Anti-Executable

Discussion in 'other anti-malware software' started by LoneWolf, Apr 12, 2007.

Thread Status:
Not open for further replies.
  1. Peter2150

    Peter2150 Global Moderator

    Joined:
    Sep 20, 2003
    Posts:
    20,590
    That folder is where some msi files reside, and one of the system files tries to open them and fails. Just annoying alerts.

    No, mine doesn't revert back to low.

    Pete
     
  2. Osaban

    Osaban Registered Member

    Joined:
    Apr 11, 2005
    Posts:
    5,618
    Location:
    Milan and Seoul
    Rather odd, I've reinstalled AE, and it just doesn't keep the 'high' setting over a normal reboot, I wonder whether this is happening to others or I should contact support about it.
     
  3. BlueZannetti

    BlueZannetti Registered Member

    Joined:
    Oct 19, 2003
    Posts:
    6,590
    No, this shouldn't occur. Now, have you configured your system (another application, policy) to force this type of behavior?

    Blue
     
  4. Osaban

    Osaban Registered Member

    Joined:
    Apr 11, 2005
    Posts:
    5,618
    Location:
    Milan and Seoul
    Not really. This has been happening with ShadowUser disabled, and I don't have much else that could interfere (LnS, RegDefend, AdMuncher). It's not the end of the world to set it to 'high' for every session, but if it's not meant to happen, I wonder what else might behave erratically.

    I will definitely ask Faronics for advice.
     
  5. ErikAlbert

    ErikAlbert Registered Member

    Joined:
    Jun 16, 2005
    Posts:
    9,455
    This is certainly not normal.
    It can't be LnS, because I had LnS on my computer, while AE was on HIGH.
    I don't know about the other software you mentioned.
    What happens when you disable or even uninstall RegDefend, for instance?
     
  6. EASTER

    EASTER Registered Member

    Joined:
    Jul 28, 2007
    Posts:
    11,126
    Location:
    U.S.A. (South)
    So Erik, with Anti-Executable on HIGH as your sig suggests you run, what are the basic folders/files to EXCLUDE if a user is also running FD-ISR? I never tried to go HIGH security with AE just LOW, but am curious as to not prevent something critical to normal operation getting blocked.
     
  7. ErikAlbert

    ErikAlbert Registered Member

    Joined:
    Jun 16, 2005
    Posts:
    9,455
    Well, it will take some time to type them, because I can't copy/paste them.
    I can export them to a file, but I can't read that file. The purpose of that file is: when you re-install AE, you can import that file, so that you don't have to do it manually all over again.
    I also believe that not all files in that list need to be excluded, but I'm too lazy to find out which ones need to be excluded and which ones don't.

    In those days I was already glad I found a solution to turn AE on HIGH without having a bunch of errors in the copy/update function of FDISR. Since nobody else was interested in combining FDISR with AE in those days, I couldn't get any cooperation from other members to clean that list.
    A few files too many wasn't a problem, so I never cleaned the list, because I had more important problems to solve. :)

    The extension of that file is ".fzx" and its size = 1 KB.
     
  8. Osaban

    Osaban Registered Member

    Joined:
    Apr 11, 2005
    Posts:
    5,618
    Location:
    Milan and Seoul
    As far as I know, disabling RegDefend (and not exiting the program) should have the same effect as uninstalling it. I'm still waiting for a reply from Faronics. If there is something worth reporting I certainly will.
     
  9. Osaban

    Osaban Registered Member

    Joined:
    Apr 11, 2005
    Posts:
    5,618
    Location:
    Milan and Seoul
    Problem solved: I uninstalled ShadowUser first, cleaning carefully all its debris (also found a lot of debris from Nod32), reinstalled AE first, and then ShadowUser. They both work well now.

    For the record, I had a prompt reply from Faronics suggesting to uninstall AE, clean the temp folder and reinstall it (good try). It's amazing how I had tested AE for the whole of the evaluation period, and didn't notice this problem then.

    I also have some second thoughts about registry cleaners (I use RegSupreme Pro). After cleaning with it, I checked the registry for leftovers: it was full of them, I had to do it manually.
     
  10. EASTER

    EASTER Registered Member

    Joined:
    Jul 28, 2007
    Posts:
    11,126
    Location:
    U.S.A. (South)
    Anti-Executable is another one of those very rare protection apps that, once properly configured to its database, is Xtremely formidable. Additional coverages can't help but strengthen its already iron-shield guard against any attempt for malware or a virus to wreak its dirty work and cost a user wasted time.

    It ranks right up there with my short list of INVINCIBLE protections.
     
  11. ErikAlbert

    ErikAlbert Registered Member

    Joined:
    Jun 16, 2005
    Posts:
    9,455
    Another advantage of AE: it's an evergreen, no daily signature updates required, it always works with the same force and is therefore ideal for boot-to-restore solutions, which are frozen most of the time. :cool:
     
  12. EASTER

    EASTER Registered Member

    Joined:
    Jul 28, 2007
    Posts:
    11,126
    Location:
    U.S.A. (South)
    Well Erik. How about re-reviewing at least some whitelist entries as a starter. You got me interested enough: if I can add the right programs/folders/files where there'll be no problem, then to run it at HIGH SECURITY along with FD-ISR. That HAS to be a very solid guard against potential intrusions since AE stops executables dead in their tracks at once. LoL
     
  13. ErikAlbert

    ErikAlbert Registered Member

    Joined:
    Jun 16, 2005
    Posts:
    9,455
    Easter,

    This list of trusted ISR-executables makes it possible to put AE on HIGH security +
    - Network Prevention = marked (Enable)
    - Delete Prevention = not marked (Disable). That is a pity.
    - Copy Prevention = marked (Enable)
    - Windows On Windows = not applicable (greyed out)

    To add this blue list, you have to do this:

    1. Open Anti-Executable
    2. Click on "Configuration"-tab
    3. Click on "Trusted Applications"-tab
    4. Add each exe-file in the text area one-by-one and click each time on "Add Application"-button

    c:\$isr\$app\setup\isrcopy2k.exe
    c:\$isr\$app\setup\isrcopy.exe
    c:\$isr\$app\setup\isrcopyrss.exe
    c:\$isr\$app\setup\isrcopyxp.exe
    c:\$isr\$app\setup\isrmonitor.exe
    c:\$isr\$app\setup\isrservice.exe
    c:\$isr\$app\setup\isrsetup.exe
    c:\$isr\$app\setup\mbrtool.exe
    c:\$isr\$app\setup\removeall.exe
    c:\$isr\$app\setup\setuprss.exe
    c:\$isr\$app\firstdefense-isr.exe
    c:\$isr\$app\isrcmd.exe
    c:\$isr\$app\isrcontrol.exe
    c:\$isr\$app\isrmonitor.exe
    c:\$isr\$app\isrviewlogs.exe
    c:\$isr\$app\isrwait.exe
    c:\$isr\$app\mbrbackup.exe
    c:\$isr\$app\supportinfo.exe
    c:\$isr\0\isrservice.exe
    c:\$isr\0\isrcopyrss.exe
    c:\$isr\0\isrcopyxp.exe
    5. When finished, click on "Apply"-button
    6. Click on "OK"-button

    You'd better use the function "Export To File" to store all these trusted applications, in case you have to re-install AE.
    The function "Import From File" lets you import them back.
    It works because I've tested this during my total re-installation from scratch in September. :)

    Happy typing. :D

    P.S.: the list might have too many executables, as I said earlier in this thread.
     
    Last edited: Nov 17, 2007
  14. ErikAlbert

    ErikAlbert Registered Member

    Joined:
    Jun 16, 2005
    Posts:
    9,455
    Easter,
    In addition, also do this:

    1. Open Anti-Executable
    2. Click on "Configuration"-tab
    3. Click on "Message"-tab and mark all these options

    - File name
    - Reason for blocking
    - Program name
    - Bitmap

    4. When finished, click on "Apply"-button
    5. Click on "OK"-button

    The reason why you have to do this: when AE warns again during a FDISR-operation, AE will show a popup with an explanation and which executable is responsible.
    Write that executable down and put it in the list of "Trusted Applications".
    This might happen, when the list is still not complete.

    The last executable on the blue list "c:\$isr\0\isrcopyxp.exe" for instance was added much later. AE suddenly complained while I was doing something and I had to add this exe to make it work without errors.
     
    Last edited: Nov 17, 2007
  15. Peter2150

    Peter2150 Global Moderator

    Joined:
    Sep 20, 2003
    Posts:
    20,590
    That's bizarre. I use AE with no ISR files added and it doesn't complain. Hmm
     
  16. EASTER

    EASTER Registered Member

    Joined:
    Jul 28, 2007
    Posts:
    11,126
    Location:
    U.S.A. (South)
    Pete, is that with HIGH SECURITY or LOW?

    And if HIGH, indeed this is something of interest to nail down. Thanks

    I already configure for this of course, I have to SEE just what's being blocked and its locale. LoL
     
    Last edited: Nov 17, 2007
  17. ErikAlbert

    ErikAlbert Registered Member

    Joined:
    Jun 16, 2005
    Posts:
    9,455
    Read post #373 and #374.
     
  18. Peter2150

    Peter2150 Global Moderator

    Joined:
    Sep 20, 2003
    Posts:
    20,590
    Exactly Erik. I did tick all the boxes so it shows what's being blocked. That's how I knew about the installer folder and the msi files.

    I have no issues with FDISR on the high setting.
     
  19. ErikAlbert

    ErikAlbert Registered Member

    Joined:
    Jun 16, 2005
    Posts:
    9,455
    Can you mark the "Delete Prevention" as well now?
     
  20. Osaban

    Osaban Registered Member

    Joined:
    Apr 11, 2005
    Posts:
    5,618
    Location:
    Milan and Seoul
    Network Prevention won't let anything execute on the 'network drive'.

    "Network Prevention: When Network Prevention is checked, all executable files on a network drive are blocked from execution. The Exempted Folders tab allows access to executable files in specified network folders, even if Network Prevention is checked. If the option is unchecked, all executable files on a network can be executed normally." So that's the reason for all these alerts if one doesn't put C:\Windows\installer in the exempted folders. So this means that these are executables that are activated by the OS and not by the operator. (I find the wording a bit difficult to understand)

    With Copy Prevention, you can't download anything from the internet if it is checked, pretty tight.

    Am I right?

    The attachment shows what I had to put into the exempted folder tab.
     
  21. Peter2150

    Peter2150 Global Moderator

    Joined:
    Sep 20, 2003
    Posts:
    20,590

    Haven't tried, as I suspect all the log files windows deletes and reopens on reboot will get snagged. Not sure I really need it.

    Pete
     
  22. Peter2150

    Peter2150 Global Moderator

    Joined:
    Sep 20, 2003
    Posts:
    20,590
    Hi Osaban

    Yes, you are right as far as I know on most of your points. If you will notice, most of the files you exempted are in the Windows installer folder. That's why I just exempted the folder to be done with it.

    Pete
     
  23. ErikAlbert

    ErikAlbert Registered Member

    Joined:
    Jun 16, 2005
    Posts:
    9,455
    The only thing I can confirm is that my "Copy Prevention" is marked (enabled) and that I can't download any executable file from the internet.
    So if I want to download software to install it, I have to turn off AE to download it and keep AE turned off to install it. Once I turn AE on, the new software is added to the whitelist.

    Turning off AE makes me vulnerable of course, but I don't care about that, because my frozen snapshot removes any change anyway.
    Frankly, I don't care about my system partition at all, even when my frozen snapshot would ever fail. I have an army of clean images to get my system back. System partition is peanuts.
    I was a lot more worried about my unprotected data partition, but not anymore, because I lock it when I surf safely or dangerously. :)
     
  24. lucas1985

    lucas1985 Retired Moderator

    Joined:
    Nov 9, 2006
    Posts:
    4,047
    Location:
    France, May 1968
    AE is bullet-proof against executables, spoofed executables (fake extension) and files with double extensions. I'm not sure how it would perform against data filetypes carrying shellcode (exploits).
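As an added example (not the thread's or Faronics' code), the following toy Python routine shows the allow-list model the thread describes from a defender's side: trusted applications are matched by full path (the FD-ISR entries from post #13), a block is reported with the file name and a reason (the message options from post #14), and whether a file counts as an executable is decided from its PE image content rather than its name, which is why a fake or double extension does not bypass it (this post). The PE check, the sample paths and the constructed header bytes are assumptions for illustration, not AE's actual logic.

```python
"""Toy allow-list decision (added example, not Anti-Executable's code).

Assumption: an executable is recognised by content (DOS 'MZ' header whose
e_lfanew field points at a 'PE\0\0' signature), never by file extension.
"""
from typing import Tuple

# A few of the FD-ISR trusted applications listed in the thread (post #13).
TRUSTED_APPLICATIONS = {
    r"c:\$isr\$app\setup\isrcopyxp.exe",
    r"c:\$isr\$app\isrcmd.exe",
    r"c:\$isr\0\isrcopyxp.exe",
}


def looks_like_pe(data: bytes) -> bool:
    """True if the bytes carry a PE image header, whatever the file is called."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return False
    e_lfanew = int.from_bytes(data[0x3C:0x40], "little")
    return data[e_lfanew:e_lfanew + 4] == b"PE\0\0"


def decide(path: str, data: bytes) -> Tuple[str, str]:
    """Return (verdict, reason) like AE's popup: file name plus reason for blocking."""
    if not looks_like_pe(data):
        return "allow", f"{path}: not an executable image"
    if path.lower() in TRUSTED_APPLICATIONS:
        return "allow", f"{path}: trusted application"
    return "block", f"{path}: executable not in the trusted list"


def make_pe(e_lfanew: int = 0x80, size: int = 0x100) -> bytes:
    """Constructed minimal PE-looking blob for the demo (not a real program)."""
    buf = bytearray(size)
    buf[:2] = b"MZ"
    buf[0x3C:0x40] = e_lfanew.to_bytes(4, "little")
    buf[e_lfanew:e_lfanew + 4] = b"PE\0\0"
    return bytes(buf)


if __name__ == "__main__":
    # Trusted path, double extension, and an executable hiding behind .txt.
    for p in (r"c:\$isr\0\isrcopyxp.exe", r"c:\downloads\report.pdf.exe",
              r"c:\downloads\notes.txt"):
        print(decide(p, make_pe()))
    # A plain document (constructed OLE header bytes) is not an executable.
    print(decide(r"c:\docs\report.doc", b"\xd0\xcf\x11\xe0" + b"\0" * 60))
```

Note that the trojan a Word exploit's shellcode drops (the scenario in the following post) would hit the third branch, while the document itself is never an "executable" to this check.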
     
  25. Rmus

    Rmus Exploit Analyst

    Joined:
    Mar 16, 2005
    Posts:
    4,020
    Location:
    California
    Hi lucas1985,

    It would depend on what the shell code did. In the MSWord exploits I've seen, the code attempts to install a trojan executable, which of course would be blocked by AE.

    In an article last year by Security Focus, the steps in this type of exploit were detailed, and included a nice graphic:

    http://www.securityfocus.com/images/infocus/msoff5.jpg

    Of course, shellcode is capable of doing other things. However, to date, I've not seen in-the-wild examples of any.

    The money to be made is easier to come by with the installation of a trojan permitting control of the computer by the attacker.


    ----
    rich
     