What's The Chances On Busting Thru This?

Discussion in 'other anti-malware software' started by EASTER, Feb 18, 2009.

Thread Status:
Not open for further replies.
  1. dw2108

    dw2108 Registered Member

    Joined:
    Jan 24, 2006
    Posts:
    480
    Yeah, there is always the question: What is the goal of a file or set of files, and the so-called evocation of these files is the very heart of the word "heuristics." Even though I'm playing with MS QBASIC toys for 9x/ME, I wrote at the very beginning that I felt that an AV or AS would be necessary: were this false, then why would SSM be found with weaknesses and to have its "file updates" by way of new release? It seems that, for the present as well as a very long time, there shall be a need for AVs, ASs and, of utmost importance, an exchange of ideas.

    Dave
     
  2. EASTER

    EASTER Registered Member

    Joined:
    Jul 28, 2007
    Posts:
    11,126
    Location:
    U.S.A. (South)
    First off let me substantiate the mega listings in my signature. It would be of course ludicrous to run too many of them together, and I don't. They are just the ones that at any time I can fashion together for security while at the same time keep MALWARE LURKERS who peer in this forum in a state of unknown. They have no idea which combo at which time I might be running and that's the idea while displaying what I do carry as a portion of my arsenal, still others not even listed. LoL

    And therein lies my point for an important part of the subject of discussion in this topic. It just so happens however that AE assumes center stage for the reasons Rmus points out above.

    AE automates automatically on non-whitelisted executables and that is quite a formidable prevention in and of itself. All White-Listed (considered safe) programs are safely isolated from tampering and kept within AE's protective database as should be and under guard.

    I've not tested but I haven't read yet where AE itself could be disrupted. But at this point I'm interested in the RAW strength of AE to maintain a safe PC environment where nothing can bust thru its safety zone.

    This ensures a field wide scope of protection unique from any other app of its type if there even be one.

    In this way you only advance malicious content to circulate outside protected system files, programs, etc. And if you really want icing on the cake I use EQS for one example to examine activities outside AE's box, but for sake of this discussion I omit HIPS for any AV, in this case I chose Avira but it could be any AV of your choice.

    EASTER
     
  3. dw2108

    dw2108 Registered Member

    Joined:
    Jan 24, 2006
    Posts:
    480
    Also add to your hosts file entries such as:

    .dll
    .sys
    .bat
    .vbs
    etc.

    This can prevent a good deal of dll injection w/o extra software.

    Dave
     
  4. Joeythedude

    Joeythedude Registered Member

    Joined:
    Apr 19, 2007
    Posts:
    519
    Great discussion.

    I think it looks like the answer is pretty near 0%.
    It's also set and forget - apart from update files for your AV.

    I'm looking at doing something like this soon but with a program called trust-no-exe which is even older than AE.

    :)
     
  5. EASTER

    EASTER Registered Member

    Joined:
    Jul 28, 2007
    Posts:
    11,126
    Location:
    U.S.A. (South)
    Kees' post on it at "what's your security these days" inspired me to make use of it myself, and after all, it does work IMO like AE2 of Faronics in some ways.

    Thanks for weighing in with your opinion.

    EASTER
     
  6. ako

    ako Registered Member

    Joined:
    Nov 16, 2006
    Posts:
    667
    Doesn't Prevx with age/population heuristics set to high/maximum give a very nice replacement for AE2? Moreover, the number of unnecessary alarms with "high" has been very small for me.
     
  7. Rmus

    Rmus Exploit Analyst

    Joined:
    Mar 16, 2005
    Posts:
    4,020
    Location:
    California
    Please re-read posts #21 and #22.

    Regarding the types of exploits Easter is referring to, Ade makes this challenge in #22:

    For the sake of argument and illustration, I will say,

    Bring a URL with malicious code that targets Opera or Firefox to download malware.

    The browser exploits in the wild all target IE. Vulnerabilities are patched in the other browsers very quickly these days.
    Example from Firefox today:

    Fixed in Firefox 3.0.9
    http://www.mozilla.org/security/known-vulnerabilities/firefox30.html

    So, you could argue that using Opera or Firefox would prevent a drive-by exploit from even reaching Easter's arsenal.

    There is one scenario where that might not hold: an exploit targeting an application or a plugin.

    Here is part of the code for a recent PDF exploit:

    Code:
    <SCRIPT language="javascript">
    function PDF()
    {
        // excerpt: "i" is the index of the loop over navigator.plugins that the quoted fragment omits
        var name = navigator.plugins[i].name;

        // redirect to the hosted PDF only when an Adobe Acrobat plugin is present
        if (name.indexOf("Adobe Acrobat") != -1)
            location.href = "spl/pdf.pdf";
    }
    </SCRIPT>
    Even here there are several ways that this exploit can fail:

    1) Disable java script

    2) Have a version of the Reader that is patched

    3) Have the browser configured to Prompt to download PDF instead of opening automatically.


    So, the user is alerted to an unsolicited download of a PDF file which would have otherwise automatically opened in the browser window. Same thing in Opera and IE.

    If the above precautions are not in place, the exploit can start, and we see that it is not Firefox, but Acrobat that executes malicious code in the PDF file to call out to a server to attempt to download the trojan:

    [Image: ff-PDF.gif]

    So, Easter is protected in any case.

    ----
    rich
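    The fragment Rmus quotes has a recognisable shape: the script enumerates navigator.plugins, looks for a PDF reader by name, and only then sends the browser to a hosted .pdf. The following is an added example, not code from the thread or from any product mentioned in it, showing how a reviewer could flag that shape in captured page scripts (for instance from a proxy log) as a static heuristic. The regular expressions, the function names and all four sample fragments are constructed for this example; the "benign" samples are there to show that a plain PDF link or a plugin capability check on its own does not trip the rule. It is a triage aid only; the mitigations Rmus lists (script disabled, patched Reader, prompt-to-download) are what actually stop the exploit from running.

```javascript
// Added example (not from the thread): static heuristic that flags script
// fragments which probe the browser for a PDF reader and then redirect to a
// .pdf resource, the pattern visible in the quoted excerpt.

// Ways a script learns which viewer is installed.
const PROBE_PATTERNS = [
  /navigator\.plugins/i,      // enumerating installed plugins
  /navigator\.mimeTypes/i,    // checking for a registered MIME handler
];

// Reader name strings a loader typically compares against.
const READER_NAMES = /Adobe\s+(Acrobat|Reader)/i;

// A navigation or window.open whose target ends in .pdf within the same statement.
// (Loose on purpose: it also matches "location.href == ...", which is acceptable
// for a triage heuristic that is combined with the probe condition below.)
const PDF_REDIRECT = /(location(\.href)?\s*=|window\.open\s*\(|document\.location\s*=)[^;]*\.pdf/i;

// Returns the list of indicators found in a script fragment.
function analyzeScript(src) {
  const reasons = [];
  if (PROBE_PATTERNS.some((re) => re.test(src))) reasons.push("probes installed plugins");
  if (READER_NAMES.test(src)) reasons.push("checks for a PDF reader by name");
  if (PDF_REDIRECT.test(src)) reasons.push("redirects to a .pdf resource");
  return reasons;
}

// Verdict: a fragment is suspicious only when it BOTH probes the viewer AND
// redirects to a PDF. Either indicator alone is common in legitimate pages.
function isSuspicious(src) {
  const r = analyzeScript(src);
  return r.includes("probes installed plugins") && r.includes("redirects to a .pdf resource");
}

// Constructed sample fragments (not real captures).
const SAMPLES = {
  // Same shape as the quoted excerpt, with the surrounding loop filled in.
  loader:
    'for (var i = 0; i < navigator.plugins.length; i++) {' +
    ' var name = navigator.plugins[i].name;' +
    ' if (name.indexOf("Adobe Acrobat") != -1) location.href = "spl/pdf.pdf"; }',
  // Variant that uses the MIME-type table and window.open instead.
  mimeVariant:
    'var m = navigator.mimeTypes["application/pdf"]; if (m) window.open("x/ld.pdf");',
  // Benign: a capability check with no navigation.
  capabilityCheck:
    'if (navigator.plugins.length) console.log("plugins enabled");',
  // Benign: an ordinary download link with no plugin probing.
  brochureLink:
    'document.getElementById("brochure").onclick = function () { location.href = "/docs/brochure.pdf"; };',
};

// Scan a map of name -> script fragment and return name -> verdict.
function scanAll(samples) {
  const verdicts = {};
  for (const [name, src] of Object.entries(samples)) {
    verdicts[name] = isSuspicious(src);
  }
  return verdicts;
}

// Usage: node this_file.js
console.log(scanAll(SAMPLES));
```

Only the two loader-shaped fragments come back true; a fragment that merely enumerates plugins, or merely links to a PDF, does not. Tune PROBE_PATTERNS and READER_NAMES to whatever plugin the campaign under review targets.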
     
  8. ako

    ako Registered Member

    Joined:
    Nov 16, 2006
    Posts:
    667
    Could someone comment on this?
     
  9. Rmus

    Rmus Exploit Analyst

    Joined:
    Mar 16, 2005
    Posts:
    4,020
    Location:
    California
    I agree. Last year several tested a drive-by exploit I set up and at least 7 different products as well as SRP successfully blocked it.

    ----
    rich
     
  10. Longboard

    Longboard Registered Member

    Joined:
    Oct 2, 2004
    Posts:
    3,238
    Location:
    Sydney, Australia
    Sorry Easter, slightly OT but still relevant:
    @Ako; saw that other thread and the PrevX Help reply; you are probably correct other than the statement by PrevX Help.
    PrevX does offer good protection in the form of anti.exe protections: that's its job..:D
    IIRC you were in on Px from early ??
    Is there some problem?
    In PrevX 2 ( the now poor cousin ? ) pop-up warnings were dependent on the user defined settings.
    In what I sometimes feel is a slightly dumbed down option for PrevX 3 most stuff is handled automagically to lessen the chance of user mistake/pop-up fatigue, although some user interaction seems to be optional.

    Anyone want to comment here:
    https://www.wilderssecurity.com/showthread.php?p=1453538#post1453538
     

    Last edited: Apr 24, 2009
  11. ako

    ako Registered Member

    Joined:
    Nov 16, 2006
    Posts:
    667
    Hi Longboard!

    Using, testing, loving and criticizing PX over 3 years now. Mostly at (now dead) CC. :)

    I really like the age/population heuristics in Prevx 3.0. Setting them to "high" should already give really strong anti-exe type protection without too many popups.
     