Trust-No-Exe

Discussion in 'other anti-malware software' started by ssj100, Aug 21, 2009.

Thread Status:
Not open for further replies.
  1. ssj100

    ssj100 Guest

    Hi guys, just wondering if anyone has any experiences with this neat application:
    http://www.beyondlogic.org/solutions/trust-no-exe/trust-no-exe.htm

    I've done a bit of testing of it in my VM XP, and it seems to work very well. I suppose it's very similar to Faronics Anti-Executable, except that it's completely free!

    I've put it through a few drive-by downloads (via IE 7) and it blocked everything. Are there any known bypasses for this application?

    Also, it seems like it's no longer being updated. Anyone know why?
     
  2. Mapson

    Mapson Registered Member

    Joined:
    Dec 29, 2005
    Posts:
    54
    I've tried it but had some stability issues (BSOD) and incorrect parsing of allow/deny, e.g.:

    Deny all executables in 'MyDocuments'
    Allow all executables in 'MyDocuments\Development'

    Everything under 'MyDocuments' was blocked even though 'MyDocuments\Development' was allowed.

    You can block MSI files by adding 'msiexec.exe' to the deny list; for scripts, deny 'wscript.exe'.
     
  3. Joeythedude

    Joeythedude Registered Member

    Joined:
    Apr 19, 2007
    Posts:
    519
    I posted about it a while back.
    It's grand apart from that you have to set up what folders to block, and I wasn't sure about blocking some Windows folders.

    I don't think an MSI file can infect you itself.

    An .exe can do work or damage by itself.
    It can also "run"/"call" .dll files.

    These 2 are what do the actual work or damage on a PC. AFAIK.
     
  4. Joeythedude

    Joeythedude Registered Member

    Joined:
    Apr 19, 2007
    Posts:
    519
  5. Mapson

    Mapson Registered Member

    Joined:
    Dec 29, 2005
    Posts:
    54
    Did you include the full path to 'msiexec.exe'?

    i.e 'c:\windows\system32\msiexec.exe'
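
The deny-parent/allow-child case reported in post 2 and the full-path question in post 5, as an added example that is not part of the original thread and is not Trust-No-Exe's own code or algorithm: a sketch of a path-rule evaluator where the most specific rule wins. The rule list, the user profile path, and the function names are assumptions made for illustration.

```python
import ntpath  # Windows path semantics, usable on any OS

# Constructed rule set mirroring the thread; the profile path is hypothetical.
RULES = [
    ("deny",  r"C:\Documents and Settings\user\My Documents"),
    ("allow", r"C:\Documents and Settings\user\My Documents\Development"),
    ("deny",  r"C:\Windows\System32\msiexec.exe"),
    ("deny",  r"C:\Windows\System32\wscript.exe"),
    ("allow", r"C:\Windows"),
]

def norm(path):
    """Collapse '..', unify slashes and case so lookalike paths compare equal."""
    return ntpath.normcase(ntpath.normpath(path)).rstrip("\\")

def covers(rule_path, target):
    """True if rule_path is the target itself or one of its parent directories.
    The separator check stops 'Development' from matching 'DevelopmentX'."""
    return target == rule_path or target.startswith(rule_path + "\\")

def decide(exe_path, rules=RULES, default="deny"):
    """Longest matching rule wins, deny wins a tie, no match means default."""
    target = norm(exe_path)
    best = None
    for action, rule_path in rules:
        rp = norm(rule_path)
        if not covers(rp, target):
            continue
        key = (len(rp), action == "deny")
        if best is None or key > best[0]:
            best = (key, action)
    return best[1] if best else default

if __name__ == "__main__":
    docs = r"C:\Documents and Settings\user\My Documents"
    for p in (docs + r"\tool.exe",
              docs + r"\Development\build\app.exe",
              docs + r"\Development\..\dropped.exe",
              r"c:\windows\system32\msiexec.exe",
              r"C:\Windows\System32\notepad.exe"):
        print(decide(p), p)
```

In this sketch a rule written as a bare file name such as 'msiexec.exe' matches nothing, because rules are compared as full paths after normalization.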
     
  6. Mapson

    Mapson Registered Member

    Joined:
    Dec 29, 2005
    Posts:
    54
    Yes Antiexecutable 2.3 is good but I would have liked the option to remove a 'whitelisted' executable if required.

    i.e. I can add a new file to the Antiexecutable 2.3 whitelist by temporarily disabling it, running the new executable then re-enabling Antiexecutable 2.3. It then adds anything run to the whitelist; however I may want to 'remove' an executable from the Antiexecutable 2.3 whitelist and I couldn't find a way to do so.

    Antiexecutable 3.x allows editing of the whitelist but isn't as good as 2.3 in coverage of executable file types.
     
  7. Rmus

    Rmus Exploit Analyst

    Joined:
    Mar 16, 2005
    Posts:
    3,943
    Location:
    California
    MSI files are executable files used by the installer program, msiexec.exe. As an executable file, it could be compiled to do anything. They also use the .tmp file extension.

    Last year when the MS08-041 (Snapviewer) exploit surfaced, I followed a couple of URLs and one served up a package of exploits. Among the garbage that attempted to download was this:

    msi-snapviewAE.gif

    Other filetypes can be spoofed. Here, a package object disguised as a SCR file, yet its true identity is revealed when we see that packager.exe is the application that attempts to download the file:

    pkg.gif

    ----
    rich
     
  8. Toby75

    Toby75 Registered Member

    Joined:
    Mar 10, 2006
    Posts:
    480
    Script malware can use cscript or wscript to deliver their payload.
     
  9. Toby75

    Toby75 Registered Member

    Joined:
    Mar 10, 2006
    Posts:
    480
  10. dell boy

    dell boy Registered Member

    Joined:
    Apr 13, 2009
    Posts:
    240
    Location:
    uk, england
    but by blocking installers, exe's and scripts on your computer would be secure yes, but doesn't that compromise usability? i think you've got enough protection with sandboxing and a good AV ssj :p
     
  11. arran

    arran Registered Member

    Joined:
    Feb 5, 2008
    Posts:
    1,139
    Other than preventing all other unknown programs from running what else is AE2 and Trust-No-Exe good for?
     
  12. arran

    arran Registered Member

    Joined:
    Feb 5, 2008
    Posts:
    1,139

    Of course AE2 will block those stop tests from running, any HIPS program can do that. any HIPS program can provide bullet-proof protection by denying unknown programs to Run.

    What I was asking was what other features does AE2 have? How are you going to control the behavior of programs that are allowed to run?
     
  13. arran

    arran Registered Member

    Joined:
    Feb 5, 2008
    Posts:
    1,139

    well for starters you would still need a firewall to control outbound connections of programs that are allowed to run. There are Trusted apps around which do unwelcome activities. for example I play age of conquerors on igzones with igzones client, whenever I close down the igzone client it Terminates age of conquerors which is a damn nuisance so I need a HIPS to block it. I also have certain files on another partition which I do not wish any program to view and read so I need a HIPS with file and folder rules to block programs from reading the files.
     
  14. raven211

    raven211 Registered Member

    Joined:
    May 4, 2005
    Posts:
    2,567
    I don't quite understand this... (TNE, that's) how does TNE secure my system in its default settings? Does it have any effect whatsoever on an Administrator account?

    Those sorts of things are what I'm wondering... I'm trying to see an alternative to LUA and such in both usability and security.
     
  15. Dregg Heda

    Dregg Heda Registered Member

    Joined:
    Dec 13, 2008
    Posts:
    830
    SSJ,

    How exactly did you get your hands on AE v2.3? I thought it was up to v 3 now. Where can I get my hands on AE v2.3? Is that the last iteration of AE v2?
     
  16. Joeythedude

    Joeythedude Registered Member

    Joined:
    Apr 19, 2007
    Posts:
    519
    Yeah, AE just does 1 thing. But it works very well for me.
    Easy to switch on and off too.

    I don't have any outbound control, which I wonder about now and then.

    Private files I have in an encrypted folder.
    For new programs, which I would trust anyhow, I run them in Sandboxie, and see if they have any unexpected *.sys files. If no then they are ok for me.
     
  17. Joeythedude

    Joeythedude Registered Member

    Joined:
    Apr 19, 2007
    Posts:
    519
    Nothing else. :)
    It prevents all malware which uses an exe or dll.
    Some start with a script but all the in-wild ones use an *.exe or *.dll eventually, AFAIK

    But personally I also like that I don't need ever to update AE2 , and it will last until I stop using XP.
     
    Last edited: Aug 22, 2009
  18. Joeythedude

    Joeythedude Registered Member

    Joined:
    Apr 19, 2007
    Posts:
    519
    I've mine set to low, with Network Prevention enabled.
    I've added a trusted folder where I have my scanners etc.
    I added Notebook hardware control (a tweaking program for graphics) and threatfire as my only trusted applications.

    (I use the free version of sandboxie, so don't have any sandboxie forced applications.)
     