Anti Exes

Discussion in 'other anti-malware software' started by DX2, Mar 1, 2013.

Thread Status:
Not open for further replies.
  1. pegr

    pegr Registered Member

    Joined:
    Apr 8, 2008
    Posts:
    2,280
    Location:
    UK
    I too am glad we are having this discussion, as it is giving both of us a chance to explore this in more detail. I also want to thank you for continuing this in a friendly spirit. :)

    I agree the article is vague on detail. Here is the link to BRN's trusted enclave patent application if you are interested.

    http://www.google.com/patents/US7712143

    This is my understanding of how AppGuard works in relation to the trusted enclave concept:

    AppGuard looks at the whole computer system as consisting of two parts. There are files, processes, and registry keys forming a sub-system within the whole that must be protected against being compromised by malware. This sub-system is called a trusted enclave. The primary goal of AppGuard is to protect objects within the trusted enclave. Objects that lie outside the trusted enclave may be compromised by malware but they must be prevented from compromising objects within the trusted enclave.

    Regards
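    As an added illustration of the enclave boundary described in the post above (this is a toy model written for this page, not AppGuard's code or BRN's patented design): every file, process and registry key is tagged as inside or outside the enclave, and the one rule modelled is that a subject outside the enclave may never modify (write, delete, rename, inject into, set a value on) an object inside it. Treating reads as permitted, the operation vocabulary, and all object names and sample requests are assumptions made for the example.

```python
"""Toy model of a 'trusted enclave' integrity boundary (constructed example).

Objects are files, processes and registry keys, each either inside the
enclave or outside it.  Rule modelled: an outside-enclave subject may not
modify an enclave object.  Modifications of outside objects are tolerated
(they may be compromised), and reads are allowed in this model.
"""

from dataclasses import dataclass
from enum import Enum, auto


class Kind(Enum):
    FILE = auto()
    PROCESS = auto()
    REGISTRY_KEY = auto()


@dataclass(frozen=True)
class Obj:
    name: str
    kind: Kind
    in_enclave: bool


# Operations that change or take control of the target (assumed vocabulary);
# plain reads are deliberately not in this set.
MODIFYING_OPS = frozenset({"write", "delete", "rename", "inject", "set_value"})


@dataclass(frozen=True)
class Decision:
    subject: str
    op: str
    target: str
    allowed: bool
    reason: str


def check(subject: Obj, op: str, target: Obj) -> Decision:
    """Evaluate one access request against the enclave boundary."""
    if op in MODIFYING_OPS and target.in_enclave and not subject.in_enclave:
        return Decision(subject.name, op, target.name, False,
                        "outside-enclave subject may not modify an enclave object")
    if op in MODIFYING_OPS and not target.in_enclave:
        return Decision(subject.name, op, target.name, True,
                        "target lies outside the enclave; modification tolerated")
    return Decision(subject.name, op, target.name, True,
                    "read access, or enclave subject acting within the enclave")


def evaluate(requests):
    """Run a batch of (subject, op, target) requests; returns one Decision each."""
    return [check(s, op, t) for s, op, t in requests]


def blocked(decisions):
    """Filter a list of Decisions down to the denied ones (the audit trail)."""
    return [d for d in decisions if not d.allowed]


# Constructed sample objects.  The enclave members are typical OS-owned
# locations; the dropper and temp file stand in for user-space objects.
SVCHOST = Obj(r"C:\Windows\System32\svchost.exe", Kind.PROCESS, True)
HOSTS = Obj(r"C:\Windows\System32\drivers\etc\hosts", Kind.FILE, True)
RUN_KEY = Obj(r"HKLM\Software\Microsoft\Windows\CurrentVersion\Run",
              Kind.REGISTRY_KEY, True)
DROPPER = Obj(r"C:\Users\alice\Downloads\invoice.exe", Kind.PROCESS, False)
TEMP_FILE = Obj(r"C:\Users\alice\AppData\Local\Temp\stage.dat", Kind.FILE, False)

SAMPLE_REQUESTS = [
    (DROPPER, "set_value", RUN_KEY),   # persistence attempt -> blocked
    (DROPPER, "write", HOSTS),         # tamper with name resolution -> blocked
    (DROPPER, "inject", SVCHOST),      # code injection into enclave process -> blocked
    (DROPPER, "write", TEMP_FILE),     # outside object; tolerated
    (DROPPER, "read", HOSTS),          # read of enclave object; allowed in this model
    (SVCHOST, "write", HOSTS),         # enclave subject within the enclave; allowed
]

if __name__ == "__main__":
    for d in evaluate(SAMPLE_REQUESTS):
        verdict = "allow" if d.allowed else "BLOCK"
        print(f"{verdict:5} {d.subject} {d.op} {d.target}  ({d.reason})")
```

    Running the block prints three blocked requests: the outside-enclave dropper modifying the Run key, the hosts file and the service process. The point the model makes is that the policy never has to recognise the dropper as malicious; it only has to know which objects form the enclave.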
     
  2. Cutting_Edgetech

    Cutting_Edgetech Registered Member

    Joined:
    Mar 30, 2006
    Posts:
    5,694
    Location:
    USA
    Agreed! Policy restriction makes up a huge part of how AG works.
     
  3. Cutting_Edgetech

    Cutting_Edgetech Registered Member

    Joined:
    Mar 30, 2006
    Posts:
    5,694
    Location:
    USA
    Thanks for the info! I will read more on trusted enclaves. I've been using AG since its first beta release. I have done lots of beta testing for them over the years. They have been really good about adding functionality and features I have requested. There are a few things pending over at the AG thread that I'm waiting for to be added, such as being able to add an entire C:\Program Files folder as a Powerapp instead of each individual executable. Also, one should be able to see the full path of a blocked object from the alert log without having to go in as though one is going to create an exception rule. Another is one I have not mentioned before. I believe the GUI would look nicer and provide faster access to settings if they would remove the customize button. They could just integrate the protection level UI box in with the rest of the tabs. Instead of having the home screen or tab that AG has and then having to click on the customize button, the tabs could all be combined on one UI screen. Also, click on the customize button and then look at the first tab (the alerts tab). Look at how the ignored message box below alerts is too small and the paths are cut off so you can't see them. That should be easy to fix.
     
    Last edited: Mar 5, 2013
  4. pegr

    pegr Registered Member

    Joined:
    Apr 8, 2008
    Posts:
    2,280
    Location:
    UK
    I agree with your suggestions for improving the GUI. It could do with a makeover IMHO. :)

    Kind regards
     
  5. DBone

    DBone Registered Member

    Joined:
    Nov 24, 2010
    Posts:
    1,041
    Location:
    SoCal USA
    Agreed. I'm an AG paid owner, but not a user, because to me it seems as if AG has grown stale with zero development. I now use EXE Radar Pro because of the rapid development.
     
  6. Peter2150

    Peter2150 Global Moderator

    Joined:
    Sep 20, 2003
    Posts:
    20,590
    Not sure I understand the logic here. Sure the GUI could be a little better, but it is still one of the best apps for stopping malware.

    Eventually ERP will mature. Is that a reason for stopping using it?
     
  7. kjdemuth

    kjdemuth Registered Member

    Joined:
    Jul 29, 2005
    Posts:
    2,974
    Location:
    Boston, MA
    One of the reasons I don't use appguard is the initial setup. Trying to figure out what is causing what to be blocked is a little much for me. I'm sure once I understand how it works, it would be easier to configure. I know that in lockdown and even High it's pretty bulletproof. Just not something I'm willing to take the time to learn about.
     
  8. Peter2150

    Peter2150 Global Moderator

    Joined:
    Sep 20, 2003
    Posts:
    20,590
    You are right, it takes a bit of time to figure it out, but again you are right about it being solid. I now do run in lockdown mode.

    Pete
     
  9. Peter2150

    Peter2150 Global Moderator

    Joined:
    Sep 20, 2003
    Posts:
    20,590
    Hi Dbone

    I hope what I said didn't come across as putting you down. Wasn't meant that way. But as an example FDISR development totally ceased about 2 years ago, and I will continue to run it as long as I can. It still is a top notch application, and lives on even to Windows 8.

    Pete
     
  10. Cutting_Edgetech

    Cutting_Edgetech Registered Member

    Joined:
    Mar 30, 2006
    Posts:
    5,694
    Location:
    USA
    Have you had bug problems with AG? They're actually working on a new build of AG, but I don't know when it is going to be released.

    There's no reason for me to drop AG because I have not found anything more secure or that works so well with my setup. It's without a doubt one of the best security applications I have ever used. IMO there is nothing else out there that offers better protection. It blocks malware like shooting a BB gun at a tank lol

    Also, I have never beta tested for a finer company than BRN. They are always polite and appreciate any feedback given to them. I can't say that about many other companies I have beta tested for. They listen to their beta testers. They have added most of the functionality and features that have been requested by beta testers here at Wilders. The requests that have not been incorporated yet are being worked on presently. I will get in contact with Eric or Barb and see when we can expect the next release of AG.

    Btw, VoodooShield is awesome too! It's comparable to AG, and they even work well together. I'm getting ready to buy some more licenses for VS since I only have 1 now.
     
  11. kjdemuth

    kjdemuth Registered Member

    Joined:
    Jul 29, 2005
    Posts:
    2,974
    Location:
    Boston, MA
    CuttingEdge,
    Don't take offense to this, but how is VoodooShield "comparable to AG"? Just curious what you mean.
     
  12. arran

    arran Registered Member

    Joined:
    Feb 5, 2008
    Posts:
    1,156
    I did try Appguard once when I was looking for security programs that pass the "PCFlankLeaktest", and Appguard failed. I am probably going to permanently add Outpost 8 to my setup and configure Outpost HIPS instead of having Appguard; I have been using Outpost Firewall Pro 8 for a few weeks and I like it. Anyway, back on topic: I use AppLocker instead of ERP for my anti-exe, and I also have Sandboxie in my setup.
     
  13. pegr

    pegr Registered Member

    Joined:
    Apr 8, 2008
    Posts:
    2,280
    Location:
    UK
    I agree that an AE based on whitelisting should, in principle, combine well with AG, as they work in different ways. I've been thinking of combining AG with either VS or ERP myself, but I've no experience of either program.

    I'm interested to know from anyone who has tried both VS and ERP, which one they preferred and why. Just to clarify, I'm not asking which is better as I'm sure they are both fine applications. I'm asking for people's personal preferences and their reasons for choosing one over the other.

    Thanks
     
    Last edited: Mar 5, 2013
  14. DBone

    DBone Registered Member

    Joined:
    Nov 24, 2010
    Posts:
    1,041
    Location:
    SoCal USA
    No offense taken. ;) I never felt comfortable with AG, and if I'm being totally honest, I didn't fully understand how to set it up. I also never liked all of the warnings about AG blocking this app from reading that app's memory, etc. ERP just feels better to me, and I really like how the dev comes to Wilders and actually incorporates our suggestions into the next build. :thumb:
     
  15. Frank the Perv

    Frank the Perv Banned

    Joined:
    Dec 16, 2005
    Posts:
    882
    Location:
    Virginia, USA
    Me too.

    I'd like to hear about those and other similar apps.

    I hope these types of apps will get tested like AVs do right now.
     
  16. pegr

    pegr Registered Member

    Joined:
    Apr 8, 2008
    Posts:
    2,280
    Location:
    UK
    I would like to run AG with the protection level set to Locked Down, but Locked Down applies Privacy Mode globally to all guarded applications, overriding individual Privacy Mode settings, which isn't what I want. I posted on this elsewhere, and it is something that BRN have said they will consider changing in the next release.

    Regards
     
  17. Cutting_Edgetech

    Cutting_Edgetech Registered Member

    Joined:
    Mar 30, 2006
    Posts:
    5,694
    Location:
    USA
    In the level of protection they offer. I'm not saying they operate the same. No offense taken.
     
  18. Peter2150

    Peter2150 Global Moderator

    Joined:
    Sep 20, 2003
    Posts:
    20,590
    Ah so it only globally applies in Lockdown. How would you compare the protection of High versus lockdown?

    Pete
     
  19. arran

    arran Registered Member

    Joined:
    Feb 5, 2008
    Posts:
    1,156
    Actually you're right, Rmus, the PDF Reader executable doesn't connect out. I just tested. So I presume the same is true with Java. My bad, you learn something every day.

    But how good is your old Kerio firewall at leak tests? For example, if Java can't make an internet connection, is your old Kerio firewall going to be able to stop Java piggybacking on another program like your browser to connect out?
     
  20. Rmus

    Rmus Exploit Analyst

    Joined:
    Mar 16, 2005
    Posts:
    4,020
    Location:
    California
    Hello, arran,

    I'm proud to say that Kerio 2 has passed every firewall leak test that I've thrown at it! How about that!

    OK, a bit of explanation...

    When I first looked at firewall leak tests back in 2006 or 2007, the test method was to download a leak test executable and let it run its test.

    Well, I thought, that leak test executable is simulating what a trojan executable would do if permitted to download and run.

    So, I thought, a real test would be to put the leak test executable into a drive-by exploit and see if it can get onto my system.

    So, I created an exploit based on the well-known MDAC exploit that attacked IE and inserted the URL to the leak test web site to download tooleaky.exe, one of the real nasty tests at that time:

    [image]

    Then, I clicked on the link to my web site, which triggered the exploit to download the leak test executable from the leak test web site, simulating what would happen in a real drive-by attack:

    [image]

    Aha! Exploit failed.

    My conclusion was that if the leak test executable, which is simulating what a trojan executable would do, can be blocked from installing, then my trusty little Kerio has nothing to worry about.

    Probably not. But the malware that would do some trick like that, first has to be able to install and run.

    That's the way I see it, anyway.


    ----
    rich
     
  21. arran

    arran Registered Member

    Joined:
    Feb 5, 2008
    Posts:
    1,156
    It's good how Faronics Anti-Executable can always block it. But it's always better to have more than one security layer: firewall as the first defense layer and anti-exe as the second defense layer. It's better to prevent the virus from being downloaded to your PC in the first place, so you won't have to navigate to the file to delete it after you get a pop-up from Faronics. So does Kerio 2 pass the "PCFlankLeaktest"?
     
  22. Anti-Exes' Achilles heel is data/code crossovers: e.g. data formats which contain metadata with executable code (e.g. a picture), mix code and data (e.g. XML), or contain scripted code (e.g. JavaScript) within a host application (PDF reader or browser).

    That said, Faronics AE has a strong track record of surviving those cross-border (data to code) attacks (better than NVT), and AppGuard has its own memory protection mechanism to deal with those in-memory attacks.

    I would not drop AE for NVT (track record) or AG for AE (memory protection and admin space protection on top of AE in user space), but everyone has their own favourites.

    With Low Integrity sandboxes and overflow protection mechanisms (DEP, SEHOP, ASLR, etc.), the chances of successfully passing Anti-Executable restrictions are decreasing. In future the mitigation techniques of the OS and the browser will only become stronger. I have a similar setup using just the OS's internal capabilities, in theory weaker than those third-party applications (see sig), but in daily practice it has never been passed.
     
    Last edited by a moderator: Mar 6, 2013
  23. Rmus

    Rmus Exploit Analyst

    Joined:
    Mar 16, 2005
    Posts:
    4,020
    Location:
    California
    I'm sorry, I don't understand what you mean here.

    I don't know, I've not tried it.


    ----
    rich
     
  24. The Red Moon

    The Red Moon Registered Member

    Joined:
    May 17, 2012
    Posts:
    4,101
    Just a query, please. Besides my inbuilt security, is there any form of Windows built-in anti-executable feature?

    I know there is a whitelisting feature in the parental controls of Windows, but besides installing EMET, what other measures can I take to harden and secure my system?
    Thank you.
     
  25. Kerodo

    Kerodo Registered Member

    Joined:
    Oct 5, 2004
    Posts:
    8,013
    The "leak tests" have nothing to do with something coming in, which is what you are arguing above that one should block or stop. An up-to-date browser, perhaps with NS, is the best protection against that. If something does get past the browser, then AE, as Rmus has shown, will stop that cold.

    Leak tests test your firewall's outbound protection. That implies that something has gotten in and installed already. AE would have prevented this from happening in the first place, so the firewall's outbound protection is largely moot anyway.
     