Faronics Anti-Executable v3 Beta

Discussion in 'other anti-malware software' started by trjam, May 22, 2008.

Thread Status:
Not open for further replies.
  1. Rmus

    Rmus Exploit Analyst

    Joined:
    Mar 16, 2005
    Posts:
    3,989
    Location:
    California
    How often do you use scripts on your system?

    It seems to me that your XP-antispy is a workable solution. Just keep a shortcut to it handy
    to re-enable WSH when you want to use a local script.


    --
     
  2. EASTER

    EASTER Registered Member

    Joined:
    Jul 28, 2007
    Posts:
    9,071
    Location:
    U.S.A. (South)
    OK, I see what your chief concern is, the proverbial REMOTE script attack through the browser. A very valid concern, more so for IE users I think than others, but then FF is beginning to feel the heat now since so many users ran like a rabbit over to it for security some time ago, and yet they still seem extremely cautious of it. Well, unfortunately or not, that's the nature of the internet's Windows way and is the open avenue for introducing all sorts of REMOTE entry where they are discovered then implemented to create maximum disruption.

    EASTER
     
  3. Cerxes

    Cerxes Registered Member

    Joined:
    Sep 6, 2005
    Posts:
    581
    Location:
    Northern Europe
    You can control the execution of scripts by using SRP and then only allow the "good" scripts by creating a certificate rule, so that you can only execute scripts signed with a particular certificate. Another way is forcing wscript.exe and cscript.exe to run sandboxed in Sandboxie.

    /C.
     
  4. Rmus

    Rmus Exploit Analyst

    Joined:
    Mar 16, 2005
    Posts:
    3,989
    Location:
    California
    No, only non-browser scripts here. Such as the USB exploits I've mentioned.

    How else is a user susceptible to script files -- like the finjan.vbs file -- being executed remotely?

    If the threat is minimal to non-existent, is there any need for a script blocking program?

    For example, USB exploits are easily blocked by disabling AutoRun for the drive. No need for a separate program to block the script if the Autorun.inf file can't execute its commands.

    Thanks for the alternative suggestions.


    ---
     
  5. lucas1985

    lucas1985 Retired Moderator

    Joined:
    Nov 9, 2006
    Posts:
    4,047
    Location:
    France, May 1968
    Correct :)
    You can whitelist your good scripts using a digital certificate or their cryptographic hash and deny the rest.
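    The settings the posters rely on instead of a separate script blocker (SRP rules, the WSH toggle that XP-Antispy flips, and AutoRun) can be audited from PowerShell. The script below is an added example, not code from the thread or from Faronics; it is read-only, and the SRP level subkey names (0, 131072, 262144) and the script-extension list it checks are assumptions about how SRP stores its policy in the registry.

```powershell
# Added example: read-only audit of WSH, AutoRun and SRP settings discussed above.
# Assumed: SRP level subkeys 0 = Disallowed, 131072 = Basic User, 262144 = Unrestricted.
function Get-RegValue($Path, $Name) {
    try { (Get-ItemProperty -Path $Path -Name $Name -ErrorAction Stop).$Name }
    catch { $null }   # key or value absent
}

function Test-ScriptHostSetting {
    # Enabled = 0 is the "disable WSH" switch; wscript.exe/cscript.exe refuse to run scripts.
    $v = Get-RegValue 'HKLM:\SOFTWARE\Microsoft\Windows Script Host\Settings' 'Enabled'
    [pscustomobject]@{ Setting = 'Windows Script Host'; Value = $v; Hardened = ($v -eq 0) }
}

function Test-AutoRunSetting {
    # 0xFF disables AutoRun for every drive type, so Autorun.inf on a USB stick is ignored.
    $v = Get-RegValue 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer' 'NoDriveTypeAutoRun'
    [pscustomobject]@{ Setting = 'AutoRun'; Value = $v; Hardened = ($v -eq 0xFF) }
}

function Get-SrpSummary {
    $base  = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers'
    $level = Get-RegValue $base 'DefaultLevel'
    $types = Get-RegValue $base 'ExecutableTypes'
    $names = @{ 0 = 'Disallowed'; 131072 = 'Basic User'; 262144 = 'Unrestricted' }
    $rules = foreach ($k in Get-ChildItem $base -ErrorAction SilentlyContinue) {
        $lvl = $k.PSChildName -as [int]
        if ($null -eq $lvl) { continue }                       # not a level subkey
        foreach ($kind in 'Paths', 'Hashes') {
            $n = (Get-ChildItem (Join-Path $k.PSPath $kind) -ErrorAction SilentlyContinue | Measure-Object).Count
            if ($n) { '{0} {1} rule(s) -> {2}' -f $n, $kind.ToLower(), $names[$lvl] }
        }
    }
    [pscustomobject]@{
        DefaultLevel   = if ($null -ne $level) { $names[[int]$level] } else { 'not configured' }
        # SRP only evaluates extensions listed in ExecutableTypes; unlisted script types bypass it.
        ScriptsCovered = @('VBS', 'VBE', 'JS', 'JSE', 'WSF', 'WSH') | Where-Object { $types -contains $_ }
        Rules          = $rules
    }
}

function Get-ScriptWhitelistHash($Path) {
    # Hash to record when allow-listing a known-good local script by its cryptographic hash.
    (Get-FileHash -Path $Path -Algorithm SHA256).Hash
}

Test-ScriptHostSetting; Test-AutoRunSetting; Get-SrpSummary | Format-List
```

    Run it from an elevated prompt only if you want to read the HKLM policy keys; nothing is written.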
     
  6. EASTER

    EASTER Registered Member

    Joined:
    Jul 28, 2007
    Posts:
    9,071
    Location:
    U.S.A. (South)
    Ok then, we're focusing on either physical access to your machine or a rogue placement on a user's USB they take home and plug into their unit. Then yes, that particular exploit needs to be prevented in advance, of course.

    Funny you should mention the Finjan.vbs test; that poor thing doesn't stand a chance against the HIPS (EQS) when all the parameters are set to BLOCK, such as Desktop and/or My Documents plus wherever it tries to copy from. But I know we're not talking HIPS here, as formidable as this one really is, but more on Faronics' Anti-Executable in keeping with this topic.

    Similar in a way to those running just LUA: that's fine and dandy against dll injections or some Low-Level Disk Access and drivers, but doesn't stop all userland executables from firing. Now a combo of LUA w/ AE might be ideal basic coverage should a user expect the worst from their travels.

    EASTER
     
  7. Rmus

    Rmus Exploit Analyst

    Joined:
    Mar 16, 2005
    Posts:
    3,989
    Location:
    California
    I suggest we eliminate the physical access one for this discussion.

    That leaves the USB one, which is easily prevented by other means already discussed.

    Since you haven't come up with other means of exploitation (I also can't find any current ones), in the interest of running with as few security programs as necessary, I propose that there is no need for a separate script blocking program. Certainly not those that have been mentioned here, which are of no use to the USB type of attack.

    But I'm open to a change of mind in the event that other types of attacks seem probable.

    The past loveletter types of attacks via .vbs email attachment certainly need no comment in a forum like this.

    For browser scripts, there are ways to disable those within the browser.

    After perusing the other LUA thread about needing something more, I think this is an ideal combination.

    I'm waiting to hear back from tlu about a couple of matters regarding LUA.

    ---
     
  8. Thankful

    Thankful Savings Monitor

    Joined:
    Feb 28, 2005
    Posts:
    5,763
    Location:
    New York City
    Has anyone heard when a new version correcting the Firefox 3 problem will be released?
     