Executable Lockdown 1.0 released

Discussion in 'other anti-malware software' started by Diprivan, May 3, 2008.

Thread Status:
Not open for further replies.
  1. Diprivan

    Diprivan Registered Member

    Joined:
    Mar 25, 2006
    Posts:
    66
  2. MikeNAS

    MikeNAS Registered Member

    Joined:
    Sep 28, 2006
    Posts:
    697
    Location:
    FiNLAND
  3. Thankful

    Thankful Savings Monitor

    Joined:
    Feb 28, 2005
    Posts:
    3,731
    Location:
    New York City
    Stay with Anti-Executable. I've never had any problems with it.
     
  4. ErikAlbert

    ErikAlbert Registered Member

    Joined:
    Jun 16, 2005
    Posts:
    9,455
    Why does Executable Lockdown have a Blacklist?
    The basic principle of a whitelist is that EVERYTHING that is not whitelisted is blacklisted.
    So why waste space and time on a Blacklist? The Blacklist is already there.
    I don't understand the philosophy behind EL.
     
  5. EASTER

    EASTER Registered Member

    Joined:
    Jul 28, 2007
    Posts:
    5,632
    Location:
    U.S.A. (South)
    I would agree with the above folks who both caution on this and suggest staying with Faronics' AE, which is an absolutely superb program just like its mother ship app Deep Freeze; I use both myself.

    The Whitelist approach, which locks in only designated (Deemed Safe) executables so that anything else is toast, is a welcome preventative measure and one that also drives my own security approach.
     
  6. farmerlee

    farmerlee Registered Member

    Joined:
    Jul 1, 2006
    Posts:
    2,585
    It's one alternative; however, unless they've made huge improvements from the freeware version, its protection isn't quite as comprehensive as Faronics AE. AE is slightly cheaper too.
     
  7. Pedro

    Pedro Registered Member

    Joined:
    Nov 2, 2006
    Posts:
    3,502
    The philosophy is the same imo. What changes is flexibility. Different users have different needs.

    Setting aside for a moment that it doesn't seem to work, I would prefer something a bit more flexible than AE, or a bit more visibility:
    - see the whitelist,
    - see what is added when we turn on/off, or have an alternative to turning it off (I don't know)
    - and yes, a blacklist to forbid Internet Explorer, perhaps ask a password for others like cmd etc.
    In other words, a program I'll probably never see.

    I liked what I saw in Abtrusion Protector for instance, bugs aside. Not everything, but most of it.
     
  8. Chris12923

    Chris12923 Registered Member

    Joined:
    May 31, 2004
    Posts:
    1,097
    Can I ask why you would agree with the others and choose AE over exe lockdown? I'm curious. What features in AE do you like over exe lockdown, if you don't mind?

    Thanks,

    Chris
     
  9. Chris12923

    Chris12923 Registered Member

    Joined:
    May 31, 2004
    Posts:
    1,097
    Because it works in a different way than AE does. It is much, much faster as well.

    Thanks,

    Chris
     
    Last edited by a moderator: May 29, 2008
  10. Chris12923

    Chris12923 Registered Member

    Joined:
    May 31, 2004
    Posts:
    1,097
  11. ErikAlbert

    ErikAlbert Registered Member

    Joined:
    Jun 16, 2005
    Posts:
    9,455
    Chris,
    I don't need blacklists, I avoid them as much as possible.
    Speed is not a function, I can't do anything with speed. My computer is fast enough.

    Anti-Executable v2 has a quintuple verification for each whitelisted executable :
    1. File Size
    2. File Type
    3. File Location
    4. Creation Date
    5. Code Sample
    http://www.faronics.com/html/AntiExec.asp

    What about Executable Lockdown, the same or better or less or nothing ?

    Anti-Executable v2 on HIGH :
    1. Blocks unauthorized 16-bit executables
    2. Blocks unauthorized 32-bit executables
    3. Blocks unauthorized drivers and .dll files
    4. Protects Anti-Executable Standard directory from access and tampering
    5. Has optional Copy and Delete Prevention

    What about Executable Lockdown, the same or better or less or nothing ?
    Thanks :)

    PS. : Anti-Executable v3 is on its way.
     
    Last edited: May 29, 2008
  12. Chris12923

    Chris12923 Registered Member

    Joined:
    May 31, 2004
    Posts:
    1,097
    Does it matter if it has 30 verification schemes as long as it blocks what you throw at it? All I know is I couldn't get anything to get by it. Anyone else bypass it?? It does not offer copy and delete prevention. I guess the copy protection AE has is similar to a zipped virus. It's harmless.

    Thanks,

    Chris
     
  13. ErikAlbert

    ErikAlbert Registered Member

    Joined:
    Jun 16, 2005
    Posts:
    9,455
    In other words, you don't really know, if AE is better than EL or vice versa.
    So I have no reason to change anything. :)
     
  14. Chris12923

    Chris12923 Registered Member

    Joined:
    May 31, 2004
    Posts:
    1,097
    It's like anything: if you don't try it, you'll never know if it's better for you or not. All I know is on install all files on the system drive are whitelisted; anything new will not run unless you allow it. Time to install on my system was about 20 seconds from the time I double-clicked the installer till the time I was protected. I doubt AE is that fast, so better speed-wise for sure. Better protection, who knows; neither of us has tried every method possible to bypass either of them. OK, try this with AE and see what happens. Rename a file, keep the exe extension, but for the filename just hold down a key until it cannot be any longer. It should be about 255 characters. Then try to run the renamed file. Hopefully it stops it, but on some other programs this will bypass the protection.

    Thanks,

    Chris
     
  15. ErikAlbert

    ErikAlbert Registered Member

    Joined:
    Jun 16, 2005
    Posts:
    9,455
    Chris,
    I will run your torture test somewhere during the day, not only to test AE, but also my boot-to-restore. I'm prepared to do anything to break my security/recovery solution, especially my boot-to-restore, because I don't trust my security software.
    Be patient, I'll come back for sure. :)
     
  16. Chris12923

    Chris12923 Registered Member

    Joined:
    May 31, 2004
    Posts:
    1,097
    np, it's not really a torture test, just a simple thing that has bypassed some other software before, not just security software; it also messes with other software. I'm sure it will pass with ease, but I'm curious.

    Thanks,

    Chris
     
  17. Pedro

    Pedro Registered Member

    Joined:
    Nov 2, 2006
    Posts:
    3,502
    That's interesting :)
    Got to remember that one.
    Which programs failed in that situation Chris?
     
  18. Chris12923

    Chris12923 Registered Member

    Joined:
    May 31, 2004
    Posts:
    1,097
    I'd rather not say since I don't know if they have been fixed yet and people may try to take advantage of the weakness.

    Thanks,

    Chris
     
  19. Rmus

    Rmus Exploit Analyst

    Joined:
    Mar 16, 2005
    Posts:
    3,943
    Location:
    California
    With AE's Delete protection ON, you cannot rename a file:

    rename1.gif
    _________________________________________________

    Copy Protection prevents an executable from downloading (copying) from the internet or any external media.
    The file, of course, still cannot execute.

    You can try this with Executable Lockdown (I'll PM you the URL)

    1. With Copy protection enabled, this remote code execution exploit on a web site fails to download the malware
    (Note the Reason=Copy in the AE Alert message; and the Program=IExplore.exe):

    exlock_block1.gif
    ___________________________________________________

    The file has not downloaded:

    exlock_cache1.gif
    ___________________________________________________

    Loading the site again, with Copy Protection OFF, the file is permitted to download

    exlock_cache2.gif
    ___________________________________________________

    At which point the file copies itself as cn911.exe and installs in temp
    along with a vbs file which then attempts to use wscript.exe to run the executable.

    At this point, AE blocks the execution.
    Note the Reason=Open (Run); and the Program=Wscript.exe in the alert:

    exlock_block2.gif
    _________________________________________________

    It will be interesting to see at which point your program jumps in to stop the attack.


    ----
    rich
     
  20. ErikAlbert

    ErikAlbert Registered Member

    Joined:
    Jun 16, 2005
    Posts:
    9,455
    Chris,
    I tried your torture test :
    1. Renamed "Firefox.exe" into "Firefoxaaaaaaaaaaaaaaaaaa.exe", holding the key "a" as long as possible.
    2. Pressed "Enter"

    AE immediately gave me a warning and blocked my renaming attempt.

    However if the "Delete Prevention" is unmarked in AE, your test is valid and the file will be renamed.
    <snipped another off topic remark>
     
    Last edited by a moderator: May 29, 2008
  21. Pedro

    Pedro Registered Member

    Joined:
    Nov 2, 2006
    Posts:
    3,502
    Erik, I believe the test you're trying -just execution blocking- would be:
    1-AE on, copy protection off.
    2-Download a new exe, rename it according to the test.
    3-Execute.

    It shouldn't execute.
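
The execution-blocking test described in the posts above, as an added example that is not part of the original thread and not code from either product: a default-deny allowlist that identifies files by size and SHA-256 content hash, so a new executable is refused whatever its name, including a 255-character one. The function names and sample bytes are constructed for illustration; this sketch does not check file location, so a renamed allowlisted file still matches.

```python
import hashlib
import os
import shutil
import tempfile

def fingerprint(path):
    """Identify a file by size and SHA-256 of its content, never by its name."""
    digest = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            digest.update(chunk)
    return (os.path.getsize(path), digest.hexdigest())

def build_allowlist(root):
    """Snapshot every file under root, as an install-time scan would."""
    allowed = set()
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            allowed.add(fingerprint(os.path.join(dirpath, name)))
    return allowed

def may_execute(path, allowed):
    """Default deny: allow only content that matches a snapshot entry."""
    try:
        return fingerprint(path) in allowed
    except OSError:
        return False  # unreadable, missing or over-long path: fail closed

def run_demo():
    root = tempfile.mkdtemp()
    try:
        known = os.path.join(root, "known.exe")
        with open(known, "wb") as f:
            f.write(b"MZ constructed sample: trusted program")
        allowed = build_allowlist(root)  # snapshot taken before anything new arrives

        # New file created after the snapshot: 251 letters + ".exe" = 255 characters.
        new_long = os.path.join(root, "a" * 251 + ".exe")
        with open(new_long, "wb") as f:
            f.write(b"MZ constructed sample: unknown program")

        # Allowlisted file renamed to an equally long name.
        renamed = os.path.join(root, "b" * 251 + ".exe")
        os.rename(known, renamed)

        return {
            "new_long_name": may_execute(new_long, allowed),
            "renamed_known": may_execute(renamed, allowed),
        }
    finally:
        shutil.rmtree(root)

if __name__ == "__main__":
    print(run_demo())
```
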
     
  22. aigle

    aigle Registered Member

    Joined:
    Dec 14, 2005
    Posts:
    11,047
    Location:
    Saudi Arabia/ Pakistan
    Yes, exactly like this.
     
  23. aigle

    aigle Registered Member

    Joined:
    Dec 14, 2005
    Posts:
    11,047
    Location:
    Saudi Arabia/ Pakistan
    Yes, I would like to see the same tests with Exe Lockdown. Interesting!
     
  24. Chris12923

    Chris12923 Registered Member

    Joined:
    May 31, 2004
    Posts:
    1,097
    exe lockdown will not stop the exe from getting on your PC. After thinking on this, it seems like a moot point almost. I mean, that's again like saying "hey, my AV protects against zipped viruses". It can't run anyway, so there is not really any harm. Am I missing something here? Maybe something else that copy protection does besides that?

    Thanks,

    Chris
     
  25. Rmus

    Rmus Exploit Analyst

    Joined:
    Mar 16, 2005
    Posts:
    3,943
    Location:
    California
    You are correct, there is no harm.

    Using the example I gave, Copy Protection saves having to clean up the files created in the temp folder when the initial file is cached.

    For those knowledgeable about how exploits work, cleaning up in a case like this is not such a big deal.

    My initial use for AE was for families where all use one computer, and the parents can control what gets downloaded/installed. AE saves having to do extra "housecleaning," and I find it a nice feature.


    ----
    rich
     