    Location:
    France, May 1968
    When TF pops up an alert about malicious behaviour and you decide to Quarantine, TF rolls back all the changes done :)
    Yes :) The question is, how to exploit that authorized executable without another executable (for example a DLL for rundll32.exe). That other executable will be stopped by AE before exploiting anything. But you can save and run executable code even under the watchful eye of AE: scripts :) Here, we enter theoretical land.
     
  6. Rmus

    Rmus Exploit Analyst

    Joined:
    Mar 16, 2005
    Posts:
    4,020
    Location:
    California
    Yes, that's a nice feature. But in the situations where I install AE, it's for remote code execution protection only, or preventing unauthorized installation of software, and I don't want users prompted for a decision; I want Default-Deny.
     
  7. lucas1985

    lucas1985 Retired Moderator

    Joined:
    Nov 9, 2006
    Posts:
    4,047
    Location:
    France, May 1968
    Clear as crystal
    AE is the app to choose if you want to lock down a machine and don't want users deciding what to do ;)

    For Erik,
    Since you want an immediate rollback of malware execution, TF offers this possibility when you quarantine a malicious app. You still need to decide what is malicious behaviour and what is a FP. If you think that the FP rate of TF is low enough for you, give it a go.
     
  8. ErikAlbert

    ErikAlbert Registered Member

    Joined:
    Jun 16, 2005
    Posts:
    9,455
    Right, that is exactly the problem: malicious or harmless. I don't see the difference between the two. I hope TF gives a good explanation to make it easier for me to decide. Most average users will have that problem.
     
  9. EASTER

    EASTER Registered Member

    Joined:
    Jul 28, 2007
    Posts:
    11,126
    Location:
    U.S.A. (South)
    With a qualified and knowledgeable human in programming control of a HIPS, compared to say ThreatFire, which employs a database of submissions, I just wonder what the percentage of difference there really is between two such methods.

    Personally, with HIPS, I know enough areas of potential misuse, and where I don't, others usually contribute their knowledge to that end for adequate coverage of what was missed, and you might say that's something of a community-supported whitelist/blacklist method itself.

    I don't believe the two are so far apart as they're made out to be, although there are striking differences in both approaches, and that is one reason why I once used BOTH System Safety Monitor and Cyberhawk, but things have changed since then.
     