Dumb question concerning Anti-Ex

Discussion in 'other anti-malware software' started by Acadia, Dec 6, 2007.

Thread Status:
Not open for further replies.
  1. Acadia

    Acadia Registered Member

    Joined:
    Sep 8, 2002
    Posts:
    4,048
    Location:
    SouthCentral PA
    My dumb question is this: what kind of a security program is Anti-Executable considered?

    For example, Nod is an Anti-virus.
    BoClean is an anti-Trojan.
    OnlineArmor is a Firewall/Hips.
    Returnil and PowerShadow are Sandbox/Virtualization.

    Is AE considered a HIPS, a zero-day, or in a class of its own, or what?

    Thanks,
    Acadia
     
    Last edited: Dec 6, 2007
  2. farmerlee

    farmerlee Registered Member

    Joined:
    Jul 1, 2006
    Posts:
    2,585
    I'd consider it a hips. A specialised hips imo.
     
  3. Rmus

    Rmus Exploit Analyst

    Joined:
    Mar 16, 2005
    Posts:
    3,943
    Location:
    California
    Call it what you will! I'm not trying to be facetious, rather, to say that labels aren't always indicative of a product's capabilities, and often are misleading.

    Take HIPS, for example. One reviewer remarked,

    Faronics tends to avoid a single word label. On their Anti-Executable page, AE is described:

    There is no single word description of the program.

    On their Deep Freeze page, DF is characterized:

    They do not use the acronym, ISR (Instant system recovery), although they state further down on the page,

    So, a description often is more useful than a single-word label.

    Further down the AE page, we read,

    Sometimes AE is referred to as an execution prevention program. So, we can compare AE with other programs that advertise execution prevention.

    For example, during some of the remote code execution exploits a year ago, people were advocating Windows Data Execution Prevention (DEP). However, from Microsoft and MVPS sites:

    HIPS is supposed to include execution protection. From a review of DefenseWall as HIPS:

    And:

    Here lies the difference between Anti-Executable and most classical HIPS: as a white list program, Anti-Executable blocks any unknown executable file not on the White List : No chance to run, no possibility of infection. There are no prompts, no decisions to make.

    This is sometimes referred to as Default-Deny. By not allowing the user to give permission to run, the administrator/owner can completely control what is installed on the computer.

    Another difference is that AE does not monitor what an executable does when running. So, it in no way can be called a HIPS program, as that term is currently being used.

    AE does not distinguish between a safe and malicious executable, so it is not an Anti-Virus program.

    Each type of program provides different functions and levels of control.

    So, what to call it? Maybe you can coin a term!

    Meanwhile, I find this characterization useful:

    A Default-Deny execution-prevention program using White List technology.


    ----
    rich
     
    Last edited: Dec 6, 2007
  4. Acadia

    Acadia Registered Member

    Joined:
    Sep 8, 2002
    Posts:
    4,048
    Location:
    SouthCentral PA
    Ok, hear ye, hear ye, one and all, I now hereby officially christen Anti-Executable as a ZEEPP: Zero-day Evergreen Execution Prevention Program! o_O

    Acadia
     
  5. Rmus

    Rmus Exploit Analyst

    Joined:
    Mar 16, 2005
    Posts:
    3,943
    Location:
    California
    I love it!

    (can you explain what "evergreen" refers to??)


    ----
    rich
     
  6. Acadia

    Acadia Registered Member

    Joined:
    Sep 8, 2002
    Posts:
    4,048
    Location:
    SouthCentral PA
    Yeah, that is a term that Erik coined meaning that it never needs to be updated with signatures, it is always up-to-date.

    Acadia
     
  7. farmerlee

    farmerlee Registered Member

    Joined:
    Jul 1, 2006
    Posts:
    2,585
    And it never expires, you can use for as long as you choose to.
     
  8. Peter2150

    Peter2150 Global Moderator

    Joined:
    Sep 20, 2003
    Posts:
    17,047
    I am speechless.o_O :mad: :rolleyes: :eek: :D :cool: :D :D
     
  9. herbalist

    herbalist Guest

    An anti-executable could be considered enforcement software for whitelisted executables or an application firewall. Conventional or classic HIPS also perform this functionin addition to several others. I don't know who comes up with the names and acronyms used to describe security-ware, but they're not doing users any good. A better way to describe conventional HIPS would be anti-change software as that's what it does, prevents unwanted changes to your system.

    As for an official definition, don't hold your breath. The privacy/security community and the industry as a whole doesn't even have universally accepted definitions for the common types of malicious code like virus, worm, trojan, rootkit, etc. If you visit 6 unrelated security sites, you'll see 6 different descriptions, all slightly different, enough so that it can change how a given piece of malware is classified. With marketing interests having a lot of influence over how things are named or described, don't expect names that describe function. Those are rare. If you knew absolutely nothing about computer security, what would the term "firewall" mean to you?

    Rick
     
  10. ErikAlbert

    ErikAlbert Registered Member

    Joined:
    Jun 16, 2005
    Posts:
    9,455
    I use "anti-change" also, my freeze storage is an "Anti-Change Scanner" and removes any change on my system partition and does a much faster and better job, than all AV/AS/AT/AK/AR/... scanners together.

    If the security industry doesn't use a standard nomenclature, I create them myself at free will, words are just words.
    Calling security software "intelligent" and "intuitive" is alot worse, than call it an evergreen, because there is no such thing as intelligent and intuitive software, unless you watch too many SF-movies.
    Computers can't think, they just compare.
     
