Is anyone using Horizons Executable Lockdown

Discussion in 'other software & services' started by bgoodman4, Mar 20, 2009.

Thread Status:
Not open for further replies.
  1. bgoodman4
    bgoodman4 Registered Member

    I was wondering if anyone is using Executable Lockdown http://www.executablelockdown.com/ and if it's a good addition to a PC's security toolbox... or is there a better choice out there.

    Thanks in advance.
  2. nanana1
    nanana1 Frequent Poster

    Not quite the same, I would encourage you to consider Sandboxie as your next investment.*puppy*
  3. Osaban
    Osaban Registered Member

    I've had it for a while and to be honest I was just about to buy it as you don't really need any AV with it, it will just stop any new executables. The reason I didn't in the end was that a discount was available at the time, but "Cleverbridge" the company in charge of receiving payment didn't know anything about it, and I let it go (a matter of principle).

    I do have an alternative, AntiExecutable from Faronics, the makers of DeepFreeze. It still remains one of the hardest programs for malware to crack. The new version compatible with Vista has had mixed reviews here at Wilders. I have a license, but I don't use it with my personal computer as it doesn't allow a program (FirstDefense PC Rescue) to work properly. It is based on creating a white list of programs on your computer, and anything new will have to be allowed eventually by the user; very simple and effective (the old version used to deny by default). Some people found it fastidious to have, and as usual a trial is the best way to see how it responds to your system. Support from Faronics is excellent.
  4. bgoodman4
    bgoodman4 Registered Member

    Thank you Osaban, I will give them both a try.
  5. bgoodman4
    bgoodman4 Registered Member

    I have this program already, but I like the idea that the lock programs work all the time, not just when browsing or when a program is sandboxed.
  6. bgoodman4
    bgoodman4 Registered Member

    Hummm, just took a look at the pricing of AntiExecutable and I must say I am not crazy about the mandatory maintenance package. The program would cost $31 and the support package $63.

    OOPS, found a site where I can get a licence for $45 Canadian (I am Canadian) including the maintenance package. This is much better (obviously) and is competitive with the Horizon product.
    Last edited: Mar 20, 2009
  7. Dark Star 72
    Dark Star 72 Registered Member

  8. bgoodman4
    bgoodman4 Registered Member

    Thanks for your reply. I have Returnil but only use it when I am concerned about something I am doing, such as trying new software or browsing. I like the idea of the lock-down type programs because it's on all the time. It does not matter if you have installed something (and installed an unexpected rider on it) or downloaded a file you want to keep (or think you need to keep - such as an infected file from a friend), you are protected. With Returnil at some point you will turn off the virtual mode and leave your PC exposed to something that may begin running in the background. Lock-down programs (as I understand them, considering I just became aware of them) will prevent the thing from running in the first place. If anything I would think a lock-down program would replace a virtualization program rather than the other way around. Not that one would really replace the other. Since they work differently I suspect they both have their place in a security regime. Yes there is overlap, but each does something the other does not do. Anyway, that's my impression at this point.

    EDIT: just looked at the links you provided and realised I did not know everything there was to know about Returnil (I have a paid version but have not read through the user's guide yet; the program was/is so easy to use I did not feel a need). I will have to learn more about this, but my immediate thought is related to you saying that you need to train Returnil. As I understand it you do not have to do this with the lock-down programs, at least you don't have to with the Horizons program. It's just on. Now I realise if you install a lock-down program that will allow anything already on your PC to run, then if you have an issue it will continue to be an issue. It is clearly best if you install a program like this on a brand spanking new PC. On the other hand, not having to know what to allow and what not to in terms of an OS and legit apps is a big plus for folks like me without a lot of technical know-how. At worst, if I find that something wants to run and I have no idea what it is, I can ask on this forum. With Returnil I would have to know enough to know if it's OK to allow any sort of process to run (I think). I would imagine this would include every essential process and every non-essential but required process. That's a bit more than I could handle (I think).
    Last edited: Mar 20, 2009
  9. Dark Star 72
    Dark Star 72 Registered Member

    Sorry for being a bit late replying. In the new versions of Returnil you can have Anti Execute on all the time whether you are using session lock or not; it works with it but is also independent of it. If you have to approve or deny anything in Anti Execute while you have session lock on, when you reboot the changes (if any) to Anti Execute remain after the reboot; if you blocked something it will still be in the black list after the reboot.
    To clarify what I meant about training it, an example: when I installed Returnil it created a White List which had my printer on it. When I went to use the printer I had two requests to allow or deny the printer's drivers 'starting up'; of course I allowed them. I have a couple of games I play with shortcuts on the desktop, I also have a calendar shortcut. When activating them I got a request from Returnil AE - allow/deny. Simple things like that. Although they are on the White List you need to approve the running of them. Nothing can start up without your approval. After a couple of days almost anything that needs approval to run has been activated and approved.
    Hope that helps.
  10. demoneye
    demoneye Registered Member

    AE conflicts with Sandboxie drivers. Makes SB not load...
  11. bgoodman4
    bgoodman4 Registered Member

    Ah, so it's essentially the same as the Horizon product, that's great. Thanks for the info. I will begin to use it immediately.
  12. Firebytes
    Firebytes Registered Member

    I have not yet moved to the latest Returnil version myself but the user manual on their website states (on page fifty-seven) that the anti-execute function only works while Returnil protection is on. Am I misinterpreting it, is the manual in error, or are you mistaken that it works all the time independent of Returnil protection being on?
  13. Dark Star 72
    Dark Star 72 Registered Member

    I queried this function with Coldmoon while Returnil 2.1 was still in beta. This is the answer he gave me:

    http://www.wilderssecurity.com/showthread.php?t=231230

    If I have misunderstood his answer my apologies, or perhaps they have changed it when it came out of beta. I cannot test to confirm one way or the other at the moment as I have Rollback Rx on board for some beta testing, but will have a look at this for my own information later when I have uninstalled Rollback.
    Don't fancy trying to run Rollback and Returnil at the same time to find out if they are compatible or not :D
  14. Firebytes
    Firebytes Registered Member

    Thanks Dark Star 72, it looks to me like he is saying that it works regardless of protection status as well. Maybe they need to reword their user manual in regard to the anti-execute function.
  15. Rmus
    Rmus Exploit Analyst

    This from the vendor's web site:

    Evidently this doesn't include all executable file types. I was able to use MSWord to load a DLL from a flash drive.
    I use a version of the DLL different from the current XP file.
    I show that Executable Lockdown is running:

    [attached image: hmmapi-exeLockdown.gif]

    Anti-Executable v.2 successfully blocks:

    [attached image: hmmapi-AE.gif]

    As you know, conficker loads a DLL.

    Otherwise, Executable Lockdown seems to be a pretty good product. It's just not as robust as it is made out to be.

    ----
    rich
  16. Dark Star 72
    Dark Star 72 Registered Member

    Rmus,
    Is there any chance you could run those or any other exploits against the Returnil Anti Execute sometime? I unfortunately do not have your experience or expertise at this. As this thread is about Executable Lockdown, and I was partly responsible for taking it off line, perhaps you could start a new post if it is possible to test Returnil.
    With Faronics AE2 no longer available, quite a few people must be looking for a viable alternative.
  17. bgoodman4
    bgoodman4 Registered Member

    It's interesting that you should mention this at this time as I just had the experience. Without thinking (I tend to do that more often these days) I turned Returnil on and went into protected mode. I have RollBack set to take a snap each hour and had 2 snaps taken during the time Returnil was active. I must admit I rebooted the PC with some trepidation, but was pleasantly surprised when the PC booted normally. I was also surprised to find that the snaps RollBack had taken while Returnil's protection was enabled were present. Now I did not try reverting to one of these snaps but..........
  18. bgoodman4
    bgoodman4 Registered Member

    No need to do this as I am interested in both apps (and I started the thread so I guess I can give permission to take it a tad off topic).
  19. Rmus
    Rmus Exploit Analyst

    No, but I've got the files on my web site so you can do the test yourself. It's really better to test on your own system so you can observe the results first hand:

    http://www.urs2.net/rsj/DLL.zip

    [attached image: DLLzip.gif]

    Place both the MSWord document and the DLL in the same folder, then open the MSWord document.

    DESCRIPTION OF TEST

    Hmmapi.dll executes the Hotmail MailTo protocol. The DLL resides in

    C:\Program Files\Internet Explorer

    and the command is invoked from this Registry Key using rundll32.exe:

    [attached image: hotmail-registry.gif]

    Now, this DLL will be White Listed by an execution prevention program, so I use the Win2K version of the DLL and in WinXP, I made the MSWord document with that command in a macro. If successful in loading the DLL, the Windows Live login page will launch in Internet Explorer:

    [attached image: hotmail-load.gif]

    But since the Win2K DLL is not White Listed, it should be blocked, as it was by AE v2 as I showed in my previous post. Executable Lockdown and AppGuard did not block. Lucy showed earlier that SRP will block unauthorized DLLs.

    You can also attempt to load this DLL from a USB drive using Autorun.inf:

    Code:
    [Autorun]
    
    Shellexecute=rundll32.exe hmmapi.dll,MailToProtocolHandler %1
    
    Put the Autorun.inf and DLL files on your USB drive then connect the drive with Autorun enabled.

    Regarding Returnil, it is not useful for the home environments I have in mind, where I want a "set and forget" solution. Fortunately, AE2 can be used until Win2K/XP become obsolete and require an upgrade.

    By the way, here is something not many programs will do: I attempt to copy the Win2k DLL to overwrite the WinXP DLL and AE v2 blocks with its Copy Prevention:

    [attached image: hmmapi-xxcopy.gif]

    Lucy says that SRP will also prevent this.

    If you attempt this, be sure and make a copy of your DLL.

    ----
    rich
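    A defender-side check for the gap rich's test exposes: a product that whitelists a DLL by name or path will pass a same-named DLL dropped elsewhere, and SRP only inspects DLLs when its enforcement level is set to "All software files". This PowerShell script is an added example, not from the thread or any vendor; the registry locations are the documented SRP ones, and the path of the test copy of hmmapi.dll is an assumption.

    ```powershell
    # Added example: audit whether Software Restriction Policies (SRP) inspect
    # DLLs, then show why a name/path whitelist cannot tell the two hmmapi.dll
    # versions apart. Registry key and value meanings are the documented ones;
    # the file paths below are assumptions for this illustration.

    function Get-SrpDllPolicy {
        $key = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers'
        if (-not (Test-Path $key)) {
            # No SRP policy at all: nothing is checked, executables or DLLs.
            return [pscustomobject]@{ Configured = $false; DefaultLevel = 'None'; ChecksDlls = $false }
        }
        $p = Get-ItemProperty -Path $key
        # DefaultLevel: 0 = Disallowed, 0x1000 = Basic User, 0x40000 = Unrestricted
        $level = switch ($p.DefaultLevel) {
            0       { 'Disallowed' }
            0x1000  { 'Basic User' }
            0x40000 { 'Unrestricted' }
            default { 'Unknown' }
        }
        # TransparentEnabled: 1 = all software files except libraries (DLLs),
        #                     2 = all software files, including DLLs
        [pscustomobject]@{
            Configured   = $true
            DefaultLevel = $level
            ChecksDlls   = ($p.TransparentEnabled -eq 2)
        }
    }

    $policy = Get-SrpDllPolicy
    $policy | Format-List
    if (-not $policy.ChecksDlls) {
        Write-Warning ('SRP is not inspecting DLLs, so rundll32 can load an unlisted DLL ' +
                       '(the hmmapi test). In secpol.msc set Enforcement to "All software files".')
    }

    # The Win2K and XP hmmapi.dll share a name but not a hash, so only a hash
    # (or publisher) rule distinguishes the system copy from the dropped copy.
    $systemDll  = 'C:\Program Files\Internet Explorer\hmmapi.dll'   # path named in the post
    $droppedDll = 'E:\DLL\hmmapi.dll'                               # assumed location of the test copy
    foreach ($f in $systemDll, $droppedDll) {
        if (Test-Path $f) {
            Get-FileHash -Algorithm SHA256 -Path $f | Select-Object Hash, Path
        }
    }
    ```

    Run it elevated before and after changing the SRP enforcement setting; enabling SRP should be done through secpol.msc or Group Policy so the default Unrestricted path rules for the Windows and Program Files folders are created along with it.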
  20. Peter2150
    Peter2150 Global Moderator

    Yes, there is. It's not the OP's prerogative to give permission to take a thread off topic. It's forum policy that threads stay on topic.

    I agree, if RMUS can do it that would be great but another thread is the right way to do it.

    Pete
  21. Dark Star 72
    Dark Star 72 Registered Member

    Thanks for that bit of info, perhaps when I have next taken a full backup image and can do an up-to-date restore if necessary I'll try that out :D
  22. Dark Star 72
    Dark Star 72 Registered Member

    Rmus,
    Thanks for the link and info, as soon as I have the time I'll see if I can try it out.
  23. bgoodman4
    bgoodman4 Registered Member

    OK, sorry about that.

    HEY YOU GUYS... STAY ON TOPIC... thanks.