Faronics Anti-Executable?

Discussion in 'other security issues & news' started by ErikAlbert, Mar 11, 2006.

Thread Status:
Not open for further replies.
  1. Devil's Advocate

    Devil's Advocate Registered Member

    Joined:
    Feb 5, 2006
    Posts:
    549
    It's kind of nice if you could lock in programs so they have read/write/access only to certain areas and nothing else. But most people, myself included, wouldn't know how to do it, I guess.

    Right now I have software prompting me for changes in selected registry regions, process starting, processes doing stuff to other processes, and even some limited warning of changes in certain files (win.ini for example) etc., on top of the normal signature stuff.

    I can imagine the fun it will bring, if I added Coreforce on top of it, so that even file accesses (beyond the normal permissions) are queried.


    Strange choice, SpywareGuard. We talking about Javacool's?


    COREFORCE + PG + Deepfreeze (this includes AE or does PG make this pointless?) + snoopfree?

    File/registry control, process control, backup.

    It looks solid in theory, but do you really run all this together? Or are you using Sandboxie? I presume CF has no problems with Deepfreeze?

    Well, just select "Block changed and new application" And PG works pretty much as you want. No prompts just blocking unknown. Basically all the HIPS can work like that, it learns what is normal, afterwards it blocks everything new.

    It's fun to see how ErikAlbert's initial conception of only ShadowUser (because users need simplicity) has evolved to one that is fairly complicated:
</grin_replace>
<gr_replace lines="35" cat="clarify" orig="Shadowuser+">
    ShadowUser + Anti-Executable + TrueCrypt.

    Shadowuser+ Antiexecutable + Truecrypt.

    That's actually pretty much similar to some people around here, such as Rmus's setup, except he may use a firewall.

    It's a fairly 'layered' setup, and *might* work assuming the user is disciplined, and doesn't decide to commit any changes if the tested software looks good, or decide to work on stuff before reboots.

    As always the question is one about user discipline, ErikAlbert's to be exact. Can a "less knowledgeable user" be so disciplined? I can't wait to find out in oh.... 2008ish? :)
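    As an added illustration of the learn-then-block mode described above (this is not code from the thread, nor from ProcessGuard, Core Force or Anti-Executable), here is a toy allowlist in Python: it hashes every executable found under a directory during a learning phase and, once locked, denies anything new or changed. The directory and the "executables" are constructed in a temp dir, so it runs offline.

```python
import hashlib
import tempfile
from pathlib import Path

def sha256_of(path):
    # Content hash is the identity; the path alone says nothing about what runs.
    return hashlib.sha256(Path(path).read_bytes()).hexdigest()

class ExecAllowlist:
    """Learn-then-block: everything seen while learning becomes the baseline; once
    locked, a new path or a changed hash is denied. Copying is not its concern."""
    def __init__(self):
        self.baseline = {}   # resolved path -> sha256 learned in learning mode
        self.locked = False

    def learn(self, root, patterns=("*.exe", "*.dll")):
        for pat in patterns:
            for p in Path(root).rglob(pat):
                self.baseline[str(p.resolve())] = sha256_of(p)

    def lock(self):
        self.locked = True

    def check(self, path):
        """Return (allowed, reason) for an execution request."""
        if not self.locked:
            return True, "learning"
        known = self.baseline.get(str(Path(path).resolve()))
        if known is None:
            return False, "new"        # never seen during learning
        if known != sha256_of(path):
            return False, "changed"    # same path, different content
        return True, "allowed"

def demo():
    # Constructed scenario: one baseline binary, then tampering and a drop after lock-down.
    with tempfile.TemporaryDirectory() as d:
        root = Path(d)
        (root / "app.exe").write_bytes(b"MZ original")
        policy = ExecAllowlist()
        policy.learn(root)
        policy.lock()
        baseline = policy.check(root / "app.exe")[1]
        (root / "app.exe").write_bytes(b"MZ patched")
        (root / "dropped.exe").write_bytes(b"MZ unknown")
        return {"baseline": baseline,
                "tampered": policy.check(root / "app.exe")[1],
                "new": policy.check(root / "dropped.exe")[1]}
if __name__ == "__main__":
    print(demo())
```

    The point the thread makes about discipline shows up here too: whatever is present when `lock()` is called is trusted forever, so the learning phase has to run on a known-clean machine.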
     
  2. ErikAlbert

    ErikAlbert Registered Member

    Joined:
    Jun 16, 2005
    Posts:
    9,455
    Complicated? At home yes, at work no. At work this requires only a one-time setup and that's it.
    Our users at work, work always with the same applications and don't need to install anything.

    If I would work with these 3 softwares, I know at least what I'm protected against, and I admit I don't know what is still missing. Maybe you can answer that instead of making fun of me.
    I can't say the same about blacklist scanners. What do they detect and remove exactly?
    That's impossible to know, because the number of threats is too huge.
    Do they remove everything? No, they don't. So what is so safe about scanners if you can't answer these questions?
    It's not my fault that all these security softwares are incomplete in what they do.
    And of course I change my mind constantly, because I don't find what I want.
    Did you never change your security setup? :)
     
    Last edited: Mar 14, 2006
  3. Devil's Advocate

    Devil's Advocate Registered Member

    Joined:
    Feb 5, 2006
    Posts:
    549
    An antivirus also needs only a one-time setup, with automatic scanning in realtime plus updates. :)

    So no encryption? Obviously though if you don't install anything, half the battle is won, AV or no AV.

    I already gave my answer above. It's not foolproof (nothing is), and relies a lot on your discipline, but you already knew that. You can't test that without trying....

    Bad things :)

    Can you answer the following questions about SU?

    1) How does SU work?
    2) Can it remove all changes?
    3) What if the machine crashes halfway?
    4) Can it be disabled by malware?

    What is so safe about SU if you can't answer all these questions? Particularly no 2?

    Nobody here understands how exactly ShadowUser works, and more importantly, does it really get rid of everything? I seem to recall a post somewhere where some guy claims SU didn't remove everything from a prior session... Under what conditions will it fail? It *seems* to work, just like AVs seem to work, but who knows?

    You have faith it will, of course, just like some people have faith that KAV will catch 99% of malware. That's the fate of a less knowledgeable user, Erik (that includes almost everyone), but the difference is KAV users at least have some evidence in tests that AVs work at a certain level....

    All security software is incomplete in what it does; the more familiar you get with it, the more flaws you realise. Your love affair with ShadowUser and other people's love affair with HIPS might be borne partly out of ignorance. You know *nothing* about how SU works, so you ASSUME it is perfect. The more you know about SU, assuming you can grasp the technical details, the more you will probably realise it can be beaten.

    AVs are easy to dump on because their weakness is easy to explain to non-techies. The irony is this might actually be a good thing, making users of AV cautious.

    I admit not knowing even close to 1% of how SU works compared to AVs. So obviously, it looks perfect to me.

    But understanding SU's possible weaknesses is perhaps impossible to explain to a 'less knowledgeable user', which is good for SU, because everyone thinks it's perfect.

    Similarly, imagine if you didn't know a thing about AVs and, like many people, you might think AVs can detect ALL malware regardless of signatures. Lots of people believe that actually, to my surprise. Wouldn't you just think AVs were perfect? Even if they were only 99% good?

    For all we know there is a trivial way to beat SU that could not be guarded against, but it would be impossible to explain how to a non-techie. And maybe this method can be used trivially over and over again, regardless of how SU is modified, just like how AVs can't detect stuff without signatures....

    Probably not, but do you understand enough about SU to rule this one out?

    I would rather know the limitations of what I was using, as compared to using something with a weakness that I thought didn't exist simply because I don't understand SU well enough to see where it might be weak.

    SU might look good BECAUSE you know nothing about it compared to AVs....

    Can't find what you want?

    Strange, it seems you were yelling about how you only need SU for years, certainly you know what you 'wanted.' So what put you off? Don't tell me you can't find the website of ShadowUser? Try google.com if so. :)

    Frankly I change my setup perhaps too much. But I'm under no illusion that I can get close to 100% security like you do.
     
  4. Jaws

    Jaws Registered Member

    Joined:
    Apr 4, 2005
    Posts:
    210
    DA, for the most part you seem to feign ignorance and then cleverly attack what others say. Granted you're smart and know more than I could ever hope to, but the constant mantra of being a newbie is comical in other threads.

    Having said that and without any desire to cross swords with you (I know, too late), I do somewhat enjoy reading your posts (for my amusement) and the message you send is valid, though your style is confrontational and I just don't get the adversarial approach.

    Getting on to your latest post here, excellent. You've “confronted” Erik with some tough questions that should make anybody think about this or other types of security software.

    I find Erik to be a good guy and he thinks he found the "perfect" app for himself, but these are perfectly valid questions that should be asked and answered by anyone about any software. The more knowledge a person has about -- Theory of Operation -- the better prepared that person is in dealing with outcomes that don't follow the perceived course. Just like troubleshooting a hardware problem, if you don't know how it works, the fix will not be easy. Of course, someone can luck into a fix, a not too uncommon occurrence in the automotive repair industry, but at what price.

    It's one thing to desire a minimal approach to security software and quite another to implement same without feeling uneasy with your choices. It's all too commonly seen here: I'll only use this, and later ... but I still have to use this ... this ... and this. In the end, it may come to pass that these types of software are adjuncts to the security software commonly used by most people and therefore no longer fit in with what they desired in the first place.

    Then again, what do I know, IE is my browser of choice.
     
    Last edited: Mar 14, 2006
  5. TNT

    TNT Registered Member

    Joined:
    Sep 4, 2005
    Posts:
    948
    Yes. Nothing wrong with it. Doesn't slow down the system, and it does give some extra protection.

    Yes. I occasionally turn off PG (when I have to run cygwin shell scripts, honestly, PG slows them down too much). But for regular operation, they are all running.
    I normally don't use Sandboxie for regular operations. I use it only when testing malware or sites known to have exploits. PG is not pointless, as Core Force doesn't feature some stuff that PG does (like termination/reading protection, physical memory protection), plus it has more process-related stuff that Core Force doesn't have (or has, but it takes longer to set up).

    None. They run both fine. :)
     
    Last edited: Mar 14, 2006
  6. darkjoker

    darkjoker Registered Member

    Joined:
    Apr 19, 2006
    Posts:
    2
    Currently, I'm online from an internet cafe..

    Is there, by the way, any chance to shut down the Faronics AEmanager service even if we don't know the AE password but we managed to break through Windows admin?

    I found the Faronics Anti-Executable very annoying here, as I couldn't download any executable files at all!

    CMIIW
     
  7. BlueZannetti

    BlueZannetti Registered Member

    Joined:
    Oct 19, 2003
    Posts:
    6,590
    First of all, welcome to Wilders.

    Please note, defeating legitimate system protection is not something you'll get help on here. Go elsewhere if that's your goal.

    Blue
     
  8. darkjoker

    darkjoker Registered Member

    Joined:
    Apr 19, 2006
    Posts:
    2
    Whoopsie.... :eek: :eek:
    Sorry pal, I didn't notice that before :rolleyes: so, I think I have been forgiven already :D

    So, I got some questions.
    In Faronics AE, there's an option that doesn't allow the user to copy, delete, or rename *.exe files.. but when I tried to copy some *.exe file from a neighbouring workstation, it was copied even though the pop-up saying the action is blocked was showing.. but then, the *.exe file can't be run, nor deleted.
    Is it a general bug? Or maybe the AE client here? Because I notice now that the AE client used here is still a trial & evaluation version.

    CMIIW, I'm not so good at English :cool:
     
  9. BlueZannetti

    BlueZannetti Registered Member

    Joined:
    Oct 19, 2003
    Posts:
    6,590
    darkjoker,

    Your English is fine.

    Since I don't use AE, we'll have to wait for one of the regular users to drop by for a comment. As far as the documentation is concerned, Faronics does note the following:

    I do recall a few things I encountered which seemed a little strange at the time, but made perfect sense after a while. Sounds like copy protection may not be enabled, but delete protection is likely active.

    Blue
     
  10. Rmus

    Rmus Exploit Analyst

    Joined:
    Mar 16, 2005
    Posts:
    4,020
    Location:
    California
    Anti-Executable was not designed to prevent copying across a network. I've confirmed this in tests. But Anti-Executable blocks the executable from running on the workstation.

    Why would you expect to be able to? It's not your computer.
     
  11. ErikAlbert

    ErikAlbert Registered Member

    Joined:
    Jun 16, 2005
    Posts:
    9,455
    Well said Rmus. :cool:
     