Defend against keyloggers, hooks, rootkits etc.

Discussion in 'other anti-trojan software' started by Wai_Wai, Sep 21, 2006.

Thread Status:
Not open for further replies.
  1. ErikAlbert

    ErikAlbert Registered Member

    Joined:
    Jun 16, 2005
    Posts:
    9,455
  2. Devil's Advocate

    Devil's Advocate Registered Member

    Joined:
    Feb 5, 2006
    Posts:
    549
    No No, a bigger problem is that Boclean uses blacklists. It's no different from antiviruses, Ewido, A2 squared in that respect.

    I'm surprised Erikalbert would consider it. :)
     
  3. Devil's Advocate

    Devil's Advocate Registered Member

    Joined:
    Feb 5, 2006
    Posts:
    549
    I guess it depends on what type of keyloggers you mean, the 'legitimate' kinds or the not so legitimate kinds.

    In any case, what would you recommend to stop the type of keyloggers you are talking about? Any generic methods?
     
  4. ErikAlbert

    ErikAlbert Registered Member

    Joined:
    Jun 16, 2005
    Posts:
    9,455
    In that case I'm not interested anymore in BOClean. I must stick to the basic principles of my security setup: rollback, whitelists and maybe something else I'm still not aware of.

    I read that Anti-Executable doesn't protect me against scripts, but Anti-Executable isn't my only protection.
    I ignore and remove any unknown email without even opening them.
    Firefox doesn't allow any scripts with the right settings and extensions.
    I assume that scripts, if they succeed in installing themselves, cause changes in my frozen snapshot, but those changes are removed during the next reboot. Maybe frozen snapshots don't remove everything, but that has to be PROVEN first. And even when that happens, I can still create a new snapshot via my original clean archived snapshot on my external hard disk and freeze it back.
    I'm not saying I have the 100% solution, I'm just trying to find out what is missing to make it better. After all, I'm not a security expert.
    Nevertheless I'm already better protected than a user whose security is mainly based on blacklist security software.
    HIPS is also very good, unfortunately not for my kind of users.
    I didn't test Anti-Executable thoroughly yet due to lack of time, but I already noticed that I can't install anything with AE enabled, not even legitimate software, and all my whitelisted applications are running without problems.
    I can't do it all at once, but I'm getting closer and closer every day. :)
     
    Last edited: Sep 25, 2006
  5. aigle

    aigle Registered Member

    Joined:
    Dec 14, 2005
    Posts:
    11,164
    Location:
    UK / Pakistan
    So you think Anti-Executable is not a HIPS?
     
  6. ErikAlbert

    ErikAlbert Registered Member

    Joined:
    Jun 16, 2005
    Posts:
    9,455
    No it isn't, because Anti-Executable (AE) is based on a whitelist of applications on your computer, anything else is not allowed to be installed or to run.
    AE doesn't even ask questions, like yes or no. It simply says you are not allowed to do this or this software isn't allowed to do this.
    You can't get access to AE without a password.
    AE is one of the most hidden softwares, I've ever seen.
    You don't see it in Add/Remove Programs.
    You don't see it in the programs menu.
    You only see a folder in Windows Explorer, that can't be accessed and an icon in the system tray and even the icon can be hidden with a setting.

    You can't click on the icon, you can't right-click on the icon. It doesn't act like a normal icon. You can't uninstall AE in the usual way. You really have to read the welcome email or the manual to work with AE.
    The first time I installed AE, I thought it didn't work or wasn't even installed. AE is a very unusual software. :D
     
  7. mercurie

    mercurie A Friendly Creature

    Joined:
    Nov 28, 2003
    Posts:
    2,448
    Location:
    Sky over the Wilders Forest
    I'm not sure I understand what your problem is with BOClean. Can you elaborate?
     
  8. ErikAlbert

    ErikAlbert Registered Member

    Joined:
    Jun 16, 2005
    Posts:
    9,455
    The only way is testing it yourself and that takes quite some time. I'm not planning to wait for a security expert to get a complete evaluation of my security setup.
    Since I'm no expert, I can only test my security setup with the very best scanners. If they don't find anything after 6 or 12 months, I know at least, that I don't need them anymore, but that doesn't mean my computer is clean.
    I can also go to dangerous websites to test my security setup, but the problem is, how will I know for sure my computer is still clean?
     
  9. bellgamin

    bellgamin Registered Member

    Joined:
    Aug 1, 2002
    Posts:
    8,102
    Location:
    Hawaii
    BOClean is mainly a Blacklist-type program.

    Blacklist databases consist of signatures of bad guys. Blacklists raise a red flag if a process is in its bad guy database. Everything else is "okay."

    Whitelist databases consist of hashes of okay guys. A process is okay ONLY if it is actually recorded in the okay database. Whitelists raise a red flag for EVERYTHING else.

    Prevx is an example of a Whitelist-type program. There are several other such programs including but not limited to System Safety Monitor & Online Armor -- but each program has its own approaches & peculiarities for using the whitelist concept.
    ~~~~~~~
    Assume ProcessX is a nasty.

    If Blacklist doesn't see ProcessX on its *bad list* it lets it enter.

    If Whitelist doesn't see ProcessX on its *okay list* it raises a red flag.

    Ergo, Blacklist is more likely to allow a nasty than Whitelist. Whitelist is more likely to raise a red flag about a new or unknown but okay program, but is MUCH more likely to raise a red flag about a hitherto unknown nasty or zero day nasty.
     
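    bellgamin's ProcessX comparison, as an added example that is not part of the thread: a hash-based blacklist and a hash-based whitelist applied to the same constructed set of files, including an unknown okay program, a hitherto unknown nasty, and a known nasty with one byte appended (the morphing case). Every file content and list entry below is constructed.

```python
import hashlib

# Constructed stand-ins for executables: name -> (file bytes, is it actually malicious?)
SAMPLE_FILES = {
    "notepad.exe":  (b"MZ-notepad-build-1", False),    # installed by the user
    "word.exe":     (b"MZ-word-build-1", False),       # installed by the user
    "newtool.exe":  (b"MZ-new-harmless-tool", False),  # unknown but okay
    "oldnasty.exe": (b"MZ-known-nasty", True),         # in the vendor's signature list
    "processx.exe": (b"MZ-zero-day-nasty", True),      # hitherto unknown nasty
    # the known nasty with one byte appended: same malware, different hash
    "morphed.exe":  (b"MZ-known-nasty" + b"\x00", True),
}

def sha256(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()

# Blacklist: signatures of known bad guys (constructed; only oldnasty is known).
BLACKLIST = {sha256(b"MZ-known-nasty")}
# Whitelist: hashes of what the user installed and approved (constructed).
WHITELIST = {sha256(b"MZ-notepad-build-1"), sha256(b"MZ-word-build-1")}

def blacklist_decision(data: bytes) -> str:
    """Raise a flag only if the hash is in the bad-guy database; everything else is okay."""
    return "block" if sha256(data) in BLACKLIST else "allow"

def whitelist_decision(data: bytes) -> str:
    """Allow only if the hash is in the okay database; everything else raises a flag."""
    return "allow" if sha256(data) in WHITELIST else "block"

def evaluate() -> dict:
    """Count each approach's errors against the constructed ground truth."""
    errors = {"blacklist": {"nasty_allowed": [], "okay_blocked": []},
              "whitelist": {"nasty_allowed": [], "okay_blocked": []}}
    for name, (data, is_nasty) in SAMPLE_FILES.items():
        for approach, decide in (("blacklist", blacklist_decision),
                                 ("whitelist", whitelist_decision)):
            verdict = decide(data)
            if is_nasty and verdict == "allow":
                errors[approach]["nasty_allowed"].append(name)
            if not is_nasty and verdict == "block":
                errors[approach]["okay_blocked"].append(name)
    return errors

if __name__ == "__main__":
    for approach, errs in evaluate().items():
        print(approach, errs)
```

    The blacklist lets both the zero-day and the morphed copy through with no false alarms; the whitelist stops every nasty but flags the harmless unknown tool.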
  10. StevieO

    StevieO Registered Member

    Joined:
    Feb 2, 2006
    Posts:
    1,067
    Attention

    BOClean does actually have heuristics built in as well as its defs database, which obviously isn't as well known as it should be!

    Therefore calling it just a Blacklister is incorrect, and potentially damaging to its solid reputation too.

    Also, calling any product that has defs in it a blacklister does in fact completely differentiate it from strictly Black/White listing type Apps. These can be very good, I use one myself, but are Not the same as ones with defs in, nor do they operate/interact etc with malware in the same way either. A lot more goes on under the hood with defs based products, and even more if they include heuristics.


    StevieO
     
  11. herbalist

    herbalist Guest

    Assuming you don't let a rootkit installer run, there are ways to see if anything else gets changed. Using a utility like Inctrl5, take a snapshot of your system before browsing, then take another afterwards. Inctrl5 will let you know about every new or changed file, folder, or registry entry. I used it heavily while testing SSM on my 98 box, and other than files sitting in the browser cache and temp folders, it confirmed that SSM didn't allow anything on my system to be changed. As for rootkits, Inctrl5 probably won't show them once they're installed.
    Rick
     
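    herbalist's before/after snapshot comparison, as an added example that is not part of the thread and not Inctrl5's own code: it records a hash of every file under a folder, compares two such snapshots, and reports new, removed and changed files while skipping an expected-noise cache folder. It covers files only (Inctrl5 also tracks registry entries) and, like any user-mode directory walk, sees nothing a rootkit hides; the folder layout and file contents are constructed.

```python
import hashlib
import os
import tempfile

def snapshot(root: str) -> dict:
    """Record the SHA-256 of every file under root, keyed by a '/'-separated relative path."""
    state = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            with open(full, "rb") as fh:
                state[rel] = hashlib.sha256(fh.read()).hexdigest()
    return state

def diff_snapshots(before: dict, after: dict, ignore_prefixes=()) -> tuple:
    """Return (added, removed, changed) path lists, skipping paths under ignore_prefixes."""
    def noisy(path):
        return any(path.startswith(p) for p in ignore_prefixes)
    added = sorted(p for p in after if p not in before and not noisy(p))
    removed = sorted(p for p in before if p not in after and not noisy(p))
    changed = sorted(p for p in before
                     if p in after and before[p] != after[p] and not noisy(p))
    return added, removed, changed

def _write(root: str, rel: str, data: bytes) -> None:
    """Helper for the constructed scenario: create rel under root with the given bytes."""
    path = os.path.join(root, *rel.split("/"))
    os.makedirs(os.path.dirname(path), exist_ok=True)
    with open(path, "wb") as fh:
        fh.write(data)

def demo() -> tuple:
    """Constructed scenario: after 'browsing', one program file is altered, a new
    DLL appears, and the browser cache fills up (ignored as expected noise)."""
    with tempfile.TemporaryDirectory() as root:
        _write(root, "Program Files/App/app.exe", b"MZ-original")
        _write(root, "Windows/system.ini", b"[boot]")
        before = snapshot(root)
        _write(root, "Program Files/App/app.exe", b"MZ-altered")   # changed
        _write(root, "Program Files/App/helper.dll", b"MZ-new")    # added
        _write(root, "Temp/Cache/page.tmp", b"cached page")        # noise
        after = snapshot(root)
        return diff_snapshots(before, after, ignore_prefixes=("Temp/",))

if __name__ == "__main__":
    added, removed, changed = demo()
    print("new:", added)
    print("removed:", removed)
    print("changed:", changed)
```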
  12. ErikAlbert

    ErikAlbert Registered Member

    Joined:
    Jun 16, 2005
    Posts:
    9,455
    Thanks for that utility !!! I will look into this, when I'm ready to test my frozen snapshot.
     
  13. ErikAlbert

    ErikAlbert Registered Member

    Joined:
    Jun 16, 2005
    Posts:
    9,455
    With a whitelist, like in Anti-Executable, I know exactly what it does. Anything that isn't whitelisted is bad, only your whitelisted applications are allowed to run, and I know exactly which software I installed, because I did it myself.
    That is a very CLEAR picture.

    With a blacklist I don't know anything.
    Against which malwares am I protected with this scanner ? Beats me.
    Against which malwares am I protected by heuristics with this scanner ? Beats me.
    Against which malwares am I NOT protected with this scanner ? Beats me.
    Which additional scanner(s) do I need to remove the rest ? Beats me.
    How many scanners do I have to run ? 1, 2, 8, 10 or more ? Beats me.
    Which scanner is better than the others? Beats me.

    Can I verify all that? Most probably yes. Nice job for me to check hundreds of thousands of signatures and compare them with another list of hundreds of thousands of signatures to see the differences.
    Of course nobody is going to do this, so we start GUESSING to give an answer on all these questions. Very scientific !!! :rolleyes:

    Wilders is FULL of questions about blacklist security softwares and the reason is obvious : there is no CLEAR picture anymore and the quantity is too huge and increasing constantly.
    This is food of course for endless discussions, numerous combinations/opinions and everybody claims to have the right answers.
    One big uncontrollable mess, that's what blacklists are.

    Each time a scanner tells me "No threats found", I think "What about the rest you didn't find ?"
    What a reassurance. Pffft. :)
     
  14. Seishin

    Seishin Registered Member

    Joined:
    Aug 2, 2006
    Posts:
    204
  15. aigle

    aigle Registered Member

    Joined:
    Dec 14, 2005
    Posts:
    11,164
    Location:
    UK / Pakistan
    I believe SSM with user interface disconnected will give you much more protection than this. Also nobody can uninstall it or open it as it can be password protected.
     
  16. bellgamin

    bellgamin Registered Member

    Joined:
    Aug 1, 2002
    Posts:
    8,102
    Location:
    Hawaii
    I wrote that BOClean is *mainly* a blacklister. I did NOT say that it is *just* a blacklister. It's unsanitary to put words in my mouth.:p

    Further, a heuristic is, in essence, simply another form of blacklist. Namely, a heuristic is mainly based upon a list of behaviors which are *typical* of malware. Thus, malware writers can readily test their programs again & again against a given heuristic until they finally find a way to circumvent its current list of *bad behaviors*. Once they do so, they are up & running again.

    On the other hand, in order for a malware to get past a whitelist, its programmers must either (a) find a way to get onto the whitelist itself or (b) find a way to get past the whitelist's checksums.

    With respect to a program such as System Safety Monitor, the easier route is usually (a) -- finding a way to get onto the whitelist itself. Why? Because SSM largely depends on decisions of the individual user as to what does & does not get whitelisted. If individual users are careless or lazy or misinformed or deceived, the fat is in the fire.

    A major distinguishing facet of Prevx1 is the fact that it bases its whitelisting decisions upon a *community* of users plus actual testing done by a team of home-office experts.

    To oversimplify:
    >Smart malware writers can screw around until they wriggle their way through any blacklist, by tactics such as morphing or zero-day etc.
    >Careless or lazy or misinformed or deceived users can screw up any whitelister that heavily depends upon individual user decisions
    >Delay time & system load for updating whitelists are the potential weaknesses of Prevx. Other than that, I see no intrinsic *loose screws* in that sort of whitelist... YET.
     
  17. maddawgz

    maddawgz Registered Member

    Joined:
    Aug 13, 2004
    Posts:
    1,316
    Location:
    Earth

    How do we know they're not stealing our info too... lol, the people that make it. What's the free offer over pro?
     
  18. Wai_Wai

    Wai_Wai Registered Member

    Joined:
    Dec 28, 2004
    Posts:
    556
    So far, some respondents simply use generic security products to block all sorts of malware. Others may use specific security products to block particular kinds of malware (eg Snoopfree against keyloggers).

    I would like to know why you select such a combination, but not the other way round. So why?
     
  19. Wai_Wai

    Wai_Wai Registered Member

    Joined:
    Dec 28, 2004
    Posts:
    556
    Me neither.
    The reason is just the same as yours. It depends mainly on blacklisting technique to detect malware.

    How about if the malware corrupts/infects your snapshot, or infects your personal data or the area where you don't snapshot?

    Have you considered Process Guard?
    It can do what you want (block executable files) plus much more.


    How do you solve these problems which have been outlined here:
    https://www.wilderssecurity.com/showthread.php?p=843848#post843848

    If you haven't thought about these problems, it is worth taking a look.


    :)
     
  20. Wai_Wai

    Wai_Wai Registered Member

    Joined:
    Dec 28, 2004
    Posts:
    556
    Some other (possible) weaknesses:
    - wrong report of a malicious application by users (it requires some time to fix that)
    - wrong report of a genuine application by users (I have seen reports about this in its support forum)
    - grey area: some users may regard a behaviour as acceptable; others would like to block it. The final decision made by the system may not be desirable to you

    I hope Prevx1 will let me make decisions on the actions/behaviours of not only the genuine applications, but also supposedly malicious applications.
     
  21. Devil's Advocate

    Devil's Advocate Registered Member

    Joined:
    Feb 5, 2006
    Posts:
    549
    Notok is probably going to pop up and tell you Prevx1 does blacklisting too, and heuristics and everything under the sun.
     
  22. Devil's Advocate

    Devil's Advocate Registered Member

    Joined:
    Feb 5, 2006
    Posts:
    549
    Well if you are not looking for 100% solutions you might as well stick to blacklists.

    You are too modest.

    I guess it depends. I could never survive using your system. It's also pretty complicated, I can't imagine any less knowledgeable user learning how to set up your system (partitions and moving profile folders). To be honest I tried to understand your system, but I only got some vague impression of how it works. Basically snapshots and backups, some on an external hard disk, and then you roll back every night or something, right?

    So your system never changes except for some personal info and settings.
    Or is it you only back up your system partition? As I said, I don't quite get what you are doing.

    Sounds good assuming you can handle the malware in between snapshots, except it's too restrictive for me, I would feel like I'm using a library/internet cafe computer and not my own computer. I want to install and keep software. Refreshing snapshots over and over again would frustrate me, it's like you never did anything at all.

    I use snapshots and image backups too, but only as a last resort or for testing. But then again I'm not looking for 100% certainty, so I'm happy with scanners, HIPS and some amount of backup and virtualization.
     
  23. ErikAlbert

    ErikAlbert Registered Member

    Joined:
    Jun 16, 2005
    Posts:
    9,455
    I'm used to these remarks, so that doesn't bother me. :)
    Each time I try something different at work, I get these remarks : it's not possible, it has never been done before, don't do it, what if it goes wrong, what are you trying to do, are you crazy, etc. etc. etc.
    And when I've done it successfully, I don't hear anything anymore and this repeats itself over and over again.
    I also get a lot of bad advice from people who try to tell me what to do, and if I listen to these people and it goes wrong, they all disappear and I get all the blame.
    My experience is that each time I try something different, I'm ALONE, so I'm used to taking care of myself.

    Right now, I'm moving folders and that is indeed "complicated", but I'm working on that problem. What is a problem NOW, doesn't mean it remains a problem forever. Never heard of FIXING problems ? I do it all the time at work.
    At home, everything goes slower of course, because I have to do this in my free time, and at work I don't do that kind of job.
    You don't have to understand it either and you don't have to do what I'm doing, because that is a lot of work.
    Who cares anyway, it's my computer. :)
     
  24. ErikAlbert

    ErikAlbert Registered Member

    Joined:
    Jun 16, 2005
    Posts:
    9,455
    For now, I assume that Anti-Executable will stop the execution of any not-whitelisted application, including malwares.
    I said "assume", because I don't really know for sure.
    But I have to start somewhere and my very first approach is to trust the software completely, based on what I have read.
    After I have configured my system partition completely, my second approach is trying to destroy what I have built in every possible way I can think of.
    At Wilders they call it often "torture tests", but I don't use that expression.
    Unfortunately, I'm neither a malware expert, nor an internet expert and that is a big disadvantage to do these torture tests. I just don't know how to do these tests and above all how to CONTROL them.
    Once I'm ready, I most probably will ask Wilders how to do this, but I'm not that far yet.
    As I said before, I can't do it all at once and first things first.

    Most recent applications have a default folder setting that allows you to save your personal files anywhere.
    Typical examples are MS Word, MS Excel. So these applications are not a problem.

    Some applications don't have a default folder setting, but still allow you to save your personal files anywhere you want.
    Typical examples are Adobe Reader and Notepad. So these applications aren't a problem either.

    Some applications store your personal files in the same folder, where the application itself is installed.
    In other words under the folder "Program Files" like you already mentioned and that is indeed a problem.
    I'm aware of this and it can't be solved to my knowledge at first sight, and these applications do indeed exist.
    Such applications have a very bad folder structure, because you never put software objects and personal data objects in the same folder even when you use subfolders in the software folder. You just don't do this in the computer world, this is a capital sin and very stupid too.
    Such applications are probably OLD or the programmer wasn't smart enough.
    Such applications have often an alternative solution WITH a default folder setting and in that case, I would choose that one.
    Since I separated my system files from my personal files, I pay attention to this and I don't have such applications on my system partition and I will avoid them in the future. :)
     
  25. Seishin

    Seishin Registered Member

    Joined:
    Aug 2, 2006
    Posts:
    204

    Truth is that I wouldn't get it either. Looks like the free version is way too basic. Here:


    Q: What are differences between the Personal version and the Professional version of KeyScrambler?

    A: The major difference is in the level of input protection. Whereas KeyScrambler Personal encrypts keystrokes of your username(s) and password(s), KeyScrambler Professional encrypts keystrokes of all your input, be it a credit card number or a whole page of email you type out on the Internet. We recommend the pro version to individuals and companies whose communications contain sensitive information they wish to safeguard against keyloggers.
    (http://www.qfxsoftware.com/KeyScrambler/KeyScrambler_FAQ.htm)
     