Anti-Executable

Discussion in 'other anti-malware software' started by LoneWolf, Apr 12, 2007.

Thread Status:
Not open for further replies.
  1. Cerxes

    Cerxes Registered Member

    Joined:
    Sep 6, 2005
    Posts:
    581
    Location:
    Northern Europe
    @Osaban: No problem :)

    and regarding the network function: when the network prevention function is checked, all executable files on a network drive are blocked from execution, because the software only white-lists the drives that are on your computer. If you want to be able to white-list other drives on a network, you have to get the enterprise version.

    /C.
     
  2. ErikAlbert

    ErikAlbert Registered Member

    Joined:
    Jun 16, 2005
    Posts:
    9,455
    Working in a virtual environment (ShadowUser) is in theory probably better than working in a real environment (FDISR).
    FDISR removes changes during copy/update from a clean archive to snapshot.
    ShadowUser does it differently, but the final result is the same, your harddisk is unchanged after reboot.
    Unchanged means also that any possible infection is removed also, not only known infections, but also unknown infections that might even be unknown in the Anti-Malware world, because they weren't discovered yet.

    New infections need to be discovered first, then they have to write an anti-dote and then update all computers world-wide. That is days too late and that's why some infections damaged computers world-wide, even well-protected computers.
    So you are always days AHEAD with recovery softwares, because scanners can never be that fast. The period between DISCOVERY and UPDATING is too long and some infections have never been discovered.

    Even when an infection passes through all your security softwares, it will be removed during reboot as a CHANGE.
    That's what infections do, they CHANGE your harddisk, that is their WEAKNESS and recovery software eliminate CHANGES.
    Recovery softwares are Anti-Change softwares and that means AV, AS, AT, AK, AR and any other kind of infection.
    All immediate recovery softwares remove changes, you only have to choose one and some are a little better than others.
    The only recovery softwares that work ALWAYS guaranteed are Image Backup softwares, they beat everything.
    If you zero your harddisk, before restoring an image, you have a very clean computer.

    So you don't have to be worried about the installation of infections, that only changes the volume of your harddisk and you know already that your reboot will remove these installed infections, IF they passed your security.
    You only have to be worried about the execution of infections and that's why you need softwares, like Anti-Executables, Anti-Script, HIPS, ... any security software that stops the execution is GOOD.

    You only have bad luck, if installed infections, which passed your security and succeeded to execute themselves during the period between two reboots. These infections must be very clever and very fast to accomplish this.
    Lots of infections need to be triggered first by the user or an event, before they can do their evil job, as long that doesn't happen, no execution either and they are removed on reboot without a successfull execution.

    That's why I have two groups of images/archives.
    1. Clean images/archives for restoration only to get my guaranteed clean computer back.
    2. Daily images/archives for daily backups/restores, which I consider as possible infected in theory, because my harddisk has been on the internet too long.
     
    Last edited: Sep 27, 2007
  3. Cerxes

    Cerxes Registered Member

    Joined:
    Sep 6, 2005
    Posts:
    581
    Location:
    Northern Europe
    I've noticed Erik through several posts in different threads that you're a dedicated "snapshoter", but are you running as an admin or a limited user? Just curious...

    /C.
     
  4. ErikAlbert

    ErikAlbert Registered Member

    Joined:
    Jun 16, 2005
    Posts:
    9,455
    As an administrator, like most users do, according to a recent poll at Wilders.
    I admit that a limited account would be better, but I don't like to be restricted in my actions, like most people.
    My complete system partition is replaced by a new one during EACH reboot, so it doesn't really matter, if I'm an administrator or an user with a limited account.
     
    Last edited: Sep 27, 2007
  5. Osaban

    Osaban Registered Member

    Joined:
    Apr 11, 2005
    Posts:
    5,648
    Location:
    Milan and Seoul
    I'll give you credit that you have been all along a pioneer of this concept of whitelisting and blacklisting. Conceptually speaking your point about whitelisting being the only way in the future to fight malware seems the most realistic approach, considering that for antivirus companies to exist they need sacrificial victims, and victims who are prepared to report the right stuff.

    I've read an interesting thread 'Antivirus is dead', or something like that, where 'Inspector Clouseau, and Bonthchev' (an AV expert) were challenging this new 'trend' at least at Wilders to get rid of AVs as being redundant.

    Obviously they ARE experts, and when Rmus was giving some real tests about inconsistencies of AV scanners versus whitelisting applications, they somehow managed to shut him up, listing all the possible ways knowledgeable crackers (perhaps with PhDs) could demolish or neutralize whitelisting endeavours.

    They also admitted that AVs are basically for the average Joe, and anybody who only cares about security can do without an AV: Fair enough.

    I for one felt that their reaction towards Rmus was too defensive to be justified, and instantly uninstalled my AV as a result. I also feel that AVs nowadays have created a sort of 'cartel', and there is no doubt that given the number of operational computers in the world, we are talking about an enormous amount of money involved.

    This is no personal criticism on anybody specifically, but virus production on the current scale seems to be escalating and creating new jobs.
     
  6. Horus37

    Horus37 Registered Member

    Joined:
    Jan 4, 2007
    Posts:
    328
    So am I to understand that you did the DEL C: /F /S /Q while in a frozen snapshot with AE on and you still had problems after a reboot?
     
  7. ErikAlbert

    ErikAlbert Registered Member

    Joined:
    Jun 16, 2005
    Posts:
    9,455
    Yes that is correct, FDISR's frozen snapshot doesn't protect you against this very destructive DEL-command, at least not with a normal reboot, even with AE's maximum security = ON.
    I might have saved it via my off-line snapshot (= refuge snapshot) with an archive, but I didn't try this, because if it can't be done with a normal reboot, it's not good enough for me.

    So FDISR is certainly not the best ISR-software, but it has other possibilities like creating different work environments, archiving/restoring, ...
    In other words you have to combine FDISR with another software to survive a destructive DEL-command attack or destructive virus attack, like the Killdisk Virus. If the Killdisk Virus is an executable, it will be stopped by AE, but not the DEL-command.
     
    Last edited: Sep 27, 2007
  8. lucas1985

    lucas1985 Retired Moderator

    Joined:
    Nov 9, 2006
    Posts:
    4,047
    Location:
    France, May 1968
    FD-ISR doesn't virtualize the filesystem, so any damage to FD-ISR itself will result in the inability to copy/update from freeze storage to frozen snapshot.
    Remember that FD-ISR is a technology created with servers in mind. I think that the beauty of FD-ISR resides in these capabilities.
     
  9. EASTER

    EASTER Registered Member

    Joined:
    Jul 28, 2007
    Posts:
    11,535
    Location:
    U.S.A. (South)
    Excellent Reply and very TRUE!

    In today's world of computing there's absolutely no excuse for neglecting IMAGING or becoming complacent with even rollback apps. It's like building a reliable underground bunker or at least knowing for certain the closest ones in proximity against planetary weather elements like Tornadoes for one example; once a watch or warning is issued, the human trait of survival overrides everything else against harm and immediate action is paramount.

    Imaging is just that type of a safe shelter in the event of some surprise problem that has suddenly rendered your operations unable to function; you then can turn to your backup plan and in a matter of minutes restore complete functionality from before such misfortune, whether visited by forced intrusion or some other sudden failure beyond machine control.

    The human element in all this is the very core of preserving, and you must make every effort to plan for the unexpected.
     
  10. Peter2150

    Peter2150 Global Moderator

    Joined:
    Sep 20, 2003
    Posts:
    20,590
    Let's stay on topic, which is anti-executable, not imaging, etc.

    Thanks,

    Pete
     
  11. EASTER

    EASTER Registered Member

    Joined:
    Jul 28, 2007
    Posts:
    11,535
    Location:
    U.S.A. (South)
    Very interesting results indeed.

    So in effect, no executable or let's say .exe is used but instead a .vbs file with that DEL command is issued to the system, for that, a Script Interceptor would seem appropriate, but what about a .bat file which still runs as well today as they always did back on 98's/Me's?

    And from the point of view of someone simply typing in that same command at your control console, that would of course easily render AE ineffective, but what about a monitoring app to control the command console?


    I fell into a somewhat similar dilemma recently for leaving my virtualization program off and got some fairly nasty returns on ALL my system confined snapshots. No matter what, i couldn't even get a "clean" archive to Copy to a new snapshot and ended up revamping the whole partition from square one.

    So what concerns me most is what IF, another type of entry point is introduced via .bat file or other extension and proceeds to file infect .exe's including AE? Scary thought.
     
  12. zopzop

    zopzop Registered Member

    Joined:
    Apr 6, 2006
    Posts:
    642
    easter, this got me thinking. remember "exe lockdown" (it's like a freebie version of antiexecutable) by horizon datasys? in the pdf help file they address this issue. they said you could forbid wscript.exe from executing thereby stopping .vbs or .js scripts from running.


    i bet there is a way you could block this with "exe lockdown". i wish i messed with it more.
     
  13. EASTER

    EASTER Registered Member

    Joined:
    Jul 28, 2007
    Posts:
    11,535
    Location:
    U.S.A. (South)
    Hello again zopzop

    Erik's quest has me thinking all the time :D

    I always have used ScriptSentry and others prefer ScriptDefender i think it's called, but SS is proven sufficient enough for my needs.

    Indeed, the .bat file surely can be dealt with also. I applaud Erik and many others like him for pressing again & again over all the potential possibilities of forced intrusion/interactions that by design or not, work against our current security programs authorization or permission, and moving closer to that INSTANT one-step/single-boot solution that assures 100% elimination of undesired changes.

    I like the philosophy of not leaving a single stone unturned, trouble is though that $M has in-built a huge inventory of documented as well as undocumented entry points and methods that our present nemesis groups seem very attentive to and use them to huge advantage if only to boaster or brush another stroke to their ego.

    More On Topic Though:

    I really like Anti-Executable and it is quite exceptional but maintains a common weakness like with HIPS, recently exposed by a nice write-up & test by NicM i think. Its driver CAN BE unhooked from the Security Service Descriptor Table :ouch: Then what?

    I'm speculating regarding AE's .sys driver at the moment since i haven't yet read into whether its driver is better protected from such unhooking compared to test results of some popular HIPS. If memory serves, i believe ProSecurity was said to have PASSED unhooking from this table.

    Anyone with more info on this plz feel free to interject or compare. This is a topic on AE and although it's not a HIPS per se, it still exhibits a HIPS-style behavior IMO.
     
  14. Horus37

    Horus37 Registered Member

    Joined:
    Jan 4, 2007
    Posts:
    328
    So how do you stop wscript.exe from executing? The only thing I can find is to limit the number of seconds globally you allow scripting.

    1. Click Start, and then click Run.
    2. In the Open box, enter wscript, and then click OK. The Windows Script Host Settings dialog box appears.
    3. Select the Stop script after specified number of seconds check box.
    4. In the seconds box, enter the time limit you want to place on all scripts.

    What else can one do besides running say, script sentry or scriptdefender or noscript?
     
    Last edited: Sep 29, 2007
  15. EASTER

    EASTER Registered Member

    Joined:
    Jul 28, 2007
    Posts:
    11,535
    Location:
    U.S.A. (South)
    Plz don't forget the .bat file.

    It was a .bat file virus named Hard Drive Killer that pillaged a laptop of mine a few years back on 98. Unknown to me until i tracked down the underground site and origins of it did i find that when i noticed something was going drastically wrong after i accidentally clicked the bat file, i instinctively rebooted the Laptop which allowed the virus to finish off the entire drive of everything. One of those, DELETE everything destructors.

    Batch files are as lethal as an executable and just as deadly.
     
  16. zopzop

    zopzop Registered Member

    Joined:
    Apr 6, 2006
    Posts:
    642
    easter, i thought of something :) according to this wikipedia entry (assuming i'm reading it right :D ), .bat files NEED command.com OR cmd.exe to run. what would happen to a pc if someone was to forbid command.com and cmd.exe from executing? would the pc boot and would windows still function correctly?

    i'm thinking if you were to block wscript.exe and cscript.exe (to stop scripts from running) and command.com and cmd.exe (to stop .bat files from running) you'd be safe. exe lockdown i think allows you to enter those executables in its "deny" list.
     
  17. Kees1958

    Kees1958 Registered Member

    Joined:
    Jul 8, 2006
    Posts:
    5,857
    ZopZop,

    There is an easier solution to your wish. Just set Scriptdefender as an untrusted application in GeSWall. The scripts will run, but have limited rights.

    You can do the same with command.com and cmd.exe (but I have earmarked them as blocked applications, same as you probably do with AVnotify).

    Regards Kees
     
  18. ErikAlbert

    ErikAlbert Registered Member

    Joined:
    Jun 16, 2005
    Posts:
    9,455
    I took care of that too. ScriptDefender will have these 33 file-extensions in alphabetical order after polishing my new installation: ;)

    .BAT,.CHM,.CMD,.COM,.CPL,.CRT,.DLL,.EML,.HTA,.HTM,.HTML,.INF,.INS,.ISP,
    .JS,.JSE,.LNK,.MSC,.MSG,.MSI,.OCX,.PIF,.REG,.SCR,.SCT,.SHB,.SHS,.SYS,
    .VBE,.VBS,.WSC,.WSF,.WSH

    ScriptDefender is nothing but a warning software.
    I still have to say "yes" or "no" and that could be a wrong "yes" or "no". I have at least 50% chance to answer correctly, which is better than the lottery. :)
     
  19. EASTER

    EASTER Registered Member

    Joined:
    Jul 28, 2007
    Posts:
    11,535
    Location:
    U.S.A. (South)
    Thanks Eric. A little out of the loop here but nice to know .bat extensions among plenty of others are ALL intercepted.

    ScriptDefender (AnalogX) is really changed since i used it years ago.

    Very worthy protection shield against launchable scripts.

    At least while SUSPENDED, you're given the PATH to its location long enough to open it in Notepad for closer exam of the commands, then it falls to knowing between safe or potentially unsafe.

    You amaze me with your tenacity to probe ALL potential threats where viruses like to sneak thru, keep up the pressure. :thumb:

    Also, do you by chance use AE with FD-ISR? I understand there may be some compatibility issues with those two in combo?

    Cheers
     
    Last edited: Sep 29, 2007
  20. ErikAlbert

    ErikAlbert Registered Member

    Joined:
    Jun 16, 2005
    Posts:
    9,455
    Although ScriptDefender might sound OFF-TOPIC, somebody told me that AE is weaker regarding scripts.
    I'm not an expert in anything, so I don't know if this is true or not.
    Anything about internet or security is NEW to me and I usually listen to other members.

    Yes, I combine AE with FDISR in my on-line snapshot, my off-line snapshot doesn't need AE.

    AE = ON constantly, except when I download and install new legit softwares for testing.
    It's impossible to work with new executables, when AE = ON. I'm sure you know this already. :D
    I always turn AE back ON, when the software is installed.
    IF something would happen during that brief moment of vulnerability (AE=OFF), my boot-to-restore will fix it.

    AE is also on HIGH security with these settings:
    1. Network Prevention is enabled.
    2. Delete Prevention is disabled.
    3. Copy Prevention is enabled.
    4. Windows On Windows is greyed out and is only required with LOW security.

    I also have 21 .exe-files of FDISR as "Trusted Applications" and that means no errors anymore in copy/update or freeze.
    However my theoretical assumption is that I don't need all 21 .exe-files.
    When I have the time, I will find out which ones I really need and then I will remove the rest. This is not an important detail, I only have too many .exe-files as trusted applications, that's all.
    In those days, I was already glad, that FDISR and AE didn't cause any problems anymore, the rest is polishing.
     
    Last edited: Sep 29, 2007
  21. Peter2150

    Peter2150 Global Moderator

    Joined:
    Sep 20, 2003
    Posts:
    20,590
    Easter

    My last fling with AE I didn't have any issue with FDISR, that I could see. However I took it back off because it was driving me nuts.

    Pete
     
  22. EASTER

    EASTER Registered Member

    Joined:
    Jul 28, 2007
    Posts:
    11,535
    Location:
    U.S.A. (South)
    I completely understand. I was a bit annoyed back in 98 days because i regularly used reg files & vbs to achieve automating some useful pc automations so i got used to it in exchange for its security, plus the app is quite lightweight.

    I do see and approve of the LOGIC and defense strategy that Erik is working toward when it comes to these extensions.

    By the way, this also works with .com? extensions also? Wish ScriptSentry could also update its program to accept more extensions though.
     
  23. ErikAlbert

    ErikAlbert Registered Member

    Joined:
    Jun 16, 2005
    Posts:
    9,455
    I didn't test this yet, but SD seems to accept any extension. I hope there is room enough to store all these extensions.
    I also said that I'm planning to use all these extensions in my new installation, I need more time.
     
    Last edited: Sep 29, 2007
  24. EASTER

    EASTER Registered Member

    Joined:
    Jul 28, 2007
    Posts:
    11,535
    Location:
    U.S.A. (South)
    Yep. WORKS!!!

    Thanks again for the comments regarding it. Coupled with AE and the rest of the squad i'm about ready to put these programs to a real challenge, including KillDisk.
     
  25. Rmus

    Rmus Exploit Analyst

    Joined:
    Mar 16, 2005
    Posts:
    4,020
    Location:
    California
    Just to clarify: it is greyed out because it (16-bit protection) is enabled by default when on High setting:

    [image: AE-configuration.jpg]

    A reminder, that "Copy" also means "download" - - when you download a file from the internet, you are creating a copy of the file on your computer. This also works with external media, such as an external HD, CD, DVD.

    If you remember the infamous spoofed .gif file which was really an executable, Aigle showed that with Copy Protection enabled, AE blocked the file from downloading. With Copy Protection disabled, AE permitted the file to download, but of course, it was blocked from executing. This caused some consternation with HIPS users because those HIPS programs did not have Copy Protection. Of course, they prevented the file from executing, so HIPS users were not less-protected. Both HIPS programs and AE provide execution prevention.

    AE's Copy Protection eliminates what I call the "nuisance factor," where in institutional settings, or home environments where parents control their young children's computing activities, no unauthorized programs get onto the computer.

    Blue has covered extensively this "tight" control that Anti-Executable can exhibit, and I will just add that over the years, many have wished that the Standard (Home) editions of AE and Deep Freeze could be more lax. I am glad that Faronics has chosen not to do so.

    AE does not block scripts. By the way, some of the extensions you list are executables covered by AE:

    .DLL, .MSI, .OCX, .PIF, .SCR, .SYS

    While script files such as .vbs and .js can "execute" code, they are text files and can be opened in a text editor. Files designated as "Executables" such as .scr on the other hand, are comprised of binary code and cannot be opened in a normal text editor:

    [image: scr.gif]

    Anti-Executable deals with "Executables" which contain binary code.

    regards,

    -rich
     
    Last edited: Sep 29, 2007
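The distinction Rmus draws above (script files are text, the "executables" AE covers are binary), together with ErikAlbert's 33-extension ScriptDefender list earlier in the thread, can be turned into a content check that catches the spoofed-.gif case by looking at the bytes rather than the name. This is an added example, not code from the thread, Faronics or AnalogX; the extension sets are copied from the posts, the .EXE entry in BINARY_EXTS is an assumption, and the sample files and the make_fake_pe stub are constructed here.

```python
import struct
from pathlib import Path

# The 33 extensions ErikAlbert configured in ScriptDefender (from his post).
SCRIPT_DEFENDER_EXTS = {
    ".BAT", ".CHM", ".CMD", ".COM", ".CPL", ".CRT", ".DLL", ".EML", ".HTA", ".HTM",
    ".HTML", ".INF", ".INS", ".ISP", ".JS", ".JSE", ".LNK", ".MSC", ".MSG", ".MSI",
    ".OCX", ".PIF", ".REG", ".SCR", ".SCT", ".SHB", ".SHS", ".SYS", ".VBE", ".VBS",
    ".WSC", ".WSF", ".WSH",
}
# The ones Rmus singles out as binary executables AE already covers, plus .EXE (assumed).
BINARY_EXTS = {".DLL", ".MSI", ".OCX", ".PIF", ".SCR", ".SYS", ".EXE"}
TEXT_SCRIPT_EXTS = SCRIPT_DEFENDER_EXTS - BINARY_EXTS

def is_pe_image(data: bytes) -> bool:
    """True when the bytes start with an MZ header whose e_lfanew field (offset 0x3C)
    points at the 'PE\\0\\0' signature, regardless of what the file is named."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return False
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    return data[e_lfanew:e_lfanew + 4] == b"PE\x00\x00"

def is_plain_text(data: bytes) -> bool:
    """Script files are text: no NUL bytes and decodable as UTF-8 (BOM tolerated)."""
    if b"\x00" in data:
        return False
    try:
        data.decode("utf-8-sig")
    except UnicodeDecodeError:
        return False
    return True

def classify(name: str, data: bytes) -> tuple[str, bool]:
    """Return (kind, mismatch): kind is 'pe-executable', 'text-script' or 'other';
    mismatch is True when the extension contradicts what the bytes say."""
    ext = Path(name).suffix.upper()
    if is_pe_image(data):
        return "pe-executable", ext not in BINARY_EXTS   # e.g. a PE file named .gif
    if ext in TEXT_SCRIPT_EXTS and is_plain_text(data):
        return "text-script", False
    return "other", ext in BINARY_EXTS                   # binary name, no PE header

def make_fake_pe() -> bytes:
    """Constructed 88-byte stub (not loadable): MZ header, e_lfanew = 0x40, PE signature."""
    header = bytearray(b"MZ" + b"\x00" * 0x3E)
    struct.pack_into("<I", header, 0x3C, 0x40)
    return bytes(header) + b"PE\x00\x00" + b"\x00" * 20

# Constructed samples standing in for the cases the thread discusses.
SAMPLES = {
    "holiday.gif": make_fake_pe(),                 # the spoofed .gif that was really a PE
    "saver.scr": make_fake_pe(),                   # a genuine binary executable
    "notes.vbs": b'MsgBox "hello"\r\n',            # text script, openable in Notepad
    "backup.bat": b"@echo off\r\necho done\r\n",   # a batch file is text too
    "photo.gif": b"GIF89a\x01\x00\x01\x00\x80",    # real image data
}

def scan(samples: dict[str, bytes]) -> dict[str, tuple[str, bool]]:
    """Classify every sample; the caller decides what to block or warn on."""
    return {name: classify(name, data) for name, data in samples.items()}

if __name__ == "__main__":
    for name, (kind, mismatch) in scan(SAMPLES).items():
        print(f"{name:12} {kind:14} {'EXTENSION MISMATCH' if mismatch else ''}")
```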