Faronics Anti-Executable v3 Beta

Discussion in 'other anti-malware software' started by trjam, May 22, 2008.

Thread Status:
Not open for further replies.
  1. demoneye

    demoneye Registered Member

    Joined:
    Dec 30, 2007
    Posts:
    1,356
    Location:
    ISRHell
    AE is pain in the ass when u test lots of software :cool:
     
  2. ErikAlbert

    ErikAlbert Registered Member

    Joined:
    Jun 16, 2005
    Posts:
    9,455
    I only have to turn it OFF, not turn it back ON, my boot-to-restore does that for me + uninstalling the tested software + total cleaning, while I'm drinking a cup of coffee. Getting much and doing nothing is my favorite game.
     
  3. EASTER

    EASTER Registered Member

    Joined:
    Jul 28, 2007
    Posts:
    11,126
    Location:
    U.S.A. (South)
    Patience is supposed to be a virtue but impatience and haste rules where concerns our waiting for softs to complete their rounds, whatever it is.

    There's always a trade-off when it comes to security apps no matter which way we look at it. Some are acceptable, some are frustratingly annoying.
     
  4. jrmhng

    jrmhng Registered Member

    Joined:
    Nov 4, 2007
    Posts:
    1,268
    Location:
    Australia
    If a program that is on the whitelist has a vulnerability that is exploited, AE won't stop it. However, if the ultimate payload of this exploit is to download an executable, then it stops it from executing.

    However, can anyone think of a scenario where an exploit's final payload is not an executable and will compromise a system even with AE installed? I'm just trying to cover all my bases.

    Also, if I want to use it to disable VBS, I can just disable wscript.exe right? What other scripting interfaces are on Windows Vista that I need to restrict to prevent scripting?

    EDIT

    After reading this http://en.wikipedia.org/wiki/VBScript I realized that I also need to disable Cscript.exe and mshta.exe. What other executables do I need to disable to stop vbs and js running? Additionally, are there other active scripts I need to be aware of?
     
    Last edited: May 29, 2008
  5. Pedro

    Pedro Registered Member

    Joined:
    Nov 2, 2006
    Posts:
    3,502
    Off-topic :/
    To disable scripting, try Symantec's noscript.
    I tried it and it works very well. It removes all relevant entries in the registry (per extension).
    I tried running scripts with cmd, and they won't run either. Script Sentry and WormGuard (the best script blockers imo) block if you run 'test.vbs', but not if you call wscript, 'wscript.exe test.vbs' . noscript effectively disables to that point, you just can't run any scripts.

    Then there's exploits, buffer overflows among them.
    Your bigger question
    is also what some of us are looking for. No working example so far, afaik. Only assumptions.
    Follow Rmus's posts :)
     
  6. jrmhng

    jrmhng Registered Member

    Joined:
    Nov 4, 2007
    Posts:
    1,268
    Location:
    Australia
    Thanks for that. Does noscript work in Vista? The reason I ask is that the last update on noscript seems to be in 2005.

    In terms of exploits on the host system, if scripts and executables are disabled, is there anything left?

    I do remember a little while back where browser scripts could be used to change your router's settings if the default password is still the same. But that can be easily mitigated by changing the password.
     
  7. Pedro

    Pedro Registered Member

    Joined:
    Nov 2, 2006
    Posts:
    3,502
    Vista adds stuff, and I don't run Vista (i.e. I don't know).
    Assume noscript does not run on Vista, unless stated otherwise by Symantec.
    I would begin with a google "disable scripting vista". Vista is likely to have additional means to control it.

    You mention browser. That's the beginning of the problem with scripts. There are more programs other than wscript and cscript that interpret scripting. You just have to "tackle" each, case by case.

    Search Wilders for "malicious scripts". There's a thread with that name which could get you started, read it, and post there or a similar one.

    This is AE v3 beta :)
     
  8. jrmhng

    jrmhng Registered Member

    Joined:
    Nov 4, 2007
    Posts:
    1,268
    Location:
    Australia
    Thanks for that. I will post there if I have any more inquiries.
     
  9. jrmhng

    jrmhng Registered Member

    Joined:
    Nov 4, 2007
    Posts:
    1,268
    Location:
    Australia
    If there is a buffer overflow attack, will AE prevent execution of the code in the buffer?
     
  10. Rmus

    Rmus Exploit Analyst

    Joined:
    Mar 16, 2005
    Posts:
    4,020
    Location:
    California
    If the code downloads/launches a binary executable, then yes.

    Some examples from my notes:

    One of the .wmf exploits:
    http://blog.threatfire.com/2007/12/shellcode-analysis-download-n-exec.html
    Some Storm threats
    http://blog.threatfire.com/2007_08_01_archive.html
    .................................................

    W32/Mydoom
    http://vil.nai.com/vil/content/v_129630.htm
    .................................................

    Iframe buffer overflow
    http://www.finlandforum.org/viewtopic.php?t=7685
    .................................................

    W32/Zotob.worm
    http://vil.mcafeesecurity.com/vil/content/v_135433.htm
    .................................................

    Edit:

    One that I tested was the .wmf exploit -- screenshots here:

    https://www.wilderssecurity.com/showpost.php?p=1227757&postcount=29


    ----
    rich
     
    Last edited: Jun 24, 2008
  11. jrmhng

    jrmhng Registered Member

    Joined:
    Nov 4, 2007
    Posts:
    1,268
    Location:
    Australia
    Thanks for that. Where do you source all the info for the exploits?

    What if the scenario is not that the buffer overflow downloads and executes a trojan/spam bot? What if the code in the compromised buffer was itself a very simple trojan; will this trojan be allowed to execute? What if the code in the compromised buffer draws on the Windows API to do a low-level format of the disk; will AE stop that?

    Cheers
    Jeremy
     
  12. Rmus

    Rmus Exploit Analyst

    Joined:
    Mar 16, 2005
    Posts:
    4,020
    Location:
    California
    You are welcome. I edited my post to include the links.

    I'm not sure what you mean. You will have to find an existing attack to test.

    I don't know. You will have to find an existing attack to test. Of what value to today's malware writers would this scenario be?

    I have not found any in-the-wild buffer overflow attacks which do anything besides download a trojan. (I'm still looking!)

    The *possibilities* for shellcode exploitation are endless, of course. If you are concerned about these, then you need one of the products discussed in the Buffer Overflow thread.

    All Anti-Executable does is prevent any non-White Listed executable from downloading/running.


    ----
    rich
     
  13. Rmus

    Rmus Exploit Analyst

    Joined:
    Mar 16, 2005
    Posts:
    4,020
    Location:
    California
    This just in this evening:

    Adobe Reader and Acrobat 8.1.2 Security Update
    http://isc.sans.org/diary.html?storyid=4616

    As with Buffer Overflow, I've not found any current attacks that do other than download a trojan.

    Some earlier examples:

    http://isc.sans.org/diary.html?storyid=4330
    http://blogs.pcworld.com/staffblog/archives/005775.html
    http://www.avertlabs.com/research/blog/index.php/2008/02/11/another-adobe-pdf-exploit-in-the-wild/
    http://www.cio.com/article/182055/Attacks_Aimed_At_Adobe_Reader_Acrobat_Flaws_Intensify
    Anti-Executable would stop all of these attacks.


    ----
    rich
     
    Last edited: Jun 24, 2008
  14. jrmhng

    jrmhng Registered Member

    Joined:
    Nov 4, 2007
    Posts:
    1,268
    Location:
    Australia
    Maybe it is because I misunderstand buffer overflows. But from what I can gather, it means arbitrary code can be executed. So I want to know if this arbitrary code will be recognised by AE and stopped.
     
  15. Rmus

    Rmus Exploit Analyst

    Joined:
    Mar 16, 2005
    Posts:
    4,020
    Location:
    California
    My understanding of how AE works is that if this arbitrary code does something besides launch a non-white listed binary executable, then the answer is no -- the code is not stopped.

    When the above-mentioned .wmf exploit surfaced, someone at DSLR created a .wmf file which launched the windows calculator.
    AE did not block that code from executing:

    [screenshot: wmf-sloview.gif]


    The same with scripts.

    Note here, you can see that the script does run, but cannot execute the code because it attempts to run an executable, and so it fails.
    Code:
    rem WSH runs the VBScript in the temp file; the executable it tries to launch is not white-listed
    wscript /e:vbscript "c:\temp\03Bx.tmp"

    [screenshot: vbs_1.gif]


    On the other hand, here is an AutoRun.inf test: A VBScript file executes a .bat file which starts the calculator.
    AE does not stop the script from executing the code:
    Code (the VBScript file):
    ' Shell.Run hands the batch file to cmd.exe, which is white-listed
    set shell = CreateObject("WScript.Shell")
    shell.Run "start.bat"

    Code (start.bat):
    rem calc.exe is itself white-listed, so AE lets it launch
    start calc.exe

    [screenshot: vbs_bat-calc.gif]

    ----
    rich
     
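The chains in the post above (script host runs a script, the script launches cmd.exe, cmd.exe launches calc.exe) are exactly what an executable allowlist does not see, because every image in the chain is white-listed. The usual defensive answer is to watch for script hosts spawning children. The following PowerShell is an added example written for this thread, not code from the post or from Faronics: it walks a batch of constructed process-creation records (the field names mirror Sysmon Event ID 1: ProcessId, ParentProcessId, Image, ParentImage, CommandLine; the PIDs and timestamps are made up) and reports every process whose ancestry passes through wscript.exe, cscript.exe, mshta.exe or powershell.exe. The list of script hosts and the sample records are assumptions; on a real system you would feed it records from the event log and key the walk on ProcessGuid rather than PID.

```powershell
# Added example (not from the thread): flag processes whose ancestry goes
# through a Windows script host, the chain an executable allowlist lets through.

# Script hosts to treat as suspicious parents (assumption; extend as needed).
$scriptHosts = @('wscript.exe', 'cscript.exe', 'mshta.exe', 'powershell.exe')

# Constructed sample records in the shape of Sysmon Event ID 1 fields.
# They re-create the vbs -> bat -> calc chain from the screenshots above.
$events = @(
    [pscustomobject]@{ Time='2008-06-24 20:01:10'; ProcessId=200; ParentProcessId=100
                       ParentImage='C:\Windows\explorer.exe'
                       Image='C:\Windows\System32\wscript.exe'
                       CommandLine='wscript /e:vbscript "c:\temp\03Bx.tmp"' },
    [pscustomobject]@{ Time='2008-06-24 20:01:11'; ProcessId=300; ParentProcessId=200
                       ParentImage='C:\Windows\System32\wscript.exe'
                       Image='C:\Windows\System32\cmd.exe'
                       CommandLine='cmd /c start.bat' },
    [pscustomobject]@{ Time='2008-06-24 20:01:12'; ProcessId=400; ParentProcessId=300
                       ParentImage='C:\Windows\System32\cmd.exe'
                       Image='C:\Windows\System32\calc.exe'
                       CommandLine='calc.exe' },
    [pscustomobject]@{ Time='2008-06-24 20:05:00'; ProcessId=500; ParentProcessId=100
                       ParentImage='C:\Windows\explorer.exe'
                       Image='C:\Windows\System32\notepad.exe'
                       CommandLine='notepad.exe' }
)

function Get-ScriptHostSpawns {
    param(
        [Parameter(Mandatory)][object[]]$Records,
        [string[]]$Hosts = $scriptHosts
    )
    # Index the batch by ProcessId so each process can be walked back to its root.
    $byPid = @{}
    foreach ($r in $Records) { $byPid[$r.ProcessId] = $r }

    foreach ($r in $Records) {
        $chain = @([System.IO.Path]::GetFileName($r.Image))
        $cur = $r
        $hostFound = $null
        # Walk up through parents present in this batch; stop at the first script host.
        while ($byPid.ContainsKey($cur.ParentProcessId)) {
            $cur = $byPid[$cur.ParentProcessId]
            $name = [System.IO.Path]::GetFileName($cur.Image)
            $chain = @($name) + $chain
            if ($Hosts -contains $name.ToLower()) { $hostFound = $name; break }
        }
        if ($hostFound) {
            [pscustomobject]@{
                Time        = $r.Time
                ScriptHost  = $hostFound
                Chain       = ($chain -join ' -> ')
                CommandLine = $r.CommandLine
            }
        }
    }
}

# On the sample above this reports cmd.exe and calc.exe (both descend from
# wscript.exe); notepad.exe, launched from Explorer, is not reported.
Get-ScriptHostSpawns -Records $events | Format-Table -AutoSize
```

The walk stops at the first script host it meets going upward, so a long chain is reported once per descendant with the full path shown, which is what you want when deciding whether the allowlist alone is enough for a given interpreter.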
  16. jrmhng

    jrmhng Registered Member

    Joined:
    Nov 4, 2007
    Posts:
    1,268
    Location:
    Australia

    Also on this exploit from http://secunia.com/advisories/30832/

    So when it says that "potentially execute arbitrary code" what does it mean? Is it just using js to download a trojan and execute? I understand that when the trojan is executed, AE will kill it. Is this the case?
     
  17. zopzop

    zopzop Registered Member

    Joined:
    Apr 6, 2006
    Posts:
    642
    rmus quick question, what if you use AE to block wscript.exe and cscript.exe from running? won't that block all scripts?
     
  18. jrmhng

    jrmhng Registered Member

    Joined:
    Nov 4, 2007
    Posts:
    1,268
    Location:
    Australia
    I believe that it won't block them if they were invoked in another way. This can include from Firefox or Adobe Reader.
     
  19. Rmus

    Rmus Exploit Analyst

    Joined:
    Mar 16, 2005
    Posts:
    4,020
    Location:
    California
    Security advisories are reporting a vulnerability, not a specific attack, and as such, have to cover all bases.

    Microsoft's standard statement is, "vulnerability could allow remote code execution if a user ________________ (fill in the blank)."

    Here, for example:

    http://www.microsoft.com/technet/security/Bulletin/MS08-031.mspx
    From both of these advisories, the user has no idea what the exploit could do.

    The fact that the code could do most anything is not very helpful. I can spend hours thinking of what code in a pdf file could do, look at every PoC that people devise, attempt to fortify against every conceivable attack I can think of. That approach leads to never ending frustration and misery.

    That is why I prefer to look at specific known attacks, where the analysis tells me exactly what the attack does. Now, I know what to protect against, while waiting for the patch. Sans.org is pretty reliable about reporting known attacks exploiting a vulnerability.

    As I indicated in the examples I cited in the posts above, all of the pdf attacks I have seen want to download a trojan.


    ----
    rich
     
  20. Rmus

    Rmus Exploit Analyst

    Joined:
    Mar 16, 2005
    Posts:
    4,020
    Location:
    California
    Unless something changes in the new version, I'm not aware that you can exclude applications from the White List.

    Using Registry files to toggle Enable/Disable of Windows Script Host (WSH), you can prevent both wscript.exe and cscript.exe from running. Here, using an Autorun.inf file to execute wscript.exe and cscript.exe:

    [screenshot: wscript-1.gif]

    [screenshot: wscript-cscript.gif]

    Correct, WSH does not prevent the browser from interpreting scripts in a web page.


    ----
    rich
     
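The Enable/Disable registry files the post above refers to flip a single documented value: a DWORD named Enabled under the Windows Script Host Settings key, where 0 stops wscript.exe and cscript.exe from running scripts and 1 (or no value) leaves them working. The HKLM copy applies to every user on the machine, the HKCU copy to the current user only. The PowerShell below is an added example for this thread, not code from the post or from Faronics; it audits both scopes and, if asked, sets the value the same way the .reg files do. The function names are my own; changing the HKLM key needs an elevated prompt. As the post notes, this only affects WSH, not script interpreters embedded in a browser or in Adobe Reader.

```powershell
# Added example (not from the thread): audit and toggle the Windows Script Host
# "Enabled" value that the Enable/Disable .reg files in the post above set.

# Documented WSH settings locations for the machine and the current user.
$wshPaths = @{
    Machine = 'HKLM:\SOFTWARE\Microsoft\Windows Script Host\Settings'
    User    = 'HKCU:\SOFTWARE\Microsoft\Windows Script Host\Settings'
}

function Get-WshState {
    # Returns one object per scope with the raw value and what it means.
    foreach ($scope in $wshPaths.Keys) {
        $path  = $wshPaths[$scope]
        $value = $null
        if (Test-Path $path) {
            $value = (Get-ItemProperty -Path $path -Name Enabled -ErrorAction SilentlyContinue).Enabled
        }
        if ($null -eq $value)  { $state = 'not set (WSH enabled by default)' }
        elseif ($value -eq 0)  { $state = 'disabled' }
        else                   { $state = 'enabled' }
        [pscustomobject]@{ Scope = $scope; Path = $path; Enabled = $value; State = $state }
    }
}

function Set-WshState {
    param(
        [Parameter(Mandatory)][ValidateSet('Machine', 'User')][string]$Scope,
        [Parameter(Mandatory)][bool]$Enable
    )
    $path = $wshPaths[$Scope]
    # The key does not exist on a default install; create it before writing.
    if (-not (Test-Path $path)) { New-Item -Path $path -Force | Out-Null }
    # 0 = scripts blocked, 1 = allowed; same effect as the Disable/Enable .reg files.
    New-ItemProperty -Path $path -Name Enabled -PropertyType DWord `
        -Value ([int]$Enable) -Force | Out-Null
    Get-WshState | Where-Object Scope -eq $Scope
}

# Audit only. To block WSH for all users run, elevated:
#   Set-WshState -Scope Machine -Enable $false
Get-WshState | Format-Table -AutoSize
```

Read the audit output before changing anything: a machine that already shows 'disabled' under Machine needs no per-user change, and a value of 1 written under User will not re-enable WSH while the HKLM value is 0.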
  21. jrmhng

    jrmhng Registered Member

    Joined:
    Nov 4, 2007
    Posts:
    1,268
    Location:
    Australia
    Good point. My apologies for beating this point to death and thanks for bearing with me. I'm just trying to design a security system that includes AE that will cover all my bases. I was thinking too much 'theory' and not thinking about real risk factors.

    Cheers
    Jeremy
     
  22. Rmus

    Rmus Exploit Analyst

    Joined:
    Mar 16, 2005
    Posts:
    4,020
    Location:
    California
    You needn't apologize - everyone should "beat all points to death" to narrow down the specifics so that you know what to protect against.

    Security advisories call attention to vulnerabilities, and by necessity, are general with respect to details of attacks. On the other hand, they can be helpful. For example, the Microsoft advisory I cited: if you don't use IE, then it's a moot point.

    The recent Adobe vulnerability seems to exploit JavaScript, which is easy to disable in the Reader.

    Here, without knowing about a specific attack, you can still take preventative measures.

    We just need to get beyond the sensational effect contained in many articles ("10,000 web pages infected") and carefully analyze to see what is really going on.


    ----
    rich
     
  23. ErikAlbert

    ErikAlbert Registered Member

    Joined:
    Jun 16, 2005
    Posts:
    9,455
    FDISR-users watch out for the new AEv3, copy/update might cause errors. :)
     
  24. Thankful

    Thankful Savings Monitor

    Joined:
    Feb 28, 2005
    Posts:
    6,567
    Location:
    New York City
    Anyone using Version 3? It is released.
     
  25. jrmhng

    jrmhng Registered Member

    Joined:
    Nov 4, 2007
    Posts:
    1,268
    Location:
    Australia
    On the website it does not list Vista as a compatible version. Is this just a typo?
     