Faronics Anti-Executable instead of a HIPS?

Discussion in 'other anti-malware software' started by [suave], Dec 10, 2006.

Thread Status:
Not open for further replies.
  1. [suave]

    [suave] Registered Member

    Joined:
    Apr 5, 2005
    Posts:
    218
    I've been wanting to ask this for a while now.

    Are there any Faronics Anti-Executable users here?

    Why would one choose AE over a HIPS like PG/SSM/PS.

    Let's forget about all the extra things you would get with a HIPS and just focus only on the "Execution Control". If you take a HIPS and set up your whitelist of allowed applications and then block all Changed/New applications... wouldn't that do exactly what AE does?

    From what I can tell, the HIPS would even be more secure. Here is a screenshot from the AE Demonstration Video which confuses me:

    http://img136.imageshack.us/img136/1095/aehipslm0.th.png

    Notice how the setup file was actually allowed to execute, and then got shutdown by AE after it already loaded up (blocking the installation). A HIPS like PG/SSM would have stopped the setup file dead in its tracks (really blocking the actual execution, not just the installation).

    Isn't that a security risk in AE? o_O

    I really need to hear from some AE users. Why would you choose AE over the traditional HIPS? What can AE do that a HIPS can't? What are the main differences between the two? o_O

    Am I right by thinking AE is used to control the execution of untrusted applications? Because it seems to me that a HIPS handles execution control more securely, more efficiently and more logically. Which makes me wonder if there is something I am not seeing here... :blink:
     
  2. Rmus

    Rmus Exploit Analyst

    Joined:
    Mar 16, 2005
    Posts:
    3,943
    Location:
    California
    Hello Suave,

    I've used AE since its inception because

    1) I wanted a simple anti-execution program that would deny by default and

    2) a program that I knew would be compatible with Deep Freeze (also by Faronics). Many programs today wander about deep at the Kernel level, and there are known conflicts between programs.

    I haven't kept up with the latest HIPS stuff, but my understanding of earlier such programs is that yes, execution control is one of their functions.

    My understanding of that demo is that the file was cached and blocked from running at the point that it is clicked. The message box shows the attempted extraction of the .dll file. Here is a similar occurrence:

    http://www.urs2.net/rsj/computing/tests/netsky/dll.gif

    But you might correspond with Faronics Support for a clarification of that.

    As indicated above, I like AE because it is simple, and default denies everything unauthorized. I don't think AE does anything that a HIPS can't, but for me, the HIPS programs are too complicated and bothersome to fiddle with. With AE and Deep Freeze I just go about my daily work without worries or interruptions.

    During my trial period with AE I ran my own tests and concluded that AE does its job as it is supposed to. I later added other malware tests. Here are some of them:

    AE tests


    regards,

    -rich
     
  3. BlueZannetti

    BlueZannetti Administrator

    Joined:
    Oct 19, 2003
    Posts:
    6,590
    I have had it running on one system at home for a few months now.

    When I initially tried it over a year ago, that system was in a state of flux with applications being installed/tested frequently and it was an exercise in frustration disabling/enabling it. That system is now fairly static, so I decided to give it another try, and it runs quite fine.

    There are no on-the-fly decisions to be made, it is default deny with no options to allow execution dynamically. The only notifications received are that "X has been denied" or whatever has been customized.

    Basically yes. The main difference is that AE creates a comprehensive white list at installation and augments it with any program installed or placed on the machine when it is disabled.

    Not really. It is similar to a situation I run into if I'm in a hurry and forget to disable AE - I have a separate downloads drive. All of those executables were online when AE was installed. Depending upon how they are put together, if they run as a single standalone exe, they will run (they're on the whitelist after all). However, recall where event trapping typically occurs - it's at the file open state. Opening a non-whitelisted executable will be trapped and basically terminate the whole operation. If the download is a pure standalone application, it will run fine.

    Why? Usage is simple, straightforward, and clean. It's not that AE can do more than a HIPS, it can't. That, in fact, is its power. You don't have all those options that are possible with HIPS; those options which, when you get down to it, are sometimes not understandable. It's simple - an application is either on the whitelist or not, and that is established at installation time by a comprehensive system scan. If it is, it runs; if it's not, you can't open the file.

    AE doesn't control execution of untrusted applications, it simply disallows opening of any non-whitelisted application. No decision to be made, default deny. No dynamic decisions to be made, you must disable AE to open that application. If AE is set up with password protection, and you don't know that password, execution will not be happening - fairly simple.

    It is a very straightforward solution as long as the installed application base of the machine is reasonably static.

    Blue
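
    The default-deny model Blue describes (whitelist built by a scan at install time, no dynamic allow prompts, new files only admitted while protection is disabled, the check happening at file open before anything runs) can be sketched as a small policy simulator. This is an added example, not Faronics' code; it assumes executables are identified by a content hash and uses a constructed in-memory "filesystem" in place of real disks.

```python
import hashlib
from dataclasses import dataclass, field


def fingerprint(content: bytes) -> str:
    """Identify a binary by its content hash (assumption: AE's real identity check is not public)."""
    return hashlib.sha256(content).hexdigest()


@dataclass
class AntiExecutable:
    """Toy model of AE policy: snapshot allowlist, default deny, augment only while disabled."""
    filesystem: dict                                # path -> bytes; constructed stand-in for the disk
    allowlist: dict = field(default_factory=dict)   # path -> fingerprint captured by the scan
    enabled: bool = True

    def install(self) -> int:
        # Installation scans the whole machine: everything present is whitelisted, IE included.
        self.allowlist = {p: fingerprint(c) for p, c in self.filesystem.items()}
        self.enabled = True
        return len(self.allowlist)

    def disable(self) -> None:
        # The only way to admit new software: protection off, no per-file prompt exists.
        self.enabled = False

    def enable(self) -> int:
        # Re-enabling re-scans, so anything installed or placed on disk while off is now trusted.
        self.allowlist = {p: fingerprint(c) for p, c in self.filesystem.items()}
        self.enabled = True
        return len(self.allowlist)

    def open_executable(self, path: str) -> tuple[bool, str]:
        """The file-open trap: decided before the binary runs, no dynamic allow."""
        if not self.enabled:
            return True, "protection disabled"
        if path not in self.filesystem:
            return False, "no such file"
        expected = self.allowlist.get(path)
        if expected is None:
            return False, f"{path} has been denied (not on whitelist)"
        if expected != fingerprint(self.filesystem[path]):
            return False, f"{path} has been denied (changed since whitelisting)"
        return True, "allowed"


if __name__ == "__main__":
    disk = {"C:/Program Files/firefox.exe": b"MZ firefox", "D:/Downloads/tool.exe": b"MZ tool"}
    ae = AntiExecutable(disk)
    ae.install()
    disk["D:/Downloads/new.exe"] = b"MZ new download"      # arrives after installation
    print(ae.open_executable("D:/Downloads/tool.exe"))      # on the whitelist: allowed
    print(ae.open_executable("D:/Downloads/new.exe"))       # not on the whitelist: denied
```

The "changed since whitelisting" branch is the part a HIPS user would expect and the thread does not settle for AE; it is included here to show what the hash-based identity assumption buys.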
     
  4. Bubba

    Bubba Updates Team

    Joined:
    Apr 15, 2002
    Posts:
    11,271
    The thread below has some user comments concerning this program.

    This thread---> Faronics Anti-Executable

    Bubba
     
  5. [suave]

    [suave] Registered Member

    Joined:
    Apr 5, 2005
    Posts:
    218
    Good links guys thanks. :thumb:

    I see now that AE allows execution for everything on the system (at the time of its installation) without the option to change this.

    So it will allow a program like internet explorer even if you want the user to only be allowed to use firefox.

    Is that right?

    So it's basically like this:

    1) Install AE (Everything on the computer is whitelisted)
    2) No new executables will be allowed to run (while the protection is active)
     
  6. BlueZannetti

    BlueZannetti Administrator

    Joined:
    Oct 19, 2003
    Posts:
    6,590
    Basically yes. You can exempt designated folders and a few things like that, but (1) and (2) capture the essential flavor.

    Blue
     