Ping Rmus..

Discussion in 'other anti-malware software' started by Longboard, Jun 11, 2010.

Thread Status:
Not open for further replies.
  1. Longboard

    Longboard Registered Member

    Oct 2, 2004
    Sydney, Australia
    'lo Rich

    Just wanted to ask about a/your best recommendation/experience re Anti.exe tools/white listing tools atm?
    Any single app stand out?

    I'm experimenting to re-finesse the system here.

    How did it go with Faronics newer versions?

    Any others?

    OA as a whitelister o_O

    I've re-read this thread:
    Any updates iyo ?

    PPS: where have your pages gone ?? :(
    Last edited: Jun 12, 2010
  2. Rmus

    Rmus Exploit Analyst

    Mar 16, 2005
    Hello, Longboard,

    I've been away for a while, and just now saw your thread.

    I confess to not keeping up with newer products. By many accounts, there are a number of products that have incorporated anti-execution protection. I would do some serious testing, because in past years, some products filtered by file extension only, which is the weakest protection. Also, some products can be bypassed by extension spoofing. This is easy to test.

    I renamed a text editor from metapad.exe to metapad.tmp to demonstrate how the command prompt or the Windows Script Host doesn't care about file extensions -- metapad.tmp will launch:


    Now, I take an executable not on the White List (Firehole.exe) and rename to Firehole.tmp. The Anti Execution Program should alert:


    It's evident that AE checks the code and not just the file extension.

    You will notice that the alert is Default-Deny. This is the most robust protection, since the user should not have to be prompted whether or not to allow a non-white listed executable to run in a remote code execution exploit.

    I haven't checked the latest releases of Version 3, but early on, they added the option to have the White List created automatically on installation, which was the way version 2 did it.

    I'm rebuilding that site, since much was outdated!
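The extension-spoofing test Rmus describes above (rename a program to .tmp, see whether the whitelisting tool still catches it) comes down to one question: does the tool look at the file's content or only at its name? The following Python script is an added illustration, not code from the thread or from any of the products mentioned. It contrasts a name-based policy with a content-based one: the content check identifies a Windows PE image from its headers (the "MZ" DOS magic, the e_lfanew pointer at offset 0x3C, and the "PE\0\0" signature) and then applies default-deny against a hash whitelist. The sample PE bytes are constructed here and are just enough header for identification, not a runnable program; the file names firehole.tmp and metapad.exe reuse the thread's scenario.

```python
"""Name-based vs content-based execution whitelisting (added example, not from the thread)."""
import hashlib
import os
import struct

MZ_MAGIC = b"MZ"          # DOS header magic at offset 0
PE_SIGNATURE = b"PE\0\0"  # NT header signature, located via e_lfanew at offset 0x3C

# Extensions a name-only whitelister would treat as "executable" (assumption for the demo).
EXEC_EXTENSIONS = {".exe", ".com", ".scr", ".bat", ".cmd", ".vbs", ".js"}


def is_pe_image(data: bytes) -> bool:
    """True if the bytes carry a Windows PE header, whatever the file is called."""
    if len(data) < 0x40 or data[:2] != MZ_MAGIC:
        return False
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)
    if e_lfanew + len(PE_SIGNATURE) > len(data):
        return False
    return data[e_lfanew:e_lfanew + len(PE_SIGNATURE)] == PE_SIGNATURE


def build_stub_pe() -> bytes:
    """Constructed sample: DOS header pointing at a PE signature plus a COFF header.
    Enough for header-based identification; it is not a loadable program."""
    dos = bytearray(0x40)
    dos[0:2] = MZ_MAGIC
    struct.pack_into("<I", dos, 0x3C, 0x40)        # e_lfanew -> right after the DOS header
    # COFF file header: Machine=i386, 1 section, timestamp, symtab ptr, nsyms,
    # optional header size, characteristics (EXECUTABLE_IMAGE | 32BIT_MACHINE)
    coff = struct.pack("<HHIIIHH", 0x14C, 1, 0, 0, 0, 0, 0x0102)
    return bytes(dos) + PE_SIGNATURE + coff


def extension_policy(filename: str, allowed_names: set) -> str:
    """Weak policy: decides from the file name alone.
    Anything without an 'executable' extension is waved through."""
    ext = os.path.splitext(filename)[1].lower()
    if ext not in EXEC_EXTENSIONS:
        return "allow"
    return "allow" if filename.lower() in allowed_names else "deny"


def content_policy(data: bytes, allowed_sha256: set) -> str:
    """Content policy with default-deny: a PE image runs only if its hash is whitelisted.
    Non-PE data (a real text file, for instance) is not an execution request at all."""
    if not is_pe_image(data):
        return "allow"
    digest = hashlib.sha256(data).hexdigest()
    return "allow" if digest in allowed_sha256 else "deny"


def run_spoof_test() -> dict:
    """Replays the thread's test: a non-whitelisted binary renamed to .tmp."""
    stub = build_stub_pe()
    names_whitelist = {"metapad.exe"}
    hash_whitelist = set()   # firehole's hash deliberately absent
    return {
        "name_policy_exe": extension_policy("firehole.exe", names_whitelist),  # deny
        "name_policy_tmp": extension_policy("firehole.tmp", names_whitelist),  # allow: bypassed
        "content_policy_tmp": content_policy(stub, hash_whitelist),            # deny: caught
        "text_file": content_policy(b"just some notes\n", hash_whitelist),     # allow: not a PE
    }


if __name__ == "__main__":
    for check, verdict in run_spoof_test().items():
        print(f"{check:20s} -> {verdict}")
```

Run it and the name-based policy reports "allow" for firehole.tmp while the content-based one reports "deny", which is exactly the difference Rmus's screenshot test is meant to expose. A real product does more than this (it hooks process creation rather than inspecting files on request), but the decision logic it needs, identify the image from its bytes and deny unless explicitly trusted, is the part worth testing.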
