Anti-Executable

Discussion in 'other anti-malware software' started by LoneWolf, Apr 12, 2007.

Thread Status:
Not open for further replies.
  1. ErikAlbert

    ErikAlbert Registered Member

    Rmus,
    Thanks for the additional info and for the corrections of the SD-list. :cool:
     
  2. Peter2150

    Peter2150 Global Moderator

    Guys, this thread is about AE, not script blocking software. Let's take it to another thread.

    Pete
     
  3. EASTER

    EASTER Registered Member

    Very Easy. The web is loaded with freely accessible file joiners. A .bat file can be easily concealed within an executable, jpg, bmp or many other extensions. I used to play with these just to satisfy my curiosity of them by joining say a .jpg file into a regular program.

    Suffice it to say, web pages also have had their way with getting a user to land on them (drive-by) and proceed to manipulate the holes in IE to drop a launcher file.

    Those file joiners have been used by revolving advertisers of certain freebie sites and put into screensavers and the like to detour traffic in their direction in order to collect a profit per clicks/install etc.
     
  4. EASTER

    EASTER Registered Member

    I have to Resurrect this Topic once more. I loyally use Faronic's Anti-Executable on some of my systems. This app is the most effective protection against executables I've ever seen! Listen to this set up I employ where I use it most, PC Security = DataLock! SandboxIE = Trapped! AE = DENY! That's all folks! This is total Lockdown and Confinement & without even a HIPS!

    It's but a small matter to temporarily disable AE to add good clean programs plus my data partition is 100% concealed and locked down from entry. I tested this in various scenarios and came out completely unscathed.

    AE is another work-of-art, I'd just like to see it include more file associations such as .reg/.vbs/.hiv etc. to make it FULLY complete.

    Any thoughts? Pros or Cons? This trio protects great without any need for AV/AS scanners, HIPS, or anything else. A truly streamlined approach that reaps benefits.
     
  5. Thankful

    Thankful Savings Monitor

    I use AE and really like it. I'd like to see Vista support. I also occasionally see a bug where Windows on Windows protection turns itself off.
     
  6. ErikAlbert

    ErikAlbert Registered Member

    Good idea. Faronics can add a new function for this, to block any file extension, not just scripts. Let the user decide which file extensions he wants to block.
    And that will be the end of all script blockers, most of them aren't good enough anyway.
     
  7. EASTER

    EASTER Registered Member

    Exactly my point Erik. I've been trying in vain to live with the old script defender but it needs updated because it disrupts the normal functions of scripts after uninstall. Yeah, I use Doug Knox's file associations .reg files to return them to defaults or else use my RegCrawler program to return them again & pull out its connections but that should just not be required. Apps should return their changes right back as before when uninstalling.
     
  8. ErikAlbert

    ErikAlbert Registered Member

    AE is already blocking 80+ file extensions (executables) and it would be more complete when they allow blocking other extensions, chosen by the users.
    Just leave it up to the user which extensions he wants to block and nobody will complain anymore. The user will soon find out how far he can go. There must still be a choice to run: allow, deny or block always. :)
     
    Last edited: Nov 11, 2007
  9. Rmus

    Rmus Exploit Analyst

    To include a choice would defeat the basic premise of AE, which is Default Deny.

    AE does more than just look at file extensions. The effectiveness of the program lies in its code analysis, where AE looks inside a file to determine the presence of binary executable code, no matter what the file extension.

    Earlier this year, there was a targeted exploit to businesses, where an email contained a Document with malicious code inside. I created such a document to see if AE would flag it, and it did. Note that .rtf is not an executable file extension:

    [screenshot: doc.jpg]

    You may remember the spoofed .gif file exploit, discussed earlier in this thread. Where the classical HIPS programs blocked the program from running after it had downloaded, Anti-Executable prevented it from downloading, based on its code analysis as the file was being cached.

    Could a program like Anti-Executable be designed to do the same thing with Scripts? I corresponded with Faronics shortly after AE was released - it superseded their former program, FreezeX. I asked about a script-blocking program, and their response was that it was being considered. There has been nothing more said about it. It would require a completely different type of analysis engine.

    At that time, I was testing script blocking programs, including WormGuard. I discussed this a couple of years ago in the WormGuard thread, and will repeat some of it:

    The problem with most script blockers is that they set Registry entries to point designated file extensions to the script blocking program. Therein lies the weakness: if a malicious script is embedded in a MSWord document, for example, unless you have blocked the .doc extension, the script program will not flag it.

    WormGuard is different. It uses three different Script Analysis Engines. One is the Advanced Script Analysis Engine (ASAE). From the WG Help file:

    Consider the following script embedded in a MSWord document:
    Code:
    <SCRIPT LANGUAGE="VBScript">
    
    <!--
    function fnCreateFolder()
    dim oShell 
    dim oFolder
    dim sDir
    
    sDir = "C:\SomePath" 
    set oShell = CreateObject("Shell.Application")
    set oFolder = oShell.NameSpace(sDir) 
    end function
    --> 
    
    </SCRIPT>
    
    With WormGuard installed, the file is flagged upon execution:

    [screenshot: wg_testdoc.gif]

    Unfortunately, WormGuard is no longer being developed, although one might be able to find a copy...

    After testing a number of script blocking programs, including WormGuard, I opted not to use such a program.

    As good as WormGuard is, its one flaw -- and this pertains to all script blocking programs -- is that it does not prevent malicious scripts from running via the web browser, referred to as "browser interpreted scripts." That was my primary concern about malicious scripts.

    Because of the daunting task of developing a code analysis engine for scripts that works in the manner that Anti-Executable's code analysis engine does, and incorporating it into a White List program, I'm not optimistic that Faronics will develop such a program.

    But one never knows... and since the topic has resurfaced, I may write Faronics and ask :)


    ----
    rich
     
  10. EASTER

    EASTER Registered Member

    Hi rmus

    I had no idea that AE actually analyzes code structure, that's what I get for rushing into it without reading the details, but it's a set-it-and-forget app so as long as I could disable it according to need it was good enough.

    But looks like it delves deeper yet in its monitoring of individual executable code, and therein is another benefit. Thanks by the way for the info.

    So in your view is this of even more advantage that AE also analyzes files?

    I'll say one thing, it's a squeeze tight app especially if you run the scale all the way up to high :D
     
  11. Rmus

    Rmus Exploit Analyst

    Hi Easter,

    It's an added feature.

    Another example: I uploaded a spoofed .doc file (really an executable).

    I attempted to download the file (save to disk). Note that AE blocks the file as it attempts to cache. The file has not yet executed, so AE's analysis engine has identified it as an executable.

    [screenshot: download-testfile.gif]


    ----
    rich
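    Rmus's point in posts 9 and 11 above (AE looks inside the file for binary executable code regardless of extension, so a spoofed .doc or .gif is caught as it is cached, while a registry-based script blocker only sees extensions it has been pointed at) can be illustrated with a small content-versus-extension check. The following is an added example written for this thread, not AE's, WormGuard's or Faronics' code; its extension list, the PE-header heuristic, the embedded-script heuristic and the sample "files" are all constructed for illustration and are far simpler than a real code analysis engine.

```python
import struct

# Extensions a purely extension-based blocker would treat as executable.
# Constructed list for this example, not AE's actual 80+ extension table.
EXECUTABLE_EXTENSIONS = {".exe", ".dll", ".scr", ".com", ".pif", ".bat", ".cmd", ".vbs", ".js"}


def flagged_by_extension(filename: str) -> bool:
    """Extension-only check: the approach a spoofed .doc or .gif slips past."""
    dot = filename.rfind(".")
    return dot != -1 and filename[dot:].lower() in EXECUTABLE_EXTENSIONS


def has_pe_header(data: bytes) -> bool:
    """Content check: does the blob carry a Win32 PE header (MZ stub, e_lfanew -> 'PE\\0\\0')?"""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return False
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)   # offset of the PE signature
    if e_lfanew < 0x40 or e_lfanew + 4 > len(data):
        return False
    return data[e_lfanew:e_lfanew + 4] == b"PE\x00\x00"


def has_embedded_script(data: bytes) -> bool:
    """Content check for the WormGuard help-file case: a VBScript <SCRIPT> block inside a document body."""
    lowered = data.lower()
    return b"<script" in lowered and b"vbscript" in lowered


def classify(filename: str, data: bytes) -> dict:
    """Compare the two approaches side by side for one file."""
    return {
        "by_extension": flagged_by_extension(filename),
        "by_content": has_pe_header(data) or has_embedded_script(data),
    }


def build_fake_pe() -> bytes:
    """Constructed minimal stand-in for an executable: an MZ stub whose e_lfanew points at a PE signature.
    It is not a runnable program; it only carries the header bytes a content check looks for."""
    dos_stub = bytearray(b"MZ" + b"\x00" * 0x3E)            # 64-byte DOS header
    struct.pack_into("<I", dos_stub, 0x3C, 0x40)            # e_lfanew -> offset 0x40
    return bytes(dos_stub) + b"PE\x00\x00" + b"\x00" * 20   # signature, no real sections


# Constructed sample "files" (name -> bytes). The first two mimic the spoofed .doc / .gif tests in the thread.
SAMPLES = {
    "spoofed.doc": build_fake_pe(),   # executable renamed to .doc
    "spoofed.gif": build_fake_pe(),   # executable renamed to .gif
    "macro.doc": (b"\xD0\xCF\x11\xE0\xA1\xB1\x1A\xE1" + b"\x00" * 8          # OLE2 magic
                  + b'<SCRIPT LANGUAGE="VBScript">\r\n'
                  b'set oShell = CreateObject("Shell.Application")\r\n</SCRIPT>'),
    "clean.rtf": b"{\\rtf1\\ansi Quarterly report}",
    "setup.exe": build_fake_pe(),
}


def run_samples(samples=SAMPLES) -> dict:
    """Classify every sample; returns name -> {'by_extension': bool, 'by_content': bool}."""
    return {name: classify(name, data) for name, data in samples.items()}


if __name__ == "__main__":
    for name, result in run_samples().items():
        print(f"{name:12} extension={str(result['by_extension']):5} content={str(result['by_content']):5}")
```

    Running it shows the asymmetry the thread discusses: spoofed.doc and spoofed.gif are missed by the extension check but caught by the content check, clean.rtf is caught by neither, and only setup.exe is caught by both. Real engines also parse the optional header and sections and look for code in formats this sketch ignores; the point is only that a whitelist keyed on content rather than file name cannot be bypassed by renaming.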
     
  12. EASTER

    EASTER Registered Member

    Very Good.

    As you might know I've grown accustomed to letting HIPS eqs 3.41 handle program launches which also includes files/executables and of course can be configured easily to intercept all forms of associations, but AE intrigues my interest in the fact that it also does a code analysis of sorts and it's an agenda/plan of mine to implement the most minimalistic of preventions as opposed to heaping layers if at all possible. AE seems to make up plenty of ground in that respect but like ErikAlbert, I would think a user would gain a good deal of trustworthy coverage if more associations & preferable user selections could be made available to make up the difference on those not yet monitored.
     
  13. Long View

    Long View Registered Member

    Is there any/much of a performance hit with AE? From what I've read here it seems to cause a fair amount of grief with the need for end user involvement - initially at least. Do users find that it stops nasties operating on a daily basis, weekly, monthly, rarely or dare I say it never? I do like another Faronics program - DeepFreeze but have always had misgivings about AE - can't put my finger on the problem.
     
  14. Peter2150

    Peter2150 Global Moderator

    Hi Longview

    AE drove me nuts if I turned much on, for example the delete protection in the system area. Every time I'd boot, as Windows refreshes the logs it does a delete, recreate, and AE would block all that.

    Then it messed with FDISR causing delays. Disabling made no difference.
     
  15. Cerxes

    Cerxes Registered Member

    Contrary to Peter2150 I don't have any problem at all. However, I've noticed that some users can have problems when using the "High" security setting and/or, as in Peter2150's case, when the "Copy Prevention" and/or "Delete Prevention" settings are checked. My settings:

    [screenshot: AE.jpg]

    Everything runs just fine together with several other security programs activated (Avast, AVG AS, TF, DW, LSP).

    /C.
     
  16. Peter2150

    Peter2150 Global Moderator

    Yep, I had it on high. Might try it again with those settings.
     
  17. Rmus

    Rmus Exploit Analyst

    I can understand your desire, but I think a different program will have to be designed.

    Going beyond what user configurations are now implemented in the program would weaken its robustness, IMO.

    Creating the White List automatically within a Default-Deny environment is the most secure approach to keeping out unauthorized executables.

    Including file associations other than those that contain binary executable code would require a different code analysis engine, as I explained in my post above.

    On the systems that I've installed AE, I've not noticed any performance degradation.

    I'm not sure what you are referring to. Users configure various parts of the protection. I always set to High for the systems I install on.

    For myself, I use AE mainly for testing known exploits. Otherwise, I would not expect (and never have had) an alert, since I can't imagine a situation where I would encounter such exploits in normal work.

    My interest in AE is in environments where several share a computer, and the owner or parents want to control what gets installed. AE prevents the installation of any executable not already on the White List. The Copy and Delete prevention features are ideal in these situations. The Copy feature prevents any executable from being downloaded to disk. Without the Copy feature enabled, you still have execution protection, of course -- the file will not run. But in the home environments I'm thinking of -- keeping such files from even downloading -- screen savers and other such "free" stuff -- is a nice feature.

    There are two possible solutions here. From the User Manual:


    ----
    rich
     
  18. ErikAlbert

    ErikAlbert Registered Member

    The Freeze Storage (FS) and AE are both whitelists.
    1. AE = whitelist of executables only.
    2. FS = whitelist of all objects on my harddisk (except 5)
    And both work with the "Default Deny" principle.

    Unfortunately there is a big difference between AE and FS.
    1. AE stops the installation of an unauthorized executable IMMEDIATELY, so there is no execution either.
    2. FS allows the installation of an unauthorized executable and the execution, if it is activated, but removes the unauthorized executable DURING REBOOT as if it was never there.

    That is the reason why I have AE installed, to stop these bad executables, because FS allows them to run.

    On the other hand FS removes ALL the changes made on my harddisk during reboot and that is the perfect removal tool. DeepFreeze and all the other ISR-softwares do the same thing, they remove any change, but TOO LATE.
    The only one that isn't too late is AE, but AE doesn't cover all objects.

    If FS would remove any change immediately and not during reboot, it would be perfect and I wouldn't need AE anymore.
     
    Last edited: Nov 12, 2007
  19. Rmus

    Rmus Exploit Analyst

    Another scenario just came to mind: protection against Auto-Run.

    https://www.wilderssecurity.com/showthread.php?t=191115

    From the articles linked:

    Anti-Executable would alert to these exploits. See some tests here:

    http://www.urs2.net/rsj/computing/tests/autorun/

    ----
    rich
     
  20. ErikAlbert

    ErikAlbert Registered Member

    I run AE on HIGH without troubles, only the Delete Prevention isn't marked and like Rmus already said, the trick is to use "Trusted Applications", where you have to store a bunch of FDISR executables. I think I put too many of them in "Trusted Applications", but I'm too lazy to find out, which ones are too many.
     
    Last edited: Nov 12, 2007
  21. Long View

    Long View Registered Member

    Thanks for your confirmation. I don't test known exploits and was already beginning to get the feeling that this approach has little or no merit in normal work situations. For me Returnil or Deepfreeze is more than adequate.
     
  22. Peter2150

    Peter2150 Global Moderator

    Put AE back on, with settings on high, and one folder excluded. So far we are at peace with each other.:D
     
  23. EASTER

    EASTER Registered Member

    :thumb:

    We assume that folder is $ISR :D
     
  24. Peter2150

    Peter2150 Global Moderator

    Nope. c:\windows\installer
     
  25. Osaban

    Osaban Registered Member

    This is exactly the folder that was giving me a lot of alerts. Is it normal for the settings to revert back to 'low' once one reboots?
     