Anything similar to Faronics Anti-Executables?

Discussion in 'other anti-malware software' started by erlee, Mar 3, 2008.

Thread Status:
Not open for further replies.
  1. erlee

    erlee Registered Member

    Joined:
    Nov 19, 2007
    Posts:
    15
    Hi,
    Just canvassing opinions about Anti-Exec. Is there anything better than AE?

    AE works fine, but whenever I have installed a new program, I need to update the white list, and it takes hours if my hard disk is large. It takes hours to re-scan the HD for exes. Then multiply by the number of PCs I have to update.

    Is there anything better than anti-Exec?

    Thanks:)
     
  2. BlueZannetti

    BlueZannetti Administrator

    Joined:
    Oct 19, 2003
    Posts:
    6,590
    erlee,

    The initial whitelist scan can take hours on a large and populated drive. However, once this is completed, subsequent whitelist activity (for example following a disable AE/install/enable AE operation) is rather quick since only the new files accessed during the disabled state are added.

    If you perform a system wide disk scan with AE disabled, that will yield a result that appears equivalent to the initial AE scan since all files on the system would have been accessed and their whitelist status will be rechecked on enabling AE.

    Blue
     
  3. Kees1958

    Kees1958 Registered Member

    Joined:
    Jul 8, 2006
    Posts:
    5,857
    Not better, but similar without white lists: SpywareTerminator's HIPS feature
     
  4. erlee

    erlee Registered Member

    Joined:
    Nov 19, 2007
    Posts:
    15
  5. LoneWolf

    LoneWolf Registered Member

    Joined:
    Jan 2, 2006
    Posts:
    3,408
    They had one by this name a while back which they had discontinued.
    I believe it was "trust no exe" that they bought out.
    Hopefully the new version will be improved and as good as Anti Executable, as well as compedibly priced.
     
  6. EASTER

    EASTER Registered Member

    Joined:
    Jul 28, 2007
    Posts:
    5,633
    Location:
    U.S.A. (South)
    I really think you should not be deterred or frustrated with AE because it re-inventories your whole file system in order to accept new entries, almost like an AV recovery database. Sure, it takes some time, but hours? I have a 200GB Maxtor and it never took hours :eek:
    So I dunno why that type of delay.

    More on your topic though, if I were in your shoes and felt disenchanted over AE to the point of needing a replacement, I would no doubt have to turn to EQS (HIPS) because it not only covers executables but also scripts/registry etc., something AE is not yet made for if it ever will.
     
  7. n8chavez

    n8chavez Registered Member

    Joined:
    Jul 19, 2003
    Posts:
    2,302
    Location:
    Location Unknown
    Wow, Easter. It's getting to the point now where I don't have to read your posts to know what you are saying. I think we all get it now....you are pro EQS.
     
  8. EASTER

    EASTER Registered Member

    Joined:
    Jul 28, 2007
    Posts:
    5,633
    Location:
    U.S.A. (South)
    Well, the reason is simple: I also have AE and quite a few other security apps of course which I've brought in over time. I just can't find another app that is as full-featured in so many areas of coverage, alerts as expected, never misses, and is super-lite and fully stable even if I install ANY of my other security apps along with it. That's a huge plus when you read of so many marathon conflicts between semi and similar apps, or opposites.

    More OT. The topic author certainly makes a very valid concern here. Any HIPS aside, I don't know of any program that could come close to offering the type of protection that AE does for normal system executables and as well. To me it behaves so much like an AV in many ways and that's due to its in-built code detections.

    I would be just as interested if there is another app as similar to AE myself.
     
  9. Rmus

    Rmus Exploit Analyst

    Joined:
    Mar 16, 2005
    Posts:
    3,943
    Location:
    California
    Hello Easter,

    I just sent you a PM with an Autorun.inf file and a .vbs file for you to test. Please post a screenshot of the alert message you get from EQS.

    thanks,

    rich
     
  10. aigle

    aigle Registered Member

    Joined:
    Dec 14, 2005
    Posts:
    11,047
    Location:
    Saudi Arabia/ Pakistan
    From CFP (same is true for EQS, I think). I created a rule for autoruns in CFP, but it is there in EQS by default.
     


  11. Rmus

    Rmus Exploit Analyst

    Joined:
    Mar 16, 2005
    Posts:
    3,943
    Location:
    California
  12. EASTER

    EASTER Registered Member

    Joined:
    Jul 28, 2007
    Posts:
    5,633
    Location:
    U.S.A. (South)
    Hi Rmus

    Just now seen your PM and am in progress of running it. You must be a Sorcerer of White Magic and reading my mind at a distance because I was thinking today where I might find that EXACT finjan test again. I lost the vbs file I had but thanks to you I can run it again.

    Little slow here but I'll give it a spin per your PM and report back. I'm probably gonna test it against both 3.41 & 4.0 beta to see if both returns are similar or different results.

    Regards EASTER
     
  13. Thankful

    Thankful Savings Monitor

    Joined:
    Feb 28, 2005
    Posts:
    3,736
    Location:
    New York City
  14. alex_s

    alex_s Registered Member

    Joined:
    Aug 13, 2007
    Posts:
    1,251
    What is this AE about? Does it do more than any popular HIPS?
     
  15. Thankful

    Thankful Savings Monitor

    Joined:
    Feb 28, 2005
    Posts:
    3,736
    Location:
    New York City
    The new program is called Executable Lockdown and is completely different from
    Exe Lockdown. There will be no freeware version.
     
  16. Cerxes

    Cerxes Registered Member

    Joined:
    Sep 6, 2005
    Posts:
    581
    Location:
    Northern Europe
    Regard it as a limited HIPS whose purpose is simply default-deny. It allows users to run whitelisted applications, while preventing the execution of the non-whitelisted executables.

    /C.
     
  17. alex_s

    alex_s Registered Member

    Joined:
    Aug 13, 2007
    Posts:
    1,251
    Aha, thanks. Does it control execution in kernel or in userland? What about autoruns?
     
  18. lucas1985

    lucas1985 Retired Moderator

    Joined:
    Nov 9, 2006
    Posts:
    4,047
    Location:
    France, May 1968
    I'm sure it has a kernel driver to enforce the policy. It doesn't cover autoruns because it doesn't need to do so.
     
  19. ErikAlbert

    ErikAlbert Registered Member

    Joined:
    Jun 16, 2005
    Posts:
    9,455
    Anti-Executable has a Quintuple Verification.
    Whitelist verifies:
    * File Size
    * File Type
    * File Location
    * Creation Date
    * Code Sample

    http://www.faronics.com/html/AntiExec.asp
    You better trial AE, because this is a very strict software, you might not like it in the end.
    Very unusual software too, so read the welcome email or help, otherwise you get lost. It hides itself very well, icon doesn't work like others, special uninstalling procedure, no access to its folder, password protected.
     
    Last edited: Apr 17, 2008
  20. Thankful

    Thankful Savings Monitor

    Joined:
    Feb 28, 2005
    Posts:
    3,736
    Location:
    New York City
  21. Pedro

    Pedro Registered Member

    Joined:
    Nov 2, 2006
    Posts:
    3,502
    Renamed Process Explorer to procexp.bat and it executed just fine, no alert. heh
    I just noticed it's more expensive than AE, I mean, $49..
     
  22. Thankful

    Thankful Savings Monitor

    Joined:
    Feb 28, 2005
    Posts:
    3,736
    Location:
    New York City
    I am quite happy with AE.
     
  23. ErikAlbert

    ErikAlbert Registered Member

    Joined:
    Jun 16, 2005
    Posts:
    9,455
    A pure system partition has only Windows and Applications and no data.
    Do you have so many applications that it takes AE hours to re-scan your system partition? Do you use all these applications or are you just a collector of applications without using them?
    The very first scan took some time, but after that any new application was a matter of seconds to adjust the whitelist.
     
  24. Chris12923

    Chris12923 Registered Member

    Joined:
    May 31, 2004
    Posts:
    1,097
    So you took a whitelisted program and renamed it and it ran... why is this a bad thing? Try taking a blacklisted program and renaming it to a whitelisted program and if it runs that's a bad thing. But I can assure you it will not :)

    Also it's 39 dollars now.

    Thanks,

    Chris
     
    Last edited: May 29, 2008
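
An added example (not part of the thread, and not Faronics' code) of two behaviours discussed above: a rescan after the initial scan only processes new or changed files, and a decision keyed on file content lets a renamed whitelisted program run while denying unlisted content that borrows a whitelisted name. The `Allowlist` class, the size/magic-bytes/SHA-256 fingerprint (standing in for a vendor "code sample") and the sample files are assumptions made for illustration.

```python
import hashlib, os, tempfile

class Allowlist:
    """Illustrative default-deny allowlist keyed on content (assumed design, not AE's)."""
    def __init__(self):
        self.allowed = set()  # (size, leading magic bytes, SHA-256)
        self.seen = {}        # path -> (size, mtime_ns) from the last scan

    @staticmethod
    def fingerprint(path):
        with open(path, "rb") as f:
            data = f.read()
        return (len(data), data[:2], hashlib.sha256(data).hexdigest())

    def scan(self, root):  # returns how many files had to be hashed
        hashed = 0
        for dirpath, _, names in os.walk(root):
            for name in names:
                path = os.path.join(dirpath, name)
                st = os.stat(path)
                stamp = (st.st_size, st.st_mtime_ns)
                if self.seen.get(path) == stamp:
                    continue  # unchanged since the last scan: skip
                self.allowed.add(self.fingerprint(path))
                self.seen[path] = stamp
                hashed += 1
        return hashed

    def may_run(self, path):
        return self.fingerprint(path) in self.allowed

def write(path, data):
    with open(path, "wb") as f:
        f.write(data)
    return path

def demo():
    tool = b"MZ" + b"trusted tool " * 8  # constructed sample; "MZ" is the PE/DOS magic
    with tempfile.TemporaryDirectory() as root, tempfile.TemporaryDirectory() as other:
        wl = Allowlist()
        write(os.path.join(root, "procexp.exe"), tool)
        first = wl.scan(root)                        # initial full scan
        write(os.path.join(root, "newapp.exe"), b"MZ" + b"new install " * 8)
        second = wl.scan(root)                       # only the new file is hashed
        renamed = write(os.path.join(other, "procexp.bat"), tool)
        fake = write(os.path.join(other, "procexp.exe"), b"MZ" + b"unlisted " * 8)
        return first, second, wl.may_run(renamed), wl.may_run(fake)

if __name__ == "__main__":
    print(demo())
```

The fingerprint deliberately leaves out file location and creation date, so the rename case can be shown; a policy that also pins location would deny the renamed copy as well.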
  25. QQ2595

    QQ2595 Registered Member

    Joined:
    Jan 6, 2008
    Posts:
    159
    As I know, the Returnil new beta has a plugin; I hope I can call it another AE.
