Battle Best Anti-EXE/App Whitelisting 2015

Status
Not open for further replies.

Malware Man

Level 9
Verified
Well-known
Feb 2, 2013
440
Mine doesn't either, and I doubt anyone here can run Device Guard without being part of a big company :D. But for those lucky ones that can, it's arguably the best.

Hmmmm, I may get lucky to find a computer with it built in. I plan on getting a new one soon anyways. I'd love to get features like Windows Hello and fingerprint scanners and whatnot :)

Now can these zero-day exploits bypass AppLocker? Or is running at kernel level enough to stop them?

Should I really be running an AV alongside it? 'Cause currently I am not.

Azure

Level 28
Verified
Top Poster
Content Creator
Oct 23, 2014
1,712
It seems that many people vote for SecureAPlus.
I am curious about its advantages over the others.:)
During installation, it will do a full system scan with its UAV (12 antivirus engines in the cloud), meaning it will scan for possible threats and at the same time it will whitelist everything deemed safe. This means that the amount of alerts a user gets is greatly reduced.

While anti-exe/app whitelisting is useful, there's a danger that an inexperienced user might accidentally whitelist malware via some sort of whitelisting mode (like learning mode in EXE Radar Pro and training mode in VoodooShield). That's the reason it is highly advised to make sure your computer is completely clean before using this type of software. Essentially you're trying to lock down your computer, and you wouldn't want the "bad guy" to be locked inside with you.

Here's an explanation from Yuki2718 from Wilders that you might find a lot more useful:
SecureAPlus Freemium | Page 52 | Wilders Security Forums

Also I believe MalwareDoctor did a test on it some months ago, if you want you can look into it.

Have a good day :)

Online_Sword

Level 12
Verified
Honorary Member
Top Poster
Well-known
Mar 23, 2015
555
Here's an explanation from Yuki2718 from Wilders that you might find a lot more useful
SecureAPlus Freemium | Page 52 | Wilders Security Forums

Thank you for your reply.
According to Yuki2718, SAP can not only block exes and scripts, but can also block DLLs and drivers.
That is amazing to me. I think it is a really strong feature.:)

During installation, it will do a full system scan with its UAV
But I think the full scan is too slow.
I once tried the free (for-1-year) version of SAP.
It took half a day to perform the full scan, even though I left my computer idle.

While anti-exe/app whitelisting is useful, there's a danger that an inexperienced user might accidentally whitelist malware via some sort of whitelisting mode (like learning mode in EXE Radar Pro and training mode in VoodooShield).

But in my opinion, a whitelist (and a blacklist) that can be manually edited could improve the usability.
However, it seems that the whitelist of SAP cannot be edited manually...(I am not sure about it).

illumination

SecureAPlus and VoodooShield = can be for newbie up to advanced users.

EXE Radar Pro and AppGuard = range for medium to expert users.

But the advantage of SecureAPlus and VoodooShield is the AV engines used as a reference to reduce complex interaction alerts.

I would have to disagree somewhat with this assessment, as none of these products are really geared towards newbie/novice users, even though the companies claim them to be.

Example, SecureAPlus:

You download a file, SecureAPlus pops up and states the file is digitally signed, but then the VirusTotal scan on the same pop-up claims that 12 out of so many engines flag this file as malicious. A novice user is not going to know which way to turn: whether to trust the fact that it is digitally signed (and those 12 detections could be false positives), or whether the file is indeed malicious.

This would be the overall compelling theme for all of these products: they require knowledge to make sound judgments as to what should be allowed into the system or not. Even products like VoodooShield, which does a great job of making it easier, still require knowledge after training mode has been run and it is set up.

As for the technologies, these products are definitely a step in the right direction with today's malware problems, as traditional AVs with signatures are just not going to cut it anymore.

Azure

Level 28
Verified
Top Poster
Content Creator
Oct 23, 2014
1,712
But I think the full scan is too slow.
I once tried the free (for-1-year) version of SAP.
It took half a day to perform the full scan, even though I left my computer idle.

True. It does take quite some time for it to finish, but it's mostly worth it. After that initial scan, the user is never required to do another manual scan again, because the UAV will continuously scan your computer. When a user logs on to his/her computer he/she will receive a prompt indicating SecureAPlus has scanned the entire computer; this takes less than a minute to complete. So yeah, it's worth having to wait for the initial scan to finish because all subsequent scans are very fast.

Personally I would recommend installing it during a day when the user doesn't have to use the computer. Pick "fast" scan and leave it until it's finished.


But in my opinion, a whitelist (and a blacklist) that can be manually edited could improve the usability.
However, it seems that the whitelist of SAP cannot be edited manually...(I am not sure about it).
Yeah, that is useful. EXE Radar Pro does a good job of letting the user manually edit the list. As for SecureAPlus, I don't recall if it allowed it. I would recommend either asking here
SecureAPlus Freemium
and asking one of the representatives of SecureAPlus
@sap
or you can go to the thread I posted from Wilders and ask there.

Good day. :)

Malware Man

Level 9
Verified
Well-known
Feb 2, 2013
440
Can someone give me a link or tutorial on how to start using/configuring AppLocker (Win 10)?
Tnx

Something like this or not?

(embedded video)

Is this the right site to start?
AppLocker Step-by-Step Scenarios


I can show you how! You can message me. I have mine set up in Windows 10 perfectly! :)

I've watched that video. AppLocker has more options starting with Windows 8, so there are more things you can do, especially if you want Metro apps to work.

Before you waste your time, please note AppLocker in Windows 10 requires the Education or Enterprise edition in order to work. On the Pro version you can make rules, however the rules cannot be enforced and therefore will not work.

Many users think AppLocker is available in the lower versions of Windows and get disappointed when they find out it's not. It's unfortunate Microsoft only includes it in the higher-end versions of Windows when it is such an amazing security feature.

@Online_Sword I seem to be the only one voting for AppLocker. :cool:

Av Gurus

Level 29
Verified
Honorary Member
Top Poster
Malware Hunter
Well-known
Sep 22, 2014
1,767
I can start the service but can't put it in Automatic mode.
Is this because I'm on the Pro version?

Malware Man

Level 9
Verified
Well-known
Feb 2, 2013
440
I can start the service but can't put it in Automatic mode.

I had that issue. I had to reinstall anyway since Windows Update was causing issues. After I did, the service had no problems starting in Automatic mode. It may have just been luck that it worked.

Here is proof, just in case :)

(screenshot)
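The two practical questions in this exchange (does this Windows 10 edition actually enforce AppLocker rules, and is the Application Identity service set to start automatically) can be answered from an elevated PowerShell prompt. This is an added example written for this thread, not code from any of the posters or from Microsoft; it assumes Windows 10 with PowerShell 5.1 and the built-in AppLocker module, and the edition check is a heuristic on the OS caption string.

```powershell
# Added example: audit AppLocker enforcement readiness on a Windows 10 machine.
# Assumes PowerShell 5.1+, the built-in AppLocker module, and an elevated prompt.
#Requires -RunAsAdministrator
Import-Module AppLocker

function Get-AppLockerReadiness {
    $os = Get-CimInstance -ClassName Win32_OperatingSystem
    # Heuristic: only Enterprise and Education SKUs of Windows 10 enforce AppLocker rules;
    # Pro lets you author rules that are silently never applied.
    $skuSupported = $os.Caption -match 'Enterprise|Education'

    # Rules are only evaluated while the Application Identity service is running.
    $svc = Get-Service -Name AppIDSvc -ErrorAction Stop
    # Startup type as stored under the service key: 2 = Automatic, 3 = Manual, 4 = Disabled.
    $start = (Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Services\AppIDSvc').Start
    $startType = switch ($start) { 2 { 'Automatic' } 3 { 'Manual' } 4 { 'Disabled' } default { "Unknown($start)" } }

    # Effective policy = local policy merged with any domain GPO. Each RuleCollection
    # (Exe, Dll, Script, Msi, Appx) carries its own EnforcementMode attribute:
    # NotConfigured, AuditOnly or Enabled.
    [xml]$policy = Get-AppLockerPolicy -Effective -Xml
    $collections = foreach ($rc in $policy.AppLockerPolicy.RuleCollection) {
        [pscustomobject]@{
            Type            = $rc.Type
            EnforcementMode = $rc.EnforcementMode
            RuleCount       = @($rc.ChildNodes).Count
        }
    }

    [pscustomobject]@{
        Edition                = $os.Caption
        SkuSupportsEnforcement = $skuSupported
        AppIDSvcStatus         = $svc.Status
        AppIDSvcStartType      = $startType
        RuleCollections        = $collections
    }
}

$r = Get-AppLockerReadiness
$r | Select-Object Edition, SkuSupportsEnforcement, AppIDSvcStatus, AppIDSvcStartType | Format-List
$r.RuleCollections | Format-Table -AutoSize

if (-not $r.SkuSupportsEnforcement) {
    Write-Warning 'This edition lets you build AppLocker rules but will not enforce them.'
}
if ($r.AppIDSvcStartType -ne 'Automatic') {
    Write-Warning 'AppIDSvc is not set to Automatic: rules stop applying after a reboot until the service is started.'
}
```

A rule collection that shows rules but `EnforcementMode` of `NotConfigured` or `AuditOnly` is the other common reason a machine "has AppLocker" yet still runs everything.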

Av Gurus

Level 29
Verified
Honorary Member
Top Poster
Malware Hunter
Well-known
Sep 22, 2014
1,767
I'm at work now, can I contact you tomorrow after 18h?
I would like to learn more about this.

Tnx

Solarquest

Moderator
Verified
Staff Member
Malware Hunter
Well-known
Jul 22, 2014
2,525
I have some questions for all who tested these products: EXE Radar, VoodooShield, AppGuard and SAP.
Do they in principle work the same way, do they whitelist apps and block/check unknown ones?
Which ones work at kernel level (AppGuard apparently does)?
What files does each program check and block?
Last, what additional features does each program offer, e.g. memory, registry, file protection etc.? What are the weak points of each program?
This info/summary of facts would help a lot to highlight the differences and to choose between them. :)
Thank you all for your inputs!

hjlbx

Do they in principle work the same way, do they whitelist apps and block/check unknown ones?
Which ones work at kernel level (AppGuard apparently does)?
What files does each program check and block?
Last, what additional features does each program offer, e.g. memory, registry, file protection etc.? What are the weak points of each program?
This info/summary of facts would help a lot to highlight the differences and to choose between them. :)
Thank you all for your inputs!

The only ones that use file reputation are VoodooShield (uses a VirusTotal lookup) and I believe SecureAPlus (uses its own database).
Kernel level = the only ones I know of are AppGuard and VoodooShield (v3, not yet released)
Basically if it's not on the local whitelist or allowed by rules, digital signature, trusted vendor, etc., then it is blocked - all of them
AppGuard has the most features - memory, registry and folder protection

I will make it very easy for you:

If you want simplicity, highly reliable with little trouble = NVT ERP
If you want additional lockdown, reliable but can be problematic dependent upon installed softs, quirky GUI = AppGuard

VoodooShield 3.0 is to be released soon with a kernel-mode driver; I can't comment as I haven't gotten my hands on it yet, but prior versions have been OK to very good.

Right now I am running NVT ERP and Sandboxie constantly. I've had some troubles with AG and WFC, so I removed them until I get it sorted out.

If used correctly...

NVT ERP + SBIE = Blocked !

Solarquest

Moderator
Verified
Staff Member
Malware Hunter
Well-known
Jul 22, 2014
2,525
I'm using VoodooShield 2.75 and I like its ability to scan with 56 VT scanners when something unknown is detected.:D
I asked the above because I didn't know if VoodooShield worked at kernel level (thanks hjlbx for the info that v3 will!:)) and exactly what kind of files are controlled.
I don't think it has memory, folder or registry protection.

I read a lot about AG, but I'm still not sure what files are guarded.

NVT is where I have no info. Does it work in kernel mode, what files does it guard, does it have memory protection?
