Executable Lockdown 1.0 released

Discussion in 'other anti-malware software' started by Diprivan, May 3, 2008.

Thread Status:
Not open for further replies.
  1. Pedro

    Pedro Registered Member

    Joined:
    Nov 2, 2006
    Posts:
    3,502
    You're referring to the extra protection level from AE and DF.
    I'm just pointing out that this is something that should work effectively and reliably, because you're counting on it.
    This is one simple job, blocking execution. If you don't expect it to work, why do you want it?
    Indeed. As things progress, and more programs use scripting - I believe that's the problem, the script downloads the payload, no? - it will be hard even for me.

    If it turns out to be widely used, sooner or later a friend will send me a video and I will want to see it.
    Though, if the trick is so basic (as it likely will be) that the browser asks me to download an exe, it's easily detected.
    I should thank you and others for that, you gave me an easy framework to think about these things. If I learned anything in here, this is included.
     
  2. Pedro

    Pedro Registered Member

    Joined:
    Nov 2, 2006
    Posts:
    3,502
    I see your point Chris. But the thing is, it's still beta. jk :D
    Try AE beta 3. It's very fast, and going for flexibility.
    It's stable, reliable and fast.
    I would add or change a few things myself, definitely. One thing I disliked is the pop-ups: Allow or Deny or add to whitelist. To turn that off, I only see the option to hide icon AND notification. That's not acceptable to me, if I were to use it.
    This is not AE v2 for sure, though it should be able to act like v2 once configured.
     
  3. HURST

    HURST Registered Member

    Joined:
    Jul 20, 2007
    Posts:
    1,419
    One question. When you guys performed this test, was DEP enabled or disabled?
     
  4. Rmus

    Rmus Exploit Analyst

    Joined:
    Mar 16, 2005
    Posts:
    4,020
    Location:
    California
    I thought this product does still use a whitelist:

    http://www.horizondatasys.com/169602.ihtml


    ----
    rich
     
  5. Rmus

    Rmus Exploit Analyst

    Joined:
    Mar 16, 2005
    Posts:
    4,020
    Location:
    California
    I do not have DEP.


    ----
    rich
     
  6. ErikAlbert

    ErikAlbert Registered Member

    Joined:
    Jun 16, 2005
    Posts:
    9,455
    I have DEP in my hardware and also configured DEP the way Wilders suggested and even wrote a post about it, but I didn't do the Comodo test, because it doesn't run properly on my system.

    I also wonder why users are bothered by the installation speed of AE, which is a one-time operation. I didn't consider this a disadvantage or even think about it. AE is certainly not slow when it is doing its job. I wish I had more of these whitelists on my computer that act so fast. My second whitelist acts only when I reboot, and that is way too late. :)
     
    Last edited: Jun 3, 2008
  7. MDA904

    MDA904 Registered Member

    Joined:
    May 31, 2008
    Posts:
    7
    Just did some tests with Lockdown.

    You can't compare it with AE; it doesn't look into the files,
    so it is extremely easy to bypass.

    Thus Lockdown is unsafe!

    :thumbd:
     
  8. Rmus

    Rmus Exploit Analyst

    Joined:
    Mar 16, 2005
    Posts:
    4,020
    Location:
    California
    Can you describe details of your tests, and post some screenshots?


    ----
    rich
     
  9. demoneye

    demoneye Registered Member

    Joined:
    Dec 30, 2007
    Posts:
    1,356
    Location:
    ISRHell
    Any program can be bypassed this way or another if you are into it; AE can also be bypassed, and some of us saw some tricks to do it... so light/fast is the name of the game :cautious:
     
  10. Rmus

    Rmus Exploit Analyst

    Joined:
    Mar 16, 2005
    Posts:
    4,020
    Location:
    California
    Can you show a test as to how an executable file not on the White List can bypass AE and download/install/run?


    ----
    rich
     
  11. ErikAlbert

    ErikAlbert Registered Member

    Joined:
    Jun 16, 2005
    Posts:
    9,455
    Any OS and any software can be broken once it is a target. I ignore all such remarks until they prove it to me, just like Rmus.
    What is common to ALL software doesn't interest me. That is only good for scaring average users, who don't know any better.

    I'm more interested in what a security software does and, above all, does NOT do. What a security software doesn't do needs to be fixed with another security software.
    My knowledge isn't strong enough to find out if EL is better than, equal to or worse than AE. So I stick to AE until somebody can show me that EL is better.

    Besides, AEv3 is on its way and I'm waiting for the final version to see what is improved. AEv3 might even have more possibilities than ELv1. :)
     
  12. Chris12923

    Chris12923 Registered Member

    Joined:
    May 31, 2004
    Posts:
    1,097
    It does use a whitelist, but not the same way AE does. So it installs much faster, since it doesn't scan your PC for some minutes.

    Thanks,
     
  13. Rmus

    Rmus Exploit Analyst

    Joined:
    Mar 16, 2005
    Posts:
    4,020
    Location:
    California
    Please explain the difference, and why it is quicker.
     
  14. Chris12923

    Chris12923 Registered Member

    Joined:
    May 31, 2004
    Posts:
    1,097
    I don't know the technical details of how it creates the whitelist, but I do know the install time is about 20-30 seconds, and that's when the white list is created, and AE takes way longer than that.

    Thanks,

    Chris
     
  15. Rmus

    Rmus Exploit Analyst

    Joined:
    Mar 16, 2005
    Posts:
    4,020
    Location:
    California
    This is from the Executable Lockdown website:

    If all it does is search for a list of executable file extensions, then I can see this taking a short time.

    AE, as you know, analyzes the file looking for binary code, hence, during the initial scan, it would take a lot longer to look at each file on the computer.

    1) Do this test: rename an executable file to extension .gif

    2) Install EL and see if that file is indeed put on the white list.

    To test, rename it back to .exe -- it should execute if it is on the White List.


    ----
    rich
     
  16. Chris12923

    Chris12923 Registered Member

    Joined:
    May 31, 2004
    Posts:
    1,097
    I'll try it tomorrow; I have to eat in a couple of minutes and go to work after that, but... I'm not seeing what it hurts to not search the code. I mean, people swear by ProcessGuard and the like, and it didn't search code, but it still blocked executions. Am I missing something?

    Thanks,

    Chris
     
  17. MDA904

    MDA904 Registered Member

    Joined:
    May 31, 2008
    Posts:
    7

    Just as I wrote before, Lockdown doesn't look INTO the file,
    but only looks at the extension. Of course this is terrible.

    Example:

    Install Lockdown and test with a small exe file that you get off another system,
    like example.exe. Try to run it; normally you should get a popup, which is OK.

    Answer NO.

    Then rename the same file example.exe to example.cmd and fire it again,
    voilà, it runs without questioning ...

    The program should not have looked at the extension, but should only have to look inside the file to see that it is an executable!
     
  18. Rmus

    Rmus Exploit Analyst

    Joined:
    Mar 16, 2005
    Posts:
    4,020
    Location:
    California
    No, and Yes.


    No, in the sense that a spoofed executable may download in an exploit, but still not be able to execute.

    Yes, in that as with Copy Protection, Code Analysis is an added layer of prevention, and is useful as I indicated in a previous post about Copy Protection.

    Do you remember the infamous Google Redirect exploit which Noway discovered here? Redirecting to the malicious site resulted in the notorious WinAntiVirus (cousin of WinFixer) download by remote code execution:

    [screenshot: AE-block.gif]

    This .gif file is really an executable, one of the Trojan.small downloaders. AE identifies the file by code analysis, not file extension, and Copy Protection blocks the download. Sitting in the cache, it can do nothing of itself, of course, because even if a user clicked to open it, it would fail to run as an image file.

    But its purpose was not to be clicked upon, rather, to be renamed/copied as an executable (Update_0704_KB74073.exe) and then run from the Startup folder:

    Code:
    // Resolve the All Users Startup folder via the Windows Script Host shell object
    daustart = obj_WScript.SpecialFolders("AllUserStartup");
    var fn = " ";
    // Write the downloaded ADODB stream (the disguised .gif) out to disk as a binary file
    obj_adodb.SaveToFile(fn, 2);

    // Target path: the renamed copy is dropped straight into the Startup folder
    var fn = daustart + "\\Update_0704_KB74073.exe";
    
    At this point, execution prevention programs picked it up (aigle tested this), as I'm sure EL would also block.

    However, if the .gif file downloads, the exploit leaves a mess of files around:

    In the Startup Folder--


    [screenshot: cnte_1.gif]


    And in Windows/System32--

    [screenshot: cnte_2.gif]

    Again, for the average home user, who probably wouldn't know what to do or how to clean up in this case, blocking the exploit at the gate is a nice feature.

    If Executable Lockdown also analyzes file code, then I'll be impressed that its initial scan is so short!

    Having said that, I've never timed the initial scan of AE, so I wasn't aware that it was an issue until you brought it up.

    ---
    rich
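    The thread's whole argument turns on one distinction: a whitelist that decides "executable or not" from the file extension versus one that decides from the file's contents. The following is an added example, not code from the thread, from Executable Lockdown or from Anti-Executable. It implements both checks side by side and runs them over constructed samples that mirror the cases discussed above: an executable renamed to .gif (Rmus's test in post 15 and the cached Trojan.small downloader), the same bytes under their real .exe name, and a plain script saved as .cmd (MDA904's observation). The extension list and the header-only byte string are assumptions built for the demo; the content check reads the MZ stub and the e_lfanew pointer to the PE signature, which is the minimum a code-analysis whitelist has to do to see through a renamed binary.

```python
import struct

# Extensions that Windows hands to the loader or to a script host.
# This list is an assumption for the demo, not EL's or AE's real whitelist.
EXECUTABLE_EXTENSIONS = {
    ".exe", ".com", ".scr", ".dll", ".pif",   # native PE images
    ".bat", ".cmd", ".vbs", ".js",            # interpreted scripts
}


def extension_says_executable(name: str) -> bool:
    """Extension-only decision, the approach the thread attributes to Executable Lockdown."""
    dot = name.rfind(".")
    ext = name[dot:].lower() if dot != -1 else ""
    return ext in EXECUTABLE_EXTENSIONS


def content_says_pe(data: bytes) -> bool:
    """Content decision in the spirit of AE's code analysis: MZ stub plus PE signature.

    A PE file starts with the DOS 'MZ' header; the 32-bit field at offset 0x3C
    (e_lfanew) points to the 'PE\\0\\0' signature that begins the NT headers.
    """
    if len(data) < 0x40 or data[:2] != b"MZ":
        return False
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)
    if e_lfanew + 4 > len(data):
        return False  # pointer runs past the end: truncated or not a PE at all
    return data[e_lfanew:e_lfanew + 4] == b"PE\0\0"


def classify(name: str, data: bytes) -> dict:
    """Return both verdicts so the two policies can be compared for one file."""
    return {
        "by_extension": extension_says_executable(name),
        "by_content": content_says_pe(data),
    }


def constructed_pe_image() -> bytes:
    """Constructed sample: only the header bytes the check inspects, not a runnable program."""
    header = bytearray(0x100)
    header[0:2] = b"MZ"
    struct.pack_into("<I", header, 0x3C, 0x80)   # e_lfanew -> NT headers at 0x80
    header[0x80:0x84] = b"PE\0\0"
    return bytes(header)


# Constructed cases mirroring the thread's discussion (names are illustrative).
SAMPLES = {
    "AE-block.gif": constructed_pe_image(),              # PE hiding behind an image extension
    "Update_0704_KB74073.exe": constructed_pe_image(),   # same bytes under their real name
    "example.cmd": b"@echo off\r\necho hello\r\n",       # script: executable by extension only
    "photo.gif": b"GIF89a" + bytes(64),                  # a real (minimal) image header
}


def run_demo() -> dict:
    """Classify every sample and return {name: verdicts} for inspection or testing."""
    return {name: classify(name, data) for name, data in SAMPLES.items()}


if __name__ == "__main__":
    for name, verdict in run_demo().items():
        print(f"{name:28s} extension={verdict['by_extension']!s:5s} content={verdict['by_content']}")
```

    The extension-only policy misses `AE-block.gif` entirely, which is exactly the case where Rmus says Copy Protection earned its keep, while the content check flags it regardless of its name. The reverse gap also shows: `example.cmd` contains no PE code, so a header check alone says nothing about it, and that is why a content-based whitelist still needs an extension or interpreter rule for scripts. Neither policy is sufficient on its own.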
     
  19. Rmus

    Rmus Exploit Analyst

    Joined:
    Mar 16, 2005
    Posts:
    4,020
    Location:
    California
    OK, you have confirmed that EL works by file extension. Thanks.

    EDIT: Isn't .cmd an executable file extension?

    ---
    rich
     
  20. demoneye

    demoneye Registered Member

    Joined:
    Dec 30, 2007
    Posts:
    1,356
    Location:
    ISRHell
    Look mate, I got over 20,000 files over here and EL's time to install was 20 sec!!! So it doesn't look into my files like AE does; it doesn't even look at the extension at such speed.
    Maybe it reads the HD FAT for which files it should set its "white list"...

    PS. AE takes more than 10 minutes to install over here...


    Cheers :thumb:
     
  21. Pedro

    Pedro Registered Member

    Joined:
    Nov 2, 2006
    Posts:
    3,502
  22. MDA904

    MDA904 Registered Member

    Joined:
    May 31, 2008
    Posts:
    7

    I think we agree on this ;)
    It only looks at the extension when a file is started.
     
  23. MDA904

    MDA904 Registered Member

    Joined:
    May 31, 2008
    Posts:
    7
    It has no use comparing them; Lockdown is, in my opinion, a useless tool,
    even normal executables are not detected :D

    AE can at least find those, so it is better, but it does not detect non-executable malware, so you must have a solution for that on your PC as well to be protected.

    ;)
     
  24. lucas1985

    lucas1985 Retired Moderator

    Joined:
    Nov 9, 2006
    Posts:
    4,047
    Location:
    France, May 1968
    PG (and other HIPS) hooks the API calls necessary to execute code (CreateProcess for example). Anything that attempts execution gets caught by a HIPS.
     
  25. Pedro

    Pedro Registered Member

    Joined:
    Nov 2, 2006
    Posts:
    3,502
    Lucas (global moderator :) ), the thing is:

    el.png
     
    Last edited: Jun 3, 2008