Ping Rmus..

Discussion in 'other anti-malware software' started by Longboard, Jun 11, 2010.

Thread Status:
Not open for further replies.
  1. Longboard

    Longboard Registered Member

    Joined:
    Oct 2, 2004
    Posts:
    3,187
    Location:
    Sydney, Australia
'lo Rich

Just wanted to ask about a/your best recommendation/experience re Anti.exe tools/whitelisting tools atm?
Any single app stand out?
Combos?

    I'm experimenting to re-finesse the system here.

How did it go with Faronics' newer versions?

Any others?

    OA as a whitelister o_O

    PS:
    I've re-read this thread: https://www.wilderssecurity.com/showthread.php?t=171576
Any updates iyo?

PPS: Where have your pages gone?? :(
     
    Last edited: Jun 12, 2010
  2. Rmus

    Rmus Exploit Analyst

    Joined:
    Mar 16, 2005
    Posts:
    3,943
    Location:
    California
    Hello, Longboard,

I've been away for a while, and just now saw your thread.

    I confess to not keeping up with newer products. By many accounts, there are a number of products that have incorporated anti-execution protection. I would do some serious testing, because in past years, some products filtered by file extension only, which is the weakest protection. Also, some products can be bypassed by extension spoofing. This is easy to test.

I renamed a text editor from metapad.exe to metapad.tmp to demonstrate how the command prompt or the Windows Script Host doesn't care about file extensions -- metapad.tmp will launch:

[screenshot: tmp_1.gif]

    Now, I take an executable not on the White List (Firehole.exe) and rename to Firehole.tmp. The Anti Execution Program should alert:

[screenshot: tmp_2.gif]

    It's evident that AE checks the code and not just the file extension.

    You will notice that the alert is Default-Deny. This is the most robust protection, since the user should not have to be prompted whether or not to allow a non-white listed executable to run in a remote code execution exploit.
    I haven't checked the latest releases of Version 3, but early on, they added the option to have the White List created automatically on installation, which was the way version 2 did it.

    I'm rebuilding that site, since much was outdated!

    -rich
     
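The distinction Rmus draws above (filtering by file extension versus inspecting the code itself) can be illustrated with a small model of both policies. The following is an added example and is not code from any product discussed in the thread; it assumes a hash-based whitelist, and the "PE images" it examines are constructed byte strings (an `MZ` DOS header whose `e_lfanew` field points at a `PE\0\0` signature), not real programs. An extension-only filter never looks at `Firehole.tmp`, while a content check recognises it as a PE image that is not on the whitelist and denies it by default.

```python
import hashlib
import struct


def make_fake_pe(payload: bytes) -> bytes:
    """Build a constructed stand-in for a PE image: a 64-byte 'MZ' DOS header
    whose e_lfanew field (offset 0x3C) points at the 'PE\\0\\0' signature.
    This is only enough structure to exercise the header check below."""
    dos = bytearray(b"MZ" + b"\x00" * 62)
    struct.pack_into("<I", dos, 0x3C, 64)  # e_lfanew = 64: PE header follows the DOS header
    return bytes(dos) + b"PE\x00\x00" + payload


# Constructed sample files (name -> contents); none of these are real binaries.
SAMPLES = {
    "metapad.exe": make_fake_pe(b"stand-in for the metapad text editor"),
    "metapad.tmp": make_fake_pe(b"stand-in for the metapad text editor"),   # same bytes, renamed
    "Firehole.tmp": make_fake_pe(b"stand-in for a program not on the whitelist"),
    "readme.tmp": b"plain text, not executable code",
}

EXECUTABLE_EXTENSIONS = (".exe", ".com", ".scr", ".dll")


def sha256(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def is_pe_image(data: bytes) -> bool:
    """Return True if the bytes carry a PE header, whatever the file is named."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return False
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)
    if e_lfanew + 4 > len(data):  # header points outside the file: not a well-formed image
        return False
    return data[e_lfanew:e_lfanew + 4] == b"PE\x00\x00"


# Hypothetical whitelist: only the original metapad image is approved.
WHITELIST = {sha256(SAMPLES["metapad.exe"])}


def extension_only_policy(name: str, data: bytes) -> str:
    """Weak policy: only files whose *name* looks executable are ever examined."""
    if name.lower().endswith(EXECUTABLE_EXTENSIONS):
        return "allow" if sha256(data) in WHITELIST else "deny"
    return "allow"  # renamed to .tmp -> never inspected, so it slips through


def content_policy(name: str, data: bytes) -> str:
    """Default-deny policy: any PE image must match the whitelist; the name is ignored."""
    if not is_pe_image(data):
        return "ignore"  # not code, so not subject to the execution policy
    return "allow" if sha256(data) in WHITELIST else "deny"


def evaluate_all() -> dict:
    """Run both policies over the constructed samples; returns name -> (ext_verdict, content_verdict)."""
    return {
        name: (extension_only_policy(name, data), content_policy(name, data))
        for name, data in SAMPLES.items()
    }


if __name__ == "__main__":
    for name, (by_ext, by_content) in evaluate_all().items():
        print(f"{name:14s} extension-only: {by_ext:6s} content check: {by_content}")
```

Running the script shows `Firehole.tmp` allowed by the extension-only policy but denied by the content check, and `metapad.tmp` allowed by the content check because its hash matches the whitelisted `metapad.exe`. A real whitelister would go further (parse the full PE structure, cover scripts and other loaders, and hook the actual process-creation path), but the header-plus-hash check is the core of why "checks the code, not the extension" matters.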