Faronics Anti-Executable Version 4 is Released

Discussion in 'other anti-malware software' started by Rmus, Feb 17, 2011.

Thread Status:
Not open for further replies.
  1. Rmus

    Rmus Exploit Analyst

    Joined:
    Mar 16, 2005
    Posts:
    3,943
    Location:
    California
    The most significant change from Version 3 is the inclusion of DLL protection. Upon installation, Anti-Executable (AE) creates a White List of the following executable file types by default:

    .scr, .jar, .bat, .com, .exe.

    There is the option to include .dll files.

    A word on executables:

    By strict definition, an executable file can be a binary file (EXE, DLL, etc) or an ASCII file, aka a script file (BAT, VBS). An executable file "executes" code, carries out instructions.

By convenience, we use "executable" for binary files, and "script" for the ASCII or plain text files. AE has added a script file type, .bat, to the list of executables it monitors.

    Anti-Executable's sole purpose in life is to block these executables from running from disk if not on the White List.

    I've had a chance to run a few tests -- WinXP SP3.

    Remote Code Execution - Autoplay/Autorun from CD-ROM
If Autoplay/Autorun is enabled for the CD/DVD drive and attempts to launch the executable, which is not on the White List, AE will alert:

[screenshot: ae-CD-admin.gif]

    Note the Alert message and compare with the following:

[screenshot: ae-CD-user.gif]

    The first is the Alert message that the AE Administrator and her/his trusted users see.
    The second is what all other users, called "external" users, see.
    It is completely Default-Deny so that these users cannot run any executable without your permission.

    This would also alert a user if certain music CDs happened to have certain types of (ahem, unwanted) software bundled...

    Remote Code Execution - Browser Exploit - IE8
    A quick search found this -- I think it is a Java exploit since my firewall alerted to an outbound connection:

[screenshot: ae-ie2.gif]

    Tests continued in next post

    Last edited: Feb 17, 2011
  2. Rmus

    Rmus Exploit Analyst

    Joined:
    Mar 16, 2005
    Posts:
    3,943
    Location:
    California
    AE4 Tests Continued

    Remote Code Execution -- LNK vulnerability - POC
    The DLL file is blocked from executing.

[screenshot: ae-dll-POC.gif]

    Note the program executing: rundll32.exe.
By accident I discovered that IExplore.exe can also trigger the exploit, as I saw when uploading a file to VirusTotal. As IE browses to the Desktop, the specially crafted LNK file is triggered. Note the program executing.

[screenshot: ae-dll-ie2.gif]

    NOTE: If you followed this exploit last year, you know that the LNK file has to point directly to the target. To see an actual exploit in the wild in action, you would need the particular USB drive with the specific files pointing to that particular drive by ID number. Hence, the POC requires putting the DLL on C: so that the LNK file can find it. It's the only way of demonstrating the vulnerability.

    Remote Code Execution - email attachment -- embedded executable, SCR file
    This SCR file is triggered by packager.exe, a trusted Windows file, which extracts the "package" -- in this case, an executable.

[screenshot: ae-rtf.gif]

    Remote Code Execution from USB -- Autorun.inf
    Autorun from USB has been fixed but I use it as an easy way to demonstrate the remote code execution type of exploit. It could be a PDF file or Flash object.

    I renamed a non-whitelisted executable to .tmp to show that AE doesn't just look at file extensions:

    Code:
    [autorun]
    open=xc4.tmp
[screenshot: ae-autorun.gif]


    Here, I have the autorun.inf file call a .bat file:

    Code:
    [autorun]
    open=1.bat
    The BAT file:

    Code:
    start xc4.tmp
[screenshot: ae-bat.gif]

    The AE4 Release notes indicate that certain file types bring up a Windows Alert rather than the AE alert.

    CONCLUSION:

    If you are looking for a stand-alone anti-execution program, AE4 is very robust and easy to set up. While aimed at organizations and institutions, I've used it for home systems for years because of its ease of use, and its Default-Deny.

If you decide to download an evaluation copy, please be sure and read the User Manual FIRST -- especially the instructions on how to open the configuration window, and how to uninstall the program!

    The User Manual comes with the installation file, and can also be downloaded separately.

    regards,

    -rich
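The renamed-executable and autorun.inf tests in the two posts above hinge on one point: an anti-execution tool has to recognise a binary by its contents, not by its extension. The script below is an added example written for this thread, not Faronics code and not a description of how AE actually works internally. It classifies a file as EXE or DLL by parsing the MZ/PE headers, treats .bat as a script (batch files have no magic bytes, so the extension is all there is), keys its White List on SHA-256 hashes (my choice of whitelist key, not something the thread states about AE), and follows the `open=` line of an autorun.inf to the file that would actually be launched. The PE byte blobs and autorun.inf text are constructed in the code.

```python
"""Content-based execution check (added example, not Faronics code).

Demonstrates why a Default-Deny tool must identify binaries by the MZ/PE
headers rather than by extension: xc4.tmp is still an EXE, and a DLL
renamed to .tmp is still a DLL. The whitelist is keyed on SHA-256 (an
assumption of this demo, not a statement about AE's implementation).
"""
import hashlib
import struct
from typing import Dict, Optional, Tuple

IMAGE_FILE_DLL = 0x2000          # COFF Characteristics flag: image is a DLL
PE_SIGNATURE = b"PE\0\0"
SCRIPT_EXTENSIONS = (".bat",)    # AE4's default script type from the thread


def classify(name: str, data: bytes) -> str:
    """Return 'exe', 'dll', 'script' or 'other'. Binaries are judged by content."""
    if len(data) >= 0x40 and data[:2] == b"MZ":
        (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)   # offset of PE header
        if e_lfanew + 24 <= len(data) and data[e_lfanew:e_lfanew + 4] == PE_SIGNATURE:
            # COFF header follows the 4-byte signature; Characteristics is at +18
            (characteristics,) = struct.unpack_from("<H", data, e_lfanew + 4 + 18)
            return "dll" if characteristics & IMAGE_FILE_DLL else "exe"
        return "exe"    # MZ without a PE header: a DOS-era executable
    if name.lower().endswith(SCRIPT_EXTENSIONS):
        return "script"
    return "other"


def decide(name: str, data: bytes, allowed: set) -> Tuple[str, str]:
    """Default-Deny: anything executable that is not whitelisted is blocked."""
    kind = classify(name, data)
    if kind == "other":
        return ("allow", kind)      # data file; the launched target is what gets gated
    digest = hashlib.sha256(data).hexdigest()
    return ("allow" if digest in allowed else "block", kind)


def autorun_open_target(inf_text: str) -> Optional[str]:
    """Return the program named by open= in the [autorun] section, if any."""
    section = None
    for line in inf_text.splitlines():
        line = line.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].lower()
            continue
        if section == "autorun" and "=" in line:
            key, _, value = line.partition("=")
            if key.strip().lower() == "open":
                return value.strip().split()[0]     # drop command-line arguments
    return None


def build_min_pe(is_dll: bool) -> bytes:
    """Construct a minimal MZ/PE header (not loadable; enough to classify)."""
    e_lfanew = 0x80
    dos = bytearray(e_lfanew)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, e_lfanew)
    chars = 0x0102 | (IMAGE_FILE_DLL if is_dll else 0)   # EXECUTABLE_IMAGE | 32BIT_MACHINE
    coff = struct.pack("<HHIIIHH", 0x14C, 1, 0, 0, 0, 0, chars)  # Machine=i386
    return bytes(dos) + PE_SIGNATURE + coff


def run_demo() -> Dict[str, Tuple[str, str]]:
    """Replay the thread's cases against a whitelist holding one trusted EXE."""
    files = {                                        # all constructed sample data
        "xc4.tmp": build_min_pe(False),              # non-whitelisted EXE renamed to .tmp
        "1.bat": b"start xc4.tmp\r\n",               # the batch file from the thread
        "ae.tmp": build_min_pe(True),                # a DLL with a spoofed extension
        "trusted.exe": build_min_pe(False) + b"\0",  # whitelisted at install time
        "autorun.inf": b"[autorun]\r\nopen=xc4.tmp\r\n",
    }
    allowed = {hashlib.sha256(files["trusted.exe"]).hexdigest()}
    results = {name: decide(name, data, allowed) for name, data in files.items()}
    target = autorun_open_target(files["autorun.inf"].decode())
    results["autorun->" + target] = decide(target, files[target], allowed)
    return results


if __name__ == "__main__":
    for name, (verdict, kind) in run_demo().items():
        print(f"{name:20s} {kind:7s} {verdict}")
```

Run it and the renamed EXE, the batch file, and the spoofed DLL all come back `block`, while autorun.inf itself is `allow` because it is data; what matters is the xc4.tmp it points at. Note the DLL case is only what this demo does with content checking, not a claim about AE4's own handling of renamed DLLs, which Rmus reports on later in the thread.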
     
  3. Noob

    Noob Registered Member

    Joined:
    Nov 6, 2009
    Posts:
    6,468
    Sounds like SRP :D
     
  4. Rmus

    Rmus Exploit Analyst

    Joined:
    Mar 16, 2005
    Posts:
    3,943
    Location:
    California
    Indeed!

    I complained for years that Microsoft did not include SRP in the Home editions. That is, until I saw the tutorials by Wilders Experts Tlu, Sully, Lucy.

    I don't think it would be that easy for the average home user to set up -- perhaps this is why MS did not include it for those editions.

    Also, I understand it's a bit cumbersome to set up with DLL protection.

    regards,

    -rich
     
  5. Osaban

    Osaban Registered Member

    Joined:
    Apr 11, 2005
    Posts:
    4,214
    Thanks Rich! I'll test it on my Vista machine, besides the .dll files the last version was still buggy with Vista (it runs perfectly with XP).
     
  6. Boost

    Boost Registered Member

    Joined:
    Feb 2, 2007
    Posts:
    1,293
    Might have to try this out again!

    I ran Faronics Anti-Executable with their Deepfreeze,nothing got by that setup :D :thumb:
     
  7. Osaban

    Osaban Registered Member

    Joined:
    Apr 11, 2005
    Posts:
    4,214
Bad news installing AE V4 on my Vista Ultimate: my boot time went from 45 seconds to 4 minutes, the white list was at times accessible, at times grayed out, it blue screened while I was rebooting, and last but not least it took 5 minutes for the AE icon to appear on the tray. A real disaster. AE V3 works flawlessly on 2 XP notebooks, but I have never had any luck with Vista.
     
  8. jmonge

    jmonge Registered Member

    Joined:
    Mar 20, 2008
    Posts:
    12,883
    Location:
    Canada
this program sounds very interesting :thumb:
     
  9. Cutting_Edgetech

    Cutting_Edgetech Registered Member

    Joined:
    Mar 30, 2006
    Posts:
    4,948
    Location:
    USA
    I was looking for a data sheet on Faronics website for AE4, but i could not find one. I'm wanting to know what filetypes or extensions AE protects the user from executing malicious code.
     
  10. Rmus

    Rmus Exploit Analyst

    Joined:
    Mar 16, 2005
    Posts:
    3,943
    Location:
    California
    These are mentioned in the User Manual, which can be downloaded from the product Download page.

    I listed the filetypes in my first post.

    ----
    rich
     
  11. jmonge

    jmonge Registered Member

    Joined:
    Mar 20, 2008
    Posts:
    12,883
    Location:
    Canada
    it is similar to appguard protection
     
  12. Blackcat

    Blackcat Registered Member

    Joined:
    Nov 22, 2002
    Posts:
    4,010
    Location:
    Christchurch, UK
    Would be great if Rmus has the time to put AppGuard through some similar tests.
     
  13. CloneRanger

    CloneRanger Registered Member

    Joined:
    Jan 4, 2006
    Posts:
    4,833
    @ Rmus

    Great news regarding Faronics listening to you at long last ;) and once again including .DLL protection :thumb:

Quite they removed it before? Doesn't make much sense :(

    I detect that you're a happy chappy now :) and rightly so :thumb:

    I might even think about trying it :D
     
  14. Rmus

    Rmus Exploit Analyst

    Joined:
    Mar 16, 2005
    Posts:
    3,943
    Location:
    California
    Well, I don't think my complaints carried too much weight -- I'm not connected with Faronics in any way.

    Yes, I'm happy they have reinstated DLL monitoring, however, I discovered last evening that it doesn't block DLL with a spoofed file extension. I've notified Faronics about this.

    It does block with EXE when spoofed -- I posted one test earlier in the thread.

    Regarding AppGuard -- I did test it when it was originally released, and posted to the original thread. At that time it didn't block DLL, but I assume it does now. Yes, it is a very good, robust product.

    ----
    rich
     
  15. jmonge

    jmonge Registered Member

    Joined:
    Mar 20, 2008
    Posts:
    12,883
    Location:
    Canada
    indeed my friend;)
     
  16. trismegistos

    trismegistos Registered Member

    Joined:
    Jan 29, 2009
    Posts:
    365
    Hopefully, future AE releases/updates will cover that issue.
     
  17. farmerlee

    farmerlee Registered Member

    Joined:
    Jul 1, 2006
    Posts:
    2,585
Just gave it a spin on Windows 7 64 bit and I seem to be having some issues. It seems to add a significant delay to system start up for some reason and then after a few reboots it's decided to completely freeze my system on boot up. Had to do a system restore to fix it. Anyone else experiencing similar problems?
     
  18. aigle

    aigle Registered Member

    Joined:
    Dec 14, 2005
    Posts:
    11,047
    Location:
    Saudi Arabia/ Pakistan
It doesn't still. :'(
     
  19. Cutting_Edgetech

    Cutting_Edgetech Registered Member

    Joined:
    Mar 30, 2006
    Posts:
    4,948
    Location:
    USA
    How do you make the GUI visible? I have not tried AE in years. Clicking on the tray icon does nothing.
     
  20. Thankful

    Thankful Savings Monitor

    Joined:
    Feb 28, 2005
    Posts:
    3,731
    Location:
    New York City
    Try <Shift> double-click mouse.
     
  21. Blackcat

    Blackcat Registered Member

    Joined:
    Nov 22, 2002
    Posts:
    4,010
    Location:
    Christchurch, UK
    Hold down the Shift Key then double-click on the tray icon.

    Remember to keep hold of the installer file or you will not be able to uninstall the program.
     
  22. Thankful

    Thankful Savings Monitor

    Joined:
    Feb 28, 2005
    Posts:
    3,731
    Location:
    New York City
    Version 3 was very buggy. I'm sure version 4 is the same. Not worth $45 plus maintenance IMO.
     
  23. Cutting_Edgetech

    Cutting_Edgetech Registered Member

    Joined:
    Mar 30, 2006
    Posts:
    4,948
    Location:
    USA
    Thanks guys that worked! :)
     
  24. Rmus

    Rmus Exploit Analyst

    Joined:
    Mar 16, 2005
    Posts:
    3,943
    Location:
    California
    Hello, Thankful,

I used Version 3, and am currently using Version 4, on WinXP SP3 with no issues. Did you contact Faronics Support?

    regards,

    -rich

     
  25. Thankful

    Thankful Savings Monitor

    Joined:
    Feb 28, 2005
    Posts:
    3,731
    Location:
    New York City
    Yes, many times.
     