Anti-Executable

Discussion in 'other anti-malware software' started by LoneWolf, Apr 12, 2007.

Thread Status:
Not open for further replies.
  1. lucas1985

    lucas1985 Retired Moderator

    Joined:
    Nov 9, 2006
    Posts:
    4,047
    Location:
    France, May 1968
    But, AE blocks the dropped executable not the malicious Word file, right?
    That opens a (theoretical) door in AE. The shellcode may have instructions to disable AE first and then download/drop the payload.
    Think about the tests done by nicM with malware which unhooks kernel functions of security software.
    Scripts and shellcode are the only two possible backdoors of AE, which otherwise is 100 % bullet-proof.
     
  2. Rmus

    Rmus Exploit Analyst

    Joined:
    Mar 16, 2005
    Posts:
    4,020
    Location:
    California
    That's correct. The same situation occurred with the .wmf exploit: AE did not block the .wmf file, rather, prevented it from downloading the trojan executable.

    Yes - AE blocks executables only. To date, I've not seen examples of AE being disabled.

    My understanding of those tests was that they were not scripts, but trojans - demonstrating what they could do if installed:

    So, you have to ask yourself, with AE running, how would such a trojan or rootkit get installed?

    It reminds me of the firewall leaktests: they demonstrated the weakness of traditional firewalls, yet simulating trojans, had to first be installed on the computer. Ask yourself, how could that happen on your computer?

    Another example that comes to mind was the Deep Freeze exploit a couple of years ago. In order to work, an executable file had to be installed.


    ----
    rich
     
  3. lucas1985

    lucas1985 Retired Moderator

    Joined:
    Nov 9, 2006
    Posts:
    4,047
    Location:
    France, May 1968
    I got it right :)
    This would be a case of security through obscurity, don't you think?
    Correct.
    A trusted friend sends you a .doc file (clean at Virustotal/Jotti) which carries shellcode to disable/unhook AE and then download the payload.

    A side thought: IMO, blocking executables is rather easy and there are plenty of solutions for the informed user. But blocking/dealing with shellcode in data filetypes is the real problem for those with a security setup in place.
    That's why I like sandboxes. You can sandbox/isolate your doc viewers.
     
  4. EASTER

    EASTER Registered Member

    Joined:
    Jul 28, 2007
    Posts:
    11,126
    Location:
    U.S.A. (South)
    Thanks to everyone for some very detailed and much thought-provoking discussion into this. There's really very little room left anymore for forced intrusion code, be it whatever, but the door is not 100% completely sealed until every possibility has been raised and researched, then proven by actual results.
    Pandora's box may soon be left with just only cobwebs as a reminder of what was, compared to its former intent of mischief contents, making them completely OBSOLETE once all the bases are covered.

    Excellent Topic.
     
  5. Rmus

    Rmus Exploit Analyst

    Joined:
    Mar 16, 2005
    Posts:
    4,020
    Location:
    California
    Will that ever happen? I doubt it. Kareldjag, who used to test regularly, wrote:

    (has that been demonstrated?)

    Infected .doc files, of course, have always been a possible scenario, long before the sophisticated security programs we have today. In those days, you had to rely on practical approaches to security.

    Regarding .doc files, standard procedure was -- and still is for me -- to open .doc files from other people in a text editor, such as Wordpad, which will not run code. An early exploit was the macro virus. While everyone was rushing around keeping their AV updated -- and many macro viruses were still able to sneak in -- those in the education field who used a text editor had no worries. I normally viewed 30+ MSWord documents/week received as email attachments from students. We never bothered scanning them.

    Common practice was to configure MIME types in both the browser and email program to pass .doc files directly to a text editor, instead of opening in the browser, or MSWord -- still a procedure I implement for myself and users that I help.

    Teaching practical approaches to security problems is still the best and most reliable approach to developing a security strategy.


    ----
    rich
     
  6. lucas1985

    lucas1985 Retired Moderator

    Joined:
    Nov 9, 2006
    Posts:
    4,047
    Location:
    France, May 1968
    Only in my mind :D As you said, any piece of code can be disassembled, debugged and/or reverse engineered.
    Being proactive always pays off in the long term ;)
    That's my approach too. But this approach will die sometime as web 2.0 and the convergence of web and desktop continues. Data isn't data anymore. PDFs can have Javascript, documents have macros/scripts, media files may have embedded code, etc.
    Couldn't agree more.
     
  7. Long View

    Long View Registered Member

    Joined:
    Apr 30, 2004
    Posts:
    2,295
    Location:
    Cromwell Country

    Hope this is accepted as not too much off topic. I have recently re-installed Firetrust Benign http://www.firetrust.com/products/benign
    It certainly removes lots of HTML stuff. It sits between Outlook and my mail provider and hopefully would remove any of the bad things before they get to me. I would rather rely on something invisible like this than AE. Or am I just wasting my time?
     
  8. Osaban

    Osaban Registered Member

    Joined:
    Apr 11, 2005
    Posts:
    5,618
    Location:
    Milan and Seoul
    I don't think you can compare Benign and AE. One specifically deals with your mail the other with anything executing in your computer.

    I use Outlook too as my mail client through Gmail, but I never open my e-mail in Outlook, I do it directly on the web which is always sandboxed by ShadowUser. If something sneaks through Gmail (I doubt it), AE should block it, and everything is sandboxed anyway.

    I got Benign as a present when I bought MailwasherPro (I don't use them anymore since I joined Gmail). I tried it for a week or so, and it really slowed down reception a lot. I ended up uninstalling it as the whole mechanism of receiving mail was slow and it often hung. I also remember posting about it, didn't get one single reply (obviously not very popular at Wilders).
     
  9. Long View

    Long View Registered Member

    Joined:
    Apr 30, 2004
    Posts:
    2,295
    Location:
    Cromwell Country
    There are relatively few ways for bad things to get on a computer - e-mail is one of them. For those who don't continually download "free" programs and have conservative surfing habits, I would imagine that e-mail from friends poses by far the greatest practical threat?

    I can't explain the slowness you experienced (I don't use Mailwasher Pro as I have a good mail provider take care of that). Certainly Benign has caused me no slowdown at all. I'm not trying to compare two solutions except in the sense that I feel that it is better to not let something bad on rather than try to stop it working. If something bad ever did get on I wouldn't be at all happy with a program that simply stopped it working. What about the future? Would it still be there? I would restore an old clean image rather than trust a program to clean up.

    To be fair perhaps I ought to try AE one day. I have often wondered how often it stops dangerous things, as opposed to just being a pain when it stops things you want. Does it stop bad things every day, every week, every month, rarely, never ? I expect that experiences as always will vary with some who like to mess around finding that it saves them on a regular basis. But is this a product for the average home user ?
     
  10. BlueZannetti

    BlueZannetti Registered Member

    Joined:
    Oct 19, 2003
    Posts:
    6,590
    It stops any executable that was not installed prior to the latest system scan. That specifically means, not installed prior to the installation of AE or not installed during a period in which AE was disabled. For the primary target market (open access PCs with a fixed and static complement of applications), this is precisely the behavior desired.
    How often would the user download executables?
    Average home user covers a lot of ground. For someone spending day and night testing applications - no way. For a child's PC for which you desire to preapprove and control the installation of any software, it would be great. Then there's the great middle ground. In broad strokes, if the collection of software on the machine is fairly static, it is a very viable, exceptionally strong, inexpensive, readily understood, and very robust approach.

    Blue
     
  11. Long View

    Long View Registered Member

    Joined:
    Apr 30, 2004
    Posts:
    2,295
    Location:
    Cromwell Country
    Thanks - that's the best explanation I have seen. I do use DeepFreeze on some machines which fall into the category of very static. I will have to try this program. Is there any performance hit ?
     
  12. BlueZannetti

    BlueZannetti Registered Member

    Joined:
    Oct 19, 2003
    Posts:
    6,590
    Not that I could see.

    AE hooks some of the basic Windows API system calls needed to launch an executable and it will alert on some actions that aren't an explicit launch, but do require, for example, a file open operation. In other words, the approach is conservative.

    The only "performance hit" that you'll notice is if you have AE disabled for an exceptionally long period and you perform a lot of file accesses during that time. For example, if you disable AE and perform a systemwide AV scan, the result is equivalent (in time expended) to a reinstall and reinitialization of AE. It clearly keeps track of all those accesses to update its internal database once re-enabled.

    Blue
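The baseline-whitelist behaviour BlueZannetti describes above (approve whatever was present at the last scan, block everything else, and fold in whatever appeared while protection was disabled), as an added illustrative model that is not Faronics' code. The content-hash identity, the class and function names and the sample files are assumptions; the page does not describe AE's real internals.

```python
import hashlib


class ExecutionControl:
    """Toy model of AE-style execution control as described in the thread.

    Executables present at the last scan are approved; anything else is
    blocked. Executables launched while protection is disabled are folded
    into the approved set when it is re-enabled (assumption: identity is a
    content hash; the real product's mechanism is not given on the page).
    """

    def __init__(self):
        self.approved = set()            # hashes of approved executables
        self.seen_while_disabled = set() # launches observed while disabled
        self.enabled = True

    @staticmethod
    def fingerprint(content: bytes) -> str:
        return hashlib.sha256(content).hexdigest()

    def scan(self, files: dict) -> None:
        """Initial scan: every executable now on disk becomes the baseline."""
        self.approved = {self.fingerprint(c) for c in files.values()}

    def disable(self) -> None:
        self.enabled = False

    def enable(self) -> None:
        # This is the gap the thread points out: anything introduced during
        # the disabled window is treated as legitimate from now on.
        self.approved |= self.seen_while_disabled
        self.seen_while_disabled.clear()
        self.enabled = True

    def request_launch(self, content: bytes) -> str:
        """Decide an attempted launch: 'ALLOW' or 'BLOCK'."""
        digest = self.fingerprint(content)
        if not self.enabled:
            self.seen_while_disabled.add(digest)
            return "ALLOW"
        return "ALLOW" if digest in self.approved else "BLOCK"


def demo() -> list:
    """Walk the thread's scenarios with constructed sample file contents."""
    notepad, dropped = b"MZ notepad (constructed)", b"MZ dropped file (constructed)"
    ctl = ExecutionControl()
    ctl.scan({"notepad.exe": notepad})                 # baseline at install time
    results = [ctl.request_launch(notepad),            # known app: ALLOW
               ctl.request_launch(dropped),            # new executable: BLOCK
               ctl.request_launch(notepad + b"!")]     # altered copy: BLOCK
    ctl.disable()                                      # e.g. during a full AV scan
    results.append(ctl.request_launch(dropped))        # unprotected window: ALLOW
    ctl.enable()
    results.append(ctl.request_launch(dropped))        # now baselined: ALLOW
    return results
```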
     
  13. Osaban

    Osaban Registered Member

    Joined:
    Apr 11, 2005
    Posts:
    5,618
    Location:
    Milan and Seoul
    I had an AV that was considered one of the lightest in terms of system resources. With AE there was a noticeable change in speed for just about any operation of my computer (particularly booting up). I'd say my machine is 30 % faster with AE (and without the AV).

    I also should add that it is nice, psychologically speaking, to have a system that is self contained, and doesn't have to beg for daily updates to give you a sense of security.
     
    Last edited: Nov 18, 2007
  14. ErikAlbert

    ErikAlbert Registered Member

    Joined:
    Jun 16, 2005
    Posts:
    9,455
    My computer works also slower, since I have AE on board, at least in my on-line snapshot.
    I work mainly in my off-line snapshot, that is malware-free and anti-malware-free, so it doesn't bother me.
    Yes, AE is an evergreen, no signature updates required, and AE protects and hides itself very well compared with other security software, including password protection, and you can even hide its icon in the system tray. :)
     
  15. Osaban

    Osaban Registered Member

    Joined:
    Apr 11, 2005
    Posts:
    5,618
    Location:
    Milan and Seoul
    I think my sentence was a bit misleading: In terms of speed, my computer is definitely FASTER since I stopped using an AV. AE instead has practically no impact compared to my former AV.
     
  16. Long View

    Long View Registered Member

    Joined:
    Apr 30, 2004
    Posts:
    2,295
    Location:
    Cromwell Country

    Thanks for that - I thought it was just me. When I had an AV, one particular program took up to 30 seconds to load. Without an AV it takes 6. Adding AE, the 6 went to 7. Not massive but observable nonetheless.

    So far I have only tested (and removed) it on an old P4. When I get time I will try it out on a Core 2 Quad and doubt if the impact will be noticeable. If I had to have AV/AS software, firewall etc. on the one hand or AE on the other, I'm sure I would opt for AE.
     
  17. trjam

    trjam Registered Member

    Joined:
    Aug 18, 2006
    Posts:
    9,102
    Location:
    North Carolina USA
    When do they plan to have a Vista version?
     
  18. Osaban

    Osaban Registered Member

    Joined:
    Apr 11, 2005
    Posts:
    5,618
    Location:
    Milan and Seoul
    Version 3.0 will be Vista compatible (Winter 2007/08, info from the member website) and soon V 2.3 should be available (but not Vista compatible).
     
  19. EASTER

    EASTER Registered Member

    Joined:
    Jul 28, 2007
    Posts:
    11,126
    Location:
    U.S.A. (South)
    There's no performance deterioration in my XP Pro units running AE. They zoom along as always nicely. AE reminds me of one of those rare old Windows 98 programs you could always rely on through thick and thin. It's pretty much set it and forget it, and it does its task the instant an unlisted executable raises its signal to want to activate. AE snags it in a nanosecond of time and stalls it right there and then.

    Great App and most useful.
     
  20. Thankful

    Thankful Savings Monitor

    Joined:
    Feb 28, 2005
    Posts:
    6,564
    Location:
    New York City
    I have my security set to HIGH with Delete and Copy Prevention enabled. I have added CCleaner to my 'Trusted Application' list. Why am I still getting the warning 'This action violates acceptable use policy' when running CCleaner?
    Reason Delete ; File Documents and Settings\.....\historyie5\index.dat ?

    Thanks.
     
  21. ErikAlbert

    ErikAlbert Registered Member

    Joined:
    Jun 16, 2005
    Posts:
    9,455
    When you unmark the "Delete Prevention", the message will disappear.
    It's my understanding that "Trusted Applications" have the privilege to open or modify other executables and that's it.

    You might also try this:
    Keep "Delete Prevention" marked.
    Clean "Trusted Applications".
    Put the program folder of CCleaner as an "Exempted Folder" and run CCleaner and see what happens.
     
    Last edited: Nov 27, 2007
  22. Acadia

    Acadia Registered Member

    Joined:
    Sep 8, 2002
    Posts:
    4,332
    Location:
    US
    Excellent thread, glad that I discovered it.

    BlueZ, not sure what you mean by above quote, thanks.

    Acadia
     
  23. Acadia

    Acadia Registered Member

    Joined:
    Sep 8, 2002
    Posts:
    4,332
    Location:
    US
    Never mind, BlueZ, I just found your post #95. :)

    Acadia
     
  24. Thankful

    Thankful Savings Monitor

    Joined:
    Feb 28, 2005
    Posts:
    6,564
    Location:
    New York City
    I noticed the price of AE is now $45, up 10 dollars.
     
  25. ErikAlbert

    ErikAlbert Registered Member

    Joined:
    Jun 16, 2005
    Posts:
    9,455
    Yes, but that didn't bother me, because I pay for an evergreen.
    AE doesn't require any signature updates and works always, once you paid for it.
    I installed/uninstalled AE a dozen times since I bought it, and I like its concept very much and above all its immediate action. You can't even move your mouse over an unauthorized executable without getting a warning message from AE.
    AE is my second whitelist. My freeze storage is my first whitelist, which cleans everything.
    Unfortunately my first whitelist is a bit too late in theory, my second whitelist is never too late. :)
     
    Last edited: Dec 8, 2007