Dumb question concerning Anti-Ex

My dumb question is this: what kind of a security program is Anti-Executable considered?

For example, Nod is an Anti-virus.
BoClean is an anti-Trojan.
OnlineArmor is a Firewall/Hips.
Returnil and PowerShadow are Sandbox/Virtualization.

Is AE considered a HIPS, a zero-day, or in a class of its own, or what?

Thanks,
Acadia

 

I'd consider it a hips. A specialised hips imo.

 

Call it what you will! I'm not trying to be facetious, rather, to say that labels aren't always indicative of a product's capabilities, and often are misleading.

Take HIPS, for example. One reviewer remarked,

Faronics tends to avoid a single word label. On their Anti-Executable page, AE is described:

There is no single word description of the program.

On their Deep Freeze page, DF is characterized:

They do not use the acronym, ISR (Instant system recovery), although they state further down on the page,

So, a description often is more useful than a single-word label.

Further down the AE page, we read,

Sometimes AE is referred to as an execution prevention program. So, we can compare AE with other programs that advertise execution prevention.

For example, during some of the remote code execution exploits a year ago, people were advocating Windows Data Execution Prevention (DEP). However, from Microsoft and MVPS sites:

HIPS is supposed to include execution protection. From a review of DefenseWall as HIPS:

And:

Here lies the difference between Anti-Executable and most classical HIPS: as a white list program, Anti-Executable blocks any unknown executable file not on the White List : No chance to run, no possibility of infection. There are no prompts, no decisions to make.

This is sometimes referred to as Default-Deny. By not allowing the user to give permission to run, the administrator/owner can completely control what is installed on the computer.

Another difference is that AE does not monitor what an executable does when running. So, it in no way can be called a HIPS program, as that term is currently being used.

AE does not distinguish between a safe and malicious executable, so it is not an Anti-Virus program.

Each type of program provides different functions and levels of control.

So, what to call it? Maybe you can coin a term!

Meanwhile, I find this characterization useful:

A Default-Deny execution-prevention program using White List technology.


----
rich

 

Ok, hear ye, hear ye, one and all, I now hereby officially christen Anti-Executable as a ZEEPP: Zero-day Evergreen Execution Prevention Program!

Acadia

 

I love it!

(can you explain what "evergreen" refers to??)


----
rich

 

Yeah, that is a term that Erik coined meaning that it never needs to be updated with signatures, it is always up-to-date.

Acadia

 

And it never expires, you can use for as long as you choose to.

 

An anti-executable could be considered enforcement software for whitelisted executables or an application firewall. Conventional or classic HIPS also perform this functionin addition to several others. I don't know who comes up with the names and acronyms used to describe security-ware, but they're not doing users any good. A better way to describe conventional HIPS would be anti-change software as that's what it does, prevents unwanted changes to your system.

As for an official definition, don't hold your breath. The privacy/security community and the industry as a whole doesn't even have universally accepted definitions for the common types of malicious code like virus, worm, trojan, rootkit, etc. If you visit 6 unrelated security sites, you'll see 6 different descriptions, all slightly different, enough so that it can change how a given piece of malware is classified. With marketing interests having a lot of influence over how things are named or described, don't expect names that describe function. Those are rare. If you knew absolutely nothing about computer security, what would the term "firewall" mean to you?

Rick

 

I use "anti-change" also, my freeze storage is an "Anti-Change Scanner" and removes any change on my system partition and does a much faster and better job, than all AV/AS/AT/AK/AR/... scanners together.

If the security industry doesn't use a standard nomenclature, I create them myself at free will, words are just words.
Calling security software "intelligent" and "intuitive" is alot worse, than call it an evergreen, because there is no such thing as intelligent and intuitive software, unless you watch too many SF-movies.
Computers can't think, they just compare.

 

Thank You, Thank You, and Thank You Again.

Now even i finally know why the term Evergreen is been so very highly favored and used in the same sentence as Anti-Executable WHICH I AM VERY HIGH ON myself.

I just wish i had the layout map myself, and i'm sure i could draw one up with so many resources on the net, just "EXACTLY" where & how these special drivers position themselves in the SSDT table that make some like AE so very fast-on-the-draw the very instant the magnetic mouse clicks on an Unauthorized Executable.

Yeah, AE is another one of those single IMPORTANT (Whitelist) apps that "ADD" a good degree to better confidence & security.

 

No dumb question at all or else how will we learn how these apps work best as well as their limitations as Peter2150 points out.

This is the perfect topic though regarding AE because although i'm not there yet, i'm trying to insert Anti-Executable into the same mix as EQSecure 3.41 + SandboxIE, although i really don't think it's needed. But, i like the ferocity of AE against plain executables and am a believer in layered security by not going too far overboard but striking just the right balance between all these apps together.

 

Every software has that weakness : the weakness of the user, who decides to run the program. If I recover a so called "trusted" program from the sandbox in order to keep and run it, then I'm also infected, in spite of all my security softwares.

 

I much rather prefer to interact with any security softwares to avoid any possibility of tipping off-balance and thus unlocking some channel for intrusion or worse.
Anti-Executable is a wonderful yet simple deterrent. It puts YOU the user in control and not some auto-software. I refuse those types of security programs like AV's that claim to do everything themselves when in reality it's out of the question because they are mostly signature-based. So is AE, but YOU the user establishes that database and anything (exe) not listed is stopped dead in it's tracks. I like that extra approach. Even though my HIPS appears strong enough, just like Eric says, every software can have a weakness and if if theres nothing to relieve duty for that program then we can be in for an image restore.
I myself favor the concept of Evergreen programs which don't depend on an out-sourced database, but there are rare occasions IMO where programs like SUPERAntiSpyware not only buck the trend in definitions but removals.
I'll might expect an arguement from Eric on that because it's a scanner and at least one ISR in the form of FD-ISR frozen snapshot can do that job faster than the time it takes to scan & remove plus i have it on good authority that depending on the severity of an infection, the registry can accummalate quite a list of wasted entries leftover where a refreshed FROZEN snapshot CAN'T MISS A SINGLE ONE!

 

This is not a weakness; rather, lack of a feature that AE does not purport to provide.

A program is "weak" if it fails to do something that it claims to do. AE claims nothing more than to Deny-by-Default the unauthorized installation of any executable not on the White List.

When you authorize an install, you take AE out of the picture. That is not a weakness, but a fact.

As such, your scenario is an inappropriate example of a "weakness" of AE.

If a user is concerned about installing a bad program, she/he needs security measures other than AE.

----
rich

 

One week in the trial of AE and I just like the darn thing, there is power in simplicity. I have created macros to enable and disable it whenever I am doing anti-virus or FirstDefense stuff, so it only takes me a second to enable or disable with only one key stroke. Even created a macro which disables AE and then brings up FD, now I can't forget to turn AE off whenever I do a FD function.

Acadia

 

I agree, Pete.

Others in this thread have pointed out that a label can be misleading. This can lead to wrong assumptions on the part of the user.

A perusal of other forums shows that people want their security products to do more than they offer. But not looking closely at what a product protects against can result in unfortunate mishaps.

A good example was DEP which I mentioned in an above post. I first heard about this in another forum and was misled in thinking that it prevented unauthorized executables from installing -- which it does not, I learned later.

----
rich