Software Restriction Policy vs Antiexecutable

I was thinking about SRP and how it compares the software Antiexecutable. If they are comparable?
I tried AE long time ago but it was too much hassle with it for my liking and I dont remember the exact function more than it too prevented anything not whitelisted to run.

I have set up a Software Restriction Policy in windows that prevents anything that is (new) executable to run.
I have allowed shortcuts (.lnk) to start software.
If I want something allowed to run I whitelist (path rule)
Some software needs a entry there to run right on boot, like FDISR.
It didnt take more than a couple of minutes to whitelist the software I wanted to be able to start.

Having done this way there is no excecutable code* that can run unless I whitelist it or do a run as a different user as far as I can see.

I do run as limited user, but I guess ther would be no problem having SRP in a admin account too.

So could one say that having this kind of SRP would be the same thing as running Antiexecutable?


* Default filetypes that are not allowed to run automaically or by accident:
.ADE .ADP .BAS .BAT .CHM .CMD .COM . CPL .CRT .EXE .HLP .HTA .INF .INS .ISP .MDB
.MDE .MSC .MSI .MSP .MST .OCX .PCD .PIF .REG .SCR .SHS .URL .VB .WSC and I can add whatever filetype I want

Most of them I have not heard of and I am surprised that windows runs at all but any new file, after I set the policy active, with the filetypes that I mentioned above wont run.

 

My understanding of SRP is that it whitelists by file extension. Also, I don't believe that you can whitelist .dlls.

Anti-Executable, on the other hand, white lists every executable filetype upon installation. As far as unauthorized executables, AE uses code analysis in addition to checking the file extension. This allows blocking of spoofed executables -- those renamed with file extensions such as .jpg, .gif. I'm not sure if SRP can allow for this.

Also, by blocking by filetype using SRP, you can include script types, such as .vbs, .bat, .reg, which Anti-Executable does not block. Some people using Anti-Executable also run a script blocking program.

As you point out, AE is much more restrictive than SRP -- having such restrictions is ideal in certain environments.


----
rich

 

I´m using both SRP and AE. Main reason for me using AE are for protection against spoofed executables while the main purpose for SRP are blocking scripts. I don´t use SRP for admin mode. AFAIK SRP doesn´t do any code analysis.

/C.

 

Thanks for you replies.

I will try that and see what happens

I dont think so either, SRP is just a relatively dumb but effective executable code blocker, if I understand it right. And that is just fine with me, I like to keep things simple then I dont have to worry about if I can really trust this and that softwares analysis. And it wont use any resources while doing it.

 

I really don't understand what is ment by Software Restriction Policy, could you please explain by what happes when you do this.

 

Link1
Link2

 

Thanks for the links. Too bad there is no easy way to do this in vista basic or home premium(which is what i use) as they don't contain the local policy editor in basic or home premium.

 

Gee thanks lucas1985

I've only ever had XP Professional so this is right up my alley. Although i been plenty secure enough running as Admin for a long time, this is a nice revelation i never even considered before.

Best of all, it appears water tight too.

 

When properly configured, yes
Call it a poor man's HIPS .

 

any update on this? can spoofed exes trick SRP? is there a way i can test this out myself?

 

Where can I block scripts in SRP ? You only have to give me the click path, I know the script extensions already. Thanks in advance.

 

To open the Group policy editor: Start > Run, type "gpedit.msc"

To add file extensions: Computer Configuration > Windows Settings > Security Settings > Software Restriction Policies > Designated File Types, type the file extension in the box and then click "Add".

/C.

 

Thanks for showing me the path of illumination.

 

it´s the road to Shangri-La...

/C.

 

Indeed that it is. Also saves from clogging up system arteries with groups of various this and thats which can soak up resources/memory.

Hey it's there, why not make use of it right?

 

Did you add something else than .VBS, .VBE, .JS, .JSE, .HTA, .WSF, .WSH,. SHS and .SHB? Those are Script Defender extensions. Some of those are there already but not all.

 

(run gpedit.msc) - SRP is one of the first things I configure after installing xp pro. It always surprises me that a user don't know about or use it.

 

It is a bonus for XP Pro users no less, but with the torrent of security apps flooding or saturating the field with consistently new and ever more exciting innovations, it's always going to be more tempting to tack on a do-all app as opposed to configuring XP Pro thru Gpedit, even though it is quite thorough.

 

Well it doesn´t surprise me at all. How could one expect for example a novice that just enough know how to boot the computer, how to check the e-mail and finally how to use the browser for visiting some sites (and it´s hardly security sites with guides how to harden Windows), would possibly know how to enter the GPM console for doing some tweaking? Or, for the more knowledgeable user, it´s just plain habit to be in admin mode without been aware of using these harden tools, and rather use different third part tools for securing the OS...

/C.

 

Cerxes your probably right but then again I probably wouldn't expect the policy editor to be on their machine, that much of a novice anyway perhaps would be using xp home in most cases - just a thought.

 

Anyone? I just want to know exactly what to add in that list

 

what difference does it make how AE looks at exes, in the end if it's not on a white list it can't run, so I don't see how all the fancy code looking it does for malware does any good if an exe is not white listed it just doesn't run plain and simple.

 

These are the extensions I´m blocking:

.ADE,.ADP,.BAS,.BAT,.CHM,.CMD,.COM,.CPL,.CRT,.EML,.EXE,.HLP,.HTA,.INF,
.INS,.ISP,.JS,.JSE,.MDB,.MDE,.MSC,.MSG,.MSI,.MSP,.MST,.OCX,.PCD,.PIF,
.REG,.SCR,.SCT,.SHB,.SHS,.URL,.VB,.VBE,.VBS,.WSC,.WSF,.WSH,.XLM,.XLS

/C.

 

So you add these:

.EML
.JS
.JSE
.MSG
.SCT
.SHB
.VBE
.VBS
.WSF
.WSH
.XLM
.XLS

.MSG and .XLM are the only one without "This file type can become infected and should be carefully scanned if someone sends you a file with this extension." However I understand why those extensions are good to add.

Thanks a lot!

-MikeNAS

 

A simple spoofed extension should bypass the SRP.