Application Whitelisting / Anti-Executable

Discussion in 'other anti-malware software' started by rm22, Feb 14, 2016.

  1. rm22

    rm22 Registered Member

    Joined:
    Oct 26, 2014
    Posts:
    328
    Location:
    Canada
    I've been hunting for info on Application Whitelisting and haven't found much yet. Anyone know of some good sources... or if you could comment on...

    - general vulnerabilities & protection for the majority of products in this class
    - benchmarking of products
    - pros & cons of local and cloud whitelists
    - rationale for doubling up - for example, I've seen a lot of AppGuard + NVT in signatures

    I'd also be interested to hear what you are using for your setup and if you can elaborate on why. I've used a few products for whitelisting - VoodooShield, Online Armor, and Avast(Hardened mode - Aggressive).

    Thanks
     
  2. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    8,026
    Location:
    The Netherlands
    If you're looking for the most simple anti-exe app, then choose ERP. If I'm correct, VS and AG offer a couple of extra features, but especially AG is way too complex. I get a headache every time I read the AG help file. I do not have any info about how effective all these tools are against exploits though. In theory they should all be able to stop payloads/malware that's being executed by the exploited process.
     
  3. rm22

    rm22 Registered Member

    Joined:
    Oct 26, 2014
    Posts:
    328
    Location:
    Canada
    Thanks Rasheed - the 3 I've tried are very easy to use as well - so lots of options. Isn't it odd how little information there is in the way of reviews/benchmarking considering how effective experts claim Application Whitelisting to be...
     
  4. Infected

    Infected Registered Member

    Joined:
    Feb 9, 2015
    Posts:
    665
    Also SecureAPlus has White listing..
     
  5. hjlbx

    hjlbx Guest

    None will block the exploit itself - but all will block the dropped file from an exploit.

    On the other hand, white-listing (anti-executable) softs can be bypassed through various techniques of abusing trusted\vulnerable processes.

    For maximum protection against bypass, NVT ERP should be bolstered by adding additional vulnerable objects to default vulnerable process list - such as certain NET Framework and SystemRoot executables.

    VS has a static vulnerable process list and cannot be modified by user.

    AppGuard is not a white-listing (anti-executable) soft, but rather a software restriction policy soft - and therefore - is not susceptible to the above bypass techniques.

    @Rasheed187 - AppGuard is not that difficult to master. I am a knucklehead - if I can figure it out, then you most surely can do the same... LOL.
     
  6. Azure Phoenix

    Azure Phoenix Registered Member

    Joined:
    Nov 22, 2014
    Posts:
    357
    Yes. One has to have patience to let it finish its initial scan, which can take a lot of time, to whitelist all known safe/not dangerous files in the PC.
     
  7. Infected

    Infected Registered Member

    Joined:
    Feb 9, 2015
    Posts:
    665
    Yes I agree, it can take some time for it to finish scanning.
     
  8. rm22

    rm22 Registered Member

    Joined:
    Oct 26, 2014
    Posts:
    328
    Location:
    Canada
    Thanks for the info - I found a bit on these bypass techniques, which is partly why I posted the questions...

    What other options are there to effectively block this - HIPS/BB, EMET? And is anyone bothering to write exploits to bypass - Application Whitelisting is far from mainstream.
     
  9. hjlbx

    hjlbx Guest

    White-listing is main-stream at Enterprise level; home use - very little.

    Some recommendations to supplement are HIPS, anti-exploit and software restriction policy - to add functionality not supplied by white-listing and also to add an additional layer of protection.

    Yes. Malware authors continually try to bypass white-listing.

    For home use I combine AppGuard + NVT ERP + HMP.A - and they work very well together.
     
  10. rm22

    rm22 Registered Member

    Joined:
    Oct 26, 2014
    Posts:
    328
    Location:
    Canada
    right - so AppGuard has adequate HIPS functionality as well - yes?

    What about limiting execution in a sandbox like Sandboxie - I'd assume this would work like whitelisting, but at least contain a bypass to the sandbox.

    Any good alternatives to AppGuard that operate on SRP? I'm on 'Home' licenses so no Applocker - if that is even a good option.

    Would it be just as valid to rely on a (what I assume to be) stronger BB like WSA or EAM instead of SRP to complement whitelisting?
     
  11. paulderdash

    paulderdash Registered Member

    Joined:
    Dec 27, 2013
    Posts:
    1,132
    Location:
    Cape Town, South Africa
    :) @hjlbx you certainly are no knucklehead! I also think it is fairly difficult to wrap one's head around AG, but I also use, and like, that combination.
     
  12. hjlbx

    hjlbx Guest

    AppGuard is not HIPS, it is Software Restriction Policy software; it does alert if there is an execution block event - if that is what you mean.

    Sandboxie can be configured to allow only a specific program to run inside the sandbox - for example - your browser. So in that regard the sandbox can be made a sort of anti-executable\white-list.

    Alternatives to AppGuard are Excubits Bouncer and NoVirusThanks Smart Object Blocker.

    However, Bouncer and SOB are all about user creating rules manually - whereas AppGuard is the most user-friendly SRP that I can find. For the most part, once configured, it is set-and-forget.

    Bouncer and SOB are both freeware. Premium Bouncer just allows creation of more rules and costs about $75 or so.

    EAM behavior blocker is an alternative, but it can be bypassed. WSA not so good protection.

    AppGuard protection is the most robust that I could find; I ditched all AVs because of it... :D

    Completely forget AppLocker. On W10 it is available to only Enterprise and Education editions of Windows.
     
  13. rm22

    rm22 Registered Member

    Joined:
    Oct 26, 2014
    Posts:
    328
    Location:
    Canada
    Great - Thanks again for all the info

    ok - I thought I'd read somewhere that AppGuard also had a HIPS component to it.

    Bouncer and SOB are definitely over my head - I've attempted to follow the threads without much success...

    Back to whitelisting... it seems most people on Wilders are using NVT ERP or VS for whitelisting, which I believe both generate local whitelists (I haven't used ERP). Do you know if there is an advantage to this over cloud-based whitelists like those used by Online Armor and Avast (Hardened mode - Aggressive), other than that the cloud whitelists don't work when you're offline? I only get a few popups a year with OA and Avast.
     
  14. hjlbx

    hjlbx Guest

    User has much greater control over defining white-list with NVT ERP - especially vulnerable processes.

    VS has static vulnerable process list - but user can enable\disable as they wish.

    NVT ERP is one of the best security softs...
     
  15. rm22

    rm22 Registered Member

    Joined:
    Oct 26, 2014
    Posts:
    328
    Location:
    Canada
    and I assume OA and Avast would also use a static vulnerable process list...
     
  16. hjlbx

    hjlbx Guest

    Not sure since I have never used OA (since it was being phased-out\discontinued) nor Avast.

    The benefit to security soft vendor file reputation database (white-list\safe-list) is that typically it contains millions of files.

    However, the soft might not permit the user to define vulnerable processes - especially SystemRoot files.

    The ability to define vulnerable processes as the user sees fit is the great advantage of NVT ERP.
     
  17. paulderdash

    paulderdash Registered Member

    Joined:
    Dec 27, 2013
    Posts:
    1,132
    Location:
    Cape Town, South Africa
    +1
     
  18. Peter2150

    Peter2150 Global Moderator

    Joined:
    Sep 20, 2003
    Posts:
    17,040
    Hi rm22

    My setup is EIS, SBIE, AppGuard, ERP, and Heimdal Pro. I added ERP to the list after watching Wilders user RMUS defeat all kinds of stuff using nothing but an old version of Faronics AE. NVT has way strengthened ERP with the advanced process tab, and also being able to whitelist command-line strings. That has reined in stuff like rundll.

    And I agree it takes a bit to wrap your mind around AppGuard, but it is worth the effort.

    Pete
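
To make the points in hjlbx's and Peter2150's posts concrete, here is an added example, not code from the thread or from NVT ERP, VoodooShield or AppGuard: a toy anti-executable policy evaluator in Python that combines a local hash whitelist, a "vulnerable process" list that strips location-based trust from abusable system executables, and per-process command-line allow rules of the kind used to rein in rundll32. The trusted directories, process names, regex and sample events are constructed assumptions, not any product's defaults.

```python
"""Toy anti-executable policy evaluator (added example, not code from the
thread or from any product it mentions).

It models three ideas from the discussion:
  * a local, user-controlled hash whitelist;
  * a "vulnerable process" list: trusted-location executables that lose
    location-based trust because they can be abused to run other code;
  * command-line allow rules that rein in such processes (e.g. rundll32).
All paths, hashes and events below are constructed sample data.
"""
import hashlib
import re
from dataclasses import dataclass

# Directories whose executables are trusted by location (constructed).
TRUSTED_DIRS = ("c:\\windows\\", "c:\\program files\\")

# Executables that do NOT get location-based trust (constructed list).
VULNERABLE_PROCESSES = {
    "rundll32.exe", "regsvr32.exe", "powershell.exe", "wscript.exe", "mshta.exe",
}

# Per-process command-line allow rules: the argument string must match one of
# these regexes, otherwise the launch is blocked. Only rundll32 has a rule here
# (opening a Control Panel applet), so every other vulnerable process is
# blocked outright by default.
CMDLINE_ALLOW = {
    "rundll32.exe": [re.compile(r"^shell32\.dll,Control_RunDLL\b", re.I)],
}


@dataclass(frozen=True)
class ExecEvent:
    image: str   # full path of the image being launched
    sha256: str  # hex SHA-256 of the image file on disk
    args: str    # command-line arguments after the image token


@dataclass(frozen=True)
class Decision:
    allow: bool
    reason: str


def sha256_hex(data: bytes) -> str:
    """Hash used both for building the whitelist and for checking events."""
    return hashlib.sha256(data).hexdigest()


def basename(path: str) -> str:
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def in_trusted_dir(path: str) -> bool:
    p = path.replace("/", "\\").lower()
    return any(p.startswith(d) for d in TRUSTED_DIRS)


def decide(ev: ExecEvent, whitelist: set) -> Decision:
    """Evaluate one process-start event against the policy, default-deny."""
    name = basename(ev.image)
    # 1. Vulnerable processes never inherit trust from their location or hash;
    #    they run only with an explicitly approved command line.
    if name in VULNERABLE_PROCESSES:
        for rule in CMDLINE_ALLOW.get(name, []):
            if rule.search(ev.args):
                return Decision(True, f"{name}: command line matches {rule.pattern!r}")
        return Decision(False, f"{name}: vulnerable process, no command-line rule matched")
    # 2. Anything on the local hash whitelist may run from any location.
    if ev.sha256.lower() in whitelist:
        return Decision(True, f"{name}: hash on local whitelist")
    # 3. Remaining executables in trusted directories are allowed by location.
    if in_trusted_dir(ev.image):
        return Decision(True, f"{name}: trusted location")
    # 4. Everything else is blocked.
    return Decision(False, f"{name}: not whitelisted (default deny)")


# --- constructed sample data --------------------------------------------
FIREFOX_STANDIN = b"constructed stand-in for firefox.exe bytes"


def sample_whitelist() -> set:
    """Whitelist with one entry; a real one hashes the files on disk."""
    return {sha256_hex(FIREFOX_STANDIN)}


def run_samples():
    """Return (image basename, Decision) for a handful of constructed events."""
    events = [
        ExecEvent(r"C:\Program Files\Mozilla Firefox\firefox.exe",
                  sha256_hex(FIREFOX_STANDIN), ""),
        ExecEvent(r"C:\Users\rm22\Downloads\invoice.exe",
                  sha256_hex(b"unknown download"), ""),
        ExecEvent(r"C:\Windows\System32\notepad.exe",
                  sha256_hex(b"notepad stand-in"), "readme.txt"),
        ExecEvent(r"C:\Windows\System32\rundll32.exe",
                  sha256_hex(b"rundll32 stand-in"), "shell32.dll,Control_RunDLL desk.cpl"),
        ExecEvent(r"C:\Windows\System32\rundll32.exe",
                  sha256_hex(b"rundll32 stand-in"), r"C:\Users\Public\unknown.dll,Run"),
        ExecEvent(r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
                  sha256_hex(b"powershell stand-in"), "-NoProfile -File script.ps1"),
    ]
    wl = sample_whitelist()
    return [(basename(e.image), decide(e, wl)) for e in events]


if __name__ == "__main__":
    for name, d in run_samples():
        print(f"{'ALLOW' if d.allow else 'BLOCK':5} {d.reason}")
```

The ordering in `decide` is the point: a vulnerable process is checked before the hash and location rules, so putting rundll32 on that list removes the automatic trust it would otherwise get from living in System32, and only the command lines you have explicitly approved get through. Adding an entry to `VULNERABLE_PROCESSES` with no matching `CMDLINE_ALLOW` rule blocks that executable entirely, which is the "bolster the default list" approach hjlbx describes.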
     
  19. SHvFl

    SHvFl Registered Member

    Joined:
    May 7, 2015
    Posts:
    530
    Can someone explain if there is an advantage in a KMD (kernel mode driver) over hooking? I assume the question is correct, but if not forgive me because I am a novice on the subject.
     
  20. rm22

    rm22 Registered Member

    Joined:
    Oct 26, 2014
    Posts:
    328
    Location:
    Canada
    Thanks guys - I'll definitely have a better look at AppGuard and your other suggestions :)

    @Peter2150 - are you not running an anti-exploit in your mix? If not, can you comment on this?
    @paulderdash - how does your Win 8.1 setup play with Sbie? I've stayed with EMET so far to avoid conflicts.
    @hjlbx - do you mind sharing what else is in your setup - WFC 4 for outbound firewall? virtualization?
    @Rasheed187 - I was looking at an old thread of yours looking into options for trialing security apps with light virtualization instead of a VM... any luck? I was going to start playing around with VirtualBox last year, but have never gotten around to it.

    my current setup is all freeware - mostly because I've spent the last 2 years slowly trying to figure out what to spend $$ on. The end of OA in 6 weeks is motivating me now :)

    Win 7 SP1 64-bit , UAC Max , SUA , unused services disabled
    RT :: OA , EMET(Max) , Zemana AL , Avast(Hardened mode - Aggressive)
    Web :: Sbie :: Firefox :: uBlock O , NS(Global Allow All) , BetterPrivacy , HTTPS Everywhere
    Backup :: Syncbackfree(Mirror) , Windows native System Image tool
    OD :: EEK , MBAM , Eraser , SafeHouse Explorer
     
  21. hjlbx

    hjlbx Guest

    @rm22

    This is my config:
    • AppGuard - version Lifetime (paid - $39.95 & beta)
    • Sandboxie - Lifetime (paid - $50)
    • NoVirusThanks Exe Radar Pro - Lifetime (freeware)
    • HitmanPro.Alert - Subscription (Haven't released new price yet & beta)
    • Adguard - Lifetime (paid - $7 US by using $ to Roubles exchange rate & beta)
    • Windows Firewall Control - Lifetime + Unlimited Installs (paid - $10)
    For less than $150 you can get a rock-solid security config that works well, with 90% Lifetime licenses (or $60 + beta licenses).
     
  22. Peter2150

    Peter2150 Global Moderator

    Joined:
    Sep 20, 2003
    Posts:
    17,040
    Not exactly sure what you mean, but yes I run HitmanPro Alert
     
  23. marzametal

    marzametal Registered Member

    Joined:
    Mar 19, 2014
    Posts:
    731
    You might encounter some frustration with ERP in SUA. I ended up ditching it because I had to run through settings and tick/untick relevant boxes in Settings after each loading of Windows. The Developer hasn't answered any request about including this feature in future releases. SpyShelter is in the same boat. Just a heads up because I noticed you wrote SUA in your post.

    If this doesn't irritate you, then ERP rules :)
     
  24. paulderdash

    paulderdash Registered Member

    Joined:
    Dec 27, 2013
    Posts:
    1,132
    Location:
    Cape Town, South Africa
    I only use Sbie occasionally on demand, for browsing (Firefox) only, but have no problems with my config.
    Sbie is about containment, EMET functionality equivalents are HMPA and MBAE (anti-exploit) so not really comparable. I use HMPA on my main laptop.
     
  25. rm22

    rm22 Registered Member

    Joined:
    Oct 26, 2014
    Posts:
    328
    Location:
    Canada
    very good to know - thanks!
     