Faronics anti-Executable

Discussion in 'other software & services' started by maggie83, Jul 28, 2005.

Thread Status:
Not open for further replies.
  1. maggie83

    maggie83 Guest

  2. solarpowered candle

    solarpowered candle Registered Member

    Joined:
    Jan 9, 2003
    Posts:
    1,181
    Location:
    new zealand
  3. Rmus

    Rmus Exploit Analyst

    Joined:
    Mar 16, 2005
    Posts:
    3,943
    Location:
    California
    I use Anti-Executable. What questions do you have?

    There is more info in the Users Manual:

    http://www.faronics.com/doc/FAEStd_Manual.pdf

    That thread is about Deep Freeze

    -rich
    ________________
    ~~Be ALERT!!! ~~
     
  4. richrf

    richrf Registered Member

    Joined:
    Dec 11, 2003
    Posts:
    1,907
    Hi,

    I too would be interested in comments regarding Anti-Executable.

    Its protection seems to me to be more "absolute" in that all new updates to the system are blocked - unless you "thaw" the Anti-Executable module. However, this absolute protection, I feel, may interfere with my day-to-day work-flow, if I have to keep bringing the system in and out of "thaw" conditions. Therefore, I would be very interested in hearing real-life accounts of how Anti-Executable behaves and assimilates into real-life environments. Thanks for any info.

    Rich
     
  5. Rmus

    Rmus Exploit Analyst

    Joined:
    Mar 16, 2005
    Posts:
    3,943
    Location:
    California
    Hello Rich,

    "Turn off" is a better term, since "thawed" refers to one of the 2 states of Deep Freeze (Frozen, Thawed).

    Regarding virus updates - From p. 18 of the User Guide:
    -------------------
    Anti-Executable has been tested with many major third-party antivirus applications. When Anti-Executable is installed, it automatically detects certain antivirus applications and configures itself as required. To ensure proper operation and updating of antivirus applications, the following Anti-Executable configuration settings are recommended.
    -------------------

    It goes on to list the various programs and configuration settings and how AE automatically puts the update files into its Trusted folder.

    For updates to other programs, Turning off AE may be required if it involves executables. You'll know if AE brings up its alert box.

    Turning On/Off is done with the AE icon which resides in the SysTray, and does not require a reboot. When you turn AE back on, it auto-updates its white list to include the new program.

    It's true, you have to "turn off" AE when installing something new. I often download various tests to run, and it's about three mouse-clicks to turn off AE, then turn back on after installing.

    By the way, "absolute" is a good word, because if an executable attempts to install and AE brings up the alert box, you cannot give it permission to install. You have to cancel the install, turn off AE, then install.

    Being designed with schools and public places in mind, you can see why an administrator wouldn't want a user to have the option to continue with a download or installation. Access to the AE icon can be password protected to prevent a user from turning AE off.

    So, that is a bit tight for home use, perhaps, but Faronics did not compromise the program's security in its home (Standard) edition. But great protection in a home where all the family use one computer, and Mom or Dad give permission for any installation or download of a program, or clicking on email attachments.

    regards,

    -rich
    ________________
    ~~Be ALERT!!! ~~
     
  6. maggie83

    maggie83 Guest



    After reading the user Manual for anti-Executable this might be a must have.


    If you use anti-Executable, are there any problems?

    Is it easy to use and for a home PC?

    Maggie
     
  7. Rmus

    Rmus Exploit Analyst

    Joined:
    Mar 16, 2005
    Posts:
    3,943
    Location:
    California
    I haven't found any.

    Very easy. You install it, the White List is created, and you forget about it.

    Like any program, users should evaluate how they think such a program will help/add to their security before installing.

    EDIT: Since a "White List" is basically a permission list for any already installed executable to run, one needs to be sure that the computer is clean before installing such a program.

    -rich
    ________________
    ~~Be ALERT!!! ~~
     
    Last edited: Jul 28, 2005
  8. richrf

    richrf Registered Member

    Joined:
    Dec 11, 2003
    Posts:
    1,907
    Hi Rich,

    Very interesting and straightforward program. These types of programs usually appeal to me, because they are usually very consistent and predictable. If there are other users of this program (I have not read too much about it on this or other forums), I would be very interested in hearing if it disrupts normal workflow to any major extent. Clearly 3 clicks for a highly secured environment is easy to accommodate. In another instance, I chose Image for DOS as my image copy software for the same reasons - predictability and reliability. Thanks for bringing this software to my attention, Rich. I am looking forward to hearing more user comments.

    Rich
     
  9. Rmus

    Rmus Exploit Analyst

    Joined:
    Mar 16, 2005
    Posts:
    3,943
    Location:
    California
    Ooops... major miscalculation: it's 4 clicks :oops:

    -rich
    ________________
    ~~Be ALERT!!! ~~
     
  10. richrf

    richrf Registered Member

    Joined:
    Dec 11, 2003
    Posts:
    1,907
    May have to reconsider. ;)

    Rich
     
  11. richrf

    richrf Registered Member

    Joined:
    Dec 11, 2003
    Posts:
    1,907
    Hi Rich,

    After reading another post on this forum, I was reminded of ProcessGuard's "Block New and changed applications". This is even more strict than Anti-Executable, which is why I do not use it. It seems like Anti-Executable lives somewhere between PG's normal "Execution Protection" mode and "Block New and changed application" mode, since it will allow updates for popular AV databases.

    Rich
     
  12. Rmus

    Rmus Exploit Analyst

    Joined:
    Mar 16, 2005
    Posts:
    3,943
    Location:
    California
    Anti-Executable has similar protection: no executable on the White List can be moved, deleted, renamed, or modified.

    How this is different from PG, I'm not sure.


    -rich
    ________________
    ~~Be ALERT!!! ~~
     
  13. Rmus

    Rmus Exploit Analyst

    Joined:
    Mar 16, 2005
    Posts:
    3,943
    Location:
    California
    This is because the AV files are put in a "Trusted" folder which AE synchronizes somehow with the AV program.

    But AE will block any other executable from being changed, which I assume PG is also doing. So in that sense, AE may be just as strict as PG.

    Since you have PG, why don't you run a comparison test??!

    -rich
    ________________
    ~~Be ALERT!!! ~~
     
  14. db12

    db12 Guest

    Hi,

    I work for Faronics, and I saw these posts. I've been using Anti-Executable 2.0 from the beta in May onwards. I'm biased, so consider that, but I think I can give some insight here:

    The whitelist is automatically maintained when you "turn off" Anti-Executable. It doesn't really "turn off" so much as "allow" new executables to be installed. While "turned off", Anti-Executable adds any new executables to its encrypted whitelist that arrive on the system from that point onward. It's transparent to the user.

    When turned on, it blocks any new executable code from running. Period. No user bypass, no workarounds, nothing. It is absolutely unforgiving, by design.

    What you WILL find is that there are a small minority of applications that generate or modify executable code "on the fly" when they are run (betcha didn't know that was going on!). Anti-Virus programs, Adobe Acrobat, Quicktime, and BeyondTV are the four that I've found so far. This will be blocked initially by Anti-Executable, and you'll be told precisely what they are and where they're located. For these minority applications, they can then be added to a "trusted applications" list to allow this normal activity, at which point you won't be bothered by Anti-Executable until you get hit with something serious.

    Common Anti-Virus programs are automatically sensed at initial install, so if you've got Norton or McAfee, those will be taken care of for you.

    Basically, you install it, it scans your system, you add your 3-4 oddball apps to the trusted list, and you're done. You're now impervious to any malicious or unauthorized executable code, both known past threats and unknown future code. And your kids won't be able to install junk on your machine while you're gone.

    Does it impact workflow? There's no reboot required when turning it on or off. You just open the systray icon, give it a password, turn it off, add your new legit app, and turn it back on. Done.

    It keeps a log so you can see its effectiveness as well.
     
  15. Anonymous111

    Anonymous111 Guest

    Well, that sounds all right. How does it stand up against malicious scripts? As far as I can tell there's no protection against this in Anti-Executable, but correct me if I'm wrong... ?!
     
  16. Bite

    Bite Guest

    Thanks for the description/explanation db12. I will install later today.

    http://www.faronics.com/exe/AEStd.exe

    "Common Anti-Virus programs are automatically sensed at initial install.."

    I think this could be a weakness.
     
  17. Anonymous111

    Anonymous111 Guest

    @Bite

    - this is not supposed to "know" malware. Only stops malware from running when installed on a machine known to be clean in the first place including the A/V set of files.

    Your A/V, on the other hand, knows malware, and should be strong enough against infections in its own files.
     
  18. Anonymous111

    Anonymous111 Guest

    @db12 -

    To rephrase yesterday's question - do you know whether AE blocks malicious scripts from running?
    Would be a fantastic feature for this if it's not implemented already.

    Hope to hear from you.

    Kind regards
     
  19. Rmus

    Rmus Exploit Analyst

    Joined:
    Mar 16, 2005
    Posts:
    3,943
    Location:
    California
    AE does not block scripts.

    There are several ways of blocking scripts:

    1) from within Windows (editing the default filetype action) and

    2) a script-blocking program.

    I hope Faronics will develop such a program. It would require different analyzing engines, as for instance the separate products, WormGuard (scripts) and Process Guard (anti-execution, etc.). Although, I've often wondered why they couldn't be combined into one program.

    I'm evaluating WormGuard at the moment - it seems to be the most powerful of the ones I've tested, in that it has several script analysis engines in addition to just blocking script filetypes.

    regards,

    -rich
    ________________
    ~~Be ALERT!!! ~~
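
A toy model of the allow-list behaviour described in posts 14 and 19 above, added here as an illustration; it is not Faronics' code and was not posted in the thread. Identifying executables by SHA-256 of their bytes, the class and method names, and the sample file contents are all assumptions constructed for the example.

```python
import hashlib

class Allowlist:
    """Toy allow-list; executables are identified by SHA-256 (an assumption)."""

    def __init__(self, baseline):
        # Everything on disk at install time becomes trusted, clean or not.
        self.trusted = {self._digest(data) for data in baseline.values()}
        self.enforcing = True
        self.log = []  # (name, verdict) pairs; post 14 mentions a log

    @staticmethod
    def _digest(data):
        return hashlib.sha256(data).hexdigest()

    def turn_off(self):
        self.enforcing = False

    def turn_on(self):
        self.enforcing = True

    def request_run(self, name, data, argument=None):
        # The decision looks only at the executable image; `argument`
        # (e.g. a script handed to a script host) is never inspected.
        digest = self._digest(data)
        if not self.enforcing:
            self.trusted.add(digest)  # "turned off" means new code is learned
            verdict = "learned"
        elif digest in self.trusted:
            verdict = "allowed"
        else:
            verdict = "blocked"  # no prompt, no user override
        self.log.append((name, verdict))
        return verdict

def demo():
    # Constructed sample files (name -> bytes); one is unwanted but pre-existing.
    base = {"notepad.exe": b"MZ notepad", "wscript.exe": b"MZ script host",
            "preexisting_bad.exe": b"MZ on disk before install"}
    al = Allowlist(base)
    out = [al.request_run("preexisting_bad.exe", base["preexisting_bad.exe"]),
           al.request_run("newgame.exe", b"MZ new game")]
    al.turn_off()
    out.append(al.request_run("newgame.exe", b"MZ new game"))
    al.turn_on()
    out.append(al.request_run("newgame.exe", b"MZ new game"))
    out.append(al.request_run("newgame.exe", b"MZ new game, patched"))
    out.append(al.request_run("wscript.exe", base["wscript.exe"], "any.vbs"))
    return out
```

The first and last results of `demo()` are the two caveats raised in the thread: the baseline trusts whatever was already installed, and an allowed script host is permitted no matter which script it is given.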
     
  20. Anonymous111

    Anonymous111 Guest

    Ok - thanks Rich! I second the thought that Faronics should work on a security software that would combine anti execution and script analysis. That would be just sooo great!
    I thought that it didn't though - just wanted to make sure ;-)
    - Jacob
     