Software Restriction Policy vs Antiexecutable

Discussion in 'other software & services' started by sukarof, Jan 14, 2008.

Thread Status:
Not open for further replies.
  1. sukarof

    sukarof Registered Member

    Joined:
    Jun 22, 2004
    Posts:
    1,714
    Location:
    Stockholm Sweden
    I was thinking about SRP and how it compares the software Antiexecutable. If they are comparable?
    I tried AE long time ago but it was too much hassle with it for my liking and I dont remember the exact function more than it too prevented anything not whitelisted to run.

    I have set up a Software Restriction Policy in windows that prevents anything that is (new) executable to run.
    I have allowed shortcuts (.lnk) to start software.
    If I want something allowed to run I whitelist (path rule)
    Some software needs a entry there to run right on boot, like FDISR.
    It didnt take more than a couple of minutes to whitelist the software I wanted to be able to start.

    Having done this way there is no excecutable code* that can run unless I whitelist it or do a run as a different user as far as I can see.

    I do run as limited user, but I guess ther would be no problem having SRP in a admin account too.

    So could one say that having this kind of SRP would be the same thing as running Antiexecutable?


    * Default filetypes that are not allowed to run automaically or by accident:
    .ADE .ADP .BAS .BAT .CHM .CMD .COM . CPL .CRT .EXE .HLP .HTA .INF .INS .ISP .MDB
    .MDE .MSC .MSI .MSP .MST .OCX .PCD .PIF .REG .SCR .SHS .URL .VB .WSC and I can add whatever filetype I want

    Most of them I have not heard of and I am surprised that windows runs at all :) but any new file, after I set the policy active, with the filetypes that I mentioned above wont run.
     
  2. Rmus

    Rmus Exploit Analyst

    Joined:
    Mar 16, 2005
    Posts:
    3,943
    Location:
    California
    My understanding of SRP is that it whitelists by file extension. Also, I don't believe that you can whitelist .dlls.

    Anti-Executable, on the other hand, white lists every executable filetype upon installation. As far as unauthorized executables, AE uses code analysis in addition to checking the file extension. This allows blocking of spoofed executables -- those renamed with file extensions such as .jpg, .gif. I'm not sure if SRP can allow for this.

    Also, by blocking by filetype using SRP, you can include script types, such as .vbs, .bat, .reg, which Anti-Executable does not block. Some people using Anti-Executable also run a script blocking program.

    As you point out, AE is much more restrictive than SRP -- having such restrictions is ideal in certain environments.


    ----
    rich
     
  3. Cerxes

    Cerxes Registered Member

    Joined:
    Sep 6, 2005
    Posts:
    581
    Location:
    Northern Europe
    I´m using both SRP and AE. Main reason for me using AE are for protection against spoofed executables while the main purpose for SRP are blocking scripts. I don´t use SRP for admin mode. AFAIK SRP doesn´t do any code analysis.

    /C.
     
  4. sukarof

    sukarof Registered Member

    Joined:
    Jun 22, 2004
    Posts:
    1,714
    Location:
    Stockholm Sweden
    Thanks for you replies.

    I will try that and see what happens

    I dont think so either, SRP is just a relatively dumb but effective executable code blocker, if I understand it right. And that is just fine with me, I like to keep things simple then I dont have to worry about if I can really trust this and that softwares analysis. And it wont use any resources while doing it.
     
  5. monkeysmagic

    monkeysmagic Registered Member

    Joined:
    Jan 15, 2008
    Posts:
    6
    I really don't understand what is ment by Software Restriction Policy, could you please explain by what happes when you do this.
     
  6. lucas1985

    lucas1985 Retired Moderator

    Joined:
    Nov 9, 2006
    Posts:
    4,047
    Location:
    France, May 1968
  7. monkeysmagic

    monkeysmagic Registered Member

    Joined:
    Jan 15, 2008
    Posts:
    6
    Thanks for the links. Too bad there is no easy way to do this in vista basic or home premium(which is what i use) as they don't contain the local policy editor in basic or home premium.
     
  8. EASTER

    EASTER Registered Member

    Joined:
    Jul 28, 2007
    Posts:
    5,633
    Location:
    U.S.A. (South)
    Gee thanks lucas1985

    I've only ever had XP Professional so this is right up my alley. Although i been plenty secure enough running as Admin for a long time, this is a nice revelation i never even considered before.

    Best of all, it appears water tight too.
     
  9. lucas1985

    lucas1985 Retired Moderator

    Joined:
    Nov 9, 2006
    Posts:
    4,047
    Location:
    France, May 1968
    When properly configured, yes ;)
    Call it a poor man's HIPS .
     
  10. zopzop

    zopzop Registered Member

    Joined:
    Apr 6, 2006
    Posts:
    632
    any update on this? can spoofed exes trick SRP? is there a way i can test this out myself?
     
  11. ErikAlbert

    ErikAlbert Registered Member

    Joined:
    Jun 16, 2005
    Posts:
    9,455
    Where can I block scripts in SRP ? You only have to give me the click path, I know the script extensions already. Thanks in advance.
     
