Simple executable-blocker?

Discussion in 'other anti-malware software' started by ola nordmann, Aug 13, 2007.

Thread Status:
Not open for further replies.
  1. ola nordmann

    ola nordmann Registered Member

    Joined:
    May 6, 2007
    Posts:
    89
    I'm trying to futher secure a computer running WinXP.

    It already has antivirus and is setup to use limited user accounts, so users should not (easily) be able to tamper with system files.

    But I would like to protect some users against themselves, that is running .exe, ActiveX and other stuff downloaded from the internet. Basically we are talking about completely computer-illiterate users that shouldn't be able to run og install anything on their own :p

    Problem is I want a simple solution, and software like Faronics Anti-Executable seems a bit overkill for my setup.

    All I really need is some kind of white/blacklisting of execution from folders, so that people can run all apps in say: C:\Windows and C:\Program Files, but not in other dirs (like their own home directories). I really don't need to scan all files on my system with hashes etc. I rather prefer the directory-approach combined with sane NTFS permissions.

    So is there a lightweight solution for my needs? :)
     
  2. acr1965

    acr1965 Registered Member

    Joined:
    Oct 12, 2006
    Posts:
    4,954
    You may want to look at Spyware Blaster for one thing. You'll need to manually download updates about once a month or so. I am sure there are many other solutions to add to your needs as well.

    http://www.javacoolsoftware.com/spywareblaster.html

    Using firefox browser with no script and adblock plus may be another thing to consider.

    As far as whitelisting/blacklisting execution, the only thing off the top of my head would be to consider something like Syatem Safety Monitor with some of the apps allowed/not allowed and then hide the systray icon? Not sure if that would do it or not, though.

    http://www.syssafety.com/
     
  3. ola nordmann

    ola nordmann Registered Member

    Joined:
    May 6, 2007
    Posts:
    89
    At first, I thought about simply applying Software restriction policies using the Local Security Policy editor included in WinXP Pro, because you can set restrictions on directories, hashes etc.

    But it seems a bit limited, and one thing I dislike is that it also blocks shortcuts, even though they point to a secure location.

    Example:

    Use John Doe is not allowed to run/install software, but makes a shortcut to Firefox on his desktop.

    Shortcut: C:\Documents and Settings\JohnDoe\Desktop\Firefox
    Application: C:\Program Files\Firefox\Firefox.exe

    So even though the Firefox executable is in a safe location, the shortcut won't work because it's placed in a blacklisted directory. I think that's a bit too restrictive - after all, it's the location of the .EXE that matters.
     
  4. farmerlee

    farmerlee Registered Member

    Joined:
    Jul 1, 2006
    Posts:
    2,585
    ExeLockdown is a great freebie that might be what you're looking for.

    http://www.horizondatasys.com/169602.ihtml

    Its actually been discontinued by its company Horizon Datasys, the last version is 5.01, i don't know if you can still download it from the horizon website, i couldn't see any download option. However you should be able to find on any of the popular software sites. If you want to try it but can't find it send me a pm and i can forward you the email i recieved from horizon data when they still hosted the program.

    One helpful tip is make sure you read the instructions when installing it as it is password protected by default and the instructions will give you the password.
     
  5. Thankful

    Thankful Savings Monitor

    Joined:
    Feb 28, 2005
    Posts:
    3,731
    Location:
    New York City
  6. Mrkvonic

    Mrkvonic Linux Systems Expert

    Joined:
    May 9, 2005
    Posts:
    8,694
    Hello,
    You can use the Group Policies and Software Restriction Policies to do just that - prevent downloads, installation of activex, executing certain files etc.
    Built-in (XP Pro), free, no impact on performance.
    Mrk
     
  7. EASTER

    EASTER Registered Member

    Joined:
    Jul 28, 2007
    Posts:
    5,632
    Location:
    U.S.A. (South)
    Same here.

    That makes "2" of their programs that i had to drop because they were jaggedly ineffective and unstable, the other being RollbackRx which fudged my whole system and locked me out of the backups i had made with it. No matter though.

    Leapfrog's FD-ISR "is" efficient and extremely reliable + safe.

    If i'm not mistaken, CoreForce was designed to make very much use of those built-in restrictions/policies etc. It's just that it was a bit more heavy & slow in practice then i anticipated although the concept was very unique and solid.
     
  8. farmerlee

    farmerlee Registered Member

    Joined:
    Jul 1, 2006
    Posts:
    2,585
    Exelockdown never caused me any problems, it was very stable on my system. There is no noticeable performance impact in my experience, it doesn't even show up in the task manager if i remember correctly.
     
  9. aigle

    aigle Registered Member

    Joined:
    Dec 14, 2005
    Posts:
    11,047
    Location:
    Saudi Arabia/ Pakistan
    Really u need Anti-Executable. It will be easiest to use with max protection and no hassles. Just my guess.
     
  10. Peter2150

    Peter2150 Global Moderator

    Joined:
    Sep 20, 2003
    Posts:
    17,039
    Just don't turn on the "delete" protection. It will drive you nuts.

    Also if you download much and particular an exe file you have to disable it.
     
  11. HAN

    HAN Registered Member

    Joined:
    Feb 24, 2005
    Posts:
    2,080
    Location:
    USA
  12. SpikeyB

    SpikeyB Registered Member

    Joined:
    Mar 20, 2005
    Posts:
    478
    Just remove .lnk from the designated file types.
     
  13. Dogbiscuit

    Dogbiscuit Guest

    In XP, you needn't worry about limited users running ActiveX controls. It's very difficult to run ActiveX controls from within a limited user account, and probably not possible with non-technical users.

    To quote from Aaron Margosis' "Non-Admin" Weblog (6/15/06):
     
Thread Status:
Not open for further replies.