Is Anyone Using Anti-Executable v.3x?

Discussion in 'other anti-malware software' started by Rmus, Jan 28, 2009.

Thread Status:
Not open for further replies.
  1. Rmus

    Rmus Exploit Analyst

    Joined:
    Mar 16, 2005
    Posts:
    3,943
    Location:
    California
    Several months ago I was on Faronics' web site looking at some papers in their Content Library. While on the site I checked a couple of the Products pages and noticed on the Anti-Executable (AE) page that some descriptions were missing. One was the reference to 80+ executable file types that AE watches out for. I didn't think about that very much at the time, but recently I had occasion to evaluate this latest edition of AE.

    Here are descriptions from the AE2 User Guide followed by that in the AE3 User Guide:

    v.2
    v.3
    Do you notice any difference?

    Now, I will attempt to run a non-White Listed program, AstroExp.exe.

    First, AE2:

    AE2_Prompt.gif

    Then, AE3:

    AE3_Prompt.gif

    Do you notice any difference?

    A bit of history. Years ago I became disillusioned with the reliability of Anti-Virus products. An acquaintance got a virus while using AIM. The AV was a reputable one and up to date. Shortly thereafter variants of the viruses were reported, undetected by most AV in the early days.

    I began reading different articles and came across the product, Abtrusion Protector. It claimed to verify all executable file types, and any others that tried to install were blocked. That opened the door to the concept of execution protection and White Listing. Another product that was more interesting was FreezeX - the predecessor of Anti-Executable. I installed an evaluation version of it and emailed Faronics Support with loads of questions. I was put in contact with the project manager and he informed me that they were phasing out FreezeX for a better product, Anti-Executable. It had just come out of Beta Testing and wasn't scheduled to be released for a couple of more weeks, but he was happy to send me a copy to evaluate. I thanked him and told him that I was also interested in Process Guard.

    While I didn't evaluate Process Guard, I was following with interest the discussions on the forum here at Wilders. Especially the long thread on rundll32.exe. Everyone was unsure how to configure it:

    • Let it run all of the time:
    • Let it run once:
    I decided I didn't want any part of having to make decisions as to what to allow. The problem, as I saw it, was not with rundll32 but with the file it executes.

    I wrote the AE Project Manager about this, and questioned him about one part of the AE tutorial video they had at that time:

    Of course, I shortly learned that it blocks all unauthorized executable file types. From the AE2 User Manual:

    So, AE2 it was.

    So what has changed in AE3? No longer does AE watch over all file types, rather, it selects just five. To its credit, AE retains some type of code analysis, because I changed several EXE types to BGT, TMP, and they were blocked. So spoofing of EXE still doesn't get by AE.

    But what about rundll32 and the executable file types that it handles? Here is a CPL - a Control Panel Applet.

    With AE3 installed with NO White List configured, it will prompt when any EXE attempts to run:

    AE3_cpl.gif

    Now, an AE user is put in the same predicament as one with Process Guard. AE has changed from Default-Deny to Prompt-for-decision. In the configuration, you can designate "External" users (those not trusted nor Administrator) so that they cannot allow. That is fine for a multi-user workstation. But for a single-user as Administrator, you have to make a decision. The only one is, of course, to put rundll32 on the White List. Otherwise you will be prompted all of the time. Search in the Registry for rundll32 and see how much it is used.

    AE2 on the other hand doesn't care anything about rundll32 as long as it opens an authorized (White Listed) file. Otherwise it blocks:

    AE2_cpl.gif

    AE3 watches the application. The same as Process Guard (PG). AE2 watches the file. Big difference in approach. Of course, PG is an early prototype of HIPS and does more things. AE is interested only in blocking unauthorized executables.

    Continued next Post.
     
    Last edited: Jan 28, 2009
  2. Rmus

    Rmus Exploit Analyst

    Joined:
    Mar 16, 2005
    Posts:
    3,943
    Location:
    California
    A poster in the Process Guard thread mentioned the danger of rundll32.exe and DLL files.

    Here is AE3 - rundll32 is not White Listed, so it throws up an alert:

    AE3_rundllAlert.gif

    If I 'Allow and add to the White List' the hnetwiz.dll wizard loads.
    Note that rundll32 is being added, not the DLL file, yet this executable file runs anyway:

    AE3_rundllOK.gif

    With AE2, rundll32.exe is on the White List but the DLL file is not, so it is blocked:

    AE2_rundllFail.gif

    Again, AE2 doesn't care about rundll32 as long as the executable file it opens is on the White List. In fact, when I attempted to copy this DLL from my flash drive to \System32, AE2's Copy Prevention blocked:

    AE2_dllCopyFail.gif

    AE3 has removed Copy Prevention. AE2 describes it thus:

    You can argue that Copy Prevention is in the 'nice to have' category, since an unauthorized executable can copy to disk, yet still be blocked from running. Nonetheless, I've found it a very useful function.

    Faronics has certainly changed what used to be one of the most unique Default-Deny security products ever developed. Some of the changes -- multiple/editable White Lists for example -- I'm sure came from user requests.

    AE2, upon installation, scans the entire system and creates one global White List. I've heard complaints about that, referring to how long it takes. AE3 installs instantly with no White List and the user has to create her/his own.

    Frankly, in the home environments where I've recommended AE, I don't know how the general user could understand what to do with AE3 and manually creating White Lists.

    I recently read a glowing review of AE3 by an education Administrator. The 'Allow and Add' option would be available to the Administrator only, not to the students (external users). Perhaps this is the type of market that Faronics has in mind for AE, and that the standard five executable file extensions are adequate for White Listing, since very few programs would need to be White Listed. From the web site:

    No mention of Home. Too bad.


    ----
    rich
     
    Last edited: Jan 28, 2009
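The rundll32 behaviour described in the two posts above, reduced to an added example (my code, not Faronics' or Process Guard's): AE3-style checking looks only at the launched program and only at a few extensions, so an allow-listed rundll32.exe carries any DLL or CPL with it, while AE2-style checking follows rundll32/control.exe to the file they actually load and requires that file to be allow-listed too. The five AE3 extensions, the sample allow list and the command lines are constructed assumptions; AE2's code analysis of renamed EXEs is not modelled.

```python
import shlex
import ntpath

SYSTEM32 = r"c:\windows\system32"

# The thread says AE3 watches just five extensions but does not list them;
# this set is an assumption for the example, not Faronics' list.
AE3_EXTENSIONS = {".exe", ".com", ".bat", ".cmd", ".scr"}

# Constructed allow list (lower-case NT paths) standing in for a White List.
SAMPLE_ALLOW_LIST = {
    r"c:\windows\system32\rundll32.exe",
    r"c:\windows\system32\shell32.dll",
    r"c:\windows\system32\control.exe",
    r"c:\windows\system32\inetcpl.cpl",
}


def normalize(path):
    """Lower-case an NT path; bare file names are assumed to resolve in System32."""
    path = path.strip('"').lower()
    if not ntpath.dirname(path):
        path = ntpath.join(SYSTEM32, path)
    return ntpath.normpath(path)


def parse_command(cmdline):
    """Split a Windows command line into (program, [args]) keeping backslashes intact."""
    tokens = [t.strip('"') for t in shlex.split(cmdline, posix=False)]
    return normalize(tokens[0]), tokens[1:]


def loaded_files(program, args):
    """Files whose code runs when a host program is launched with these args."""
    host = ntpath.basename(program)
    files = []
    if host == "rundll32.exe" and args:
        dll, _, entry = args[0].partition(",")      # "name.dll,EntryPoint"
        files.append(normalize(dll))
        # rundll32 shell32.dll,Control_RunDLL foo.cpl also executes the applet
        if entry.lower() == "control_rundll" and len(args) > 1:
            files.append(normalize(args[1]))
    elif host == "control.exe" and args:
        files.append(normalize(args[0]))
    return files


def ae3_decision(cmdline, allow_list):
    """Application-centric: only the launched program, only watched extensions, prompt not deny."""
    program, _ = parse_command(cmdline)
    if ntpath.splitext(program)[1] in AE3_EXTENSIONS and program not in allow_list:
        return "prompt"
    return "allow"  # whatever an allow-listed host goes on to load is never examined


def ae2_decision(cmdline, allow_list):
    """File-centric: the program and every file it loads must be allow-listed."""
    program, args = parse_command(cmdline)
    for path in [program] + loaded_files(program, args):
        if path not in allow_list:
            return "block"
    return "allow"
```

Run the two decision functions over the same command line (for example rundll32.exe loading hnetwiz.dll with rundll32 allow-listed) to see AE3 wave it through while AE2 blocks on the DLL.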
  3. Longboard

    Longboard Registered Member

    Joined:
    Oct 2, 2004
    Posts:
    3,187
    Location:
    Sydney, Australia
    Very interesting post, Rich.
    Thank you.

    Any copies of V2.x anywhere ??
    You still have your contacts ??

    Pitching at 'console' and 'enterprise' and 'central management', all the catch words for "no $$ in the desktop" for this really interesting app.
     
  4. Rmus

    Rmus Exploit Analyst

    Joined:
    Mar 16, 2005
    Posts:
    3,943
    Location:
    California
    Hi Longboard,

    I'm in contact with Faronics about several issues, and I'm going to ask if they would consider continuing to offer AE2 Standard (home) even though it is not Vista-compatible. My guess is they will not want to continue with an older product.

    I would not trust acquiring AE or Deep Freeze from any source other than Faronics. Not only is it illegal, but pirated copies of DF have caused problems in the past, as I've noticed around the internet.

    Yes, the Enterprise editions of both with the maintenance packages are the money makers. But it is worth it for the institutions.

    ----
    rich
     
  5. aigle

    aigle Registered Member

    Joined:
    Dec 14, 2005
    Posts:
    11,047
    Location:
    Saudi Arabia/ Pakistan
    Too bad. AE 3 is far, far inferior to AE 2. Who will like to use AE3 now? It has become like a typical HIPS and yet inferior in choices.

    Faronics people are so wise? :rolleyes: I just wonder.
     
  6. Meriadoc

    Meriadoc Registered Member

    Joined:
    Mar 28, 2006
    Posts:
    2,642
    Location:
    Cymru
    Indeed, and why I stay with ae2.
     
  7. Osaban

    Osaban Registered Member

    Joined:
    Apr 11, 2005
    Posts:
    4,213
    AE v3 had a pretty bad start: On my Vista system (talking around May-June of last year) I couldn't even install it properly, when rebooting the system for the first time I couldn't even reach the stage of seeing the desktop, the system would hang forever. I had to use an image twice to get me out of troubles.

    I must say that support is really good. After informing them of my disaster, they offered to pay for express courier in order to get an image of my system so that they could study why this was happening. I declined, as I was too busy at the time, but also I had lost interest in it.

    In September they informed me that a new improved version was available and they had tested it with similar hardware as my computer (very nice indeed, I think they really care about their customers). I tried it and I like it very much; the new window giving you the choice to allow or block and add to the white list was very practical, and you could check your white list, change it, save it etc.

    I think that if you wanted to use it as AE V2, you could indeed, although reading Rmus' post it looks like it's not as restrictive as the old version. The reason I haven't kept it (I do have a license) is that it wouldn't allow FirstDefense PC Rescue to work properly, even disabling AE. Now I'm not entitled to a new version unless I pay for maintenance, so I gave it up.

    I also dislike nowadays to investigate why things are really happening, so virtualization and imaging are making my life easier.
     
  8. HURST

    HURST Registered Member

    Joined:
    Jul 20, 2007
    Posts:
    1,419
    What would ErikAlbert think about this?

    Sorry, couldn't resist, I miss his posts...

    Back on topic, it's very sad what Faronics is doing with AE. This was a great tool for those who don't have XP Pro and no access to SRP.
    I used v2 for about a month and really liked it, had no problems whatsoever...
     
  9. Dark Star 72

    Dark Star 72 Registered Member

    Joined:
    May 27, 2007
    Posts:
    703
    I too tried AE v3 but dropped it because it no longer has a Default-Deny option.
    However both Returnil 2.0.1.8510 beta Anti-Execute and Executable Lockdown have settings options for 'Ask' or Default-Deny. Returnil creates a visible White List and Black List so if any action gets terminated it is easy to move it to the White List. But, it is VERY sensitive. Switched on my printer and had to approve four pop-ups to allow it to run! Executable Lockdown appears more docile, perhaps more intelligent, no visible White List but has a black list. Both when password protected require admin to approve any actions.
    It would need someone more knowledgeable than me to test these out but I would be very surprised if anything got past Returnil Anti-Execute.
     
  10. chris2busy

    chris2busy Registered Member

    Joined:
    Jun 14, 2007
    Posts:
    477
    actually...SRP by default has only 30 designated file types on block control..ae2 had 80 or so..yeah, that's ~266% more file types..i tried to find them all a while back, but was too lazy for it :D
    would be truly lovely if anyone could paste them :)
     
  11. chris2busy

    chris2busy Registered Member

    Joined:
    Jun 14, 2007
    Posts:
    477
    it does ...just put your user out of AE administration group...(right)ctrl+alt+shift+F10 to bring the options tab up
     
  12. HURST

    HURST Registered Member

    Joined:
    Jul 20, 2007
    Posts:
    1,419
    compiling from
    1.- http://pcsupport.about.com/od/tipstricks/a/execfileext.htm
    2.- http://antivirus.about.com/od/securitytips/a/fileextview.htm

    A6P: Authorware 6 Program
    AC: Autoconfig Script
    ACR: ACRobot Script
    ACTION: Automator Action
    ADE: Microsoft Access Project Extension
    ADP: Microsoft Access Project
    AIR: Adobe AIR Installation Package
    APP: FoxPro Generated Application
    APP: Symbian OS Application
    AS: Adobe Flash ActionScript File
    AWK: AWK Script
    BAS: Visual Basic Class Module
    BAT: Batch File
    CGI: Common Gateway Interface Script
    CHM: Compiled HTML Help File
    CMD: Windows NT Command Script
    COM: DOS Command File
    CPL: Control Panel Extension
    CRT: Security Certificate
    CSH: C Shell Script
    DEK: Eavesdropper Batch File
    DLD: EdLog Compiled Program
    DLL: Dynamic Link Library
    DO*: Word Documents and Templates
    DS: TWAIN Data Source
    EBM: EXTRA! Basic Macro
    ESH: Extended Shell Batch File
    EXE: Windows Executable File
    EZS: EZ-R Stats Batch Script
    FKY: FoxPro Macro
    FRS: Flash Renamer Script
    FXP: FoxPro Compiled Source
    GADGET: Windows Gadget
    HLP: Windows Help File
    HMS: HostMonitor Script File
    HTA: HTML Application
    ICD: SafeDisc Encrypted Program
    INF: Setup Information File
    INS: Internet Communication Settings
    INX: Compiled Script
    IPF: SMS Installer Script
    ISP: Internet Communication Settings
    ISU: InstallShield Uninstaller Script
    JAR: Java Archive File
    JS: JScript Executable Script
    JSE: JScript Encoded Script File
    JSX: ExtendScript Script File
    KIX: KiXtart Script File
    LNK: Shortcut
    MCR: 3ds Max Macroscript File
    MDB: Microsoft Access Application
    MDE: Microsoft Access MDE Database
    MEM: Macro Editor Macro
    MPX: FoxPro Compiled Menu Program
    MS: 3ds Max Script File
    MSC: Microsoft Common Console Document
    MSI: Windows Installer Package
    MSP: Windows Installer Patch
    MST: Windows SDK Setup Transform Script
    OBS: ObjectScript Script File
    OCX: ActiveX Objects
    PAF: Portable Application Installer File
    PCD: Photo CD Image
    PEX: ProBoard Executable File
    PIF: Shortcut to MS-DOS Program
    PIF: Program Information File
    POT: PowerPoint Templates
    PPT: PowerPoint Files
    PRC: Palm Resource Code File
    PRG: Generic Program File
    PVD: Instalit Script
    PWC: PictureTaker File
    PY: Python Script
    PYC: Python Compiled File
    PYO: Python Optimized Code
    QPX: FoxPro Compiled Query Program
    RBX: Rembo-C Compiled Script
    REG: Registration Entries
    RGS: Registry Script
    ROX: Actuate Report Object Executable File
    RPJ: Real Pac Batch Job File
    SCAR: SCAR Script
    SCR: Screen Saver
    SCRIPT: Generic Script File
    SCT: Windows Script Component
    SHB: Document Shortcut File
    SHS: Shell Scrap Object File
    SPR: FoxPro Generated Screen File
    SYS: System Config/Driver
    TLB: OLE Type Library
    TMS: Telemate Script
    U3P: U3 Smart Application
    UDF: Excel User Defined Function
    URL: Internet Shortcut (Uniform Resource Locator)
    VB: VBScript File
    VBE: VBScript Encoded Script File
    VBS: VBScript File
    VBSCRIPT: Visual Basic Script
    WCM: WordPerfect Macro
    WPK: WordPerfect Macro
    WS: Windows Script
    WSC: Windows Script Component
    WSF: Windows Script File
    WSH: Windows Scripting Host Settings File
    XL*: Excel Files and Templates
    XQT: SuperCalc Macro File


    106 filetypes. I filtered the repeated ones, sorry if I missed some.
    BTW, I once found a website which claimed to have ALL executable extensions listed. When I arrive home I'll check if I bookmarked it.
     
  13. chris2busy

    chris2busy Registered Member

    Joined:
    Jun 14, 2007
    Posts:
    477
    You are just lovely :D
    Gonna have to do a little trimming myself too :) can't have SRP blocking .doc and having to run them only as admin to read them :D not smart
     
  14. Dark Star 72

    Dark Star 72 Registered Member

    Joined:
    May 27, 2007
    Posts:
    703
    Thanks for that :thumb:
    Must read the help file a bit better next time, or get some new glasses :D
     
  15. Longboard

    Longboard Registered Member

    Joined:
    Oct 2, 2004
    Posts:
    3,187
    Location:
    Sydney, Australia
    Ok just to revive this thread for a minute if I may: spurred on by another thread...
    https://www.wilderssecurity.com/showthread.php?t=233634

    All in aid of 'trimming the fat'.
    Wanted to check with Rmus re AE2 v AE3:
    Can AE3 be jigged to function like V2??
    Anyone had further experiences with AE3??

    ?? Rich..
     
  16. Rmus

    Rmus Exploit Analyst

    Joined:
    Mar 16, 2005
    Posts:
    3,943
    Location:
    California
    It can be Default-Deny if you don't run as the Administrator. You would have to set up user accounts for others who use your computer, or the potential for someone permitting malware is present.

    Other features cannot be changed, eg:

    • you create your own white list
    • you can't add executables other than the five (no DLL for example)

    A new version 3.2 was just released; I may look at it to see if there are any other changes, but none of any significance for the home user were mentioned in the release notes.

    ----
    rich
     
  17. demoneye

    demoneye Registered Member

    Joined:
    Dec 30, 2007
    Posts:
    1,356
    Location:
    ISRHell
    The new/latest AE conflicts with SB, making it not load properly.
     
  18. Osaban

    Osaban Registered Member

    Joined:
    Apr 11, 2005
    Posts:
    4,213
    They have acknowledged the conflict though, no mention about First Defense PC Rescue, but I'm no longer interested in having AE anyway.
    The attachment is an excerpt from the new AE release notes.
     
  19. Acadia

    Acadia Registered Member

    Joined:
    Sep 8, 2002
    Posts:
    4,048
    Location:
    SouthCentral PA
    Good grief, what on earth did Faronics do to AE? I have AE version 2 and it works great with SandboxIE and First-Defense (original classic).

    Acadia
     
  20. Dregg Heda

    Dregg Heda Registered Member

    Joined:
    Dec 13, 2008
    Posts:
    830
    Hi guys, anyone have any experience with Returnil's AE or Executable lockdown? Any other similar products out there that I can check out?
     
  21. controler

    controler Guest

    Hello

    If I remember right, Faronics products were originally created for the public environment. I am guessing the home line was not cost effective and they decided to keep targeting the public, schools etc.?

    I think products like PG, SSM etc. were all too non-user-friendly for average home users. Don't you agree? If a product is going to be cost effective for home use, it needs to be simple and with a minimum of pop ups. Of course that doesn't sit well with most types that frequent these type forums.
     
  22. slangen

    slangen Guest

    Hey guys, I got my hands onto a copy of AE v2.3. I got two questions.

    1. Is there any malware which has managed to get past AE? I know that a scripting exploit would work, but what exactly does work mean? I mean it won't be able to install something, so on reboot it's all gone, right?

    2. Does anyone have the help file.... :D


    thanks
     
  23. Peter2150

    Peter2150 Global Moderator

    Joined:
    Sep 20, 2003
    Posts:
    17,039
    I think before anyone answers this, the question is: "I got my hands on a copy" means what? Faronics no longer sells this version.

    Pete
     
  24. slangen

    slangen Guest

    Oops... :D


    Anyways, I got my answers. Dontcha love the 'search' function. :rolleyes:

    sorry about that.
     