Anti Exes

Discussion in 'other anti-malware software' started by DX2, Mar 1, 2013.

Thread Status:
Not open for further replies.
  1. arran

    arran Registered Member

    Joined:
    Feb 5, 2008
    Posts:
    1,156
    Only really if you are always adding new programs to your OS. Applocker is something where you set it up and forget it.

    But isn't Appguard a HIPS? Therefore all you would really need is ERP with Sandboxie. ERP and Sandboxie would provide near bullet proof protection.


    I don't use Java so I'm not sure on this one, but I thought that Java is needed to connect to the internet? Like, for example, the Java plugin on browsers: if you connect to a Java website then wouldn't you have to allow Java anyway to connect out?
     
  2. siketa

    siketa Registered Member

    Joined:
    Oct 25, 2012
    Posts:
    2,718
    Location:
    Gaia
    AppLocker is only available in Ultimate and Enterprise versions of Windows 7.

    Many people use HP and Pro versions. ;)
     
  3. Rmus

    Rmus Exploit Analyst

    Joined:
    Mar 16, 2005
    Posts:
    4,020
    Location:
    California
    I don't know anything about Java, except that a plug-in is required. I have only one site that uses a Java applet on its contact page, but the Java application executable doesn't connect out.

    My guess is that things work like the PDF plugin - you can read a PDF file in your browser via the Plugin, but the PDF Reader Executable doesn't connect out. However, in a drive-by exploit, the Reader application executable does attempt to connect out to download malware, using code embedded in the booby-trapped PDF file:

    Perhaps someone can confirm all of this...


    ----
    rich
     
  4. Peter2150

    Peter2150 Global Moderator

    Joined:
    Sep 20, 2003
    Posts:
    20,590
    Not really. Appguard doesn't stop anything in the Program Files area; it does stop everything in what it defines as the user area. User area is things such as the Desktop, My Docs, etc. They can be overridden in two modes. Unguard, which means the program can do anything. Guarded means it can run, but not mess with system stuff.

    So I have Outlook, all browsers, rundll32.exe, cmd.exe etc. running guarded. I also run Java and Adobe stuff guarded. This way they can run, but not have any exploits touch the system.

    I suppose you could accomplish this with a standard HIPS, but nowhere near as easily.

    So this way, one can whitelist certain programs to let them run, but they still are protected from doing mischief.

    Pete
     
  5. AlexC

    AlexC Registered Member

    Joined:
    Apr 4, 2009
    Posts:
    1,288
    What about Xyvos?

    Anyone using it or tried it?
     
  6. Peter2150

    Peter2150 Global Moderator

    Joined:
    Sep 20, 2003
    Posts:
    20,590

    Not familiar with it. Do you have a link to their commercial site?
     
  7. AlexC

    AlexC Registered Member

    Joined:
    Apr 4, 2009
    Posts:
    1,288
  8. Solarlynx

    Solarlynx Registered Member

    Joined:
    Jun 25, 2011
    Posts:
    2,015
  9. Peter2150

    Peter2150 Global Moderator

    Joined:
    Sep 20, 2003
    Posts:
    20,590
    My interest in it stops at the words anti virus. I won't put them on my system. Too much drag.

    Pete
     
  10. siketa

    siketa Registered Member

    Joined:
    Oct 25, 2012
    Posts:
    2,718
    Location:
    Gaia
    I don't know why there is AV in the Xyvos name.
    During my testing I have never seen a single malware detection.
    It always detected launching of a process and asked me what to do.
     
  11. Kerodo

    Kerodo Registered Member

    Joined:
    Oct 5, 2004
    Posts:
    8,013
    From what I could see looking at their web site, it seems that they are using the term "antivirus" in the name as a marketing tool more than anything else. I think it is just another anti-executable app, although I'd have to actually install it to know for sure... There isn't much tech info on the web site at all, which puts me off a bit.
     
  12. Cutting_Edgetech

    Cutting_Edgetech Registered Member

    Joined:
    Mar 30, 2006
    Posts:
    5,694
    Location:
    USA
    Appguard is not a HIPS. Appguard is an AE.
     
  13. Cutting_Edgetech

    Cutting_Edgetech Registered Member

    Joined:
    Mar 30, 2006
    Posts:
    5,694
    Location:
    USA
  14. Peter2150

    Peter2150 Global Moderator

    Joined:
    Sep 20, 2003
    Posts:
    20,590
    Says right at the top of the page

    XYVos Antivirus.

    then further down the page

    No way are they detecting virii.

    This is so misleading and confusing, I find it hard to consider them seriously.
     
  15. The Red Moon

    The Red Moon Registered Member

    Joined:
    May 17, 2012
    Posts:
    4,101
    Well, what's the difference? :cautious:
     
  16. Cutting_Edgetech

    Cutting_Edgetech Registered Member

    Joined:
    Mar 30, 2006
    Posts:
    5,694
    Location:
    USA
    Behavior Blockers, HIPS, and AE's are also considered Antivirus in the sense they prevent / mitigate infection. So they can actually say that, and not be lying. Yes, it's a marketing move on their part. I call your common scan based AV that uses signatures a Traditional AV. This is how I prefer to categorize AV's that rely on signature updates, whether they be heuristic or not. There may be better or more accurate words to distinguish a scan based AV from BB's, HIPS, and AE's. I prefer Traditional AV.
     
  17. Cutting_Edgetech

    Cutting_Edgetech Registered Member

    Joined:
    Mar 30, 2006
    Posts:
    5,694
    Location:
    USA
    Well, it can be a fine line. HIPS normally prompt the user for a response to a potentially dangerous behavior. The user will then allow or deny the action. HIPS usually give more granular control. A pure AE will deny potentially dangerous actions by default without prompting the user to allow or deny the action. This is what Appguard does. Appguard definitely behaves as an AE, and not a HIPS.

    I know some AE's like Faronics, and Voodoo shield now prompt the user to allow or deny some actions. These applications are essentially behaving as a HIPS would while operating as an AE at the same time. I believe these applications have become sort of hybrids.

    I believe many security applications will evolve over time using both technologies to the point of not being able to distinguish the application from a HIPS or an AE.

    You may find some good reading in this thread. I'm not sure how correct the information within that thread will be since I have not read that thread in a long time. https://www.wilderssecurity.com/showthread.php?t=251629
     
  18. pegr

    pegr Registered Member

    Joined:
    Apr 8, 2008
    Posts:
    2,280
    Location:
    UK
  19. The Red Moon

    The Red Moon Registered Member

    Joined:
    May 17, 2012
    Posts:
    4,101
    Thank you for the information.:thumb:
     
  20. Cutting_Edgetech

    Cutting_Edgetech Registered Member

    Joined:
    Mar 30, 2006
    Posts:
    5,694
    Location:
    USA
    Their trusted enclaves technology still behaves as an AE lol. It's just their own patented method of mitigation. Though I do understand your argument for it not being an AE. It's a fine line. I guess AG could be considered a hybrid also, and there are no true AE's. I just believe it belongs to the category with AE's because of the way it functions to mitigate attacks.
     
    Last edited: Mar 5, 2013
  21. Cutting_Edgetech

    Cutting_Edgetech Registered Member

    Joined:
    Mar 30, 2006
    Posts:
    5,694
    Location:
    USA
    No problem!
     
  22. pegr

    pegr Registered Member

    Joined:
    Apr 8, 2008
    Posts:
    2,280
    Location:
    UK
    Not true. AE is based on the concept of default deny; trusted enclaves are based on the concept of restrict the unsafe. Although there is some overlap, they are fundamentally different security models.

    With AppGuard, whether an executable is allowed to run and the set of behaviours it is allowed to engage in if execution is permitted, depends on the relationship the executable has to the trusted enclave, the policy applied, and the protection level chosen. This is a more complex arrangement than a pure AE that depends solely on whitelisting to determine whether execution is allowed, with no further attempt to restrict behaviour based on policy once execution has been allowed.
     
  23. Cutting_Edgetech

    Cutting_Edgetech Registered Member

    Joined:
    Mar 30, 2006
    Posts:
    5,694
    Location:
    USA
    Maybe you are right. There are some fundamental differences there. AG exhibits the behavior of an AE because it does not prompt the user to allow or deny a potentially dangerous behavior. It just blocks the action without the user's input. In very layman's terms, AG guards applications from performing unsafe actions. In a way it actually sandboxes the rights of a particular process. I just don't believe that in order for an application to be considered an AE it must employ the use of whitelisting.

    I'm glad you disagreed with me though since it has raised some questions as to the finer mechanics of how AG operates. The article was a good read as well, but vague.
     
  24. Cutting_Edgetech

    Cutting_Edgetech Registered Member

    Joined:
    Mar 30, 2006
    Posts:
    5,694
    Location:
    USA
    Btw.. it seems AG employs the use of AE and sandboxing technologies. It blocks the execution of executables in the user space. It blocks child processes from spawning or executing in the user space. It also limits the rights of what one process can do with another process, preventing injection attacks. It even protects the memory, and does not allow scripts to run. Those are just a few reasons it is one of my favorite security apps :)
     
  25. pegr

    pegr Registered Member

    Joined:
    Apr 8, 2008
    Posts:
    2,280
    Location:
    UK
    The way AppGuard functions to mitigate against attacks is by applying different policies, depending on the trust level of the executable. AppGuard is, in essence, similar to DefenseWall, which works in a similar way. These kinds of applications are probably best thought of as policy restriction applications, rather than AEs, which prevent or allow execution based on whitelisting.

    I agree that there is an overlap between the two in terms of execution control, but there are also fundamental differences so it may be best not to use the term AE as a catch-all, as it obscures some important differences between the two types of application.

    For example, if a browser is running guarded, AppGuard will prevent the browser, or any process spawned by it, from writing to system space, which is inside the trusted enclave and must be protected. It won't stop a guarded browser from downloading an executable to user space and, depending on the protection level, running it; but if allowed to run it too will run guarded and won't be able to compromise system space. An AE, on the other hand, would automatically prevent an unknown downloaded executable from running, as it wouldn't be whitelisted.

    Also, the range of protection that AppGuard provides includes things that are not directly connected with execution control: things like MBR protection, ActiveX protection, protection of the HKLM area of the registry, privacy mode for folders containing sensitive data, etc. All of this fits the concept of policy restriction, but are not things that are normally associated with AE.

    Regards
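The contrast pegr draws above between a whitelist-only AE and a policy-restriction model (and the guarded/unguarded modes Pete describes earlier in the thread), replayed as a toy decision engine over the browser-downloads-and-runs-an-executable scenario. This is an added example, not code from the thread or from AppGuard; the paths, the whitelist, the guarded set and the "high" protection level are constructed assumptions, not the real product's policy.

```python
# Constructed toy model (not AppGuard's code): paths, whitelist and guarded set are illustrative.
SYSTEM_SPACE = ("C:/Windows/", "C:/Program Files/")
USER_SPACE = ("C:/Users/",)
WHITELIST = {"C:/Program Files/Browser/browser.exe"}   # constructed AE whitelist
GUARDED_APPS = {"browser.exe", "java.exe"}              # constructed "run guarded" set

def ae_decision(event, running, level=None):
    """Pure AE: default deny; only execution is policed, and only by whitelist."""
    if event["op"] == "exec":
        if event["path"] in WHITELIST:
            running[event["path"].rsplit("/", 1)[-1]] = "unguarded"
            return "allow"
        return "deny"
    return "allow"  # behaviour after execution is not restricted

def policy_decision(event, running, level="medium"):
    """Trusted-enclave style: a process's rights depend on whether it runs guarded,
    children inherit guarded state, and the constructed 'high' level blocks user-space launches."""
    path = event["path"]
    if event["op"] == "exec":
        if level == "high" and path.startswith(USER_SPACE):
            return "deny"
        name = path.rsplit("/", 1)[-1]
        guarded = (running.get(event.get("parent")) == "guarded"
                   or name in GUARDED_APPS or path.startswith(USER_SPACE))
        running[name] = "guarded" if guarded else "unguarded"
        return "allow (guarded)" if guarded else "allow"
    if (event["op"] == "write" and running.get(event["actor"]) == "guarded"
            and path.startswith(SYSTEM_SPACE)):
        return "deny"  # guarded code may not write inside the trusted enclave
    return "allow"

def simulate(events, decide, level="medium"):
    """Replay a trace; events from a process that never got to run are skipped, not judged."""
    running, results = {}, []
    for e in events:
        actor = e.get("actor") or e.get("parent")
        if actor is not None and actor not in running:
            results.append("skipped (actor never ran)")
        else:
            results.append(decide(e, running, level))
    return results

# Constructed trace of pegr's scenario: guarded browser saves an executable to user space, launches it, child drops a DLL into system space.
TRACE = [
    {"op": "exec", "path": "C:/Program Files/Browser/browser.exe", "parent": None},
    {"op": "write", "actor": "browser.exe", "path": "C:/Users/me/Downloads/setup.exe"},
    {"op": "exec", "path": "C:/Users/me/Downloads/setup.exe", "parent": "browser.exe"},
    {"op": "write", "actor": "setup.exe", "path": "C:/Windows/System32/dropped.dll"},
]
```

Running `simulate(TRACE, ae_decision)` denies the download at the exec step, while `simulate(TRACE, policy_decision)` lets it run guarded and denies only the write into system space; the constructed "high" level behaves like the AE for user-space launches.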
     