Anti Exes

Discussion in 'other anti-malware software' started by DX2, Mar 1, 2013.

Thread Status:
Not open for further replies.
  1. Hungry Man

    Hungry Man Registered Member

    Joined:
    May 11, 2011
    Posts:
    9,146
    It actually just implies that something has gotten in - you don't need to install, or run a separate payload, to have access to internet.
     
  2. The Red Moon

    The Red Moon Registered Member

    Joined:
    May 17, 2012
    Posts:
    4,101
    Microsoft would appear to share your view on the outbound significance of a firewall. If it were that important then Windows Firewall would have better outbound control.
    A firewall's purpose is to keep bad guys out.
     
  3. AlexC

    AlexC Registered Member

    Joined:
    Apr 4, 2009
    Posts:
    1,288
    That seems right to me.

    One possible configuration would be running the browser inside Sandboxie configured with start/run restrictions (I think this would also address Hungry Man's concern), and complement that with a system-wide anti-exe (NVT or Faronics, for instance).
     
  4. Kerodo

    Kerodo Registered Member

    Joined:
    Oct 5, 2004
    Posts:
    8,013
    This is where EMET would probably be helpful too....
     
  5. pegr

    pegr Registered Member

    Joined:
    Apr 8, 2008
    Posts:
    2,280
    Location:
    UK
    Hi Pete,

    The main difference is that with High, signed user-space executables are allowed to run guarded, and with Locked Down, signed user-space executables are denied execution. How significant the difference is depends on how likely you think you will run into digitally signed malware that is able to bypass the protection AppGuard applies to guarded applications. The trouble with Locked Down is that it is extremely inflexible with regard to user-defined configuration settings.

    Personally, for normal operation I use High. I don't believe that BRN would have made High the default mode when AppGuard is initially installed if they thought it were unsafe to use. Barb_C said that she uses High on her own machine. That said, if I wanted to engage in a high-risk activity such as deliberately visiting a malware distribution site for research purposes, and I weren't also using Sandboxie and Shadow Defender, I would temporarily engage Locked Down for extra safety. Locked Down is a good way of applying maximum protection, providing that the inflexibility it imposes in terms of loss of configuration options is acceptable.

    Kind regards
    pegr
     
  6. arran

    arran Registered Member

    Joined:
    Feb 5, 2008
    Posts:
    1,156
    Yes it does. Leak tests do have something to do with something coming in. For example, Java might piggyback on another application which has internet permissions to connect out and download an exe file.

    Umm, no it doesn't imply that something has gotten in and installed already; what it means is that something has gotten in but not actually installed, because how can it install if AE intercepts it from running?

    AE doesn't prevent the process from happening in the first place; it prevents the malicious file from running after the malicious file has already entered the system. It's the firewall's job to prevent the whole process from starting in the first place by stopping the malicious file from being downloaded to the OS.
     
  7. AlexC

    AlexC Registered Member

    Joined:
    Apr 4, 2009
    Posts:
    1,288
  8. jmonge

    jmonge Registered Member

    Joined:
    Mar 20, 2008
    Posts:
    13,744
    Location:
    Canada
    Interesting :thumb:
     
  9. Kerodo

    Kerodo Registered Member

    Joined:
    Oct 5, 2004
    Posts:
    8,013
    Yeah, it does look interesting, but the only thing that puts me off is an almost total lack of technical info on their web site. It looks more like just some kind of marketing effort than anything else. But it might be worth a try just to find out...
     
  10. The Red Moon

    The Red Moon Registered Member

    Joined:
    May 17, 2012
    Posts:
    4,101
    It looks very plain Jane, but what is under the hood is what counts.
     
  11. AlexC

    AlexC Registered Member

    Joined:
    Apr 4, 2009
    Posts:
    1,288
    Yes, you're right. I can't even find if it is compatible with Win7 x64.

    I've also seen in another post that it won't block a .exe file with a long name...

    This is a post dated from August 30th, 2011, so maybe something has changed meanwhile.

    Edit: ...or maybe not. The last version is dated from August 7, 2011...

     
    Last edited: Mar 7, 2013
  12. Kerodo

    Kerodo Registered Member

    Joined:
    Oct 5, 2004
    Posts:
    8,013
    Hmmm.. Yeah, maybe it's best to pass on this one..
     
  13. AlexC

    AlexC Registered Member

    Joined:
    Apr 4, 2009
    Posts:
    1,288
    Agree... those are 2 serious flaws.

    I wonder if the same works with NVT.
     
  14. Kerodo

    Kerodo Registered Member

    Joined:
    Oct 5, 2004
    Posts:
    8,013
    I don't know. Only one way to find out I guess.. :)
     
  15. Rmus

    Rmus Exploit Analyst

    Joined:
    Mar 16, 2005
    Posts:
    4,020
    Location:
    California
    I wrote earlier that I thought Java was like PDF and didn't connect to the internet. I said I hoped someone could confirm that.

    Well, it appears that at least one web site that uses a Java applet does connect out.

    Upon connecting, a firewall alert displays:

    [image: headlinessalons.jpg]

    Note that the outbound connection is to the site itself (same IP address). From Whois:

    Permitting the outbound connection causes the buttons on the left side to load. This is the navigation menu for the site.

    [image: headlinessalons-2.jpg]



    ----
    rich
     
  16. m00nbl00d

    m00nbl00d Registered Member

    Joined:
    Jan 4, 2009
    Posts:
    6,623
    I hope my memory still serves me well. Last year I was testing something with Java, and for testing purposes I used Secunia's online service that scans for outdated programs on our computers, and I believe I had to create exception rules for Java processes in the firewall.
     
  17. ichito

    ichito Registered Member

    Joined:
    Jan 14, 2011
    Posts:
    1,997
    Location:
    Poland - Cracow
  18. AlexC

    AlexC Registered Member

    Joined:
    Apr 4, 2009
    Posts:
    1,288
    I've seen those already and I even quoted Pedro in a post above. Thanks anyway.
     
  19. AlexC

    AlexC Registered Member

    Joined:
    Apr 4, 2009
    Posts:
    1,288
    I've reproduced the tests made by Pedro in this other thread:
    https://www.wilderssecurity.com/showthread.php?t=306496&highlight=xyvos

    But instead of using Xyvos I used NVT EXE Radar Free.

    First I ran procexp.exe (Process Explorer 15.3) and added it to the blacklist.

    Then I renamed it to a very long sequence of A's, "aaaaaa(...).exe", and executed it.
    Result: EXE Radar blocked it (a warning shows up: "Blocked [blacklist]").

    Then I renamed it to "something.exe", moved the file to another directory, and executed it.
    Result: EXE Radar blocked it (a warning shows up: "Blocked [blacklist]").

    Nice :)

    edited for clarification
     
    Last edited: Mar 23, 2013
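The two steps in AlexC's test (rename to a very long name, then move to another directory under a new name) are exactly the cases that separate an anti-executable that identifies a blacklisted file by its name and path from one that identifies it by its contents. The following is an added illustration in Python, not code from NVT EXE Radar, Xyvos or anyone in this thread, and it makes no claim about how either product is implemented internally: it builds a constructed sample file (not a real binary), blacklists it under two toy policies, and reruns the rename and move steps against each. It also shows the caveat a content-hash blacklist carries, which this thread's tests did not cover: a single changed byte produces a different hash.

```python
import hashlib
import os
import tempfile
from pathlib import Path

# Constructed stand-in for "procexp.exe": a fake MZ header plus filler.
# It is never executed; the test only concerns how the file is identified.
SAMPLE = b"MZ" + b"\x90" * 64 + b"constructed sample, not a real binary"


def sha256_of(path):
    """SHA-256 of a file's contents, read in chunks."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


class NameBlocklist:
    """Toy policy: a blacklist entry is the normalised absolute path."""

    def __init__(self):
        self.blocked = set()

    def block(self, path):
        self.blocked.add(os.path.normcase(os.path.abspath(path)))

    def allows(self, path):
        return os.path.normcase(os.path.abspath(path)) not in self.blocked


class HashBlocklist:
    """Toy policy: a blacklist entry is the SHA-256 of the file's bytes."""

    def __init__(self):
        self.blocked = set()

    def block(self, path):
        self.blocked.add(sha256_of(path))

    def allows(self, path):
        return sha256_of(path) not in self.blocked


def rename_and_move_test(blocklist):
    """Replays the thread's test. Returns three booleans: blocked at the
    original name, blocked after renaming to a 200-character name, and
    blocked after moving to another directory as "something.exe"."""
    with tempfile.TemporaryDirectory() as tmp:
        original = Path(tmp) / "procexp.exe"
        original.write_bytes(SAMPLE)
        blocklist.block(original)
        at_original = not blocklist.allows(original)

        renamed = Path(tmp) / ("a" * 200 + ".exe")   # long-name step
        original.rename(renamed)
        after_rename = not blocklist.allows(renamed)

        moved = Path(tmp) / "other" / "something.exe"  # move step
        moved.parent.mkdir()
        renamed.rename(moved)
        after_move = not blocklist.allows(moved)

        return (at_original, after_rename, after_move)


def blocked_after_byte_change(blocklist):
    """Caveat case: same name and path, but one byte appended to the file.
    A name-based entry still matches; a hash-based entry no longer does."""
    with tempfile.TemporaryDirectory() as tmp:
        p = Path(tmp) / "procexp.exe"
        p.write_bytes(SAMPLE)
        blocklist.block(p)
        p.write_bytes(SAMPLE + b"\x00")
        return not blocklist.allows(p)


if __name__ == "__main__":
    for policy in (NameBlocklist, HashBlocklist):
        print(policy.__name__, rename_and_move_test(policy()),
              "byte change still blocked:", blocked_after_byte_change(policy()))
```

Run as a script it prints that the name-based policy blocks only the original path, while the hash-based policy blocks all three, which is the behaviour AlexC observed. The last column is the trade-off: a hash entry is defeated by any change to the bytes (a repack or an appended byte), so a blacklist that survives renaming and moving is still only as good as its ability to recognise modified copies.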
  20. Peter2150

    Peter2150 Global Moderator

    Joined:
    Sep 20, 2003
    Posts:
    20,590

    That is indeed cool. AlexC could you repost this in the NVT thread. Users who miss it here would love to know.

    Pete
     
  21. Kerodo

    Kerodo Registered Member

    Joined:
    Oct 5, 2004
    Posts:
    8,013
    Yes, thanks AlexC, that is great to know... :)
     