  12. Cerxes

    Cerxes Registered Member

    Joined:
    Sep 6, 2005
    Posts:
    581
    Location:
    Northern Europe
    To open the Group policy editor: Start > Run, type "gpedit.msc"

    To add file extensions: Computer Configuration > Windows Settings > Security Settings > Software Restriction Policies > Designated File Types, type the file extension in the box and then click "Add".

    /C.
     
    Last edited: Jan 16, 2008
  13. ErikAlbert

    ErikAlbert Registered Member

    Joined:
    Jun 16, 2005
    Posts:
    9,455
    Thanks for showing me the path of illumination. :)
     
  14. Cerxes

    Cerxes Registered Member

    Joined:
    Sep 6, 2005
    Posts:
    581
    Location:
    Northern Europe
    it´s the road to Shangri-La...

    /C.
     
  15. EASTER

    EASTER Registered Member

    Joined:
    Jul 28, 2007
    Posts:
    5,633
    Location:
    U.S.A. (South)
    Indeed that it is. Also saves from clogging up system arteries with groups of various this and thats which can soak up resources/memory.

    Hey it's there, why not make use of it right?
     
  16. MikeNAS

    MikeNAS Registered Member

    Joined:
    Sep 28, 2006
    Posts:
    697
    Location:
    FiNLAND
    Did you add something else than .VBS, .VBE, .JS, .JSE, .HTA, .WSF, .WSH,. SHS and .SHB? Those are Script Defender extensions. Some of those are there already but not all.
     
  17. Meriadoc

    Meriadoc Registered Member

    Joined:
    Mar 28, 2006
    Posts:
    2,642
    Location:
    Cymru
    (run gpedit.msc) - SRP is one of the first things I configure after installing xp pro. It always surprises me that a user don't know about or use it.
     
  18. EASTER

    EASTER Registered Member

    Joined:
    Jul 28, 2007
    Posts:
    5,633
    Location:
    U.S.A. (South)
    It is a bonus for XP Pro users no less, but with the torrent of security apps flooding or saturating the field with consistently new and ever more exciting innovations, it's always going to be more tempting to tack on a do-all app as opposed to configuring XP Pro thru Gpedit, even though it is quite thorough.
     
  19. Cerxes

    Cerxes Registered Member

    Joined:
    Sep 6, 2005
    Posts:
    581
    Location:
    Northern Europe
    Well it doesn´t surprise me at all. How could one expect for example a novice that just enough know how to boot the computer, how to check the e-mail and finally how to use the browser for visiting some sites (and it´s hardly security sites with guides how to harden Windows), would possibly know how to enter the GPM console for doing some tweaking? Or, for the more knowledgeable user, it´s just plain habit to be in admin mode without been aware of using these harden tools, and rather use different third part tools for securing the OS...

    /C.
     
  20. Meriadoc

    Meriadoc Registered Member

    Joined:
    Mar 28, 2006
    Posts:
    2,642
    Location:
    Cymru
    Cerxes your probably right but then again I probably wouldn't expect the policy editor to be on their machine, that much of a novice anyway perhaps would be using xp home in most cases - just a thought.
     
  21. MikeNAS

    MikeNAS Registered Member

    Joined:
    Sep 28, 2006
    Posts:
    697
    Location:
    FiNLAND
    Anyone? I just want to know exactly what to add in that list :D
     
  22. DasFox

    DasFox Registered Member

    Joined:
    May 5, 2006
    Posts:
    1,825
    what difference does it make how AE looks at exes, in the end if it's not on a white list it can't run, so I don't see how all the fancy code looking it does for malware does any good if an exe is not white listed it just doesn't run plain and simple.
     
  23. Cerxes

    Cerxes Registered Member

    Joined:
    Sep 6, 2005
    Posts:
    581
    Location:
    Northern Europe
    These are the extensions I´m blocking:

    .ADE,.ADP,.BAS,.BAT,.CHM,.CMD,.COM,.CPL,.CRT,.EML,.EXE,.HLP,.HTA,.INF,
    .INS,.ISP,.JS,.JSE,.MDB,.MDE,.MSC,.MSG,.MSI,.MSP,.MST,.OCX,.PCD,.PIF,
    .REG,.SCR,.SCT,.SHB,.SHS,.URL,.VB,.VBE,.VBS,.WSC,.WSF,.WSH,.XLM,.XLS

    /C.
     
  24. MikeNAS

    MikeNAS Registered Member

    Joined:
    Sep 28, 2006
    Posts:
    697
    Location:
    FiNLAND
    So you add these:

    .EML
    .JS
    .JSE
    .MSG
    .SCT
    .SHB
    .VBE
    .VBS
    .WSF
    .WSH
    .XLM
    .XLS

    .MSG and .XLM are the only one without "This file type can become infected and should be carefully scanned if someone sends you a file with this extension." However I understand why those extensions are good to add.

    Thanks a lot!

    -MikeNAS
     
  25. lucas1985

    lucas1985 Retired Moderator

    Joined:
    Nov 9, 2006
    Posts:
    4,047
    Location:
    France, May 1968
    A simple spoofed extension should bypass the SRP.
     
Loading...
Thread Status:
Not open for further replies.