A traditional signature-based antivirus utility checks files against a database of malware signatures. Behavior-based monitors detect malware by looking for signs of malicious activity. Anti-Executable 5.0 ($45, direct) takes a much simpler approach. Any program that’s not on the list of permitted applications just can’t run, period. Version 5.0 streamlines the user experience a bit, but it still has a few quirks.
Think of your antivirus utility as the doorman at a fancy nightclub. Bitdefender Antivirus Plus (2014) includes traditional signature-based detection; that’s like a doorman with a list of undesirables who are banned from the club. The behavior-based SONAR detection built into Norton AntiVirus (2013) is like a doorman who sizes up the crowd and only lets in well-behaved patrons. As for Anti-Executable, it’s the guy who just growls, “You’re not on the list!”
In addition to the Standard edition reviewed here, Faronics offers a version specifically tuned for use on servers. There's also a centrally managed version designed for enterprise deployment. But at the core of all three is the same "default deny" technology: nothing runs unless it has been explicitly allowed.
The download package for Anti-Executable includes the PDF-based documentation, and you’d do well to read it before proceeding with installation. That way you’ll know why you’re being prompted to define an Administrator User password and a Trusted User password, and what it means if you check the “Include DLL files when creating control list” box.
The install process has changed since the last edition. Previously, you could choose whether or not to have Anti-Executable scan your system and add files to the whitelist. Opting out of that initial scan left you with a blank whitelist, meaning every program would be blocked. Sensibly, the current version always runs an initial scan.
Anti-Executable does assume that your system is malware-free. Its initial scan whitelists absolutely every program it finds, without considering whether it’s malware or not. For best protection, you’ll want to pre-scan the system with a free, tough cleanup tool like Malwarebytes Anti-Malware 1.70, Comodo Cleaning Essentials 6, or Norton Power Eraser.
As for including DLLs in the scan, doing so will help protect against threats like malicious Browser Helper Objects that don’t run from an .EXE file. You can also set it to monitor Java JAR files. In theory, increasing the types of files tracked might affect performance, but I didn’t notice any difference.
Execution Control List
The previous edition’s separate whitelist and blacklist are now merged into a single Execution Control List. As noted, by default Anti-Executable whitelists every file it finds in a scan. You can go through the list and set it to block specific programs if necessary. Not sure about a file? From the list you can launch a Google search, or look it up in the Faronics Identifile database.
Note that if you check the box to include DLL files, you’ll need to update the list. Otherwise launching an authorized executable could trigger dozens of alerts for not-yet-authorized DLLs used by that executable. Just click the Add button, select all relevant drives, and re-run the scan. You can also scan any particular folder and allow or block all found items in that folder, or in that folder and its subfolders.
There's an option to mark any executable on the list as Trusted. That means it's permitted to launch other executable files that aren't whitelisted, and those child processes get no scrutiny at all; an exploited or script-driven Trusted program (a browser or an installer, say) therefore becomes a way around the default-deny rule. This seems a bit dangerous to me; I'd think twice before checking the Trusted box.
You can also whitelist files by publisher; just click Show Publishers and run a scan. Faronics sensibly removed the ability to block publishers, since any program not explicitly allowed won't run. This edition also gives you granular control over publisher-based whitelisting. Most often, you'll whitelist all files signed by the specified publisher. Now, though, you can also whitelist based on the product name, the filename, and even the specific file versions. I'm not seeing the value of control at this level of detail; perhaps it's more significant in Enterprise settings.
By default, the Windows user account that installs Anti-Executable becomes an Anti-Executable Administrator User, with access to all program features. These include editing the Execution Control List, managing other users, and controlling who has access to Temporary Execution Mode (more about that later).
When you add another user account as a Trusted User, that person can edit the list and allow or block programs, but can’t make significant changes in Anti-Executable’s configuration. A new tab offering a report of most-blocked programs is available to Trusted Users and Administrators.
Adding another user remains a rather awkward affair for those not familiar with the “Select Users or Groups” dialog in Windows. If you know the username, you can type it in and then click a button to check that it’s valid. However, if you want a list of user accounts you’ll have to launch the somewhat-daunting Advanced dialog. I’d like to see this simplified.
The difference between a Trusted User and an Administrator is a simple checkbox, and Anti-Executable will not warn you or prevent you from removing your own Administrator privileges. If you do that, the only way to recover is to boot into the Windows Administrator user account, so be careful.
Anti-Executable in Action
After installing the program I let Firefox go for an update, just to see what would happen. When the updated program tried to launch, Anti-Executable popped up a notification saying “This action violates the acceptable use policy,” along with Faronics’s arms-crossed tough guy logo. The dialog included buttons to Allow or Deny execution, with a checkbox to remember that decision in the control list.
Whether I chose Allow or Deny, I had to re-enter the Administrator password. Since Firefox isn’t just a single, simple program, I had to enter that password quite a few times. I repeated the exercise with DLL tracking turned on; the now-enabled checkbox to treat associated DLLs the same way as the program was a big help.
Trusted users have the same power to allow or deny a new, unknown program. Other users get no choice. If it’s not on the list, it won’t run. In a business setting, you may want to change the notification message to include contact information for the Administrator User. You can also swap your own company logo for the Faronics icon.
Anti-Executable was completely effective at blocking new malware. I couldn’t find any way for a malicious program to get around its protection. Of course, malware samples that were already present on the test system before I installed the product got whitelisted along with everything else.
Modes of Operation
As Administrator, you have the power to put Anti-Executable in Stealth Mode. You can hide the tray icon, eliminate the notifications, or both. A regular user will find that unapproved programs just don’t launch. Administrators open the console using a secret key combination. In a business setting, you might configure the Execution Control List on a super-clean PC that contains only approved programs and then export that list and import it to your other PCs. That way your employees are permitted to use approved programs and nothing else.
Temporary Execution Mode enables launching of any program that isn’t explicitly blocked. You click the program’s tray icon and choose how long you want to run in this mode; a warning three minutes before time runs out gives you a chance to add more time.
By default only Administrator Users can enter Temporary Execution Mode, but you can extend this ability to Trusted Users, or even to all users. Note that if you install or update any programs in this mode you’ll need to run a new scan to whitelist them when back in normal mode. Let’s hope also that you don’t get tricked by social engineering into installing a Trojan.
Maintenance Mode is what you use when you’re making big changes like updating Windows or installing new applications. Every executable that launches while you’re running in Maintenance Mode gets added to the list. That would include any malware that launches, so you’ll want to be extra careful. Anti-Executable can pop up regular reminders that Maintenance Mode is active.
I find the user interface choice for ending Maintenance Mode rather questionable. If you switch from Maintenance to Enabled, the program finalizes its new additions to the Execution Control List. If instead you switch from Maintenance to Disabled, it discards those additions, meaning everything you added or changed during maintenance won’t be whitelisted. That behavior isn’t at all what I would have guessed.
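To make the control-list semantics from the Execution Control List section and the mode transitions just described concrete, here is an added simulation written for this page. It is illustrative code, not Faronics's implementation, file format or API. Keying the list on SHA-256 file hashes, the constructed sample images and paths, and the assumption that an explicitly blocked file stays blocked even in Maintenance Mode are all my own choices, not documented product behaviour.

```python
"""Default-deny execution control modelled on what the review describes: a
scan-built control list, publisher rules, Trusted executables, and the
Temporary Execution and Maintenance modes.  Added illustration, not Faronics
code; hashing with SHA-256, the constructed sample images, and explicit
blocks holding in Maintenance Mode are assumptions."""
import hashlib
from dataclasses import dataclass, field
from enum import Enum, auto
from typing import Optional

class Mode(Enum):
    ENABLED = auto()      # normal default-deny enforcement
    DISABLED = auto()     # nothing enforced
    TEMPORARY = auto()    # Temporary Execution Mode: anything not explicitly blocked runs
    MAINTENANCE = auto()  # Maintenance Mode: whatever runs is queued for the list

@dataclass(frozen=True)
class Image:
    """One executable image as the scanner would record it (constructed, not read from disk)."""
    path: str
    content: bytes
    kind: str = "exe"                # "exe", "dll" or "jar"
    publisher: Optional[str] = None  # Authenticode signer, None when unsigned
    product: Optional[str] = None

    @property
    def digest(self) -> str:
        return hashlib.sha256(self.content).hexdigest()

@dataclass
class ControlList:
    track_dlls: bool = False
    allowed: dict = field(default_factory=dict)          # digest -> path
    blocked: set = field(default_factory=set)            # digests explicitly blocked
    trusted: set = field(default_factory=set)            # may spawn unlisted children
    publisher_rules: list = field(default_factory=list)  # (publisher, product or None)
    pending: dict = field(default_factory=dict)          # Maintenance Mode additions

    def tracked(self, img: Image) -> bool:
        return img.kind != "dll" or self.track_dlls

    def scan(self, images) -> None:
        # Initial or re-run scan: whitelist every tracked file found, malware included.
        self.allowed.update({i.digest: i.path for i in images if self.tracked(i)})

    def decide(self, img: Image, mode: Mode = Mode.ENABLED,
               parent: Optional[Image] = None) -> bool:
        """True if this launch (or DLL load) is permitted under the given mode."""
        if mode is Mode.DISABLED or not self.tracked(img):
            return True
        if img.digest in self.blocked:        # assumption: explicit block wins in every enforcing mode
            return False
        if mode is Mode.MAINTENANCE:          # record whatever runs, good or bad
            self.pending[img.digest] = img.path
            return True
        if mode is Mode.TEMPORARY:
            return True
        if img.digest in self.allowed or any(
                img.publisher == pub and prod in (None, img.product)
                for pub, prod in self.publisher_rules):
            return True
        # A Trusted parent may launch anything: the hole the review warns about.
        return parent is not None and parent.digest in self.trusted

    def leave_maintenance(self, to: Mode) -> None:
        # Switching to Enabled keeps the additions; switching to Disabled discards them.
        if to is Mode.ENABLED:
            self.allowed.update(self.pending)
        self.pending.clear()

# Constructed sample images standing in for a scanned disk (paths and bytes are made up).
MOZ = "Mozilla Corporation"
FIREFOX = Image(r"C:\Program Files\Mozilla Firefox\firefox.exe", b"ff-20", publisher=MOZ, product="Firefox")
FIREFOX_NEW = Image(FIREFOX.path, b"ff-21", publisher=MOZ, product="Firefox")
NSS_DLL = Image(r"C:\Program Files\Mozilla Firefox\nss3.dll", b"nss3", kind="dll")
DROPPER = Image(r"C:\Users\bob\AppData\Local\Temp\setup.exe", b"new-evil")
OLD_MALWARE = Image(r"C:\Users\bob\Downloads\free_codec.exe", b"old-evil")

def demo() -> dict:
    """Walk through the behaviours the review describes; every value comes out True."""
    cl = ControlList()
    cl.scan([FIREFOX, NSS_DLL, OLD_MALWARE])          # DLLs not tracked yet, nss3 skipped
    r = {"known firefox runs": cl.decide(FIREFOX),
         "updated firefox blocked": not cl.decide(FIREFOX_NEW),
         "new dropper blocked": not cl.decide(DROPPER),
         "pre-existing malware whitelisted": cl.decide(OLD_MALWARE)}
    cl.publisher_rules.append((MOZ, "Firefox"))
    r["update allowed by publisher rule"] = cl.decide(FIREFOX_NEW)
    cl.track_dlls = True                              # box ticked, list not yet updated
    r["dll blocked until rescan"] = not cl.decide(NSS_DLL)
    cl.scan([FIREFOX, NSS_DLL, OLD_MALWARE])
    r["dll allowed after rescan"] = cl.decide(NSS_DLL)
    cl.trusted.add(FIREFOX.digest)
    r["trusted parent launches dropper"] = cl.decide(DROPPER, parent=FIREFOX)
    r["temporary mode runs dropper"] = cl.decide(DROPPER, mode=Mode.TEMPORARY)
    cl.decide(DROPPER, mode=Mode.MAINTENANCE)
    cl.leave_maintenance(Mode.DISABLED)
    r["maintenance additions discarded"] = not cl.decide(DROPPER)
    cl.decide(DROPPER, mode=Mode.MAINTENANCE)
    cl.leave_maintenance(Mode.ENABLED)
    r["maintenance additions kept"] = cl.decide(DROPPER)
    return r
```

Running demo() walks the cases the review raises: an updated Firefox is blocked until a publisher rule covers it, an unsigned DLL is denied after DLL tracking is switched on until the list is rescanned, malware present before the first scan is whitelisted along with everything else, a Trusted parent can launch an unlisted dropper, and Maintenance Mode additions survive only when you leave that mode via Enabled rather than Disabled.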
The concept behind Anti-Executable is simple—don’t let any programs run unless they’ve been whitelisted. The implementation, with its various operating modes and user types, isn’t quite so simple. It’s not a good solution for the family PC. Do you really want to log in as Administrator every time your kids install a new game?
The best use for Anti-Executable, as I see it, is on computers owned by a small business. The software collection on Office PCs doesn’t change a lot, and employees aren’t necessarily authorized to run arbitrary programs. It definitely does keep new malware from running (along with all other new programs), making it worthwhile to spend the necessary time on administration.
| Tech Support | Phone, email, chat |
| OS Compatibility | Windows XP, Windows Vista, Windows 7 |
| Type | Business, Personal, Enterprise, Professional |
Copyright © 2012 Ziff Davis, Inc