Faronics Anti-Executable?

Discussion in 'other security issues & news' started by ErikAlbert, Mar 11, 2006.

Thread Status:
Not open for further replies.
  1. ErikAlbert

    ErikAlbert Registered Member

    Joined:
    Jun 16, 2005
    Posts:
    9,455
    Correct me if I'm wrong, I'm just trying to catch the philosophy behind this software.

    From my understanding, this software scans your computer first for executable objects and Anti-Executable (AE) recognizes more than 80 different executable object types and that results in a whitelist of all the executable objects installed on your computer at that time.

    I assume that you'd better install AE when you are absolutely sure that your computer is CLEAN, otherwise malicious executable objects will also be included in the whitelist.

    Once the whitelist is created, NO other executable objects (GOOD or BAD) can be installed on your computer, unless you install them yourself while AE is turned OFF.

    So AE is a kind of a pain, if you install/uninstall software on a regular basis.
    I also assume that you can't even install and try new software for a short period as long as AE is turned ON, not even a screensaver (.scr).

    So I still need an Anti-Virus Software.
    Will DeepFreeze remove macro viruses and malicious scripts during the next reboot?

    Am I right about this?
    DeepFreeze will allow any bad executable/non-executable object to run between two reboots, but will remove all of them during the next reboot.
    Anti-Executable will prevent installing and running any bad executable object which is not on the whitelist, while bad non-executable objects can do their job until they are removed by Anti-Virus software.
     
  2. TNT

    TNT Registered Member

    Joined:
    Sep 4, 2005
    Posts:
    948
    That is correct.

    Wrong. Executables can be "installed", but they can't be executed. You can place an executable, say, in your Windows directory, but you will not be able to launch it. Notice also, a malware that uses an exploit to make an executable behave in a way it was not intended to behave can still do damage to your system; if there is a vulnerability in, say, IE (:dry:) that can make it delete any files at will, it will be able to trash a system even if Anti-Executable is on the computer.

    Yes. You can turn anti-executable off, though.

    Yes... but 'bad non-executable' objects are not many.
     
  3. ErikAlbert

    ErikAlbert Registered Member

    Joined:
    Jun 16, 2005
    Posts:
    9,455
    TNT,
    Thanks for your reply. For now, it's enough for me to understand the basics.
    I'm trying to understand this.
    Are you trying to tell me that a good executable file can be abused by another malicious object and let it do bad things?
     
  4. TNT

    TNT Registered Member

    Joined:
    Sep 4, 2005
    Posts:
    948
    Yes. That's the basic concept of an exploit: you "give" the executable data that makes it behave in a (harmful) way it was not intended to behave. Of course, the 'good' executable must be vulnerable.

    That's why AE can protect you from malicious executables, but not from exploits.
     
  5. ErikAlbert

    ErikAlbert Registered Member

    Joined:
    Jun 16, 2005
    Posts:
    9,455
    Thanks, that seems to be a very nasty one.
     
  6. TNT

    TNT Registered Member

    Joined:
    Sep 4, 2005
    Posts:
    948
    What does? o_O
     
  7. ErikAlbert

    ErikAlbert Registered Member

    Joined:
    Jun 16, 2005
    Posts:
    9,455
    I don't understand what you mean by this question.
    When malicious objects are abusing good executable files and can harm your system or even delete your personal files, I find that very nasty.
    How can you remove these exploits?
     
  8. Devil's Advocate

    Devil's Advocate Registered Member

    Joined:
    Feb 5, 2006
    Posts:
    549
    Exploits.

    I suspect it's darn hard to make any good piece of software do exactly what the attacker wants, exploit or no exploit, particularly if it is something sneaky that the original program isn't designed to do.

    Or so it seems to me, since most exploits we make a big deal about are used to download and execute another foreign exe planted by the attacker... So Anti-Executable and its cousins do help indirectly. Or maybe it's because these guys are weak?

    To prevent the "trash your computer" scenario, I guess you need some kind of file permissions thingie so even the good programs cannot be tricked into deleting too much.
     
  9. TNT

    TNT Registered Member

    Joined:
    Sep 4, 2005
    Posts:
    948
    Oh, ok. Yeah, exploits are nasty but I thought that was a given. :D As for your question, you can't do MUCH apart from setting an extra layer of defense "outside" the vulnerable program, so that there's a non-exploitable "layer" that prevents the vulnerable program from doing the damage. :)

    Of course (as I said) exploits work only if the 'good' application has a vulnerability, and I'd say the vast majority of these are because the programmers did not bother to 'filter' the data that's passed to the application:

    http://www-128.ibm.com/developerworks/linux/library/l-sp2.html
    http://www.owasp.org/documentation/topten.html
     
  10. ErikAlbert

    ErikAlbert Registered Member

    Joined:
    Jun 16, 2005
    Posts:
    9,455
    Well, I can't delete any file on my computer without confirming it.
    Are these malicious programs able to override this confirmation when they delete a file?
     
  11. TNT

    TNT Registered Member

    Joined:
    Sep 4, 2005
    Posts:
    948
    No, it's not that hard, actually, especially because any skilled attacker knows exactly where and how the most common mistakes are.
     
  12. TNT

    TNT Registered Member

    Joined:
    Sep 4, 2005
    Posts:
    948
    That was a "theoretical" exploit scenario, but yes. :D
     
  13. ErikAlbert

    ErikAlbert Registered Member

    Joined:
    Jun 16, 2005
    Posts:
    9,455
    So I guess a "format C:" or "format D:" is also easy to do for these malware programs.
    I guess only a regular backup can save me from malicious deleting of objects and formatting of one or more hard disks. Pffft.
     
  14. TNT

    TNT Registered Member

    Joined:
    Sep 4, 2005
    Posts:
    948
    Hmmm... let's not mix up exploits with 'malware'; and more, the question here is, why would one want to create a malware that only has that kind of destructive behavior anyway?
     
  15. Peter2150

    Peter2150 Global Moderator

    Joined:
    Sep 20, 2003
    Posts:
    17,039
    Faronics' AE works as has been described above and, as stated, if Program.exe is allowed to run, it can be abused.

    But there are other programs available that can prevent that. For example, if you start program.exe by clicking on it on your desktop, then Explorer.exe is actually starting program.exe. With AE, Badprogram.exe could also possibly start program.exe, but some other protection programs don't just give program.exe permission to run; it only has permission to run when started by explorer.exe, so badprogram.exe couldn't start it.

    So as not to hijack this thread I am not mentioning names of the other programs, but they are discussed in these forums.

    Pete
     
  16. SpikeyB

    SpikeyB Registered Member

    Joined:
    Mar 20, 2005
    Posts:
    478
    I've only got limited experience of AE so I'm just wondering about some of the things that have been stated. Can the exe's on the white list really be abused? In the AE manual it states
    Presumably, an exe on the white list but not on the trusted list can't open and modify other executables. Doesn't this mean that exe's on the list can't just do whatever they want? For example, on the machine I saw it installed on, you couldn't run a disk defrag until the defrag exe had been put on the trusted list.

    Also, AVG couldn't update until a specific folder had been added to the exempted folder list.
    I guess you can create a special folder and exempt it so you can test out software by installing it to and running it from your special exempted folder.

    Also:
    I guess that this means that IE for example can't just delete all your files and trash your system.

    I don't know the answers, I'm just guessing but that's the way it looks to me.
     
  17. TNT

    TNT Registered Member

    Joined:
    Sep 4, 2005
    Posts:
    948
    As I said, AE will NOT stop exploits. An exploit is a way to abuse a "good" executable; AE or Process Guard won't stop the exploits, they will just stop a malware if it gets on your system through the exploit. If there is an exploit on a whitelisted executable, there's nothing that AE can do to prevent it. If one can instruct IE (or any whitelisted executable) to delete files, AE will not prevent this.
     
  18. SpikeyB

    SpikeyB Registered Member

    Joined:
    Mar 20, 2005
    Posts:
    478
    Doesn't this just mean that IE could be instructed to delete files? However, IE can't delete the files because the file deletion option within AE is enabled? Just curious.

    Edit: OK, I'm with you TNT. The deletion prevention only stops deletion of executables, so it could delete your documents.

     
  19. TNT

    TNT Registered Member

    Joined:
    Sep 4, 2005
    Posts:
    948
    What's the file deletion option in AE? o_O As far as I remember from it, what AE does is just block the execution of executables that are not whitelisted (or that have been changed since the whitelisting).
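    A toy model of the two controls this thread describes: the whitelist-with-change-detection TNT mentions above (block anything not whitelisted, or changed since whitelisting) and the parent-process rule from Peter2150's post (program.exe may run only when explorer.exe starts it). This is an added example, not Faronics' or any product's code; the file names, the hash-based change check and the constructed disk contents are assumptions.

```python
import hashlib


def sha256(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


class ExecPolicy:
    """Toy whitelist + parent-process policy; hypothetical, not AE's real logic."""

    def __init__(self):
        self.whitelist = {}     # exe name -> hash recorded at whitelisting time
        self.parent_rules = {}  # exe name -> set of parents allowed to launch it

    def whitelist_scan(self, files):
        # Baseline scan: everything present is trusted, malware included if
        # the machine was not clean, which is the caveat raised in post 1.
        for name, data in files.items():
            self.whitelist[name] = sha256(data)

    def require_parent(self, name, parents):
        self.parent_rules[name] = set(parents)

    def check(self, name, data, parent=None):
        """Return (allowed, reason) for a launch attempt of `name` by `parent`."""
        if name not in self.whitelist:
            return False, "not whitelisted"
        if self.whitelist[name] != sha256(data):
            return False, "changed since whitelisting"
        allowed = self.parent_rules.get(name)
        if allowed is not None and parent not in allowed:
            return False, f"parent {parent} not permitted"
        return True, "ok"


def demo():
    # Constructed disk contents at scan time; preexisting.exe stands in for
    # something undesirable that was already present when the scan ran.
    disk = {"explorer.exe": b"EXPLORER", "program.exe": b"PROGRAM v1",
            "preexisting.exe": b"ALREADY HERE"}
    policy = ExecPolicy()
    policy.whitelist_scan(disk)
    policy.require_parent("program.exe", ["explorer.exe"])
    return {
        "new_exe": policy.check("badprogram.exe", b"DROPPED"),
        "modified": policy.check("program.exe", b"PROGRAM v2", "explorer.exe"),
        "bad_parent": policy.check("program.exe", b"PROGRAM v1", "badprogram.exe"),
        "good_parent": policy.check("program.exe", b"PROGRAM v1", "explorer.exe"),
        "baseline_malware": policy.check("preexisting.exe", b"ALREADY HERE"),
    }
```

    The last case shows why the thread stresses scanning a clean machine: a whitelist cannot tell a bad file that was already present from a good one.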
     
  20. SpikeyB

    SpikeyB Registered Member

    Joined:
    Mar 20, 2005
    Posts:
    478
    I don't know about earlier versions. The latest version which includes deletion prevention is explained in this link: http://www.faronics.com/doc/FAEStd_Manual.pdf
     
    Last edited: Mar 12, 2006
  21. TNT

    TNT Registered Member

    Joined:
    Sep 4, 2005
    Posts:
    948
    I don't remember seeing that option when I tried it. Though I might have missed it: AE didn't install properly on the computer I tried it on and it actually created quite a mess (I couldn't even uninstall it... it wouldn't accept any password). Luckily, it was not a production environment; there was definitely a conflict with something.

    The concept behind AE is interesting, but for a home user it seems to me that Process Guard does more and more useful things (other than doing many things that AE does). AE seems more right (combined with Deep Freeze) for Internet cafes or similar.
     
    Last edited: Mar 12, 2006
  22. ErikAlbert

    ErikAlbert Registered Member

    Joined:
    Jun 16, 2005
    Posts:
    9,455
    I can't answer that question.
    I never used AE in practice and my new computer isn't finished yet.

    I'm trying to solve the dangers of having an internet connection, but without blacklist scanners.

    1. DeepFreeze (and ShadowUser) don't protect you between two reboots, but they remove all malware during the next reboot and that is a much better job than AV/AS/AT/AK scanners do.
    So I have to find a solution to stop malware doing its evil job between two reboots.

    2. Anti-Executable is able to stop EXECUTABLE bad objects, but not the NON-EXECUTABLE bad objects, but most of them are executables.
    AE however doesn't protect me against exploits, macro viruses and scripts, but DeepFreeze will remove these during the next reboot.
    So AE + DF is a pretty good protection.

    3. To protect my privacy completely, I need "TrueCrypt", and whatever goes out between two reboots will be worthless for the receiver, because he can't read it.

    So the chance of getting infected is already pretty small and threats have to be very fast to do anything in 4-8 hours.
     
  23. TNT

    TNT Registered Member

    Joined:
    Sep 4, 2005
    Posts:
    948
    ErikAlbert, you might want to try a setup like this (mine is very similar):

    - To remove any malware that might have slipped through on the PC, Deep Freeze

    - To block any malware from going kernel-level (and possibly trying to subvert Deep Freeze or any other low-level process), Process Guard full with all the global protection options checked

    - To block executables from reading in folders they have nothing to read from, to block them from writing to folders they shouldn't write to, to block them from communicating with the Internet without your knowledge, or from modifying the registry in areas they shouldn't, Core Force

    - To block processes from reading in windows they don't own, SnoopFree

    - To prevent any of these from being messed with by malware, Process Guard has protection from termination and modification on most security-related software

    - Also useful: SpywareGuard, and a packet sniffer (Ethereal is great) for checking what suspect connections are actually doing.

    I also optionally use Sandboxie for fast checking of "possible" (or probable) malware without setting up a Core Force profile for it; I do use virus scanners and spyware scanners, but they never found a thing and I doubt they ever will.
     
  24. Peter2150

    Peter2150 Global Moderator

    Joined:
    Sep 20, 2003
    Posts:
    17,039
    Erik

    You will still always have one weakness this way. You will never be able to safely commit anything from the shadow mode, so you won't be able to save anything when you reboot. The reason being that you won't know if you picked up malware.

    Whenever I do what I would call at-risk online stuff, I always set up to use Rollback to get rid of the surfing snapshot. Just the other day, KAV's Web antivirus hit on something so I bailed from the page, blocking whatever it was from downloading. But I at least know something suspicious had taken place, and acted accordingly, and kept it off my machine.

    Pete
     
  25. ErikAlbert

    ErikAlbert Registered Member

    Joined:
    Jun 16, 2005
    Posts:
    9,455
    There seems to be a misunderstanding IMHO.

    1. Legitimate software I really need will be installed permanently on my hard disk without an internet connection, and once the settings are done, I will take an image backup or a snapshot.
    Will this software infect my computer? NO. Case closed.

    2. All the rest will be installed when I'm protected by DeepFreeze, ShadowUser, ... which means that this untrusted software will be removed completely after the next reboot.
    Why do I need to know how or with what I was infected between two reboots? Everything is gone after reboot.
    I just want to see and try this untrusted software without getting infected and without installing it permanently.
    If DeepFreeze, ShadowUser, VMware, ... are not able to do this, I'm finished with these products and I will go back to the classical solutions.

    OK. KAV detected an infection on your computer THIS time, maybe it won't find an infection the NEXT time.
    So KAV can't be trusted either, but after reboot I'm sure I'm clean and you are sure after rebooting with a clean snapshot.
    It's the same, the only difference is that you know there was an infection, reported by KAV, but that's because you were lucky KAV detected it.
    I don't know if I was infected and frankly, I don't care because it's gone.
    If I was infected, I probably wouldn't even notice it, because my experience with malware is very poor.

    I know you don't trust ShadowUser as I will, but there is no proof of this. SU never failed until now.
    VMware however failed once and SU will fail too in the future, but EVERY software will fail one day.
    I have the same trouble with KAV, I don't trust KAV or any other blacklist scanner and this has been proven in the past, and I'm not even talking about false positives.

    ProcessGuard is probably very safe, IF the user knows the right answers: YES or NO.
    I would be worried all the time with PG. Was I right? Was I wrong? I don't want that insecurity.

    I'm not saying that my security setup is ready: Firewall + DeepFreeze/ShadowUser + Anti-Executable + TrueCrypt.
    I'm still missing something.

    Isn't this just a matter of opinion? Wilders is FULL of different and even contradictory opinions, which is of course very annoying for me, because I don't get any straight answers, and security is a big mess IMO and all this security software is incomplete, overlapping, redundant, even unsafe, ...
     