Faronics Anti-Executable V.3.501111.406

Discussion in 'other anti-malware software' started by Osaban, Jan 1, 2010.

Thread Status:
Not open for further replies.
  1. Jav

    Jav Guest

    Sorry I haven't used Faronics AE.
    So question.
    Doesn't it work like SRP?
    If so, it should block you from merging reg file, shouldn't it? :doubt:

    Regardless of regedit.exe being whitelisted.
     
  2. Franklin

    Franklin Registered Member

    Joined:
    May 12, 2005
    Posts:
    2,517
    Location:
    West Aussie
    Thought it may have been my XP vm so fired up a Vista vm and still no warning when merging after taking regedit out of the whitelist with AE a goner at reboot.

    REG1.JPG

    Reg2.JPG
     
  3. Greg S

    Greg S Registered Member

    Joined:
    Mar 1, 2009
    Posts:
    1,039
    Location:
    A l a b a m a
    I've never used it either but at one time wanted to try it but just never did. I do like SRP though and so far haven't found anything that beats it to the punch.
     
  4. Jav

    Jav Guest

    AppLocker :p

    Sorry for offtopic
     
  5. pidbo

    pidbo Registered Member

    Joined:
    Dec 25, 2006
    Posts:
    198
    I don't think this version runs on Windows 2000, at least I don't see it on Faronics site.
    I wonder if Faronics fixed the problem with Laptops yet?

    doubleyadoubleyadoubleya

    betanews.com/article/Faronics_latest_version_of_AntiExecutable_heads_back_to_the_lab/1222976682
     
  6. Osaban

    Osaban Registered Member

    Joined:
    Apr 11, 2005
    Posts:
    5,617
    Location:
    Milan and Seoul
    Franklin, I don't know what to say at this stage, if I take regedit.exe out of the white list, I can't open the registry (apparently you get different results). Thank you for pointing out the registry issue as I'm going to take it out of the white list, although as I already mentioned this program in the hands of an expert can stop anything from executing (particularly when given to a user who doesn't own the computer).

    There's also another feature which is new in V3, that is the so called "Black List" where (I presume as I've never used it) one can have enhanced security from certain files.

    @ pidbo

    My computer with AE is a laptop.
     


    Last edited: Jan 3, 2010
  7. Franklin

    Franklin Registered Member

    Joined:
    May 12, 2005
    Posts:
    2,517
    Location:
    West Aussie
    No probs Osaban, AE is a great product but not for me and I'll leave it at that.

    Only found this reg setting a coupla days ago so I'm gonna move on and test a few other apps against it.
     
  8. daniel952

    daniel952 Registered Member

    Joined:
    Jul 30, 2004
    Posts:
    71
    It looks like good software, but after scanning aeservex.exe virustotal showed several virus/trojans. See the analysis below:

    ~VirusTotal link removed per Policy.~

    Any comments on this?
     
    Last edited by a moderator: Jan 3, 2010
  9. Rmus

    Rmus Exploit Analyst

    Joined:
    Mar 16, 2005
    Posts:
    4,020
    Location:
    California
    Well, thanks for the accolade, however, my area of interest in attack vectors is rather limited!

    By "tight" I meant that AE no longer blocks all executable file types, such as DLLs. And thus, the Conficker worm which uses a DLL could bypass AE.

    Having said that, Conficker should be a no-threat for those savvy enough to use AE, since Conficker requires unsecured ports, and unrestricted execution of Autorun.

    The other changes in v.3 involved doing away with Copy Protection, which I found very useful in testing remote code execution exploits: no unauthorized executable can download/extract (Copy) to the HD. Here, I cannot extract an executable not on the White List:

    astro-extract.gif

    With v.3, the executable can download, but of course, will not run. NOTE: I tested this with an early build of v. 3 -- someone may want to check to see if the action is any different.

    The message window is different. With v.2 you get more information.

    Here is a test of AE catching a spoofed executable (EXE changed to TMP).

    Version 3:


    astrotmp-2.gif

    Version 2:


    astroAE.gif

    The VBS script used WinMgmt.exe to launch the executable. Version 3 no longer reports that in the Alert box. There is also no "Reason" since the only action AE blocks is executing (Open) the file.

    The original v.3 made the user create the White List. Subsequent builds gave back the option to have the White List created automatically.

    Another interesting change is the inclusion of .bat as a protected filetype. A .bat file, of course, is a script executable, not a binary executable.

    In correspondence with Faronics, I learned that marketing decisions led to many of the changes, since they received complaints about AE being too restrictive.

    Other changes seem to be geared towards institutional environments; in fact, home use isn't even mentioned anymore on the AE home page:

    AE is still a powerful Anti-Executable program for those who want a stand-alone program of this type.

    ----
    rich
     
    Last edited: Jan 4, 2010
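Rmus's test above of a spoofed executable (EXE renamed to TMP) relies on a content check rather than the file extension. As an added example, not code from the thread or from Faronics, this Python snippet applies the same idea: it reads the DOS "MZ" magic and the PE signature at e_lfanew, then compares the result with the extension; the sample bytes are a constructed minimal header, not a real program.

```python
import struct
from pathlib import Path

# Constructed sample: a minimal PE-style header (DOS stub + PE signature), not a real program.
# e_lfanew (offset 0x3C) points at the "PE\0\0" signature we place at offset 0x40.
_FAKE_PE = bytearray(b"MZ" + b"\x00" * 0x3A)
_FAKE_PE += struct.pack("<I", 0x40)          # e_lfanew = 0x40
_FAKE_PE += b"PE\x00\x00" + b"\x00" * 20     # PE signature + dummy COFF header bytes

# Extensions Windows treats as loadable PE images (assumed list for this example).
EXECUTABLE_EXTENSIONS = {".exe", ".dll", ".scr", ".sys", ".cpl", ".ocx"}


def is_pe_image(data: bytes) -> bool:
    """Content-based check: DOS 'MZ' magic and a 'PE\\0\\0' signature at e_lfanew."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return False
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)
    # Reject an e_lfanew that points past the end of the data (truncated or bogus header).
    if e_lfanew + 4 > len(data):
        return False
    return data[e_lfanew:e_lfanew + 4] == b"PE\x00\x00"


def classify(name: str, data: bytes) -> str:
    """'spoofed' when the bytes are a PE image but the extension says otherwise."""
    ext = Path(name).suffix.lower()
    pe = is_pe_image(data)
    if pe and ext not in EXECUTABLE_EXTENSIONS:
        return "spoofed"
    if pe:
        return "executable"
    return "data"


if __name__ == "__main__":
    for fname in ("astro.exe", "astro.tmp", "notes.txt"):
        blob = bytes(_FAKE_PE) if fname.startswith("astro") else b"just text"
        print(fname, "->", classify(fname, blob))
```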
  10. Rmus

    Rmus Exploit Analyst

    Joined:
    Mar 16, 2005
    Posts:
    4,020
    Location:
    California
    Aren't Administrative privileges required to merge a .reg file?

    ----
    rich
     
  11. Kees1958

    Kees1958 Registered Member

    Joined:
    Jul 8, 2006
    Posts:
    5,857
    I always thought that depended on the keys touched.

    Regards Kees
     
  12. Kees1958

    Kees1958 Registered Member

    Joined:
    Jul 8, 2006
    Posts:
    5,857
    When it is not pending file name operations, please PM how this works

    Thx
     
  13. Rmus

    Rmus Exploit Analyst

    Joined:
    Mar 16, 2005
    Posts:
    4,020
    Location:
    California
    This is my understanding:

    Applying the Principle of Least Privilege to User Accounts on Windows XP
    http://technet.microsoft.com/en-us/library/bb456992.aspx

    If Franklin wants to elaborate, he can specify which section of the Registry is used.

    ----
    rich
     
  14. arran

    arran Registered Member

    Joined:
    Feb 5, 2008
    Posts:
    1,156
    Was it AE2 which blocked DLLs from loading? Its white list must have been rather big to maintain to block DLLs as well, because with MD I have hundreds of DLL rules that are allowed to run. I'm just wondering if it is better just to block the creation of new malicious DLL files on the OS?
     
  15. Franklin

    Franklin Registered Member

    Joined:
    May 12, 2005
    Posts:
    2,517
    Location:
    West Aussie
    To alleviate a lot of people's fears I set new keys/string values to HKLM to which only Administrators can write and all my XP/Vista/7 installs are full-blown admin.

    Thanks Rmus as I really didn't know that. :thumb:
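The question in the posts above, whether merging a .reg file needs Administrator rights, comes down to which hives the file's section headers touch, as Franklin's HKLM-only test shows. As an added example, not code from the thread or from Faronics, this Python script parses the section headers of a constructed .reg export and reports whether default Windows ACLs make it an admin-only merge; the hive table and the ACL assumptions (HKCU writable by the user, everything else machine-wide) are mine and simplified.

```python
import re

# Constructed sample .reg export, not taken from the thread.
SAMPLE_REG = r"""Windows Registry Editor Version 5.00

; per-user key: writable by the logged-on user
[HKEY_CURRENT_USER\Software\ExampleApp]
"Setting"="on"

; machine-wide key: Administrators only by default
[HKEY_LOCAL_MACHINE\SOFTWARE\ExampleApp]
"Path"="C:\\ExampleApp"

[-HKEY_LOCAL_MACHINE\SOFTWARE\OldApp]
"""

# Assumption: default ACLs. A standard user can write only under HKCU (and their own
# HKU\<SID>, which this simplified check still treats as admin-only). HKCR is listed as
# machine-wide because its writable part is backed by HKLM\Software\Classes.
ADMIN_HIVES = {"HKEY_LOCAL_MACHINE", "HKLM", "HKEY_CLASSES_ROOT", "HKCR",
               "HKEY_USERS", "HKU", "HKEY_CURRENT_CONFIG", "HKCC"}
USER_HIVES = {"HKEY_CURRENT_USER", "HKCU"}

# [HIVE\sub\key] writes the key; [-HIVE\sub\key] deletes it.
_SECTION = re.compile(r"^\[(-?)([^\\\]]+)(?:\\(.*))?\]$")


def parse_reg(text: str):
    """Yield (operation, hive, subkey) for each section header; value lines are skipped."""
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        m = _SECTION.match(line)
        if m:
            op = "delete" if m.group(1) else "write"
            yield op, m.group(2).upper(), m.group(3) or ""


def needed_privilege(text: str) -> str:
    """'admin' if any section touches a machine-wide hive, 'user' if only HKCU, else 'unknown'."""
    level = "user"
    for _op, hive, _sub in parse_reg(text):
        if hive in ADMIN_HIVES:
            return "admin"
        if hive not in USER_HIVES:
            level = "unknown"
    return level


if __name__ == "__main__":
    for op, hive, sub in parse_reg(SAMPLE_REG):
        print(f"{op:6} {hive}\\{sub}")
    print("merge needs:", needed_privilege(SAMPLE_REG))
```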
     