Anti-Executable

Discussion in 'other anti-malware software' started by LoneWolf, Apr 12, 2007.

Thread Status:
Not open for further replies.
  1. Peter2150

    Peter2150 Global Moderator

    Joined:
    Sep 20, 2003
    Posts:
    20,590
    Just depends on what type of protection you want. SSM is more general and covers a broad scope. AE is much narrower in scope and covers slightly different types of things. For example you can set AE so system files can't be copied. Also there is no downloading an executable file while AE is on guard. These can be powerful features, but can also annoy the heck out of you. These are just a few things.

    Pete
     
  2. [suave]

    [suave] Registered Member

    Joined:
    Apr 5, 2005
    Posts:
    218
    Yeah it definitely got on my nerves a couple of times during my trial. I can tell you that :D

    But dismissing all those extra features they have over one another and only focusing on the execution control, is AE able to block the execution of something that SSM/PS/PG can't?

    This is basically what I'm trying to figure out here. How does their execution control compare. If it is the same then I am happy with my purchase of SSM. If there is a difference then I'll need to do some thinking.
     
  3. Peter2150

    Peter2150 Global Moderator

    Joined:
    Sep 20, 2003
    Posts:
    20,590
    AE will block downloading an executable, but I don't see it as a big deal. OA and PS are alive on my system and AE has been consigned to the byte recycle bin.

    Pete
     
  4. [suave]

    [suave] Registered Member

    Joined:
    Apr 5, 2005
    Posts:
    218
    Yeah I mean, I don't really care about preventing the downloading of executables. What is important is preventing the execution of executables.

    So, as long as SSM is giving me the same level of protection against execution as AE then I'd feel I made the right choice.

    Earlier in this thread someone mentioned AE blocks over 80 different executables. I'm still trying to figure out how SSM (or any other HIPS for that matter) measures up to that.
     
  5. Peter2150

    Peter2150 Global Moderator

    Joined:
    Sep 20, 2003
    Posts:
    20,590
    I am not sure I'd worry about it, in all honesty. I think SSM will do the job.

    Pete
     
  6. EASTER

    EASTER Registered Member

    Joined:
    Jul 28, 2007
    Posts:
    11,126
    Location:
    U.S.A. (South)
    I'm still early in this program but from what I've seen so far (FULL PAID VERSION), you could easily download or copy (as I did) any program from a USB pen onto your system, but no .exe will launch whatsoever from it UNTIL you add it into AE's accepted list, or Whitelist as it's commonly referred to here.
    That IS PREVENTING EXECUTION!

    AFAIK, it's a very formidable supplement to your basic security programs as-is. It's as easy as pie to turn AE protection off to download OR run certain exe's you deem are indeed known and safe. I actually remember trying this program when it first came out and was shocked at how forceful it was in completely disabling execution on ANY exe's not configured into the initial DB or Whitelist.

    It completely complements my overall shielding strategy and about rounds things out nicely, working in tandem with a HIPS, Sandbox, & Virtual Drive.

    Best part for me is that it's 100% stable with no adverse limitations on performance.
     
  7. Baldrick

    Baldrick Registered Member

    Joined:
    May 11, 2002
    Posts:
    2,675
    Location:
    South Wales, UK
    "...but no .exe will launch whatsoever from it UNTILL you add it into AE's accepted or Whitelist as it's commonly referred to here.
    That IS PREVENTING EXECUTION!..."

    So how does that differ technically from what SSM, PS, etc. do? As far as I know, when an executable that is not allowed tries to run you get a prompt requesting that it is given permission or that it is blocked. o_O
     
  8. EASTER

    EASTER Registered Member

    Joined:
    Jul 28, 2007
    Posts:
    11,126
    Location:
    U.S.A. (South)
    There are some here much better versed in this program than I am ATM, but I can give you my honest opinion since I also have used SSM (FULL) for nearly a year or better now. IMO, and technically speaking, the difference is relatively equal in a sense; however, as opposed to SSM, AE seems to spring a more concise list of EXE's already on a CLEAN system, then starts from there to block and allow for desired programs to be added as you will.

    In retrospect though, SSM goes further in that it covers the REGISTRY and also establishes a RULES list of what is acceptable and what is denied, and of course features galore.

    As I already mentioned, AE simply complements or completes this HIPS protection for me. HIPS is my favorite security shield followed by Sandboxie, Power Shadow, and an On-Demand AV (or resident guard), plus my newest assistant in PC Security which LOCKS anything through its Explorer context menu, be it files or whatever. Too many other security features to mention.

    EQSecure 3.4 has for the moment overshadowed SSM for me in that it is a great HIPS on equal footing if not more with SSM, with plenty of useful data information about activity or any file which trips its sensors, and has won my attention for now. That in no way is to suggest that it greatly discounts SSM's effectiveness; System Safety Monitor is the pioneer AFAIK and it has done a remarkable job in behavioral blocking.
     
  9. Long View

    Long View Registered Member

    Joined:
    Apr 30, 2004
    Posts:
    2,295
    Location:
    Cromwell Country
    In your practical experience over the last year how often have any of these blockers blocked anything dangerous? And how often have they been just plain wrong?
     
  10. BlueZannetti

    BlueZannetti Registered Member

    Joined:
    Oct 19, 2003
    Posts:
    6,590
    Both programs are not constructed to necessarily block dangerous objects. You really need to step back and consider the overall design objectives.

    The design goals of AE are fairly obvious from their marketing. This program is designed to lock the software configuration of a machine it is installed on. That's it. The implicit assumption is that you have a targeted complement of applications that will be used, those are the only ones to be used, and you wish to eliminate the possibility that users will start putting other programs on that machine.

    Institutional PC's (business, public use, open use at school, etc.) are the primary target, often to be used in concert with a reboot-to-restore product such as Deep Freeze or any of the many virtualization offerings. In this setting, having very fine granularity on the use of specific applications that are installed on the PC really doesn't make sense. If the target population isn't to use it, you make sure that program is not a part of the base configuration. Since the target is largely institutional and, as a system administrator or support person, you really don't want to spend the rest of your life configuring systems, it's developed as a "create base system and allow all on the base configuration, default deny all else" solution with a mechanism to add additional applications down the road.

    Although AE has plenty of security implications, it's really a product that allows a system configuration to be tightly locked down without invoking sophisticated policies or policy management natively available in the OS.

    SSM is more designed to allow a user, any user, very fine control over what and how all applications are used on a machine. It's not really geared (directly) to an institutional setting in that there are a lot of explicit approvals required up front. Unlike AE, it doesn't assume that an application should be allowed to run unfettered if installed.

    The two products have a lot of overlap in final functionality, but they are really addressing different needs out there and doing it in different ways. Once AE is installed, you're done. With SSM, once installed, the work is only starting. That's neither good nor bad, it's simply somewhat more suited to certain venues.

    Blue
     
    Last edited: Sep 15, 2007
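The "create base system and allow all on the base configuration, default deny all else" model Blue describes above, as an added example that is not part of the original post and not Anti-Executable's own code: a Python sketch of a baseline-driven execution allowlist. It assumes the allowlist is keyed on file content (SHA-256) rather than on file name or path, which the thread does not state about AE; the extension list, the fake "binaries" and the temporary directory standing in for a system drive are all constructed for the demo.

```python
import hashlib
import os
import tempfile
from typing import Dict, Set

# Extensions treated as executable content for the baseline walk. Assumption:
# the real product's list is not on the page; these are common Windows ones.
EXEC_SUFFIXES = (".exe", ".dll", ".com", ".scr", ".sys", ".bat", ".cmd")


def sha256_of(path: str) -> str:
    """Content hash of a file, read in chunks so large binaries are fine."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_baseline(root: str) -> Set[str]:
    """Snapshot step: hash every executable-looking file under root.
    Everything present on the (assumed clean) machine becomes allowed."""
    allow: Set[str] = set()
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if name.lower().endswith(EXEC_SUFFIXES):
                allow.add(sha256_of(os.path.join(dirpath, name)))
    return allow


def is_allowed(allow: Set[str], path: str) -> bool:
    """Default deny: a file may run only if its content hash is in the baseline.
    Keying on content rather than name or location means a new download with a
    familiar name, or a baseline binary overwritten in place, is refused, while
    an unmodified baseline binary copied to a USB stick is still allowed because
    its bytes have not changed. Unreadable or missing files are denied too."""
    try:
        return sha256_of(path) in allow
    except OSError:
        return False


def _write(path: str, data: bytes) -> None:
    os.makedirs(os.path.dirname(path), exist_ok=True)
    with open(path, "wb") as f:
        f.write(data)


def demo() -> Dict[str, bool]:
    """Constructed scenario: baseline a fake system32, then make changes a
    user (or malware) might make afterwards and ask for a decision on each."""
    with tempfile.TemporaryDirectory() as root:
        sysdir = os.path.join(root, "Windows", "system32")
        usb = os.path.join(root, "usb")
        notepad = os.path.join(sysdir, "notepad.exe")
        calc = os.path.join(sysdir, "calc.exe")
        _write(notepad, b"MZ fake notepad image")  # constructed, not a real PE
        _write(calc, b"MZ fake calc image")

        allow = build_baseline(sysdir)  # "create base system, allow all on it"

        # Events after the baseline was taken:
        _write(os.path.join(usb, "notepad.exe"), b"MZ fake notepad image")  # exact copy
        _write(os.path.join(usb, "setup.exe"), b"MZ freshly downloaded")    # new file
        _write(calc, b"MZ calc replaced by something else")                 # tampered

        return {
            "baseline_binary_in_place": is_allowed(allow, notepad),
            "baseline_binary_copied_to_usb": is_allowed(allow, os.path.join(usb, "notepad.exe")),
            "new_download_on_usb": is_allowed(allow, os.path.join(usb, "setup.exe")),
            "baseline_binary_overwritten": is_allowed(allow, calc),
            "missing_file": is_allowed(allow, os.path.join(usb, "ghost.exe")),
        }


if __name__ == "__main__":
    for name, ok in demo().items():
        print(f"{'ALLOW' if ok else 'DENY':5} {name}")
```

The interesting decisions are the last three: the fresh download and the overwritten system binary are denied without any prompt, which is the "you're done once it's installed" behaviour described above, and the cost is that every legitimate update or new install also has to be added to the baseline by hand, which is the complaint raised elsewhere in the thread.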
  11. EASTER

    EASTER Registered Member

    Joined:
    Jul 28, 2007
    Posts:
    11,126
    Location:
    U.S.A. (South)
    Thanks blue

    You put all that into a much better detailed and precise content i would surely stumble over to make it understandable and the comparisons are right on center.

    Thanks
     
  12. Long View

    Long View Registered Member

    Joined:
    Apr 30, 2004
    Posts:
    2,295
    Location:
    Cromwell Country
    Thanks Blue - good explanation of the objectives of AE and Institutional pcs.

    My question to Easter though was more to do with the home market where these programs would appear to be used as security programs. I was simply interested in how often a program like SSM actually did "a remarkable job in behavioral blocking"
     
  13. BlueZannetti

    BlueZannetti Registered Member

    Joined:
    Oct 19, 2003
    Posts:
    6,590
    My own experience was that these products did it all the time, and that's part of the operational issue.

    Good and bad behavior is generally not apparent at the machine level. Let's face it, good vs bad is inexorably tied to intent. My credit card number going off to a purchase I want is good, the same information going off to a harvester is bad. Which is which when viewed at a packet level?

    The result is that plenty of perfectly good behavior gets flagged for inspection and explicit user approval. Yes, this occurs in a system equilibration phase, after which the program generally quiets down to reasonable levels. However, if your system configuration is not static, quiet will never be achieved and there is always the question of whether you are able to survive to that quiet phase before throwing your hands up in frustration. Implementing "learning phases" in which approval is automatically granted and rules are created helps, but really only delays facing the underlying problem until the next major application installation.

    Blue
     
  14. Long View

    Long View Registered Member

    Joined:
    Apr 30, 2004
    Posts:
    2,295
    Location:
    Cromwell Country
    Exactly - a simple program will stop you doing what you want to far too often and a more flexible program will leave many confused - saying yes when they should say no and no when the answer should have been yes.

    My compromise is a hardware firewall and Deepfreeze.
     
  15. Osaban

    Osaban Registered Member

    Joined:
    Apr 11, 2005
    Posts:
    5,618
    Location:
    Milan and Seoul
    Hi there,

    I spent a long while reading this thread, as I'm trialling AE at the moment.

    Yes, it is very tempting to do away with Antivirus in general, especially after reading Rmus and ErikAlbert's very convincing arguments, and considering how virtualization and sandboxing have drastically changed the whole security landscape.

    I have a few questions, hopefully somebody is going to help considering it is an old thread:

    I'm using ShadowUser therefore always in virtual mode. What are the most CONVENIENT settings to use with AE? Low or High level security?

    Enabling 'Delete Prevention' and 'Copy Prevention', would it matter significantly in virtual mode? Is it better to leave them disabled (default settings)?

    I've left my computer running for half an hour with AE 'off', so that any internal operations within Windows would be whitelisted once I turned AE 'on'.
    As soon as AE was turned on I've got an alert about something within Windows being blocked (please see attachment). Is it important?

    A lot of questions, and thanks in advance for any answers.
     

  16. Peter2150

    Peter2150 Global Moderator

    Joined:
    Sep 20, 2003
    Posts:
    20,590
    I'd for sure leave delete and copy prevention off. They will drive you nuts. When you boot, Windows does quite a bit of deleting and recreating of log files. It doesn't matter how long the computer is on or off for whitelisting. AE gathers what it needs when you install it or turn it on.

    Not sure of the log view, as I can't tell the context of what created it.

    Pete
     
  17. Osaban

    Osaban Registered Member

    Joined:
    Apr 11, 2005
    Posts:
    5,618
    Location:
    Milan and Seoul
    Thanks, I actually remember one of your posts about this problem.

    I can't say anything about the context, an alert popped up, and I had to check the log to see what it was.

    Can anybody advise about 'low or high level' settings within a virtual session?
     
  18. Cerxes

    Cerxes Registered Member

    Joined:
    Sep 6, 2005
    Posts:
    581
    Location:
    Northern Europe
    I'm not working within a virtual session myself, but I would advise you to use the lower setting and only check the "Windows On Windows" function, just for reducing problems when Windows does its "stuff". This will prevent 16- and 32-bit software from executing (if they are not on your white-list) and that would be enough for most situations, according to how most malware has to function to do its thing = it has to execute.

    /C.
     
  19. Osaban

    Osaban Registered Member

    Joined:
    Apr 11, 2005
    Posts:
    5,618
    Location:
    Milan and Seoul
    You know it's funny, I thought 'Windows on Windows' was always grayed out, and I thought it could be a feature for the enterprise version. As a matter of fact, it can only be enabled if the security setting is 'low'.

    I'm going to try that and see if I get that alert as in my attachment.

    Thanks a lot.
     
  20. ErikAlbert

    ErikAlbert Registered Member

    Joined:
    Jun 16, 2005
    Posts:
    9,455
    I'm running Anti-Executable on High security in a frozen snapshot, only the Delete Prevention is disabled, because it caused errors during the copy/update of FDISR.
    AE is only annoying when you are downloading and installing new software, and sometimes it corrupts automatic updates, so I disabled all automatic updates in my frozen snapshot.
     
  21. Osaban

    Osaban Registered Member

    Joined:
    Apr 11, 2005
    Posts:
    5,618
    Location:
    Milan and Seoul
    I wonder if you know what Rmus settings were while he was testing malware, although I guess he was using the maximum settings. Speaking of which how do you interpret the 'network prevention' (see attachment from the manual)? Does that mean that when this feature is checked nothing will execute even if whitelisted?

    Thanks
     

  22. ErikAlbert

    ErikAlbert Registered Member

    Joined:
    Jun 16, 2005
    Posts:
    9,455
    Don't know anything about Rmus's settings.
    The way I understand it, is that no executable will work, even when whitelisted.
    I admit that isn't formulated clearly, so I would ask support. I'm a home user without network.

    I will try to use that "Delete Prevention" too, if I have the time. My impression was that this would protect me against the destructive DOS-command "DEL C: /F /S /Q". :)
     
    Last edited: Sep 26, 2007
  23. Peter2150

    Peter2150 Global Moderator

    Joined:
    Sep 20, 2003
    Posts:
    20,590
    I don't think it will. It will keep certain files from being deleted, but not everything.

    BTW, I reinstalled AE, and so far on this machine all is well.
     
  24. ErikAlbert

    ErikAlbert Registered Member

    Joined:
    Jun 16, 2005
    Posts:
    9,455
    Yes, you are right. The results were better than with an unmarked "Delete Prevention". My off-line snapshot was completely recovered and the FDISR icon was working after a self-repairing routine.
    But my frozen on-line snapshot didn't reboot by itself. Maybe I could fix it via my off-line snapshot, but that's a workaround for me and not what I expected. I want a normal reboot as nothing happened, but that wasn't the case.
     
  25. Osaban

    Osaban Registered Member

    Joined:
    Apr 11, 2005
    Posts:
    5,618
    Location:
    Milan and Seoul
    My mysterious alert (see attachment post #315) doesn't seem to occur with AE's settings on 'low' and 'Windows on Windows' checked. Thanks Cerxes.

    I also think that by 'network' they probably mean several computers, and it's a way to lock down the system/s completely in an emergency.

    I have to agree with Peter2150, running without an AV is noticeable and pleasant. In virtual mode the danger of a 0 day threat slipping through AE shouldn't be worse than having an updated AV. So far so good.
     