Anti-Executable

Discussion in 'other anti-malware software' started by LoneWolf, Apr 12, 2007.

Thread Status:
Not open for further replies.
  1. Long View

    Long View Registered Member

    Joined:
    Apr 30, 2004
    Posts:
    2,295
    Location:
    Cromwell Country

    Why too late? There is nothing on this machine that any malware can damage.
    Perhaps I'm wrong, but assuming that confidential details like credit card numbers are safe, what damage can be done that I can't undo simply by rebooting?

    As I've said, I have never seen a virus nor suffered with malware, but if something bad gets on, so what? I would just reboot. If the program was clever enough to mess up FD-ISR I could always fall back on Acronis.
     
  2. ErikAlbert

    ErikAlbert Registered Member

    Joined:
    Jun 16, 2005
    Posts:
    9,455
    I always have the average user in mind and not everybody has a computer like YOU.
    I know one thing for sure:
    - FDISR doesn't recognize any malware.
    - FDISR allows the installation of any malware.
    - FDISR won't stop the execution of malware.
    - FDISR only removes malware as a CHANGE during REBOOT, not because it is malware.
    So between two reboots ANYTHING is possible in your system partition, that's what I'm telling you. If you are absolutely sure that nothing SERIOUS can happen in your system partition, then I have nothing more to say :)

    PS: you have a data partition on a second harddisk, just like me.
    Are you really sure that malware can't hurt that second harddisk? o_O
     
    Last edited: May 30, 2007
  3. Long View

    Long View Registered Member

    Joined:
    Apr 30, 2004
    Posts:
    2,295
    Location:
    Cromwell Country
    No, I'm not absolutely sure, which is why I'm still involved in this discussion.

    Can a virus or malware get across to a 2nd physical harddrive? If it can, can it do any damage to data? I think there is a tendency to assume that viruses and malware can make the user impotent, and to attribute almost magical powers to them.

    So can a virus or malware do any real permanent damage? Without FD-ISR, Acronis etc. life would be hell if a Trojan got on board, but with the ability to simply reboot, is there really a problem?

    In summary: when I update my good snapshot by going to the Microsoft site
    I understand that there is a theoretical risk of being contaminated, BUT is there much real risk, and even if contaminated, so what? Just restore an earlier image.

    Nothing in life is certain, but I think FD-ISR and frozen snapshots provide better security than all the AV, antispyware and HIPS programs combined
    --- without slowing down the system.
     
  4. ErikAlbert

    ErikAlbert Registered Member

    Joined:
    Jun 16, 2005
    Posts:
    9,455
    The same questions are going through my mind also and I don't know the answers; only an experienced malware expert can tell you this.
    If the killdisk virus is able to destroy C:\, I assume that another virus can destroy D:\. There is nothing special about D:\, it is just another harddisk like any other harddisk.
     
  5. Long View

    Long View Registered Member

    Joined:
    Apr 30, 2004
    Posts:
    2,295
    Location:
    Cromwell Country

    Not disagreeing with you. Let's say Son of Killdisk is born and kills my data drive. So what? It's a pain, but I would just reformat, partition, and restore my data image.

    It seems to me that I can never be quite sure of being protected no matter how many AV, antispyware, HIPS programs I install. No matter what anyone says, I feel that the more of these programs that are loaded, the more the PC suffers. One program might be OK, but with 5, 6 or even more a typical machine will spend more time protecting itself than running real programs.

    Solution: a good hardware firewall, Firefox, a decent imaging program and a decent freeze program. A 2nd hard drive is better (for many reasons) but optional.
     
  6. ErikAlbert

    ErikAlbert Registered Member

    Joined:
    Jun 16, 2005
    Posts:
    9,455
    I just gave one example. Most infections aren't that destructive. The smart bad guys don't kill the goose with the golden eggs. They prefer to steal the golden eggs as much and as quietly as possible, which can be money, information, identity data, passwords, ...
    If you don't have all that, or it is protected by encryption, I guess there won't be much to steal.
    I also think that most infections target the partition [C:], because that partition is common for most users and the most interesting one for the bad guys.
    Malware that targets more than one partition will be a threat for your data partition of course.
    There is so much malware around that you can expect anything, and as long as you are lucky nothing serious will happen, and very important: you start with a clean computer after each reboot. So possible infections need to be quick to do anything.

    Instead of Anti-Executable, I would like to have something like an Anti-Malware software that acts immediately on each unauthorized object in your system partition (Windows + Application). That would be more effective as protection and certainly faster than reboot, which is too late.

    Faronics' Anti-Executable works like that, but ONLY for executable objects. You can't even move your mouse over an unauthorized executable on your data partition without getting a warning from AE. I have this often in my data partition, when I move my mouse over an installation file of a software that isn't installed yet. :)
     
  7. SpikeyB

    SpikeyB Registered Member

    Joined:
    Mar 20, 2005
    Posts:
    479
    In order for Malware 1 to execute every few minutes, there must already have been something else executed and loaded into memory in order to trigger Malware 1 every few minutes. Malware 1 cannot self-execute on its own.

    AE would block the execution of the trigger for Malware 1 and also Malware 1.
     
  8. Peter2150

    Peter2150 Global Moderator

    Joined:
    Sep 20, 2003
    Posts:
    20,590
    Hi Longview

    Might not be that simple. Look at what I did to myself last weekend. I messed up the partition table worse than killdisk. Would have gladly reformatted but couldn't. Couldn't use my Windows CD, it bluescreened. Couldn't use a DOS WD utility: no RAID drivers, and it couldn't see the disk. Only by chance I remembered to give BootIt NG a try. Without that I don't know what I'd have done.

    Pete
     
  9. flinchlock

    flinchlock Registered Member

    Joined:
    Jan 30, 2005
    Posts:
    554
    Location:
    Michigan
    BootIt™ NG already came with your needed RAID drivers?

    A *nix fdisk utility would also not work unless it had your RAID drivers?

    Mike
     
  10. Peter2150

    Peter2150 Global Moderator

    Joined:
    Sep 20, 2003
    Posts:
    20,590
    Hi Mike

    On the BootIt NG, I don't know what TeraByte is doing, but both BootIt NG and IFD see the drive okay.

    By *nix, I assume you mean some of the Linux solutions. I was on the verge of going there when I remembered having BootIt NG, and since that worked I never tried.

    Pete
     
  11. flinchlock

    flinchlock Registered Member

    Joined:
    Jan 30, 2005
    Posts:
    554
    Location:
    Michigan
    Yes, such as Red Hat, SUSE, Mandriva, Fedora, Ubuntu, Debian, Gentoo, ...

    Mike
     
  12. Rmus

    Rmus Exploit Analyst

    Joined:
    Mar 16, 2005
    Posts:
    4,020
    Location:
    California
    The recent mypics worm: if allowed to run, YMworm.exe downloads and then creates several files.

    New Folder.exe is created on each partition. G:\ is my second HD:

    http://www.urs2.net/rsj/computing/imgs/newfolder.gif
    ___________________________________________________________________________

    Erik, in all of the many possible scenarios you have described, you never say how you think malware can install and execute itself.

    You've indicated that you trust your installations (as do I), so that leaves

    1) breach of firewall (not likely)

    2) email attachment (you say NEVER)

    3) drive-by download. Possible, BUT:

    If you accept the premise "If it can't execute, it can't infect"**, then what are the ways you can be protected
    against something executing?

    Since this is the Anti-Executable thread (but see ** below) and you are evaluating AE: nothing gets in.

    Not even something like YMworm.exe:

    http://www.urs2.net/rsj/computing/imgs/ae-block.gif
    _________________________________________________________________

    YMworm.exe doesn't execute, no New Folder.exe created on any partition/drive.

    ** see https://www.wilderssecurity.com/showthread.php?p=950745#post950745

    regards,

    -rich

    ________________________________________________________________
    "Talking About Security Can Lead To Anxiety, Panic, And Dread...
    Or Cool Assessments, Common Sense And Practical Planning..."
    --Bruce Schneier​
     
    Last edited: May 31, 2007
  13. flinchlock

    flinchlock Registered Member

    Joined:
    Jan 30, 2005
    Posts:
    554
    Location:
    Michigan
    I use "My Computer > right-click > Manage > Disk Management" to change my CD/DVD drive from whatever to R:.

    I wonder if this worm would still make the folders if your drives were not right after C:, for example X: Y: Z:?

    Mike
     
  14. aigle

    aigle Registered Member

    Joined:
    Dec 14, 2005
    Posts:
    11,164
    Location:
    UK / Pakistan
    Interesting. Will it work?
     
  15. Rmus

    Rmus Exploit Analyst

    Joined:
    Mar 16, 2005
    Posts:
    4,020
    Location:
    California
    http://www.urs2.net/rsj/computing/imgs/newfolder-3.gif
    _______________________________________________________________

    Usually the worm/trojan searches from C - Z with something like

    "if exist..."

    I've seen them put a log.txt file on each drive -- maybe to store harvested information to be sent out later.

    However, back to the point:

    If it can't execute, it can't infect


    regards,

    -rich

    ________________________________________________________________
    "Talking About Security Can Lead To Anxiety, Panic, And Dread...
    Or Cool Assessments, Common Sense And Practical Planning..."
    --Bruce Schneier​
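
The root-of-every-drive behaviour Rmus describes (New Folder.exe on each partition, a log.txt on each drive, a C-to-Z "if exist" walk) as an added detection check, not code from the thread or from any poster. It scans only the top level of each root for those two names, mirrors the worm's own letter range so a drive remapped to X: or Z: is still covered (flinchlock's question), and builds its own fake "drive roots" in a temp directory so it runs on any OS. The indicator names come from the posts; the directory layout and file contents in demo() are constructed for this example.

```python
# Added example (not from the thread, not Faronics' or any poster's code):
# a root-level scan for the droppers described in the posts above. The worm is
# said to walk drive letters C: through Z: with an "if exist" test and leave
# "New Folder.exe" on every partition (and sometimes a log.txt), so a check has
# to walk the same letter range rather than assuming the data drive is D:.
# The file names come from the posts; the directory layout in demo() is
# constructed here so the scan runs on any OS without real drives.
import os
import shutil
import string
import tempfile

# Indicator names reported in the thread. Presence is a signal, not proof.
DROPPER_NAMES = ("New Folder.exe", "log.txt")


def candidate_drive_roots(letters=string.ascii_uppercase[2:]):
    """Return 'C:\\' .. 'Z:\\' for every letter that exists as a drive root.

    Mirrors the worm's own C-to-Z walk. On a non-Windows host none of these
    paths exist, so the list is simply empty."""
    return [f"{letter}:\\" for letter in letters if os.path.isdir(f"{letter}:\\")]


def scan_roots(roots, names=DROPPER_NAMES):
    """Map each root that holds any indicator file to the names found there.

    Only the top level of each root is checked: the posts describe the files
    being written to the root of every drive, not nested anywhere."""
    hits = {}
    for root in roots:
        found = [n for n in names if os.path.isfile(os.path.join(root, n))]
        if found:
            hits[root] = found
    return hits


def demo():
    """Build three fake drive roots in a temp dir, 'infect' two of them the way
    the worm is described doing, and return the scan result keyed by letter.

    X is included (clean) to show that a remapped letter far from C: is still
    covered by the scan, which matters because the worm walks all of C-Z."""
    base = tempfile.mkdtemp(prefix="newfolder-scan-")
    layout = {"C": ["New Folder.exe"], "G": ["New Folder.exe", "log.txt"], "X": []}
    root_to_letter = {}
    try:
        for letter, dropped in layout.items():
            root = os.path.join(base, letter)
            os.makedirs(root)
            for name in dropped:
                with open(os.path.join(root, name), "wb") as f:
                    f.write(b"MZ constructed sample")  # constructed, not real malware
            root_to_letter[root] = letter
        hits = scan_roots(root_to_letter)
        return {root_to_letter[r]: found for r, found in hits.items()}
    finally:
        shutil.rmtree(base, ignore_errors=True)


if __name__ == "__main__":
    print(demo())
    print("live drives:", scan_roots(candidate_drive_roots()))
```

Run as a script it prints the constructed demo result and then the result for whatever real drive roots exist on the host; on Windows, `candidate_drive_roots()` is the list to pass in, on anything else it is empty.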
     
  16. flinchlock

    flinchlock Registered Member

    Joined:
    Jan 30, 2005
    Posts:
    554
    Location:
    Michigan
    Of course. ;)

    Absolutely, and thank you very much!

    Mike
     
  17. ErikAlbert

    ErikAlbert Registered Member

    Joined:
    Jun 16, 2005
    Posts:
    9,455
    I don't know how malware works, because malware are PROGRAMS and only programs can TALK to computers, and the smarter the programmer is, the smarter the program will be. You can do ANYTHING with a computer via a program as long as you know how to do it. :)
     
  18. Rmus

    Rmus Exploit Analyst

    Joined:
    Mar 16, 2005
    Posts:
    4,020
    Location:
    California
    Dear ErikAlbert,

    I finally understand the dilemma I find myself in. You are approaching the situation philosophically: you have set up a hypothesis.

    I need real examples to deal with. Otherwise, I don't bother, for I could never cover all of the scenarios *hypothetically possible* to malware writers.

    regards,

    -rich
     
  19. ErikAlbert

    ErikAlbert Registered Member

    Joined:
    Jun 16, 2005
    Posts:
    9,455
    I'm an application analyst. I always have to work with theoretical concepts and philosophies, because my job is to create something, that doesn't exist yet.
    Of course my applications have nothing to do with security. That's my problem at Wilders. I don't need to know anything about computers either to do my job. Our computer department does that for me. :D
     
  20. muf

    muf Registered Member

    Joined:
    Dec 30, 2003
    Posts:
    926
    Location:
    Manchester, England
    I'm having a problem with AE. All of a sudden it's decided that one of my apps that it 'whitelisted', STEAM.EXE, now violates the acceptable use policy. Dunno why, as I've not changed anything, upgraded or updated. So I added this exe file to the trusted applications list and it still gives me the warning. The only way to stop it is to add the Steam folder to the exempt list. But just why is it still warning when I've added the STEAM.EXE file to the trusted list? Anyone know?

    TIA,
    muf
     
  21. EASTER

    EASTER Registered Member

    Joined:
    Jul 28, 2007
    Posts:
    11,126
    Location:
    U.S.A. (South)
    Yeah, I know. I'm one of those slow-to-come-around types with certain programs.

    Well, I only now got on board the AE train and if I had known it was this simple and solid back when all the buzz was going around, I wouldn't have waited this long to add this EXE LOCKER to the defense arsenal.

    Anyone have any useful tips aside from what's already been discussed about it? There was some note of frustration echoed over having to DISABLE AE to install programs and the like, but given the method AE employs to disregard anything not white-listed, I find no real delay in taking a moment to update it with your acceptable programs.
     
  22. Peter2150

    Peter2150 Global Moderator

    Joined:
    Sep 20, 2003
    Posts:
    20,590
    Hi Easter

    I would recommend you don't turn on the delete protection. You will quickly discover how many system log files get deleted and recreated. It was somewhat painful.:D

    Pete
     
  23. EASTER

    EASTER Registered Member

    Joined:
    Jul 28, 2007
    Posts:
    11,126
    Location:
    U.S.A. (South)
    Thank you Pete for that vital tip. For the time being Low Security is adequate enough, I think. I would only use it when unleashing researched captured viruses & other forms of possibly destructive malware.

    But a question still puzzles me. I have witnessed before .tmp files running as an exe. Is there also a setting to add such extensions? I got a wide-eyed awakening recently from a file infector I let slip completely unnoticed until NOD32 came on duty and fortunately repaired EVERY exe file that was mass modified. It could have been substantially more aggressive, like some have proven in the past.
     
  24. Peter2150

    Peter2150 Global Moderator

    Joined:
    Sep 20, 2003
    Posts:
    20,590
    If you were to set an extension of .tmp as an exe, I believe it would be a disaster. Remember you have to let it see all new executables after an install. So the minute a running program tried to open a tmp file, it would be blocked. I shudder to think what could happen.

    As an aside, keep an eye on your copy times in FDISR.
     
  25. [suave]

    [suave] Registered Member

    Joined:
    Apr 5, 2005
    Posts:
    218
    I have a quick question about AE and figured I'd post it here instead of starting a new topic.

    I just need to know what the differences are between AE's execution control and the other HIPS (SSM,PS) execution control.

    The reason I ask, is because I have a PC in my home that I use in the same way a public PC would be used. It's not a PC that I use myself but it is just for friends and family that come to my house and ask if they can check their email or whatever.

    I trialed both AE and SSM and decided to purchase SSM. But now I just want to be sure I made the right choice.

    The reason I went for SSM was because it lets me create a list of trusted apps (the ones I want people to be able to use). And then I can simply set a password which will block everything else.

    The one thing I didn't like about AE was that I had no control over the "Allowed List". With AE I have to allow everything pre-install and block everything post-install. So just as an example to illustrate this better, with AE I can't block wordpad.exe, but with SSM I can.

    That's basically the reason I went for SSM. I didn't like the fact that with AE the user still has access to everything on the PC. Why should I allow them access to programs they shouldn't use, or programs I know they won't use, like regedit.exe, cmd.exe and all the other things? With SSM I have an explicit list of programs that I allow, like Firefox and some chat programs, and that's it. No need to allow them access to everything else.

    So I'm having a hard time understanding why someone would choose AE over a HIPS like SSM. Not to mention with SSM you get the added benefits of all the extra protection it provides. But let's only focus on the execution control as I'm not worried about anything else. Does AE do something that SSM can't? Is there something here I'm not seeing? Please educate me.

    thanks.
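
The two execution-control models this thread keeps comparing, as an added example that is not part of the thread and is neither Faronics' Anti-Executable code nor SSM's: a "baseline" policy that trusts everything present when the snapshot is taken (the AE behaviour [suave] describes: allow pre-install, block post-install) and an "explicit" policy that trusts only a hand-picked list (the SSM behaviour). It also covers two earlier posts: EASTER's file infector that rewrote every exe (a content hash turns a trusted file into an unknown one) and the .tmp-running-as-exe question (the check keys on the PE "MZ" header rather than the extension, so nothing has to declare every .tmp executable, which Peter2150 rightly warns against). The file names (firefox.exe, regedit.exe, YMworm.exe, update.tmp) and their contents are constructed for the demo, and treating "starts with MZ" as "is executable" is a deliberate simplification of what a real product would do.

```python
# Added example (not Faronics' Anti-Executable code and not SSM's): the
# default-deny execution control the thread sums up as "if it can't execute,
# it can't infect", in the two flavours the posts compare.
#   baseline(): the AE model as described above - everything present when the
#               snapshot is taken is trusted, anything that appears later is not.
#   explicit(): the SSM model as described above - only a hand-picked list.
# Two details a practitioner would want, both prompted by posts in the thread:
#   - files are identified by SHA-256 of their content, so a file infector that
#     rewrites every .exe turns a trusted file into an unknown one;
#   - "executable" is decided by the MZ header, not the extension, so a PE
#     renamed to .tmp is still caught, without declaring every .tmp executable.
# All file names and contents in demo() are constructed for this example.
import hashlib
import os
import shutil
import tempfile


def is_pe_executable(path):
    """True if the file starts with the 'MZ' DOS header every PE carries."""
    with open(path, "rb") as f:
        return f.read(2) == b"MZ"


def sha256_file(path):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


class ExecutionPolicy:
    def __init__(self, allowed_hashes):
        self.allowed = set(allowed_hashes)

    @classmethod
    def baseline(cls, root):
        """AE-style snapshot: trust every PE currently under root."""
        hashes = []
        for dirpath, _dirs, files in os.walk(root):
            for name in files:
                path = os.path.join(dirpath, name)
                if is_pe_executable(path):
                    hashes.append(sha256_file(path))
        return cls(hashes)

    @classmethod
    def explicit(cls, paths):
        """SSM-style list: trust only the named files."""
        return cls(sha256_file(p) for p in paths)

    def decide(self, path):
        """'allow', 'block', or 'not-executable' (data files are not our job)."""
        if not is_pe_executable(path):
            return "not-executable"
        return "allow" if sha256_file(path) in self.allowed else "block"


def demo():
    """Stage the scenarios from the thread and return every decision."""
    base = tempfile.mkdtemp(prefix="exec-policy-")

    def put(name, data):
        path = os.path.join(base, name)
        with open(path, "wb") as f:
            f.write(data)
        return path

    try:
        firefox = put("firefox.exe", b"MZ constructed firefox")
        regedit = put("regedit.exe", b"MZ constructed regedit")
        readme = put("readme.txt", b"plain data")
        ae = ExecutionPolicy.baseline(base)          # snapshot taken now
        ssm = ExecutionPolicy.explicit([firefox])    # only Firefox listed
        before = {"ae": ae.decide(regedit), "ssm": ssm.decide(regedit)}

        # After the snapshot: a dropper arrives, a PE hides behind .tmp, and a
        # file infector rewrites regedit.exe in place.
        worm = put("YMworm.exe", b"MZ constructed dropper")
        tmp_pe = put("update.tmp", b"MZ constructed disguised pe")
        with open(regedit, "ab") as f:
            f.write(b" + infector payload")

        after = {}
        for label, path in (("firefox", firefox), ("regedit", regedit),
                            ("readme", readme), ("worm", worm), ("tmp_pe", tmp_pe)):
            after[label] = {"ae": ae.decide(path), "ssm": ssm.decide(path)}
        return {"regedit_before": before, "after": after}
    finally:
        shutil.rmtree(base, ignore_errors=True)


if __name__ == "__main__":
    import json
    print(json.dumps(demo(), indent=2))
```

The one place the two models differ is regedit.exe before anything bad happens: the baseline policy allows it because it was on disk at snapshot time, the explicit policy blocks it because it was never listed, which is exactly the wordpad.exe/regedit.exe point in the post above. Everything that arrives or changes after the snapshot is blocked by both, and the plain-text file is ignored by both.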
     