    Last edited: Dec 6, 2007
  11. EASTER

    EASTER Registered Member

    Joined:
    Jul 28, 2007
    Posts:
    5,633
    Location:
    U.S.A. (South)
    Thank You, Thank You, and Thank You Again.

    Now even i finally know why the term Evergreen is been so very highly favored and used in the same sentence as Anti-Executable WHICH I AM VERY HIGH ON myself.

    I just wish i had the layout map myself, and i'm sure i could draw one up with so many resources on the net, just "EXACTLY" where & how these special drivers position themselves in the SSDT table that make some like AE so very fast-on-the-draw the very instant the magnetic mouse clicks on an Unauthorized Executable.

    Yeah, AE is another one of those single IMPORTANT (Whitelist) apps that "ADD" a good degree to better confidence & security.
     
  12. Peter2150

    Peter2150 Global Moderator

    Joined:
    Sep 20, 2003
    Posts:
    17,047
    Guys, just remember AE does have one big weakness. Think back on the test series I ran for Erik with his approach. Remember the assumption was we had a trusted program, and it was bad. AE would have been useless. Your only option is to disable it to do an install. No clue given as to what the install is doing, and then when you enable it, it whitelists what you installed, in this case the virus.

    Ues we cam rollback out of it with our various recovery programs, but as we saw in that test, not every approach protects other drives. Again something to think about.
     
  13. EASTER

    EASTER Registered Member

    Joined:
    Jul 28, 2007
    Posts:
    5,633
    Location:
    U.S.A. (South)
    No dumb question at all or else how will we learn how these apps work best as well as their limitations as Peter2150 points out. :)

    This is the perfect topic though regarding AE because although i'm not there yet, i'm trying to insert Anti-Executable into the same mix as EQSecure 3.41 + SandboxIE, although i really don't think it's needed. But, i like the ferocity of AE against plain executables and am a believer in layered security by not going too far overboard but striking just the right balance between all these apps together.
     
  14. ErikAlbert

    ErikAlbert Registered Member

    Joined:
    Jun 16, 2005
    Posts:
    9,455
    Every software has that weakness : the weakness of the user, who decides to run the program. If I recover a so called "trusted" program from the sandbox in order to keep and run it, then I'm also infected, in spite of all my security softwares.
     
    Last edited: Dec 7, 2007
  15. EASTER

    EASTER Registered Member

    Joined:
    Jul 28, 2007
    Posts:
    5,633
    Location:
    U.S.A. (South)
    I much rather prefer to interact with any security softwares to avoid any possibility of tipping off-balance and thus unlocking some channel for intrusion or worse.
    Anti-Executable is a wonderful yet simple deterrent. It puts YOU the user in control and not some auto-software. I refuse those types of security programs like AV's that claim to do everything themselves when in reality it's out of the question because they are mostly signature-based. So is AE, but YOU the user establishes that database and anything (exe) not listed is stopped dead in it's tracks. I like that extra approach. Even though my HIPS appears strong enough, just like Eric says, every software can have a weakness and if if theres nothing to relieve duty for that program then we can be in for an image restore.
    I myself favor the concept of Evergreen programs which don't depend on an out-sourced database, but there are rare occasions IMO where programs like SUPERAntiSpyware not only buck the trend in definitions but removals.
    I'll might expect an arguement from Eric on that because it's a scanner and at least one ISR in the form of FD-ISR frozen snapshot can do that job faster than the time it takes to scan & remove plus i have it on good authority that depending on the severity of an infection, the registry can accummalate quite a list of wasted entries leftover where a refreshed FROZEN snapshot CAN'T MISS A SINGLE ONE! ;)
     
  16. Rmus

    Rmus Exploit Analyst

    Joined:
    Mar 16, 2005
    Posts:
    3,943
    Location:
    California
    This is not a weakness; rather, lack of a feature that AE does not purport to provide.

    A program is "weak" if it fails to do something that it claims to do. AE claims nothing more than to Deny-by-Default the unauthorized installation of any executable not on the White List.

    When you authorize an install, you take AE out of the picture. That is not a weakness, but a fact.

    As such, your scenario is an inappropriate example of a "weakness" of AE.

    If a user is concerned about installing a bad program, she/he needs security measures other than AE.

    ----
    rich
     
    Last edited: Dec 7, 2007
  17. Acadia

    Acadia Registered Member

    Joined:
    Sep 8, 2002
    Posts:
    4,048
    Location:
    SouthCentral PA
    One week in the trial of AE and I just like the darn thing, there is power in simplicity. :cool: I have created macros to enable and disable it whenever I am doing anti-virus or FirstDefense stuff, so it only takes me a second to enable or disable with only one key stroke. Even created a macro which disables AE and then brings up FD, now I can't forget to turn AE off whenever I do a FD function.

    Acadia
     
  18. Peter2150

    Peter2150 Global Moderator

    Joined:
    Sep 20, 2003
    Posts:
    17,047
    Hi rich

    Point well taken. The "weakness" may lie with the assumptions users make in using it, not the software itself.

    Pete
     
  19. Rmus

    Rmus Exploit Analyst

    Joined:
    Mar 16, 2005
    Posts:
    3,943
    Location:
    California
    I agree, Pete.

    Others in this thread have pointed out that a label can be misleading. This can lead to wrong assumptions on the part of the user.

    A perusal of other forums shows that people want their security products to do more than they offer. But not looking closely at what a product protects against can result in unfortunate mishaps.

    A good example was DEP which I mentioned in an above post. I first heard about this in another forum and was misled in thinking that it prevented unauthorized executables from installing -- which it does not, I learned later.

    ----
    rich
     
Loading...
Thread Status:
Not open for further replies.