Returnil's anti-execution component


Returnil's anti-execution component

Post by ssj100 on 19/7/2010, 19:04

It appears that Returnil will only block executables not already on the REAL system. Therefore, wouldn't malware potentially be able to use "scripting" executables to bypass this component and infect the REAL system (like those rootkits)? What I mean is, if you don't block e.g. command prompt execution or VBScript execution, wouldn't this leave a hole that could be exploited?

This was one reason why I stopped using Faronics Anti-Executable version 2 - you couldn't control it to prevent e.g. command prompt or other scripting executables. In version 3, they allowed this control.

_________________
Sandboxie + LUA + SRP + DEP + SuRun
Windows Firewall + NAT Router + IPSec (on-demand)
VirtualBox (on-demand)
Drive SnapShot (on-demand)

Re: Returnil's anti-execution component

Post by Buster_BSA on 22/7/2010, 01:35

The question is that the command prompt will not run spontaneously; there must be code that executes it. What code? A program.

Therefore, if the program was not already on the real system, it will be unable to run the command prompt because the AE will not allow the program to run.

The same can be applied to VBScript or whatever.

Another question is exploits. A trusted application (let's say Firefox) could be exploited to run the command prompt or VBScript, but it's also possible that Firefox doesn't use the command prompt to perform malicious actions.

Conclusion: blocking executables not already on the real system is not a bad solution, but it is indeed better if the security solution can be configured, allowing custom whitelists of software that can run.


Re: Returnil's anti-execution component

Post by ssj100 on 22/7/2010, 02:38

Yes, I suppose I was thinking more of the possibility of an application already on the REAL system running a scripting executable (through cmd.exe or cscript.exe etc.) - I don't think a specific exploit of the browser is required to do this, since it's just calling an executable?

Perhaps an example is with .bat files - I can run these types of files simply by double-clicking on them, and Returnil does nothing to stop their execution. What's to stop a website from running a (malicious) script that is in the form of a .bat file via a "drive-by"?

I think your conclusion is spot on. Microsoft's SRP/AppLocker is a good example of such a system-wide solution. And they (must) have good reason to block scripting execution by default (although it's probably more related to the fact SRP/AppLocker is restrictive even to someone who has physical access to the system and doesn't know the Admin password).

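The two policies argued over in this thread, modelled as an added example that is not code from the forum or from Returnil: an image-only allow-list lets a system-resident cmd.exe run an arbitrary .bat, while a script-aware allow-list in the SRP/AppLocker spirit also judges the script the host is handed, and a simple detection flags a browser spawning a script host. All paths, the allow-lists and the launch events are constructed sample data.

```python
import ntpath
from collections import namedtuple

# Constructed allow-list standing in for "executables already on the REAL system".
SYSTEM_IMAGES = {r"C:\Windows\System32\cmd.exe", r"C:\Windows\System32\cscript.exe",
                 r"C:\Program Files\Mozilla Firefox\firefox.exe"}
ALLOWED_SCRIPTS = {r"C:\Scripts\backup.vbs"}   # hypothetical approved script
SCRIPT_HOSTS = {"cmd.exe", "cscript.exe", "wscript.exe", "powershell.exe"}
SCRIPT_EXTS = {".bat", ".cmd", ".vbs", ".js", ".ps1"}
BROWSERS = {"firefox.exe", "iexplore.exe"}

# image = full path of the started executable, cmdline = its command line, parent = parent image name
Launch = namedtuple("Launch", "image cmdline parent")

def script_in_cmdline(cmdline):
    """Return the first command-line token that names a script file, else None."""
    for tok in (t.strip('"') for t in cmdline.split()):
        if ntpath.splitext(tok)[1].lower() in SCRIPT_EXTS:
            return tok
    return None

def image_only_policy(ev):
    """Allow any image already on the system: cmd.exe running payload.bat passes."""
    return ev.image in SYSTEM_IMAGES

def script_aware_policy(ev):
    """Additionally require the script handed to a script host to be allow-listed."""
    if ev.image not in SYSTEM_IMAGES:
        return False
    if ntpath.basename(ev.image).lower() in SCRIPT_HOSTS:
        script = script_in_cmdline(ev.cmdline)
        if script is not None and script not in ALLOWED_SCRIPTS:
            return False
    return True

def browser_spawned_host(ev):
    """Detection: a browser starting a script host is the drive-by shape worth alerting on."""
    return ev.parent.lower() in BROWSERS and ntpath.basename(ev.image).lower() in SCRIPT_HOSTS

def evaluate(events):
    """Per event: (image name, image-only verdict, script-aware verdict, browser->host alert)."""
    return [(ntpath.basename(e.image), image_only_policy(e),
             script_aware_policy(e), browser_spawned_host(e)) for e in events]

EVENTS = [  # constructed sample launches, not real telemetry
    Launch(r"C:\Program Files\Mozilla Firefox\firefox.exe", "firefox.exe", "explorer.exe"),
    Launch(r"C:\Users\u\Downloads\dropper.exe", "dropper.exe", "firefox.exe"),
    Launch(r"C:\Windows\System32\cmd.exe", r'cmd.exe /c "C:\Users\u\Downloads\payload.bat"', "explorer.exe"),
    Launch(r"C:\Windows\System32\cscript.exe", r"cscript.exe C:\Scripts\backup.vbs", "cmd.exe"),
    Launch(r"C:\Windows\System32\cmd.exe", r'cmd.exe /c "C:\Users\u\AppData\Local\Temp\x.bat"', "firefox.exe"),
]
```

Calling `evaluate(EVENTS)` shows the third and fifth launches allowed by the image-only policy but refused by the script-aware one, and only the fifth raising the browser-to-script-host alert.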

Re: Returnil's anti-execution component

Post by noorismail on 22/7/2010, 22:58

It has been a while, but I am almost certain the AE module in Returnil 2008 was basically a ProcessGuard-type affair, with a learning period, that allowed you to selectively block.

_________________
ShadowDefender 1.1.0.323, Sandboxie 3.49, NAT router.
OpenDNS with "Malware/Botnet Protection",
MalwareDefender, Malwarebytes on demand.

Re: Returnil's anti-execution component

Post by Coldmoon on 31/7/2010, 04:36

Hi noorismail,
In 2008 it was a fragmented affair using configurable utilities provided as additional tools. This addition over RVS 2007 was to address the circumventors like the dog Trojans, Killdisk variants, etc. In Labs and 2010 it was simplified to trust or not trust to address the requirements of our customers in Public Access and cafe scenarios.

RVS 2010 and RSS 2011 share access to server side analysis of malware which is used to improve detections and reduce false positives. In the RSS series this will also include white listing as we go forward.

Mike


Re: Returnil's anti-execution component

Post by noorismail on 31/7/2010, 05:52

Thank you for the explanation Mike.
I know Returnil never tried to hawk the anti-executable as being more than it was intended to be: protection from the Dog Class trojans. If I remember, a limited user account was also suggested.

Still, I found it to be a comforting presence, and really the lightest anti-executable I have used.
(well, other than SRP and Sandboxie start/run access settings)
