Executable Lockdown 1.0 released

Executable lockdown 1.0 has just been released. Is this a viable alternative to Anti-executable?
http://www.horizondatasys.com/169602.ihtml

 

Absolutely not. Check this:

https://www.wilderssecurity.com/showpost.php?p=1233232&postcount=21

 

Stay with Anti-Executable. I've never had any problems with it.

 

Why does Executable Lockdown have a Blacklist ?
The basic principle of a whitelist is that EVERYTHING, what is not whitelisted, is blacklisted.
So why wasting space and time on a Blacklist ? The Blacklist is already there.
I don't understand the philosophy behind EL.

 

I would agree with the above folks who both caution on this and suggest staying with Faronic's AE which is an absolutely superb program just like it's mother ship app Deep Freeze which i use both myself.

The Whitelist approach locks in only designated (Deemed Safe) executables and anything else is toast is a welcome preventative measure and one that also drives my own security approach.

 

Its one alternative, however unless they've made huge improvements from the freeware version its protection isn't quite as comprehensive as Faronics AE. AE is slightly cheaper too.

 

The philosophy is the same imo. What changes is flexibility. Different users have different needs.

Setting aside for a moment that it doesn't seem to work, i would prefer something a bit more flexible than AE, or a bit more visibility :
-see the whitelist,
-see what is added when we turn on/off, or have an alternative to turning it off (i don't know)
-and yes a blacklist to forbid Internet Explorer, perhaps ask a password for others like cmd etc.
In other words, a program i'll probably never see.

I liked what i saw in Abtrusion Protector for instance, bugs aside. Not everything, but most of it.

 

Can i ask why you would agree with the others and choose AE over exe lockdown? I'm curious. What features in AE you like over exe lockdown if you dont mind.

Thanks,

Chris

 

Because it works in a different way than AE does. It is much, much faster as well.

Thanks,

Chris

 

Please check my post in that thread https://www.wilderssecurity.com/showpost.php?p=1251428&postcount=24

Thanks,

Chris

 

Chris,
I don't need blacklists, I avoid them as much as possible.
Speed is not a function, I can't do anything with speed. My computer is fast enough.

Anti-Executable v2 has a quintuple verification for each whitelisted executable :
1. File Size
2. File Type
3. File Location
4. Creation Date
5. Code Sample
http://www.faronics.com/html/AntiExec.asp

What about Executable Lockdown, the same or better or less or nothing ?

Anti-Executable v2 on HIGH :
1. Blocks unauthorized 16-bit executables
2. Blocks unauthorized 32-bit executables
3. Blocks unauthorized drivers and .dll files
4. Protects Anti-Executable Standard directory from access and tampering
5. Has optional Copy and Delete Prevention

What about Executable Lockdown, the same or better or less or nothing ?
Thanks

PS. : Anti-Executable v3 is on its way.

 

Does it matter if it has 30 verification schemes as long as it blocks what you throw at it? All I know is I couldnt get anything to get by it. Anyone else bypasss it?? It does not offer copy and delete prevention. I guess the copy protection AE has is similar to a zipped virus. It's harmless.

Thanks,

Chris

 

In other words, you don't really know, if AE is better than EL or vice versa.
So I have no reason to change anything.

 

Its like anything if you dont try it youll never know if its better for you or not. All i know is on install all files on system drive are whitelisted anything new will not run unless you allow it. Time to install on my system about 20 seconds from the time i double clicked the installer till the time i was protected. I doubt AE is that fast so better speed wise for sure. Better protection who knows neither of us has tried every method possible to bypass either of them. OK try this with AE see what happens. rename a file keep the exe extension but for the filename just hold down a key until it can not be any longer. it should be about 255 characters. then try to run the renamed file. hopefully it stops it but on some other programs this will bypass the protection.

Thanks,

Chris

 

Chris,
I will run your torture test somewhere during the day, not only to test AE, but also my boot-to-restore. I'm prepared to do anything to break my security/recovery solution, especially my boot-to-restore, because I don't trust my security softwares.
Be patient, I come back for sure.

 

np its not really a torture test just a simple thing that has bypassed some other software before not just security software but also messes with other software. I'm sure it will pass with ease but I'm curious.

Thanks,

Chris

 

That's interesting
Got to remember that one.
Which programs failed in that situation Chris?

 

Id rather not say since i dont know if they have been fixed yet and people may try to take advantage of the weakness.

Thanks,

Chris

 

With AE's Delete protection ON, you cannot rename a file:


_________________________________________________

Copy Protection prevents an executable from downloading (copying) from the internet or any external media.
The file, of course, still cannot execute.

You can try this with Executable Lockdown (I'll PM you the URL)

1. With Copy protection enabled, this remote code execution exploit on a web site fails to download the malware
(Note the Reason=Copy in the AE Alert message; and the Program=IExplore.exe):


___________________________________________________

The file has not downloaded:


___________________________________________________

Loading the site again, with Copy Protection OFF, the file is permitted to download


___________________________________________________

At which point the file copies itself as cn911.exe and installs in temp
along with a vbs file which then attempts to use wscript.exe to run the executable.

At this point, AE blocks the execution.
Note the Reason=Open (Run); and the Program=Wscript.exe in the alert:


_________________________________________________

It will be interesting to see at which point your program jumps in to stop the attack.


----
rich

 

Chris,
I tried your torture test :
1. Renamed "Firefox.exe" into "Firefoxaaaaaaaaaaaaaaaaaa.exe", holding the key "a" as long as possible.
2. Pressed "Enter"

AE gave me immediately a warning and blocked my renaming attempt.

However if the "Delete Prevention" is unmarked in AE, your test is valid and the file will be renamed.
<snipped another off topic remark>

 

Erik, i believe the test you're trying -just execution blocking- would be:
1-AE on, copy protection off.
2-Download a new exe, rename it according to the test.
3-Execute.

It shouldn't execute.

 

Yes, eaxtly like this.

 

Yes, I will like to see same tests with Exe Lockdown. Interseting!

 

exe lockdown will not stop the exe from getting on your pc. After thinking on this it seems like a mute point almost. I mean thats again like saying hey my av protects against zipped virus'. It cant run anyway so there is not really anyharm. Am i missing something here? Maybe something else that copy protection does besides that?

Thanks,

Chris

 

You are correct, there is no harm.

Using the example I gave, Copy Protection saves having to clean up the files created in the temp folder when the initial file is cached.

For the those knowledgeable about how exploits work, cleaning up in a case like this is not such a big deal.

My initial use for AE was for families where all use one computer, and the parents can control what gets downloaded/installed. AE saves having to do extra "housecleaning," and I find it a nice feature.


----
rich