Faronics Anti-Executable?

Correct me if I wrong, I'm just trying to catch the philosophy behind this software.

From my understanding, this software scans your computer first for executable objects and Anti-Executable (AE) recognizes more than 80 different executable object types and that results in a whitelist of all the executable objects installed on your computer at that time.

I assume that you better install AE, when you are absolutely sure that your computer is CLEAN, otherwise malicious executable objects will be also included in the whitelist.

Once the whitelist is created, NO other executable objects (GOOD or BAD) can be installed on your computer, unless you install them yourself, while AI is turned OFF.

So AE is a kind of a pain, if you install/uninstall software on a regular base.
I also assume that you can't even install and try new software for a short period as long AI is turned ON, not even a screensaver (.scr)

So I still need an Anti-Virus Software.
Will DeepFreeze remove macro viruses and malicious scripts during the next reboot ?

Am I right about this ?
DeepFreeze will allow to run any bad executable/non-executable object between two reboots, but will remove all of them during the next reboot.
Anti-Executable will prevent installing and running any bad executable object, which is not on the whitelist, while bad non-executable objects can do their job, until they are removed by an Anti-Virus software.

 

That is correct.

Wrong. Executables can be "installed", but they can't be executed. You can place an executable, say, in your Windows directory, but you will not be able to launch it. Notice also, a malware that uses and exploit to make an executable behave in a way it was not intended o behave can still do damage to your system; if there is a vulnerability in, say, IE dry that can make it delete any files at will, it will be able to trash a system even if anti-executable is on the computer.

Yes. You can turn anti-executable off, though.

Yes... but 'bad non-executable' objects are not many.

 

TNT,
Thanks for your reply. For now, it's enough for me to understand the basics.

I'm trying to understand this.
Are you trying to tell me, that a good executable file can be abused by another malicious object and let it do bad things ?

 

Yes. That's the basic concept of an exploit: you "give" the executable data that makes it behave in a (harmful) way it was not intended to behave. Of course, the 'good' executable must be vulnerable.

That's why AE can protect you from malicious executables, but not from exploits.

 

Thanks that seems to be a very nasty one.

 

What does?

 

I don't understand what you do mean by this question.
When malicious objects are abusing good executable files and can harm your system or delete even your personal files, I find that very nasty.
How can you remove these exploits ?

 

Exploits.

I suspect it's darn hard to make any good piece of software do exactly what the attacker wants, exploit or no exploit, particularly if it is something sneaky that the original program isn't designed to do.

Or so it seems to me, since most exploits we make a big deal about are used to download and execute another foreign exe planted by the attacker...... So Anti-executable and it's cousins do help indirectly. Or maybe it's because these guys are weak?

To prevent the trash your computer scenario, i guess you need some kind of file permissions thingie so even the good programs cannot be tricked into deleting too much.

 

Oh, ok. Yeah, exploits are nasty but I thought that was a given. As for your question, you can't do MUCH apart from setting an extra layer of defense "outside" the vulnerable program, so that there's a non-exploitable "layer" that prevents the vunlerable program to do the damage.

Of course (as I said) exploits work only if the 'good' application has a vulnerability, and I'd say the vast majority of these are because the programmers did not bother to 'filter' the data that's passed to the application:

http://www-128.ibm.com/developerworks/linux/library/l-sp2.html
http://www.owasp.org/documentation/topten.html

 

Well I can't delete any file on my computer, without confirming it.
Are these malicious programs able to overwrite this confirmation, when they delete a file ?

 

No, it's not that hard, actually, especially because any skilled attacker knows exactly where and how the most common mistakes are.

 

That was a "theoretical" exploit scenario, but yes.

 

So I guess a "format C:" or "format D:" is also easy to do for these malware programs.
I guess only a regular backup can save me from malicious deleting of objects and formatting one or more harddisks. Pffft.

 

Hmmm... let's not mix up exploits with 'malware'; and more, the question here is, why would one want to create a malware that only has that kind of destructive behavior anyway?

 

I've only got limited experience of AE so I'm just wondering about some of the things that have been stated. Can the exe's on the white list really be abused? In the AE manual it states

Presumably, an exe on the white list but not on the trusted list can't open and modify other executables. Doesn't this mean that exe's on the list can't just do whatever they want. For example, on the machine I saw it installed on, you couldn't run a disc defrag until the defrag exe had been put on the trusted list.

Also, AVG couldn't update until a specific folder had been added to the exempted folder list.

I guess you can create a special folder and exempt it so you can test out software by installing it to and running it from your special exempted folder.

Also:

I guess that this means that IE for example can't just delete all your files and trash your system.

I don't know the answers, I'm just guessing but that's the way it looks to me.

 

As I said, AE will NOT stop exploits. An exploit is a way to abuse a "good" executable; AE or Process Guard won't stop the exploits, they will just stop a malware if it gets on your system through the exploit. If there is an exploit on a whitelisted executable, there's nothing that AE can do to prevent it. If one can instruct IE (or any whitelisted executable) to delete files, AE will not prevent this.

