Executable Lockdown 1.0 released

Discussion in 'other anti-malware software' started by Diprivan, May 3, 2008.

Thread Status:
Not open for further replies.
  1. ErikAlbert

    ErikAlbert Registered Member

    Joined:
    Jun 16, 2005
    Posts:
    9,455
The test was about renaming an EXISTING object. Copy Protection = OFF doesn't prevent renaming "Firefox.exe". I tried it.
Downloading a NEW exe and renaming it is not the same situation. :)
     
  2. Chris12923

    Chris12923 Registered Member

    Joined:
    May 31, 2004
    Posts:
    1,097
What I was getting at was that if you change an executable's name to the max character count and then try to run it, sometimes with certain programs it will allow it to execute (run) when it should have blocked it.

    Thanks,

    Chris
     
  3. ErikAlbert

    ErikAlbert Registered Member

    Joined:
    Jun 16, 2005
    Posts:
    9,455
    Yes, but AE doesn't allow any change when Delete Prevention = ON.
In my case Delete Prevention = OFF, otherwise FDISR is in trouble, and that means that any executable can be renamed by me or something else (malware) or somebody else (hacker).
    I still have to work on this problem, maybe it can be fixed, if I find the FDISR-executable that is responsible for this.
     
    Last edited: May 30, 2008
  4. Pedro

    Pedro Registered Member

    Joined:
    Nov 2, 2006
    Posts:
    3,502
    Erik, it's just a test on execution blocking, just to compare that one feature, not AE's overall solution.
    No copy protection, download a new executable, rename it accordingly (aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa-to-the-end.exe) and execute.
    It should not, will not execute. It's a "trust but verify" thing. :p
     
  5. Chris12923

    Chris12923 Registered Member

    Joined:
    May 31, 2004
    Posts:
    1,097
I guess no one's tried this yet?

    Thanks,

    Chris
     
  6. Pedro

    Pedro Registered Member

    Joined:
    Nov 2, 2006
    Posts:
    3,502
    I'll VM the experiment later Chris :p
    I just don't feel like booting XP.
     
  7. ErikAlbert

    ErikAlbert Registered Member

    Joined:
    Jun 16, 2005
    Posts:
    9,455
The reason I haven't tested it yet is that I still don't understand the test.

What happens when I want to test new software that is downloadable from the internet? Keep in mind that I run AE on HIGH.

    1. AE is turned OFF, otherwise I can't download the NEW executable of the new software. It's IMPOSSIBLE to download a NEW executable from the internet when AE = ON. So AE must be OFF to make that possible.

2. Once the NEW executable is downloaded, I can rename that executable to whatever I want, because AE = OFF.
    I can also install the executable (renamed or not), because AE = OFF and must be OFF, otherwise I can't install it.
    I often rename my executables for a good reason, which has nothing to do with security.

    3. Once I turn AE back ON, the NEW executable (renamed or not) is whitelisted and that means I can NOT rename the executable anymore, unless "Delete Prevention" is disabled.

    This is the only procedure I know.
So describe the test step by step and I will run it; tell me at each step whether AE is ON or OFF and whether "Delete Prevention" is enabled or disabled, because that makes a difference.
     
    Last edited: Jun 2, 2008
  8. Rmus

    Rmus Exploit Analyst

    Joined:
    Mar 16, 2005
    Posts:
    4,020
    Location:
    California
    Here you go:

    Download .exe - copy protection on, download fails:

    aa-1.gif
    _____________________________________________

    Disable Copy Protection, file downloads, attempt to execute fails:

    aa-1a.gif
    ______________________________________________

    Rename file, attempt to execute crashes Windows Explorer, execute fails:

    aa-5.gif
    ______________________________________________

    Can you explain what the purpose of this test is?
     
    Last edited: Jun 2, 2008
  9. ErikAlbert

    ErikAlbert Registered Member

    Joined:
    Jun 16, 2005
    Posts:
    9,455
    Rmus,
Thanks for the demo, your presentation is always excellent and a picture is worth a lot more than 1000 words. :)
     
  10. Chris12923

    Chris12923 Registered Member

    Joined:
    May 31, 2004
    Posts:
    1,097
The purpose is that some programs, including well-known ones, have a problem with that many characters in a filename. Not sure why, but they have in the past and some new ones still have the same problem. It was just a test to see if AE had this problem or not. It doesn't, so props to them. And thank you for trying it out.

    Thanks,

    Chris
     
  11. Pedro

    Pedro Registered Member

    Joined:
    Nov 2, 2006
    Posts:
    3,502
Rich, that's it, nothing more I believe. It's just that Chris mentions some programs fail execution blocking if the executable has a long name. Surprising, but I don't doubt Chris.
Like I said, to me it's interesting just to "trust but verify".

It's a most basic test, but one that, if some program fails it, will illustrate how good (not) a program is, and how fast one should avoid it.
You have to agree that if you find a program that fails this, it's most revealing.
If it passes though, it's no big deal.

    I agree with Erik, presentation A+ as always.

    Cheers
     
  12. ErikAlbert

    ErikAlbert Registered Member

    Joined:
    Jun 16, 2005
    Posts:
    9,455
The length of a filename should never be a problem in any software; only bad programming can cause this problem.
I don't know what the maximum length of a filename is in NTFS, probably about 255 characters, but that doesn't really matter; there is always a limit on filenames, also for non-NTFS.
     
  13. Chris12923

    Chris12923 Registered Member

    Joined:
    May 31, 2004
    Posts:
    1,097
True, and trust me, many programs have some bad programming that gets missed in beta and carries on to the final release. This was just a test. AE passed and congrats to them.

    Thanks,

    Chris
     
  14. Rmus

    Rmus Exploit Analyst

    Joined:
    Mar 16, 2005
    Posts:
    4,020
    Location:
    California
The fact that Windows Explorer crashed (Win2K, NTFS here) shows that something funny is going on behind the scenes with a 255-character filename.

    But back to the execution protection: why would this matter if a program didn't handle it? Under what circumstances could a file on your computer get renamed and then executed? Is this really a threat?


    ----
    rich
     
  15. ErikAlbert

    ErikAlbert Registered Member

    Joined:
    Jun 16, 2005
    Posts:
    9,455
    Not IMO, it might cause problems in opening the program or via other programs, but I fix that too. ~removed un-necessary dribble....Bubba~
     
    Last edited by a moderator: Jun 2, 2008
  16. Pedro

    Pedro Registered Member

    Joined:
    Nov 2, 2006
    Posts:
    3,502
Whether it's a threat depends. Simply the fact that a program doesn't work with long filenames is flagrant imo.
If you're securing a computer used by many, it's a threat if the users are not dependable (public PCs etc.). All the user has to do is change the name to bypass this.
And there's how Windows presents the file to the user. I remember that situation (don't know if it's still there) where the file has a double extension and Windows would show only the first. I don't know what else, but I really shouldn't care, if I use something like AE. That's what it's there for too.

But perhaps most importantly, it's about how well the program was coded. If it can't handle this, I really can't depend on it. Like with Executable Lockdown, if it can't handle procexp.bat, forget it.

    But that's just me :)
     
  17. ErikAlbert

    ErikAlbert Registered Member

    Joined:
    Jun 16, 2005
    Posts:
    9,455
    I don't see any reason to switch from Anti-Executable to Executable Lockdown.
Besides, Faronics probably has a lot more experience in that kind of protection than HDS.
    After all EL is new without reputation and has still to prove itself and I'm not a lab rat of HDS.
     
  18. aigle

    aigle Registered Member

    Joined:
    Dec 14, 2005
    Posts:
    11,164
    Location:
    UK / Pakistan
Just out of curiosity I tried it with CFP. The file did not run, no pop-up from CFP, and Explorer crashed.

Decreasing the file name by just one letter: no crash, and a pop-up from CFP.


    06-03_0005.jpg
    06-03_0006.jpg
     
  19. Rmus

    Rmus Exploit Analyst

    Joined:
    Mar 16, 2005
    Posts:
    4,020
    Location:
    California
    Thanks, aigle for the test and screen shots.

    So, this is a buffer overflow mishap. Very interesting. I thought that Windows could take a 255-character filename; evidently not. I'd like to check some references on this.

    Thanks to both of you - it's always informative to do tests!

    I don't follow what you are getting at -- that a user could download a malicious file and then change the name? Why rename the file? If you can successfully download the file, you in essence can take control of the computer.

    For Public PCs, you may not be aware that AE has an Enterprise (Institutional) version as does Deep Freeze, where the program can be installed/monitored/maintained on individual workstations from an administrator console. The Faronics web site has a nice diagram of a network, showing how it works.

    Yes, AE will take care of that.

    Do you remember the Netsky worm and the double extension/double icon spoof a couple of years ago? I found out about an interesting but unfortunate mishap from a friend, and did a write-up here:

    http://www.urs2.net/rsj/computing/tests/netsky/

    Netsky remained in the Avira Threats Statistics List for more than a year. It's gone away for the most part, since people are learning not to click on email attachments.

    Now, they click on malicious media files!


    ----
    rich
     
    Last edited: Jun 3, 2008
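Erik's remark that only bad programming makes filename length a problem, and Rich's "buffer overflow mishap" above, can be illustrated with an added example (mine, not code from AE, EL, CFP or any product in this thread): a naive name check that copies the filename into a fixed buffer before deciding, so a 255-character name is silently truncated and slips through, beside a fail-closed version that measures the name first. The 32-byte buffer, the `.exe` suffix rule and the verdict codes are assumptions chosen only to make the truncation visible.

```c
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

#define NAME_MAX_COMPONENT 255  /* NTFS limit for one path component (characters) */
#define LOCAL_BUF 32            /* fixed buffer, deliberately small (assumption) */

enum verdict { VERDICT_ALLOW = 0, VERDICT_BLOCK = 1, VERDICT_REJECT = 2 };

static bool has_exe_suffix(const char *s) {
    size_t n = strlen(s);
    return n >= 4 && strcmp(s + n - 4, ".exe") == 0;
}

/* Naive check: copies the name into a fixed buffer first. strncpy silently
 * truncates, so "aaa...aaa.exe" loses its ".exe" and the check on the
 * truncated copy allows what should have been blocked. */
enum verdict naive_check(const char *name) {
    char buf[LOCAL_BUF];
    strncpy(buf, name, LOCAL_BUF - 1);
    buf[LOCAL_BUF - 1] = '\0';
    return has_exe_suffix(buf) ? VERDICT_BLOCK : VERDICT_ALLOW;
}

/* Hardened check: measure the full name before copying anything, refuse
 * (fail closed) whatever the buffer or the filesystem cannot hold, and
 * decide only on an untruncated name. */
enum verdict hardened_check(const char *name) {
    size_t n = strlen(name);
    if (n > NAME_MAX_COMPONENT || n >= LOCAL_BUF)
        return VERDICT_REJECT;
    char buf[LOCAL_BUF];
    memcpy(buf, name, n + 1);   /* n < LOCAL_BUF, so the NUL fits too */
    return has_exe_suffix(buf) ? VERDICT_BLOCK : VERDICT_ALLOW;
}

/* Constructed test input: 251 'a's plus ".exe", a 255-character filename. */
const char *long_exe_name(void) {
    static char name[NAME_MAX_COMPONENT + 1];
    memset(name, 'a', NAME_MAX_COMPONENT - 4);
    memcpy(name + NAME_MAX_COMPONENT - 4, ".exe", 5);
    return name;
}

int main(void) {
    printf("naive: %d  hardened: %d  (0=allow 1=block 2=reject)\n",
           naive_check(long_exe_name()), hardened_check(long_exe_name()));
    return 0;
}
```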
  20. EASTER

    EASTER Registered Member

    Joined:
    Jul 28, 2007
    Posts:
    11,126
    Location:
    U.S.A. (South)
Thanks guys for taking these comparisons to task with Anti-EXE apps, and Rmus, your screenshots are really helpful; as has already been hinted at, pictures say what words miss sometimes.

This thread has now sparked my interest in attempting to forge my HIPS (EQS) to carry out similar duties as AE.
     
  21. demoneye

    demoneye Registered Member

    Joined:
    Dec 30, 2007
    Posts:
    1,356
    Location:
    ISRHell
So who is the winner? AE or EL? :D

Faronics is a well-known company, while HDS is new in this field... Welp, gonna test the new EL, 'cause for me speed counts when you have over 100 gigs of stuff ;)

cheers:blink:


After 10 minutes

Took me 20 sec to install it!!! That's fasttttt compared to AE, which took more than 10 minutes on my system!! Just checking it and it seems to be doing the same job (I read your remark, Erik, about AE checking its protected files).

btw: does ExeLockdown.v5.01 also belong to HDS? I can't locate it on their web site.
     
    Last edited: Jun 3, 2008
  22. Chris12923

    Chris12923 Registered Member

    Joined:
    May 31, 2004
    Posts:
    1,097
5.01 that you're asking about is a previous build that has been discontinued. It used more of the whitelist approach like AE does and took forever to scan the PC again like AE does. At the moment I have to say of course AE is better. They have had plenty of time to fix their bugs. I would think the first build of the first version would not have been too hard to get around with some time to try some things, just like we found with Executable Lockdown. It's the first version, first build besides beta. I mean, again, look at Microsoft: they still have bugs and have been around for years. It's inevitable. Give Executable Lockdown a little while and it'll be rock solid as AE is.

    Thanks,

    Chris

P.S. I should add when I say better I mean probably fewer bugs, fewer security vulnerabilities and the like. I mean Executable Lockdown is waayy faster, so AE is definitely not better there. We'll see in time. Right now EL is on my PC; I'll grow with it and hopefully it will grow with me.
     
    Last edited: Jun 3, 2008
  23. Chris12923

    Chris12923 Registered Member

    Joined:
    May 31, 2004
    Posts:
    1,097
So you see XXX has some bad programming too, as seen above. This is what I'm getting at: there will always be bugs. But some people act like their programs have no bugs and they will run perfectly all the time. This is just not true.

    Thanks,

    Chris
     
  24. demoneye

    demoneye Registered Member

    Joined:
    Dec 30, 2007
    Posts:
    1,356
    Location:
    ISRHell
10x Chris, we will look forward and see what will become of EL :D
As far as I notice, HDS makes fast products like RB ...

    cheers
     
  25. Chris12923

    Chris12923 Registered Member

    Joined:
    May 31, 2004
    Posts:
    1,097
    Yes they try to make fast products and also good products but sometimes it takes more work to make both happen. I think this is why sometimes there are more bugs at first but eventually they'll get both fast and good with very little bugs. Rollback is near perfect for me now so the bugs are getting fewer already.

    Thanks,

    Chris
     