Discussion in 'other anti-malware software' started by faronics, Apr 2, 2012.
Why should one opt for Anti-Executable when you have SRP or AppLocker?
SRP isn't present in all Windows versions. You can use the registry, though. Or even Sully's application. But AppLocker is only present in the Ultimate and Enterprise versions of Windows 7, if I'm not mistaken.
I've been testing this new version of Faronics A-E on Windows 7 32-bit and, so far no glitches.
However, I wanted to see how it reacts when you throw some security solutions into that configuration. So, I installed/uninstalled several anti-malware solutions to see how they interact with A-E v5.0.
I ran Avast! 7 with A-E and no problems and/or bugs were detected. Tested with Avira and found no problems. Tested with AVG and no bugs detected. Tested with MBAM and no problems were seen.
However, when I threw in MSE v4, I noticed that whenever MSE updates its definitions [manually], A-E blocks it, and you have to click Allow for it to be able to finish updating. If MSE tries to update automatically, then it's blocked by A-E, the MSE icon in the systray turns red, and the MSE GUI freezes. It looks like A-E treats any definitions installer stub for MSE as a new [and unknown] executable trying to install on the system and thus it has to be authorized first every time.
Thus, if somebody plans to use those two together, better keep that in mind before running those two programs.
You can also use Parental Control for SRP if you use the Home edition of Win7.
AE is localized in six languages: English, German, Spanish, French, Japanese and Simplified Chinese. Localized user guides for version 5 are in production right now and will be posted shortly. The lack of the localized user guides has been reflected in the release notes. Do you experience any problems with a specific locale?
Can you please let me know which incompatibility you are referring to? If you have a ticket or a bug number, I will be able to provide a detailed update.
The application control industry represents a niche market with relatively low price elasticity of demand; we rarely get complaints about our pricing. Educational institutions have a 50% discount, and volume pricing is also available. The only store pricing you are referring to is subscription pricing; perpetual licensing is also available through other sales channels, our channel partners, for example. We believe that AE is priced competitively based on the benefits it provides and the features that have been made available. If you have feedback on this, I will be interested to hear it. PM me with details.
Stress and performance testing are an integral part of our QA testing. Can you please tell me more about the unexpected performance hit you have experienced after AE installation? This is abnormal behavior and we want to make sure we know what is causing it. Please PM me with details or check in with our support at support.faronics.com; feel free to reference our conversation here.
"never touch a running system" If you ever change your mind, I will be happy to see you advocate for our products in their thread as well!
Cache on all distribution servers was purged at original launch of the new version, if you are still getting 4.21, can you please let me know which specific URL you are pulling the code from?
Unfortunately, I won't be able to shed any light on why DLL monitoring causes problems as it was not our goal or architectural desire.
DLL monitoring has a higher level of performance hit (a performance hit is expected, but it shall be minimal), because it increases the number of files that need to be evaluated before they are allowed at runtime. Even if a file is marked as allowed to run, it needs to be checked, as it might have been manipulated, injected, or otherwise changed to sneak in some payload. A system lockup or even visible performance degradation is considered a bug and I would like to ask you to report it to our support, so we can have a closer look.
Another element in the complexity of DLL monitoring is that the same DLL can be accessed by a group of programs simultaneously and multiple times. We have seen cases where unsigned DLLs (some publishers do not sign their DLLs) are pulled by dozens of programs several hundred times at program launch, causing a bottleneck for I/O bandwidth. Such cases are rather corner cases and we have solved them through our support.
The main new feature of AE5 is its ability to control publishers in one window, making the process of setting up AE easy and fast. We want AE to work behind the scenes and not be in your face with additions to the control list; once a publisher, a program, or a file certificate is allowed, we want the user to be able to run it without any limitations or interruptions.
I have seen comments about a comparison of AE to AV and want to address this as well. AE is not a replacement for AV. AE works on default deny, whereas AV works on default allow, unless there is a definition available or a heuristic observation fits a defined pattern. We often see users trying to replace an AV solution with our Deep Freeze product as well. These are all different tools for different purposes and ideally should all work together as multiple layers of protection. Faronics sells an enterprise edition of AV as well; it does not come in a standard standalone flavor (we have not seen much market evidence for offering such a standalone version).
In a business setting, a security triumvirate of DF+AE+AV is impenetrable.
First of all, thanks for taking the time out of your schedule to address some of our concerns while testing this latest version [5.0] of Faronics A-E.
I beg to differ somewhat from you on this quoted statement above.
You claim that A-E "work[s] behind the scenes and [is] not in your face".
I have seen that statement hold most of the time, but I've seen unnecessary prompts from A-E when a trusted program is, for example, updating. I'm referring to Microsoft Security Essentials [MSE]. A-E will block that anti-virus from updating its virus definitions whenever there is an available update; it treats the virus defs. update stub as if it were a new program being installed, prompting you to make an Allow/Deny decision [whenever you try to manually update it] and completely blocks it whenever it tries to automatically update itself.
And, this is just to mention one example.
I know your program is top notch and it works as you advertise it and the way it's intended to, but those bugs may need to be addressed.
Furthermore, I have one last question: since you're somewhat admitting yourself that ticking "Monitor DLL Execution" puts some burden on I/O [CPU], would a computer still be protected by NOT ticking the DLL Monitoring option, just to avoid incompatibilities and/or too much I/O?
Before I forget, another thing I did notice [may be some of the other posters on this thread may chime in on this] is, A-E v5 does NOT prompt ALLOW/DENY when you are installing a program that is an .MSI installer [Windows Installer]. I noticed this behavior and it's kind of worrisome because somebody could pack malware using Windows Installer [.msi] and still A-E would let it install on the system without prompting the user with an Allow/Deny message.
Damn. I missed those localizations. Anyway, do you folks plan other localizations as well? If so, which ones?
Whatever happened to the O.P., who, it's correct to assume, is a Faronics representative?
You only posted here to advertise a new version of your product but you haven't taken the time to follow up with the problems and bugs people have been reporting.
If that's the way Faronics deals with its customers, then you're going to lose user base.
There are still problems [bugs] that haven't been addressed and, furthermore, I e-mailed technical support a week ago with some questions and haven't yet received an answer.
Perhaps you missed post #55.
Thanks for taking time to respond; unfortunately I've uninstalled. In general, AE UI navigation resulted in non-responsive freezes, complete locking of the system requiring hard reboots when opening certain applications, and browsers taking in excess of 20 seconds to open, then sluggish tab navigation. Win 7 x64 HP SP1 with only Sandboxie installed.
I might try again and will use support.faronics.com so I can send you what you might require to resolve. Hope the project goes well for Faronics.
Thanks, LoneWolf for pointing that out, although, I had already read that post.
What I was referring to was subsequent posts I made about a bug that I've been observing with this A-E release [v5.0]; it's related to Windows Defender [and it should apply to MSE as well]. Every time WD gets an update of its spyware definitions [when done manually], A-E pops up a message alerting about "AM Patch 1.123.xxxx.0" [1.123 being the definitions file number] and offers to DENY it [block] or ALLOW it.
This shouldn't be the case, because what WD is doing is just updating its database. But then, when you ALLOW it, your A-E "Execution Control List" is going to grow indefinitely, because if you have, let's say, three WD definition updates a day, and you have to allow each one of them in A-E every time, that list is going to grow out of control with entries like "1.123.xxxx.0 defs. update" adding up, and so on.
Faronics should provide a way so WD can update its definitions normally without triggering an alert from A-E every time asking to DENY or ALLOW the definitions to be applied to WD.
OK, I understand now; hope you get some answers soon.
OK, I've installed the 32-bit standard version on XP Pro x32 SP3, Pentium 4 3.4 GHz, 4 GB RAM. I will report back on my findings in a couple of days. I'm an AppGuard fan, but I will be unbiased in my findings. I've always lived by the motto "give credit where credit is due".
The thing is that .msi is not an actual executable file. It is merely a compressed container, similar to a cab, zip or rar archive. AE does not stop this archive from being deflated, but if any actual installation is taking place and the payload of the msi tries to access runtime, this attempt will be evaluated and blocked if unauthorized.
We need to look closer at this specific case. It is entirely possible that the update is triggered through a different mechanism, several degrees of separation removed from the trusted update engine you have dedicated in AE settings. What I mean by that is that the update engine might be trusted, but this trusted engine might start another process, which, in turn, will start the actual update process without inheriting the trusted status in AE. This corner case will result in the triggered process being intercepted by AE.
I suggest addressing this scenario through publisher control, just tick the box for the entire MSFT as publisher or MSE on the product level. Microsoft compared to other vendors does a decent job at signing their executables.
Yes, it would. The absolute majority of our users operate without DLL protection. We see increased levels of DLL protection use in server environments. DLL injection is the main reason for activating DLL protection, so if you are not likely to be targeted by such attacks, you might want to ease off on your I/O and still be protected. As we all know, protection is not a binary quality like pregnancy; there are degrees of protection. DLL protection wraps another security blanket around your environment.
No idea what you mean under O.P. PM me with some more detail, I will address then. My name is Dmitry and I am in charge of PM/DV/QA.
Sorry it took so long for our support to respond, their SLA is to respond within one business day. PM me your support ticket (looks like XXX-111-11111) and I will personally attend to it.
Sorry to see you go. I hope to see you back one day.
Thanks for your reply and clarifications. It took a long time for you to get back to us, but I feel it was worth the wait.
I still need some further clarification on how to make this suggestion of yours work:
How do you set up A-E to allow the definitions without prompting ALLOW/DENY?
You mention "publishers". Are you referring to selecting "Publishers" under "Execution Control List" and ADDing the whole folder [under Program Files] for MSE [or Windows Defender], so it can be excluded from A-E whenever a virus update is performed? What about the "C:\Users\<user>\AppData" folder?
By the way, when I select "Publishers", it's empty; there is nothing to check-mark there.
Could you point out to me how to do this?
P.S.: O.P. stands for "original poster", since it was you who started this thread.
How does this product compare to AppLocker in Win7 Ultimate? I've tried AppLocker but kinda got tired of having to mess with it so much when programs updated. With AE, can Java (and other programs) update without me having to shut down or reconfigure AE?
A picture is worth 1000 words, a video = 1.000.000.
Instead of working with individual files, use publisher control to allow this specific application to run and update, or the entire publisher, for that matter.
Once you allow this publisher, signed updates will execute no problem. (In this video I allow anything from Faronics to run in the future, but you can lock it down to a specific version of a file, if you want.)
That's kind of the answer. Instead of individual rules, configuration is much easier. You set it once and use it, instead of constantly tweaking it.
AE also works in environments without Group Policies.
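To make the publisher-control idea from this answer concrete, here is an added PowerShell example (not Faronics code and not AE's own rule engine): it checks each executable's Authenticode signature and decides by signer rather than by file, which is why a signed definition update from an allowed publisher would not need a new per-file entry. The allow-list string and the folder path are assumptions for illustration.

```powershell
# Added example: publisher-based allow decision using the built-in
# Get-AuthenticodeSignature cmdlet. Not Faronics/AE code.
# The subject string below is an assumption; copy the exact Subject from a
# file you trust rather than typing it by hand.
$AllowedPublishers = @(
    'CN=Microsoft Corporation, O=Microsoft Corporation, L=Redmond, S=Washington, C=US'
)

function Test-PublisherAllowed {
    param(
        [Parameter(Mandatory)] [string]   $Path,
        [string[]] $Publishers = $AllowedPublishers
    )

    $sig = Get-AuthenticodeSignature -FilePath $Path

    # Only 'Valid' means the hash matches and the chain ends at a trusted root.
    # NotSigned, HashMismatch or UnknownError earn no publisher credit, so such
    # a file would still need a per-file decision (the "growing list" problem).
    if ($sig.Status -ne 'Valid') {
        return [pscustomobject]@{
            Path    = $Path
            Allowed = $false
            Reason  = "signature status $($sig.Status): per-file decision required"
        }
    }

    $subject = $sig.SignerCertificate.Subject
    $match   = $Publishers -contains $subject
    if ($match) {
        $reason = "signed by allowed publisher '$subject'"
    } else {
        $reason = "validly signed, but '$subject' is not on the allow list"
    }

    [pscustomobject]@{ Path = $Path; Allowed = $match; Reason = $reason }
}

# Walk an application's folder and report which files a single publisher rule
# would cover and which would still land in a per-file control list.
# The folder is an assumed example location.
$target = Join-Path $env:ProgramFiles 'Microsoft Security Client'
if (Test-Path $target) {
    Get-ChildItem -Path $target -Recurse -Include *.exe, *.dll -File |
        ForEach-Object { Test-PublisherAllowed -Path $_.FullName } |
        Format-Table -AutoSize
}
```

A flat string compare on the subject is deliberately strict; a real rule engine also pins the issuer chain so that a different CA issuing a certificate with the same subject text would not match. For the AppLocker comparison asked about above, the equivalent built-in path is the AppLocker module's Get-AppLockerFileInformation and New-AppLockerPolicy -RuleType Publisher, which derive the same publisher/product/file attributes from the signature.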
I must say AE 5 is really a great release. I tried AE about a year ago and had a very torrid time with it, as it would cause very frequent PC freeze-ups among other glitches, and finally therefore got rid of it, but with this release the freezes are gone. The only minor jitters seem to appear when DLL protection is enabled, but there are no more freezes whatsoever. Overall AE 5 is a great release and the publisher-based whitelisting is very handy too. Congrats to Faronics.
Congrats to Faronics; it runs smooth and fast, it feels good.
Running smooth here with AppGuard.
I am installing on my 64-bit machine but the installation is taking forever; it says it is creating the initial control list.
The initial control list takes a while, depending on the system. It's whitelisting everything you have on your system.
I see, thanks; it looks interesting.