 

Doesn't this just mean that IE could be instructed to delete files. However, IE can't delete the files because the file deletion option within AE is enabled? Just curious.

Edit: OK I'm, with you TNT. The deletion prevention only stops deletion of executables, so it could delete your documents.

 

What's the file deletion option in AE? As far as I remember from it, what AE does is just block the execution of executables that are not whitelisted (or that have been changed since the whitelisting).

 

I don't know about earlier versions. The latest version which includes deletion prevention is explained in this link: http://www.faronics.com/doc/FAEStd_Manual.pdf

 

I don't remember seeing that option when I tried it. Though I might have missed it: AE didn't install properly on the computer I tried it and it actually created quite a mess (I couldn't even uninstall it... it wouldn't accept any password). Luckily, it was not a production environment; there was definitely a conflict with something.

The concept behind AE is interesting, but for a home user it seems to me that Process Guard does more and more useful things (other than doing many things that AE does). AE seems more right (combined with Deep Freeze) for Internet cafes or similar.

 

I can't answer that question.
I never used AE in practice and my new computer isn't finished yet.

I'm trying to solve the dangers of having an internet-connection, but without blacklist scanners.

1. DeepFreeze (and ShadowUser) don't protect you during two reboots, but they remove all malwares
during the next reboot and that is a much better job, than AV/AS/AT/AK-scanners do.
So I have to find a solution to stop malware, doing their evil job during two reboots.

2. Anti-Executable is able to stop EXECUTABLE bad objects, but not the NON-EXECUTABLE bad objects,
but most of them are executables.
AE however doesn't protect me against exploits, macro viruses and scripts, but DeepFreeze will
remove these during the next reboot.
So AE + DF is a pretty good protection.

3. To protect my privacy completely, I need "TrueCrypt" and whatever goes out
between two reboots, it will be worthless for the receiver, because he can't read it.

So the chance of getting infected is already pretty small and threats have to be very fast to do anything
in 4-8 hours.

 

ErikAlbert, you might want to try a setup like this (mine is very similar):

- To removes any malware that might have slipped through on the PC, Deep Freeze

- To block any malware from going kernel-level (and possibly try to subvert Deep Freeze or any other low-level process), Process Guard full with all the global protections options checked

- To block executables from reading in folders they have nothing to read from, and to block them from writing on folders they shouldn't write to, and to block them from communicating with the Internet without your knowledge, or to modify the registry in area they shouldn't, Core Force

- To block processes from reading in windows they don't own, SnoopFree

- To prevent any of these from being messed with by malware, Process Guard has protection from termination and modification on most security-related softwares

- Also useful: SpywareGuard, and a packet sniffer (Ethereal is great) for checking what suspect connections are actually doing.

I also optionally use Sandboxie for fast checking "possible" (or probable) malware without setting up a Core Force profile for this; I do use virus scanners and spyware scanners, but they never found a thing and I doubt they ever will.

 

There seems to be a misunderstanding IMHO.

1. Legitimate softwares, I really need will be installed permanently on my harddisk without internet connection
and once the settings are done, I will take an image backup or a snapshot.
Will these softwares infect my computer ? NO. Case closed.

2. All the rest will be installed when I'm protected by DeepFreeze, ShadowUser, ... which means that these untrusted softwares will be removed completely after the next reboot.
Why do I need to know how or with what I was infected during two reboots. Everything is gone after reboot.
I just want to see and try these untrusted softwares without getting infected and without installing them permanently.
If DeepFreeze, ShadowUser, VMware, ... are not able to do this, I'm finished with these products and I will go back to the classical solutions.

OK. KAV detected an infection on your computer THIS time, maybe it won't find an infection the NEXT time.
So KAV can't be trusted either, but after reboot I'm sure I'm clean and you are sure after rebooting with a clean snapshot.
It's the same, the only difference is that you know there was an infection, reported by KAV, but that's because you were lucky KAV detected it.
I don't know if I was infected and frankly, I don't care because it's gone.
If I was infected, I probably wouldn't even notice it, because my experience with malware is very poor.

I know you don't trust ShadowUser as I will, but there is no proof of this. SU never failed until now.
VMware however failed once and SU will fail too in the future, but EVERY software will fail one day.
I have the same trouble with KAV, I don't trust KAV and any other blacklist scanner and this has been proven in the past and I'm not even talking about false positives.

ProcessGuard is probably very safe, IF the user knows the right answers : YES or NO.
I would be worried all the time with PG. Was I right ? Was I wrong ? I don't want that insecurity.

I'm not saying that my security setup is ready : Firewall + DeepFreeze/ShadowUser + Anti-Executable + TrueCrypt.
I'm still missing something.

Isn't this just a matter of opinion and Wilders is FULL of different and even contradictional opinions, which is of course very annoying for me, because I don't get any straight answers and security is a big mess IMO and all these security softwares are incomplete, overlapping, redundant, even unsafe, ...