Anti-Executable

Discussion in 'other anti-malware software' started by LoneWolf, Apr 12, 2007.

Thread Status:
Not open for further replies.
  1. LoneWolf

    LoneWolf Registered Member

    Joined:
    Jan 2, 2006
    Posts:
    3,408
  2. ErikAlbert

    ErikAlbert Registered Member

    Joined:
    Jun 16, 2005
    Posts:
    9,455
    Everything about AE is unusual. So you are warned in advance.
    It's the most hidden software I've ever seen.
    The uninstallation is different from any other software.
    The icon is different from any other software and doesn't seem to work, unless you know how it works.

    The introduction email contains everything you need to know, but you better download the User Guide.

    AE is evergreen software because it works with a WHITELIST, based on the software installed on your computer. So no definition file updates, like in scanners.
    Everything that is not on the whitelist is refused by AE.
    If you change your system partition constantly, AE might be a pain.
    AE recognizes more than 80 executables and works as advertised.

    Unfortunately, I can't buy it because the online store doesn't work for me.
     
    Last edited: Apr 12, 2007
  3. Rmus

    Rmus Exploit Analyst

    Joined:
    Mar 16, 2005
    Posts:
    3,943
    Location:
    California
    I first heard of AE when I was interested in some type of security for two families, where one computer in each family served everyone. The parents wanted some control over installing of games and other programs.

    I compared AE and Process Guard, both of which would block installing of executables. AE won out because by default, it denies installing of any executable. So does PG but PG has other features which complicate the situation for what I had in mind. AE is password-protected.

    When installing AE, it creates a "White List" of all of your executables (programs). Nothing else can install without your permission.

    To install a program, you just disable AE from the Systray Icon, install, then turn AE back on and the program is auto-added to the White List.

    Later, I began to see how "White List" protection was a sure prevention against Zero-day exploits.

    Just today at sans.org: EXE/ZIP e-mail viruses (editorial)

    " 'Storm' is yet another hint that current AV software is no longer an adequate means to protect yourself from current and relevant threats. Subscription based business models direct mainstream consumer anti-virus systems into a dead end of signature updates, which haven't worked at least since Zotob showed up."

    To check out what it would do, I ran some tests:

    Anti-Executable Tests


    regards,

    -rich

    ________________________________________________________________
    "Talking About Security Can Lead To Anxiety, Panic, And Dread...
    Or Cool Assessments, Common Sense And Practical Planning..."
    --Bruce Schneier
     
  4. Meriadoc

    Meriadoc Registered Member

    Joined:
    Mar 28, 2006
    Posts:
    2,642
    Location:
    Cymru
    Yes very nice, especially when used with something like Deep Freeze or similar program.
    (A similar free alternative would be Abtrusion Protector.)
     
  5. aigle

    aigle Registered Member

    Joined:
    Dec 14, 2005
    Posts:
    11,047
    Location:
    Saudi Arabia/ Pakistan
    Hi Rmus! I think you can get the same thing with SSM free. Install, keep it in learning mode for a while and then disconnect the GUI (you can protect it with a password). The only problem is that you might miss a few rules during training, while AntiExecutable seems to make allow rules for all applications currently installed on your system, which makes it more appropriate in the scenario you described above.

    Winsonar has a similar feature to kill unrecognized processes; it scans memory. It's free too.

    BTW, what if you have some uninstalled exes on your system? I think they will be added to the rules list as well. Also, can you hide the notification pop-ups and make it completely invisible to the user so that he will not know what is blocking new exes? Can you edit the allowed exe list (whitelist)? Sorry for too many Qs.
     
  6. BlueZannetti

    BlueZannetti Administrator

    Joined:
    Oct 19, 2003
    Posts:
    6,590
    aigle,

    When you look at the API calls hooked by AE and see it in action, it really doesn't follow the same model as programs like SSM. Basically, the primary defense mechanism is at the file open stage. If an executable is not on the whitelist, you can't open it, never mind run it. You can also see this via various behaviors in Windows Explorer (i.e. hovering the mouse over an unapproved exe file generates an alert).
    Yes and no. If you have a setup program, you can run that, but you won't be able to run the installed program since it's not the setup (unless you exit AE to perform the install).
    No. Once allowed, as far as I know, you can't disallow a program. Also, if a program is disallowed, it seems as though you need to go through a complete reinstall process to get it on the allowed list. Running it with AE disabled does not reset the listing.

    Blue
     
  7. aigle

    aigle Registered Member

    Joined:
    Dec 14, 2005
    Posts:
    11,047
    Location:
    Saudi Arabia/ Pakistan
    Thanks Blue!
    That's not a good feature at all. I can't believe it. It might be a pain to use AE without this feature.
     
  8. aigle

    aigle Registered Member

    Joined:
    Dec 14, 2005
    Posts:
    11,047
    Location:
    Saudi Arabia/ Pakistan
    So if you disable AE, then re-enable it, whatever is added to your system in that time is automatically added to the white list. Am I correct?
     
  9. BlueZannetti

    BlueZannetti Administrator

    Joined:
    Oct 19, 2003
    Posts:
    6,590
    Yes.

    It keeps track of file opens and adjusts the whitelist accordingly. As a corollary to this, don't perform a comprehensive system on-demand AV scan with AE disabled. It's basically the same as a complete install scan on enabling (I made that mistake once..., should have figured it out beforehand).

    Blue
     
  10. Perman

    Perman Registered Member

    Joined:
    Nov 23, 2005
    Posts:
    2,160
    Hi, folks: So, if I run AE within a frozen state (or shadow mode), would this give me an ideal defense mechanism? AE to stop any unauthorized exe and frozen mode to get rid of any changes the system may have. Perhaps this is the optimal and ultimate approach. But AE's strict policy makes me feel a bit taken aback. o_O
     
  11. ErikAlbert

    ErikAlbert Registered Member

    Joined:
    Jun 16, 2005
    Posts:
    9,455
    Maybe not foolproof, but enough to cover the period between two reboots. A frozen snapshot cleans your computer anyway after reboot.
    AE is a pain when you change your system partition constantly, but a frozen snapshot is also a pain if you change your system partition constantly.

    With FDISR you can create enough snapshots to test any software; not each snapshot needs AE, and you can always remove a snapshot after testing the software.
     
  12. ErikAlbert

    ErikAlbert Registered Member

    Joined:
    Jun 16, 2005
    Posts:
    9,455
    You can't have EVERYTHING, having a strict policy and total freedom at the same time is not possible, at least not at first sight.
     
  13. LoneWolf

    LoneWolf Registered Member

    Joined:
    Jan 2, 2006
    Posts:
    3,408
    So I basically understand how AE works, but is it worth the trouble installing it?
    Seems to me like there are mixed feelings about this one. Do the benefits outweigh the fact that it can be a pain in the a**? Then there's the possibility of conflicts with other apps. That's always a concern. I can always roll back to another snapshot, but I like to avoid trouble if I can. (Still like trying new security software, though.)
     
  14. ErikAlbert

    ErikAlbert Registered Member

    Joined:
    Jun 16, 2005
    Posts:
    9,455
    If you have to install new software, you have to turn OFF AE, install the software and then you have to turn AE back ON. This is considered a pain by some users, because they want to be infected and run 20 scanners to remove the malware.
    AE isn't created for keeping software a short time; once your system partition is installed completely, AE will protect you and you can do whatever you want with the installed software, because it is whitelisted by AE.
    Executables which are not whitelisted won't have a chance to install/execute themselves, even when they are legitimate executables.
    Just try it and see for yourself if you can live with it. AE had a 60 day trial, if I remember well.
     
  15. LoneWolf

    LoneWolf Registered Member

    Joined:
    Jan 2, 2006
    Posts:
    3,408
    Not a pain for me.
    So you're saying that as long as you have your system the way you want it, and remember to turn off AE when you install new software and then turn it back on, it will increase your security enough to be worth it.
    Also, would I need to turn off AE when updating software, or just when installing new software?
     
    Last edited: Apr 13, 2007
  16. zopzop

    zopzop Registered Member

    Joined:
    Apr 6, 2006
    Posts:
    632
    Yet another free alternative is "Exe Lockdown" (from the makers of RollbackRx):
    http://www.horizondatasys.com/169602.ihtml

    I tried it and got a blue screen :) It seems it was blocking something important in Windows, so I uninstalled it. It's not a bad program; it's just that I couldn't be bothered to test it more fully. GesWall has spoiled me :)
     
  17. ErikAlbert

    ErikAlbert Registered Member

    Joined:
    Jun 16, 2005
    Posts:
    9,455
    That's what the website says about AE.
    AE is evergreen, because it works with a whitelist.
    AE isn't perfect either, but that is common for all security software.
    For instance: when a bad object uses legitimate WHITELISTED executables to do its evil job, then AE won't protect you. I believe they are called "exploits".
    Bad scripts seem to be a problem for AE as well.
     
  18. tepe2

    tepe2 Registered Member

    Joined:
    Jan 18, 2006
    Posts:
    539
    Are not those exploits a problem for all security applications?
     
  19. ErikAlbert

    ErikAlbert Registered Member

    Joined:
    Jun 16, 2005
    Posts:
    9,455
    I trialed AE in a frozen snapshot without problems.
    However, there was a conflict with FDISR when I chose the maximum security of AE with all THREE switches marked.
    The copy/update of FDISR works by adding, removing and replacing objects, and AE doesn't always allow this. I could keep the maximum security, but I had to unmark two or three settings.
    I don't have AE anymore, because I can't buy it. I don't have access to their online store.
     
  20. zopzop

    zopzop Registered Member

    Joined:
    Apr 6, 2006
    Posts:
    632
    Very good point! I didn't even think of that.

    The makers of Exe Lockdown, in a PDF help file, suggested that if scripts were bothering you, you could block "wscript.exe" from running.
     
  21. Rmus

    Rmus Exploit Analyst

    Joined:
    Mar 16, 2005
    Posts:
    3,943
    Location:
    California
    The only way you will know is to try it yourself! Faronics provides an evaluation version. You can email Faronics support with a list of your programs to see if they know of any conflicts.

    Addressing some points raised by others:

    Upon installation, AE creates a White List of all currently installed executables. To install another program later, you turn off AE using the icon on the Systray, install the program, then turn AE back on. You will see an "updating" box appear and the new program is now on the White List. Just doing a time check: Turning AE on-off takes 4 seconds each.

    If you uninstall a program, it is not removed from the White List, and as Blue points out, you have to uninstall-reinstall AE and create a new White List.

    Can you explain why this would be?

    Can you explain what you mean by this?

    Can you give an example? How will the "bad object get installed?

    Can you give an example of a bad script?

    Yes, they work very well together. Back to the question of compatibility: with so many security programs today competing for space down at the kernel level, it's wise to check things out. Faronics made both of these programs to be compatible with each other.

    Deep Freeze is most ideal in what Blue nicely refers to as "static" situations, where the computer isn't continually being changed, since you have to thaw DF before installing something - this requires a reboot. People have complained that there should be a Thaw-on-the-fly feature, but you can understand the security implications here: without a reboot-to-restore, you could not be assured that something hadn't contaminated the system during the current session.

    Anti-Executable standing alone, on the other hand, does not require a reboot to install/update the White List. However, in conjunction with Deep Freeze, it's:

    Reboot DF Thawed,
    Turn off AE,
    Install program,
    Turn on AE to update White List,
    Reboot DF Frozen.

    An interesting side feature of running both AE and DF is in testing malware. If I turn off AE to download a trojan, then turn AE back on to catch what the trojan does (install a dll, etc.), that trojan will be on the White List. However, with DF, a reboot will restore AE's White List to its previous state.

    This also permits evaluating programs as long as a reboot isn't required, since putting a program on AE's White List while DF is frozen means that it won't stay on the White List following a reboot.

    Regarding the icon: there is a Stealth Mode (as with Deep Freeze) which hides the icon. Interestingly, at the University, the System Administrator chooses not to use Stealth Mode because you might not be sure if DF (or AE) is on or off, since the icon blinks or has a red X in it when the programs are disabled.


    regards,

    -rich

    ________________________________________________________________
    "Talking About Security Can Lead To Anxiety, Panic, And Dread...
    Or Cool Assessments, Common Sense And Practical Planning..."
    --Bruce Schneier
     
    Last edited: Apr 13, 2007
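    The whitelist mechanics described in this thread (the White List built at install time, the file-open gate Blue mentions, disable-install-re-enable auto-adding, uninstalled programs staying on the list, and zopzop's note about denying wscript.exe) can be modelled in a few dozen lines. The following is an added illustration, not Faronics code and not anything posted by the thread's participants; it keys each entry on path plus content hash, which is an assumption of this model rather than a documented AE detail, and every path and "executable" in it is constructed sample data.

```python
import hashlib
from dataclasses import dataclass, field

# Constructed sample "executables": path -> file bytes (not real binaries).
INSTALLED = {
    "C:/Windows/notepad.exe": b"MZ...notepad",
    "C:/Windows/wscript.exe": b"MZ...wscript",
    "C:/Program Files/Editor/editor.exe": b"MZ...editor",
}


@dataclass
class ExecGate:
    """Hypothetical whitelist-based execution gate (model only, not AE's code)."""
    allowed: dict = field(default_factory=dict)   # path -> sha256 of contents
    denied: set = field(default_factory=set)      # explicit deny rules, lower-cased paths
    enabled: bool = True
    log: list = field(default_factory=list)

    @staticmethod
    def digest(content: bytes) -> str:
        return hashlib.sha256(content).hexdigest()

    def build_whitelist(self, installed: dict) -> int:
        """Installation step: every executable currently present is allowed."""
        for path, content in installed.items():
            self.allowed[path] = self.digest(content)
        return len(self.allowed)

    def on_file_open(self, path: str, content: bytes) -> str:
        """Decision point modelled at file open. Returns ALLOW, BLOCK, DENY or LEARN."""
        h = self.digest(content)
        if not self.enabled:
            # Disabled behaves as learning mode: anything opened joins the whitelist.
            # This is also why an on-demand AV scan with the gate off is a bad idea.
            self.allowed[path] = h
            verdict = "LEARN"
        elif path.lower() in self.denied:
            verdict = "DENY"      # explicit deny wins even over a whitelisted path
        elif self.allowed.get(path) == h:
            verdict = "ALLOW"
        else:
            verdict = "BLOCK"     # unknown path, or known path with changed contents
        self.log.append(f"{verdict} {path}")
        return verdict

    def stale_entries(self, installed: dict) -> list:
        """Whitelist entries whose file no longer exists: uninstalled programs stay
        on the list, so a periodic audit like this is the only way to spot them."""
        return sorted(p for p in self.allowed if p not in installed)


def run_scenario() -> dict:
    """Walk through the situations discussed in the thread and return each verdict."""
    gate = ExecGate(denied={"c:/windows/wscript.exe"})
    gate.build_whitelist(INSTALLED)
    results = {}
    # 1. An unknown installer arrives while the gate is on: blocked at file open.
    results["setup_while_enabled"] = gate.on_file_open("C:/Temp/setup.exe", b"MZ...setup")
    # 2. Turn the gate off, run the installer, turn it back on: now whitelisted.
    gate.enabled = False
    results["setup_while_disabled"] = gate.on_file_open("C:/Temp/setup.exe", b"MZ...setup")
    gate.enabled = True
    results["setup_after_reenable"] = gate.on_file_open("C:/Temp/setup.exe", b"MZ...setup")
    # 3. A whitelisted path whose contents changed no longer matches its hash.
    results["tampered_notepad"] = gate.on_file_open("C:/Windows/notepad.exe", b"MZ...replaced")
    # 4. The script host shipped with the OS (so it is whitelisted) but is explicitly denied.
    results["wscript"] = gate.on_file_open("C:/Windows/wscript.exe", INSTALLED["C:/Windows/wscript.exe"])
    # 5. Uninstall the editor: its entry remains on the whitelist until audited.
    remaining = {**INSTALLED, "C:/Temp/setup.exe": b"MZ...setup"}
    del remaining["C:/Program Files/Editor/editor.exe"]
    results["stale"] = gate.stale_entries(remaining)
    return results


if __name__ == "__main__":
    for name, verdict in run_scenario().items():
        print(f"{name}: {verdict}")
```

    The hash check in step 3 is the part that goes beyond what the thread states: it shows why keying a whitelist on file contents rather than on path alone matters, since a replaced binary at a trusted path would otherwise inherit the trust.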
  22. ErikAlbert

    ErikAlbert Registered Member

    Joined:
    Jun 16, 2005
    Posts:
    9,455
    I don't know much about security software, but I can READ.
    I like AE very much, because it is security software I do UNDERSTAND, because it has a simple, clear philosophy. It's also easy to configure, and it works forever, because it has no definition files.
     
  23. LoneWolf

    LoneWolf Registered Member

    Joined:
    Jan 2, 2006
    Posts:
    3,408
    How so?
     
  24. ErikAlbert

    ErikAlbert Registered Member

    Joined:
    Jun 16, 2005
    Posts:
    9,455
    AE doesn't appear in the Windows Add/Remove screen used to uninstall software, so you can't uninstall AE this way. It has no uninstall program either.
    AE doesn't appear in the All Programs list.
    AE has only a folder in Windows Explorer, but you can't open it.
    The icon doesn't react to a left click or right click; you can even hide this icon, once you know how to do it.
    Very unusual compared with other software.
    You have to read the User Manual or the introduction email to know how it works.
     
  25. Rmus

    Rmus Exploit Analyst

    Joined:
    Mar 16, 2005
    Posts:
    3,943
    Location:
    California
    This is a security feature to keep unauthorized people from attempting to uninstall the program - effective in institutional situations mainly, but also useful where someone shares her/his computer with others.

    Again, protection from tampering. There are no user files, so no need to access the folder.

    I'm not sure what you mean here.

    This keeps most unauthorized people from fooling around. The icon doesn't even have mouse-over text identifying the program.

    Yes, quite innovative, don't you think?! :)


    -rich
     