.EXE Slips through AntiExe !

Discussion in 'other anti-malware software' started by CloneRanger, Mar 19, 2013.

Thread Status:
Not open for further replies.
  1. safeguy

    safeguy Registered Member

    Joined:
    Jun 14, 2010
    Posts:
    1,794
    This is nothing new. Sandboxie was once affected until Tzuk dealt with the problem.

    If you are concerned, the easiest method is to disable 16-bit compatibility if you are on 32-bit (as mentioned by moonblood). If you really need to run a 16-bit program, then perhaps consider the DOSBox emulator as mentioned here?

    http://www.sandboxie.com/phpbb/viewtopic.php?t=8901
    http://www.sandboxie.com/phpbb/viewtopic.php?t=7152
    http://www.sandboxie.com/phpbb/viewtopic.php?t=6307

    I doubt so... probably legacy apps or games mostly.
     
  2. Peter2150

    Peter2150 Global Moderator

    Joined:
    Sep 20, 2003
    Posts:
    20,590

    Be careful how you test in AppGuard, as AppGuard isn't really an anti-executable program. How it reacts depends on where the exe is located and the protection setting. A better test would be with NVT's ERP. There you could take ntvdm.exe off the whitelist, and that way you could monitor it by command line. Much better test.

    Pete
     
  3. jmonge

    jmonge Registered Member

    Joined:
    Mar 20, 2008
    Posts:
    12,923
    Location:
    Canada
    exactly
     
  4. LoneWolf

    LoneWolf Registered Member

    Joined:
    Jan 2, 2006
    Posts:
    3,608
    Not a peep from Faronics AE v5.
    DefenseWall successfully contains the exe as untrusted which is easily killed within DW's GUI.
     
  5. CloneRanger

    CloneRanger Registered Member

    Joined:
    Jan 4, 2006
    Posts:
    4,979
    @ aigle

    Thanks for the extensive test :thumb:

    I've always put cmd.exe on Prompt in PG & now I've added ntvdm.exe ;)

    I can't remember if PG alerts to .bat & .vbs? But AnalogX\Script Defender takes care of them & others ;) See below

    @ PrevxHelp

    Hi, good to see that WRSA intercepted the .PIF file ;) That ZIP-IT "seems" to work in a very convoluted way :D

    I tried to run eicar.com

    e.png

    ntv.png

    Allowed both those &

    16.png

    I did see that MSDOS alert when I ran the original .EXE etc, but chose ignore!

    @ Brummelchen

    Thanks for the link :thumb:

    @ Cutting_Edgetech

    PM'd ;)

    @ moonblood

    Good tip, though some of us like to run old stuff, now & then :D

    @ safeguy

    Good tips :thumb:

    @ LoneWolf

    Thanks for testing :thumb:
     
  6. Brummelchen

    Brummelchen Registered Member

    Joined:
    Jan 3, 2009
    Posts:
    3,221
  7. Pedro

    Pedro Registered Member

    Joined:
    Nov 2, 2006
    Posts:
    3,502
  8. LoneWolf

    LoneWolf Registered Member

    Joined:
    Jan 2, 2006
    Posts:
    3,608
    Faronics AE v2 successfully blocks. :thumb:

    ae2-1.png

    If I disable the copy prevention option within AE, I still get this.....

    2.png
     
  9. Brummelchen

    Brummelchen Registered Member

    Joined:
    Jan 3, 2009
    Posts:
    3,221
    No, this concerns #1 "normal exe": a normal exe always starts with MZ or ZM, the rest as linked.
     
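    As an added illustration of the MZ/ZM point above (example code written for this edit, not taken from any post in the thread): a Python classifier that tells a DOS MZ-only or 16-bit NE image, which Windows hands to ntvdm.exe, apart from a native PE32/PE32+ image. Field offsets follow the documented MZ and PE header layouts; the sample headers are constructed inline and are not real files.

```python
import struct

# Classifier for the executable formats discussed in the thread: a DOS-era
# MZ-only image or a 16-bit Windows NE image is launched through ntvdm.exe,
# while PE32/PE32+ images run natively. All sample headers below are
# constructed here for illustration; they are not real files.

def classify_executable(data: bytes) -> str:
    """Return 'dos', 'ne', 'pe32', 'pe32+' or 'unknown' for an image."""
    if len(data) < 0x40 or data[:2] not in (b"MZ", b"ZM"):
        return "unknown"
    e_lfarlc = struct.unpack_from("<H", data, 0x18)[0]  # relocation table offset
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]  # new-header offset
    # Plain DOS images keep the relocation table below 0x40 and have no e_lfanew.
    if e_lfarlc < 0x40 or e_lfanew < 0x40 or e_lfanew + 4 > len(data):
        return "dos"
    sig = data[e_lfanew:e_lfanew + 4]
    if sig[:2] == b"NE":
        return "ne"
    if sig == b"PE\x00\x00":
        # Optional-header magic follows the 4-byte signature and 20-byte COFF header.
        if e_lfanew + 26 > len(data):
            return "pe32"  # truncated optional header: treat as 32-bit PE
        magic = struct.unpack_from("<H", data, e_lfanew + 24)[0]
        return "pe32+" if magic == 0x20B else "pe32"
    return "dos"

def needs_ntvdm(data: bytes) -> bool:
    """True when the image would be run by the 16-bit subsystem (ntvdm.exe)."""
    return classify_executable(data) in ("dos", "ne")

def _mz_header(e_lfarlc: int, e_lfanew: int) -> bytes:
    """Build a minimal 64-byte MZ header with the two fields the classifier reads."""
    hdr = bytearray(0x40)
    hdr[0:2] = b"MZ"
    struct.pack_into("<H", hdr, 0x18, e_lfarlc)
    struct.pack_into("<I", hdr, 0x3C, e_lfanew)
    return bytes(hdr)

# Constructed samples: DOS stub only, NE, PE32 (magic 0x10B) and PE32+ (magic 0x20B).
DOS_SAMPLE = _mz_header(0x1C, 0) + b"\x00" * 16
NE_SAMPLE = _mz_header(0x40, 0x40) + b"NE" + b"\x00" * 62
PE32_SAMPLE = _mz_header(0x40, 0x40) + b"PE\x00\x00" + b"\x00" * 20 + struct.pack("<H", 0x10B)
PE64_SAMPLE = _mz_header(0x40, 0x40) + b"PE\x00\x00" + b"\x00" * 20 + struct.pack("<H", 0x20B)

if __name__ == "__main__":
    for name, blob in [("dos", DOS_SAMPLE), ("ne", NE_SAMPLE), ("pe32", PE32_SAMPLE), ("pe32+", PE64_SAMPLE)]:
        print(f"{name:6} -> {classify_executable(blob)}  ntvdm={needs_ntvdm(blob)}")
```

    A raw .COM file such as eicar.com carries no header at all, so a header check alone returns 'unknown' for it even though ntvdm.exe would still be the process running it.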
  10. Rmus

    Rmus Exploit Analyst

    Joined:
    Mar 16, 2005
    Posts:
    3,989
    Location:
    California
    Yes, Copy protection prevents the file from being extracted to disk:

    winspkse.jpg

    Newer versions of AE don't have Copy protection. I found this really useful in home environments, where kids couldn't even extract or download any EXE to disk w/o parent's permission.


    ----
    rich
     
  11. m00nbl00d

    m00nbl00d Registered Member

    Joined:
    Jan 4, 2009
    Posts:
    6,623
    I gave it a little test, using the Group Policy that I previously mentioned (the one that allows preventing execution of 16-bit processes), and as expected the process fails to run.

    I also have AppLocker enabled, and to my surprise the group policy is what stopped it first, so I wonder if group policies precede AppLocker, or if AppLocker would simply fail? :doubt: I still haven't tried with only AppLocker.
     

  12. jmonge

    jmonge Registered Member

    Joined:
    Mar 20, 2008
    Posts:
    12,923
    Location:
    Canada
    nice one blood:thumb:
     
  13. m00nbl00d

    m00nbl00d Registered Member

    Joined:
    Jan 4, 2009
    Posts:
    6,623
    It does bypass AppLocker! :eek:

    So, the group policy should be kept enabled, unless one really needs to use 16-bit apps.
     
  14. jmonge

    jmonge Registered Member

    Joined:
    Mar 20, 2008
    Posts:
    12,923
    Location:
    Canada
    :thumb:good testing
     
  15. wat0114

    wat0114 Registered Member

    Joined:
    Aug 5, 2012
    Posts:
    2,786
    Location:
    Canada
    Tested on Win7x64 and, as someone else discovered, it won't even run regardless of the Group Policy setting (which I have disabled in the screenshot), because of the version of Windows, so neither it nor AppLocker factors into the equation.

    On Win XP with SRP enabled, it is successfully blocked by SRP :)

    With SRP disabled, I'm able to view the zipped files but Jetico fw's Process Attack filter intercepts the attempted actions of ntvdm.exe.

    Some screen shots....
     

  16. CloneRanger

    CloneRanger Registered Member

    Joined:
    Jan 4, 2006
    Posts:
    4,979
    @ LoneWolf/Rmus/m00nbl00d/wat0114

    Thanks for testing :thumb:
     
  17. wat0114

    wat0114 Registered Member

    Joined:
    Aug 5, 2012
    Posts:
    2,786
    Location:
    Canada
    You're welcome, CloneRanger! Thanks again for the file.
     
  18. Cutting_Edgetech

    Cutting_Edgetech Registered Member

    Joined:
    Mar 30, 2006
    Posts:
    5,536
    Location:
    USA
    I've been wanting to try out the latest version of Faronics AE. I hope I can get my test machines back soon.
     
  19. m00nbl00d

    m00nbl00d Registered Member

    Joined:
    Jan 4, 2009
    Posts:
    6,623
    Would you (if possible) or someone else give it a run against SRP on Windows 7 x86? I'm wondering if SRP would stop it there? I find it odd that SRP, considered to be inferior to AppLocker, is able to stop it and AppLocker gets bypassed. Maybe Microsoft believes it not to be a problem, which is why AppLocker (SRP v2, so to speak) ignores it? o_O SRP in Windows 7 is pretty much a leftover.
     
  20. trismegistos

    trismegistos Registered Member

    Joined:
    Jan 29, 2009
    Posts:
    365
    How about alerting PG for wscript.exe and cscript.exe aside from cmd.exe for that .bat & .vbs?

    Aside from ntvdm.exe, include debug.exe as well. I recall a zero-day Windows vulnerability before wherein malware attacks the Windows Virtual DOS Machine subsystem and bypasses various security layers.

    SSJ100 recommends these for SRP but you can probably adopt those with PG:
    source: -http://ssj100.fullsubject.com/t4-ssj100-s-security-setup#16-
     
    Last edited by a moderator: Mar 25, 2013
  21. wat0114

    wat0114 Registered Member

    Joined:
    Aug 5, 2012
    Posts:
    2,786
    Location:
    Canada
    Sorry I've only got x64 installed, and it's just too much time and effort to install x86 to test this :(
     
  22. CloneRanger

    CloneRanger Registered Member

    Joined:
    Jan 4, 2006
    Posts:
    4,979
    @ trismegistos

    Hi, I have had wscript.exe & cscript.exe disabled by renaming them, since 98SE days ;)

    .bat & .vbs along with others are covered by ScriptDefender, also since then.

    Re - debug.exe & command.com

    com.png

    Which PG then alerts

    nvt.png

    PG also gives the same alert when trying to run debug.exe

    I'll look into scrobj.dll Thanks :thumb:
     