Software Restriction Policy vs Antiexecutable

Discussion in 'other software & services' started by sukarof, Jan 14, 2008.

  1. zopzop

    zopzop Registered Member

    Joined:
    Apr 6, 2006
    Posts:
    642
    has anyone ever tested this to confirm?
     
  2. sukarof

    sukarof Registered Member

    Joined:
    Jun 22, 2004
    Posts:
    1,887
    Location:
    Stockholm Sweden
    Tbh I don't know how to do that; is it just to change the file extension? Tell me and I'll test.
     
  3. jrmhng

    jrmhng Registered Member

    Joined:
    Nov 4, 2007
    Posts:
    1,268
    Location:
    Australia
    Block .exe but rename a file to .scr and see if it executes.
     
  4. sukarof

    sukarof Registered Member

    Joined:
    Jun 22, 2004
    Posts:
    1,887
    Location:
    Stockholm Sweden
    Thanks, I thought it was more sophisticated :)
    If I change the AiRoboform.exe (installer for RoboForm) to AiRoboform.scr, it won't execute. I get: "Error executing program!" (Without SRP the .scr starts the installer as if it would've been a .exe.)
    If I change it to .jpg (which is allowed in SRP) then Windows Picture Viewer starts, but of course it can't show any picture since it is an executable.

    So I guess we can conclude that spoofing the extension doesn't work with SRP?
     
  5. lucas1985

    lucas1985 Retired Moderator

    Joined:
    Nov 9, 2006
    Posts:
    4,047
    Location:
    France, May 1968
    What about a double extension (.exe.gif)?
     
  6. sukarof

    sukarof Registered Member

    Joined:
    Jun 22, 2004
    Posts:
    1,887
    Location:
    Stockholm Sweden
    Same result.
     
  7. lucas1985

    lucas1985 Retired Moderator

    Joined:
    Nov 9, 2006
    Posts:
    4,047
    Location:
    France, May 1968
    Interesting. If your tests are correct, SRP is more powerful than what I thought.
    I still have my doubts, for example a spoofed executable placed by an exploit.
     
  8. zopzop

    zopzop Registered Member

    Joined:
    Apr 6, 2006
    Posts:
    642
    lol, that's all we had to do to test this? In a limited user account with SRP, I renamed my ATF Cleaner executable from atf_cleaner.exe to atf_cleaner.jpg and Windows Picture Viewer opened up but ATF Cleaner didn't start. I also renamed atf_cleaner.exe to atf_cleaner.exe.jpg and again Picture Viewer opened up but ATF Cleaner didn't run. Do these tests count as a pass?
     
  9. solcroft

    solcroft Registered Member

    Joined:
    Jun 1, 2006
    Posts:
    1,639
    No.

    Windows launched the renamed files as images according to their associated extensions. It'd have passed if you launched those renamed files as EXECUTABLES, but SRP still blocked them.
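    An added example, written for this page rather than taken from the thread or from any poster, that makes solcroft's point concrete: a renamed executable is still a PE image, but a double-click is routed by the visible extension to the associated viewer, so SRP is never asked. The script detects PE content by its bytes regardless of name, separates the visible extension from hidden ones in a double extension, and reports whether the visible extension is one of SRP's designated file types. The designated-types list is an assumed, partial subset of the Windows default, and the sample files are constructed in memory (a minimal PE header, not a runnable program).

    ```python
    import os
    import struct

    # Assumed subset of SRP's default "designated file types"; the real list on a
    # given machine is longer and editable (Software Restriction Policies in
    # secpol.msc).  SRP only evaluates a file when something launches it as code,
    # and by default only looks at these extensions (or a hash rule).
    DESIGNATED_FILE_TYPES = {"bat", "cmd", "com", "cpl", "exe", "hta",
                             "lnk", "msi", "pif", "reg", "scr"}

    # Leading bytes a genuine image of each type must carry.
    IMAGE_MAGIC = {
        "gif": (b"GIF87a", b"GIF89a"),
        "jpg": (b"\xff\xd8\xff",),
        "png": (b"\x89PNG\r\n\x1a\n",),
    }


    def is_pe(data: bytes) -> bool:
        """True if the bytes carry a Win32 PE image: an 'MZ' DOS stub plus the
        'PE\\0\\0' signature at the offset stored in e_lfanew (DOS header 0x3C)."""
        if len(data) < 0x40 or data[:2] != b"MZ":
            return False
        (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)
        return data[e_lfanew:e_lfanew + 4] == b"PE\x00\x00"


    def looks_like_image(ext: str, data: bytes) -> bool:
        """True if the first bytes match what the claimed image extension promises."""
        return any(data.startswith(magic) for magic in IMAGE_MAGIC.get(ext, ()))


    def extensions(name: str):
        """'AiRoboform.exe.gif' -> ['exe', 'gif'].  Explorer and SRP act on the last."""
        return os.path.basename(name).lower().split(".")[1:]


    def classify(name: str, data: bytes) -> dict:
        """Compare what the name claims with what the bytes are."""
        exts = extensions(name)
        last = exts[-1] if exts else ""
        pe = is_pe(data)
        if pe and last in DESIGNATED_FILE_TYPES:
            verdict = "executable: SRP evaluates it when launched"
        elif pe:
            verdict = ("spoofed executable: '.%s' opens the associated viewer, "
                       "SRP not consulted" % last)
        elif looks_like_image(last, data):
            verdict = "genuine image"
        else:
            verdict = "unknown content"
        return {"ext": last, "hidden_ext": exts[:-1], "pe": pe, "verdict": verdict}


    def fake_pe() -> bytes:
        """Constructed minimal PE header, enough for is_pe(); not a real program."""
        hdr = bytearray(0x40)
        hdr[:2] = b"MZ"
        struct.pack_into("<I", hdr, 0x3C, 0x40)          # e_lfanew -> byte 0x40
        return bytes(hdr) + b"PE\x00\x00" + b"\x00" * 20  # signature + empty COFF hdr


    # Constructed samples mirroring the renames tried in the thread.
    SAMPLES = {
        "AiRoboform.scr": fake_pe(),
        "atf_cleaner.jpg": fake_pe(),
        "atf_cleaner.exe.jpg": fake_pe(),
        "cnte.gif": fake_pe(),
        "holiday.gif": b"GIF89a" + b"\x00" * 16,
    }


    def scan(samples=None) -> dict:
        """Classify every sample; returns {name: classify(...) result}."""
        samples = SAMPLES if samples is None else samples
        return {name: classify(name, data) for name, data in samples.items()}


    if __name__ == "__main__":
        for name, info in scan().items():
            hidden = ",".join(info["hidden_ext"]) or "-"
            print(f"{name:22} pe={info['pe']!s:5} hidden={hidden:4} {info['verdict']}")
    ```

    Run against real files, read the bytes with `open(path, "rb").read(0x400)`; the first kilobyte is enough for every check here. The verdict for the .jpg and .gif cases is the caveat the thread circles around: content like this is not blocked by SRP while it sits on disk, and it is only when an exploit, a script host or a user renaming it back launches it as code that SRP's rules are applied.
    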
     
  10. zopzop

    zopzop Registered Member

    Joined:
    Apr 6, 2006
    Posts:
    642
    dang :( so it failed, eh? One quick question: if the spoofed executables don't run when clicked (I mean the program didn't start when clicked; Windows Picture Viewer did), how are they a security risk?
     
  11. lucas1985

    lucas1985 Retired Moderator

    Joined:
    Nov 9, 2006
    Posts:
    4,047
    Location:
    France, May 1968
    A malicious spoofed executable might escape the jail made by LUA+SRP, but this is beyond the scope of my knowledge. Maybe solcroft is willing to do some tests.
     
  12. Rmus

    Rmus Exploit Analyst

    Joined:
    Mar 16, 2005
    Posts:
    4,020
    Location:
    California
    I still have the spoofed .gif file from the SloanTreeFarm redirect exploit. If anyone using SRP would like to test this file, send a PM to me and I'll give you a download link.

    Here is how Anti-Executable deals with it:

    http://www.urs2.net/rsj/computing/tests/spoofexe/

    I would like to see screen shots of the messages that SRP displays when various attempts are made to copy/install this file to disk.


    ----
    rich
     
  13. EASTER

    EASTER Registered Member

    Joined:
    Jul 28, 2007
    Posts:
    11,126
    Location:
    U.S.A. (South)
    PM sent.
     
  14. sukarof

    sukarof Registered Member

    Joined:
    Jun 22, 2004
    Posts:
    1,887
    Location:
    Stockholm Sweden
    Thanks for the link Rmus.
    It behaved like it does when I rename any .exe to .gif: it opens Internet Explorer but shows nothing. If I open a real .gif I see the picture in the browser.
    When I double-clicked it, Internet Explorer tried to open the gif but didn't show anything. In the address bar it said D:\temp\cnte.gif

    I ran it in sandboxie to trace what it does.
    I couldnt find anything strange when I inspected the content of the sandbox.

    When I rename it to .exe and run it as administrator I get a message: "The service cannot accept control messages at this time"
    Still no traces in Sandboxie. What is this .gif supposed to do?
    *edit* Never mind, I did an online scan:

     
    Last edited: Feb 7, 2008
  15. Rmus

    Rmus Exploit Analyst

    Joined:
    Mar 16, 2005
    Posts:
    4,020
    Location:
    California
    Hi sukarof,

    I'm interested in whether or not having SRP enabled prevents an unauthorized executable from being downloaded to disk.

    EDIT: in your case, does SRP permit the executable to be extracted to disk from the ZIP file?

    ----
    rich
     
  16. lucas1985

    lucas1985 Retired Moderator

    Joined:
    Nov 9, 2006
    Posts:
    4,047
    Location:
    France, May 1968
    Interesting :)
    Perhaps your system is fully patched, so this exploit can't run? Maybe a manual execution (as opposed to a drive-by when browsing) doesn't achieve the same results? Wish I knew more :(
    I would be very (and happily) surprised if a SRP is as powerful as Anti-Executable.
     
  17. SpikeyB

    SpikeyB Registered Member

    Joined:
    Mar 20, 2005
    Posts:
    479
    Hi Rmus

    SRP does not stop you from downloading files to disk and will allow you to extract zip files to disk. It's only when you try to execute the file that SRP will kick in.

    I guess that these are two differences between SRP and AE.
     
  18. SpikeyB

    SpikeyB Registered Member

    Joined:
    Mar 20, 2005
    Posts:
    479
    The only difference I have noticed between manually running and drive-by is that manual leads to a window highlighting that a file has been blocked and drive-by doesn't.

    In the event logs, both methods show the processes as being blocked.
     
  19. lucas1985

    lucas1985 Retired Moderator

    Joined:
    Nov 9, 2006
    Posts:
    4,047
    Location:
    France, May 1968
    Good to know, thanks :)
     
  20. Rmus

    Rmus Exploit Analyst

    Joined:
    Mar 16, 2005
    Posts:
    4,020
    Location:
    California
    Thanks, SpikeyB for that clarification!


    ----
    rich
     
  21. zopzop

    zopzop Registered Member

    Joined:
    Apr 6, 2006
    Posts:
    642
    If I'm reading this right, it means SRP stopped the file from executing? So this means that SRP stops spoofed executables?
     
  22. sukarof

    sukarof Registered Member

    Joined:
    Jun 22, 2004
    Posts:
    1,887
    Location:
    Stockholm Sweden
    Hi

    As SpikeyB says, it is no problem to extract it from the zip, and you can download anything to your hard drive, including viruses, but they will not execute.

    For the first time in I don't know how many years, I have found my computer infected! :)

    After I did the test I decided to download Dr.Web CureIt and do a scan. CureIt found a malware in my PC Tools Firewall process. I got so shocked that I forgot to write down the name of it :argh:
    I immediately restarted with Norton Ghost 12 (which I am trialling) and restored an image taken a couple of hours earlier. It restored the backup fine, but when it booted to the image I got a blue screen. I tried once more but with the same result. (And so my newly found confidence in NG12 flew out through the window.)
    Luckily I have good old ShadowProtect to fall back on :thumb: So I did a restore to a couple-of-days-old image.

    I did a scan with CureIt again and all was fine now.

    I must admit though that I have not had the SRP policies activated for a couple of weeks, since I thought there was some kind of bug: when I do a path rule for an executable and the folder (Polyview, a photo viewer), with SRP Polyview consumes 50% CPU power and is very sluggish while running.

    I have done the same tests in this restored image as I did in my previous post and rescanned with CureIt, but now it didn't find anything. So it wasn't this malware that infected me.
    I guess that was not a false positive, so I have been infected somehow even though I run UAC. Obviously I have got it through an installer that I have allowed (I do test a lot of software); that installer probably modified the PC Tools service (FWservice.exe) during the install.

    Experience is the best teacher there is. So I have learnt my lesson and will now re-evaluate my, somewhat cocky :), decision not to run any security software while in a limited account, since it will not protect against process modification of software that doesn't protect itself. Most software seems to require admin rights when installing, and process modification is the weak spot with LUA and SRP.

    Well, it was fun (to run Windows without paranoia) while it lasted.
    Howdy HIPS, Sukarof is back home :D
     
  23. Rmus

    Rmus Exploit Analyst

    Joined:
    Mar 16, 2005
    Posts:
    4,020
    Location:
    California
    Double-clicking on a .gif file forces Windows to open the file in the default image program. In this case, naturally, there is no image, so nothing displays, as some have noted.

    So manually clicking this .gif file doesn't really prove anything with respect to SRP and spoofed executables.

    If this file is permitted to execute, it installs another executable, in this case a spoofed .tmp file, which KAV identifies as Trojan-Downloader.Win32.Murlo.co

    [attachment: cnte-cache.gif]

    Check your event log to see what it lists.

    This type of test assumes that the malicious spoofed .gif file has somehow gotten onto your computer and that you decide to execute it. It's reminiscent of the firewall leaktests: you have to permit the file to download and then manually execute it. I don't know what that really proves.

    For a true remote code execution test: I just discovered that one of the old Google-Redirect exploits is still working: awfulplastics.com:

    [attachment: awfulAE.gif]

    It attempts to download a spoofed .gif file. The reference to the "Update..." file is created in the Startup directory if the .gif file is permitted to download.

    Read my writeup here if you would like to try this exploit. It will be interesting to see at what point SRP catches it:

    http://www.urs2.net/rsj/computing/tests/awful


    ----
    rich
     
    Last edited: Feb 9, 2008
  24. SpikeyB

    SpikeyB Registered Member

    Joined:
    Mar 20, 2005
    Posts:
    479
    SRP allows the file to download and allows the creation of a startup entry. The file then tries to execute and is blocked by SRP.

    Even though this is a drive-by, a window does pop up to say that the file has been blocked. When I have come across other drive-bys there is no window to say a file has been blocked.

    [attachment: untitled.JPG]
     
    Last edited: Feb 8, 2008
  25. Rmus

    Rmus Exploit Analyst

    Joined:
    Mar 16, 2005
    Posts:
    4,020
    Location:
    California
    This mirrors the behavior of the various HIPS products that were tested last year against this exploit.

    It looks like SRP is a viable solution for unauthorized execution (as you have been saying for a long time!)


    ----
    rich
     