Battle Best Anti-EXE/App Whitelisting 2015


hjlbx

Bypassed by what?

@Malware1 discovered AG could be bypassed in Medium Mode by using a .lnk file to cmd.exe about 6 months ago. It was reported to BRG and fixed. A few of us tested it thoroughly... it was a Medium Mode bypass by a ransomware script disguised as a text file. If I am not mistaken, @Malware1 happened upon the vulnerability by merely crafting the cmd.exe shortcut from the desktop (User Space). So AG did not block the access to cmd.exe (System Space). Quite serious actually... although a malware author would have to know about it and target AG specifically at that time.

NVT ERP was bypassed back in late 2012 by 16-bit and COM files, and by using Internet Explorer. Each of these was a bit arcane and reported to Andreas by the discoverers. Once again, a malware author would have to know about them and target ERP at that time. If I am not mistaken, all have long been fixed.

VooDooShield has been bypassed by malware using rundll32.exe. It was fixed a few years ago.

Unfortunately, nothing is perfect... including AEs.

Fortunately, bypasses can be fixed.
 

hjlbx

For those that are particularly OCD about their security softs just remember this:

The number of anti-executable users is very small... maybe a few hundred thousand users total spread over three or four applications.

Malware authors tend to target softs that are mainstream with millions of users - like Adobe, browsers, Oracle, etc. This includes security softs... so big names AVs are much, much more of a target than some obscure anti-executable. Malware is, after all, a numbers game.

So, even if an AE has a vulnerability that enables a bypass, how likely is it that a malware writer will target a soft with a user base numbering in only the tens of thousands at most, when they know it is likely to net them very little, if anything at all?

Plus, at least from what I see, AE users tend to be quite conservative/safe in their computing habits = download very little and are not high-risk surfers.

Think about it...
 

XhenEd

I'm still waiting for a genius malware author who can bypass all security software with just one or many connected pieces of malware. hahahaha...
What if there's an Albert Einstein in the dark cyberworld? What could possibly happen? hahahaha...
 

hjlbx

@hjlbx,

Good to know that even VooDooShield was bypassed. Wondering what the turnaround time-frame was of each Anti-EXE/Application White-listing software? Or how long before the fix was taken care of between each Anti-EXE/Application White-listing software?

Also, this link: NVTE, not recommended for use with VPNs?

AppGuard, NVT ERP and VS are all developed and supported by very small teams.

IF a serious bypass is discovered... report it. The developers will fix bypasses quite quickly... as will most any security soft vendor if the bypass is demonstrably critical.

I am not the person to ask about VPNs and how they affect any AEs, since I have little experience with VPNs. I can't tell you anything that you would find useful...
 

hjlbx

I'm still waiting for a genius malware author who can bypass all security software with just one or many connected pieces of malware. hahahaha...
What if there's an Albert Einstein in the dark cyberworld? What could possibly happen? hahahaha...

Easy enough... theoretically speaking only:
  • Develop malware
  • Get it onto Microsoft update servers
  • Get Microsoft updates to install it as part of Automatic Updates
  • World-wide infection
You are now the greatest malware author / hacker of all time...
 

Solarquest

I'm still waiting for a genius malware author who can bypass all security software with just one or many connected pieces of malware. hahahaha...
What if there's an Albert Einstein in the dark cyberworld? What could possibly happen? hahahaha...

...apparently the Equation group has a "good" experience in this...
 

hjlbx

Try WinPrivacy from WinPatrol "Scotty" or SpyShelter

WinPatrolToGo, Ruiware, LLC.
SpyShelter | Anti-Keylogger Numer 1 na Świecie

SpyShelter has HIPS features, also a Sandbox and keystroke encryption, which work better than the alternative soft "KeyScrambler"; you can also buy a version with a Firewall module :D

WinPatrol is OK. I'm not sure Ruiware worked out 64-bit system bugs yet...

SpyShelter does not provide full protection on 64-bit systems due to PatchGuard... plus the GUI is clumsy and tedious.

Both are OK, dependable softs...
 

Online_Sword

WinPatrol is OK. I'm not sure Ruiware worked out 64-bit system bugs yet...

SpyShelter does not provide full protection on 64-bit systems due to PatchGuard... plus the GUI is clumsy and tedious.

Both are OK, dependable softs...

Is WinPatrol also an anti-exe?
 

jamescv7

@Online_Sword : It just focuses on possible entry behaviour like startup and any crucial files on the system; good for those who are at least not so paranoid as to monitor all the changes.

However, if you want a full anti-exe then WinPatrol is not the one you are looking for; that needs a full maintenance check like EXE Radar Pro and a few others.
 

Quassar

I said WinPrivacy, not WinPatrol, but you can use both HIDS + Anti-EXE; with network monitoring it looks nice :D
I'm also going to buy the new 3rd software from Scotty; this can be a good monitor for file/process access.

It's something like the advanced option from SpyShelter, but it will for sure be more advanced :D
 

Moose

Salutations, Friends!

In your opinion, which Anti-EXE/Application software of 2015 works with Sandboxie?
Providing all-around protection against scripts and exploits?
Without conflicts!

Making each day better than yesterday! ;)
 

Online_Sword

In your opinion which Anti-EXE/Application software of 2015 work with
Sandboxie?

According to the official documents, AppGuard and Exe Radar Pro can work with Sandboxie after some configuration.
  • AppGuard:
If Sandboxie is using a folder C:\Sandbox, add this as an "Exception" folder on the Guarded Apps Tab. Make sure to change the type to Read/Write.
  • Exe Radar Pro:
Open Sandboxie and follow these easy steps:
  1. Click on Configure -> Edit Configuration
  2. Add the following line under each of your sandboxes:
    OpenPipePath=*\mailslot\NVTInj\*

In addition, it is mentioned by Andreas that SmartObjectBlocker can also work with Sandboxie. Still, you need to do some configuration for Sandboxie.
  • SmartObjectBlocker:
  1. Open the Sandboxie window
  2. Click on Configure -> Edit Configuration
  3. Add these lines under the sandbox name (example: [DefaultBox]):
    OpenPipePath=*\mailslot\NVTInj\*
    OpenIpcPath=*\BaseNamedObjects*\IOB_DLL_IPC*
    OpenIpcPath=\RPC Control\mchIpcIOB_DLL_IPC
    OpenIpcPath=$:SmartObjectBlocker.exe
    InjectDll=C:\Program Files\NoVirusThanks\Smart Object Blocker\iobDLL32.dll
    InjectDll64=C:\Program Files\NoVirusThanks\Smart Object Blocker\iobDLL64.dll
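As an added example (not code from this thread, from Sandboxie or from NoVirusThanks), here is a small Python helper that performs the "add this line under each of your sandboxes" step above on the text of a Sandboxie.ini without duplicating lines that are already present; it assumes a sandbox section is any section carrying an Enabled=y line, and the sample ini is constructed. Read and write the real file with its original encoding so nothing else in it changes.

```python
import re

# Sandboxie.ini is INI-like but lets a key repeat inside a section (several
# OpenIpcPath= lines, for example), so configparser is the wrong tool here.
SECTION_RE = re.compile(r"^\[(?P<name>[^\]]+)\]\s*$")
# The line the thread says to add under each sandbox for NVT ERP.
ERP_PIPE_LINE = r"OpenPipePath=*\mailslot\NVTInj\*"
# Constructed sample (not a real user's file): DefaultBox already has the ERP
# line, Browser does not, and GlobalSettings is not a sandbox at all.
SAMPLE_INI = r"""[GlobalSettings]
FileRootPath=C:\Sandbox\%USER%\%SANDBOX%

[DefaultBox]
Enabled=y
OpenPipePath=*\mailslot\NVTInj\*

[Browser]
Enabled=y
"""


def split_sections(text):
    """Return (name, raw_lines) pairs; text before the first header has name None."""
    sections = [(None, [])]
    for line in text.splitlines():
        m = SECTION_RE.match(line)
        if m:
            sections.append((m.group("name"), []))
        else:
            sections[-1][1].append(line)
    return sections


def is_sandbox(lines):
    """Assumption: a sandbox section is one that carries an Enabled=y line."""
    return any(l.strip().lower() == "enabled=y" for l in lines)


def add_setting_to_sandboxes(text, setting, only=None):
    """Append `setting` to each sandbox section (or just those named in `only`)
    that does not already contain it. Idempotent; other sections are untouched."""
    out = []
    for name, lines in split_sections(text):
        if name is not None:
            out.append(f"[{name}]")
        body = list(lines)
        wanted = is_sandbox(body) and (only is None or name in only)
        if wanted and setting not in (l.strip() for l in body):
            while body and body[-1].strip() == "":  # keep the blank separator last
                body.pop()
            body += [setting, ""]
        out.extend(body)
    return "\n".join(out) + "\n"
```

Passing `only={"DefaultBox"}` covers the SmartObjectBlocker case, where the six lines go under one named sandbox rather than all of them.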
 