Prevent executable from running?
Hello,
I would like to programmatically monitor a directory for new files, and if a file happens to be an executable, I want to prevent it from running. Something like an AV program.
However, I don't know where to start. Simple is best. Any suggestions?
Re: Prevent executable from running?
If you simply want to prevent a user from running certain programs, you might like to consider the facilities available via the Group Policy Editor before you get too involved in producing your own solution.
http://social.technet.microsoft.com/...m-group-policy
http://technet.microsoft.com/en-us/m...08.06.srp.aspx
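The Software Restriction Policies mechanism the second link refers to can be configured without the Group Policy Editor, because it lives in the registry. The script below is an added example, not code from anyone in this thread, that creates two "Disallowed" SRP path rules (one for Documents, one for a browser cache folder, both placeholders for the poster's own directories) while leaving the default level Unrestricted. It assumes an elevated PowerShell session on a Windows edition that supports SRP; the value names and levels are the documented SRP registry layout.

```powershell
# Added example: define Software Restriction Policies path rules via the registry.
# Assumptions (not from the thread): run elevated; $BlockedPaths are placeholders.
$BlockedPaths = @(
    "%USERPROFILE%\Documents",
    "%LOCALAPPDATA%\Microsoft\Windows\INetCache"   # placeholder browser cache folder
)

$Safer        = "HKLM:\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers"
$Disallowed   = "$Safer\0\Paths"   # subkey "0" = the Disallowed security level
$Unrestricted = 0x40000            # 262144 = the Unrestricted security level

# Turn SRP on with "Unrestricted" as the default, so only our rules block anything.
New-Item -Path $Disallowed -Force | Out-Null
Set-ItemProperty -Path $Safer -Name DefaultLevel       -Value $Unrestricted -Type DWord
Set-ItemProperty -Path $Safer -Name TransparentEnabled -Value 1 -Type DWord   # 1 = all software except DLLs, 2 = include DLLs
Set-ItemProperty -Path $Safer -Name PolicyScope        -Value 0 -Type DWord   # 0 = all users, 1 = exempt local admins
Set-ItemProperty -Path $Safer -Name AuthenticodeEnabled -Value 0 -Type DWord
# Designated file types SRP evaluates (EXE is always evaluated; this list adds the rest).
Set-ItemProperty -Path $Safer -Name ExecutableTypes `
    -Value @("EXE","COM","SCR","PIF","MSI","BAT","CMD","VBS","JS","HTA","CPL","LNK") -Type MultiString

# One rule per folder. A path rule matches the folder and everything under it,
# and environment variables in ItemData are expanded at evaluation time.
foreach ($p in $BlockedPaths) {
    $guid = "{" + [guid]::NewGuid().ToString() + "}"
    $rule = New-Item -Path "$Disallowed\$guid" -Force
    Set-ItemProperty -Path $rule.PSPath -Name ItemData     -Value $p -Type ExpandString
    Set-ItemProperty -Path $rule.PSPath -Name SaferFlags   -Value 0  -Type DWord
    Set-ItemProperty -Path $rule.PSPath -Name Description  -Value "Block execution from $p" -Type String
    Set-ItemProperty -Path $rule.PSPath -Name LastModified -Value ([datetime]::UtcNow.ToFileTimeUtc()) -Type QWord
}

# Show what is now disallowed.
Get-ChildItem $Disallowed | ForEach-Object {
    "Disallowed: " + (Get-ItemProperty $_.PSPath).ItemData
}
```

New processes are evaluated against these keys at launch; if a freshly added rule is not enforced in the current session, log off and on again (or run gpupdate /force). To revert, delete the rule subkeys under CodeIdentifiers\0\Paths, or delete the whole Safer key to switch SRP off. Note that a path rule only says "nothing launches from here"; a user who can copy the file elsewhere can still run it, which is the trade-off gg raises later in the thread.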
Re: Prevent executable from running?
Nope, the program is for myself. I'm not sure if group policies would work like an AntiVirus program.
I basically don't want any executables (good or bad) launching from my Internet browser cache directory or Documents directory.
After some more searching, I found something interesting:
http://msdn.microsoft.com/en-us/wind.../gg462968.aspx
It seems I have to create a File System MiniFilter Driver. The program would only "filter" out executables.
It won't "scan" or analyze them, like a full-blown AV program. Looks like a good solution.
If there was already a filter that allows you to exclude running executables from certain directories, then I would use it. But, it seems like I have to write my own.
Re: Prevent executable from running?
Quote:
Originally Posted by
Roswell
I'm not sure if group policies would work like an AntiVirus program.
If you need something that works like an AntiVirus program, you need an AntiVirus program. The main issue with home-made solutions is the false sense of security they give you.
Quote:
I basically don't want any executables (good or bad) launching from my Internet browser cache directory or Documents directory.
As far as I know, contemporary browsers never put anything capable of executing itself into the cache, and they use the Downloads folder for downloaded programs. Do you have any proof of the opposite?
Quote:
If there was already a filter that allows you to exclude running executables from certain directories, then I would use it. But, it seems like I have to write my own.
Execution prevention is based, as far as I know, on completely different techniques. A monitoring program installs itself into the general loading mechanism (process/thread creation, or the mapping of a file into memory, as provided by the OS) and is therefore able to suspend the loading process or ultimately terminate the run.
Creating AntiVirus products requires detailed knowledge of OS internals and of possible vulnerabilities and attack directions, and the final product always provides a complex solution against multiple attack factors or combinations of them. This kind of product is achievable only by a team of highly skilled professionals, considering the complexity of contemporary OSs and the diversity of threats and attack approaches.
Re: Prevent executable from running?
Quote:
Originally Posted by
Igor Vartanov
If you need something that works like an AntiVirus program, you need an AntiVirus program. The main issue with home-made solutions is a false sense of security that those give you.
Creating AntiVirus products requires detailed knowledge of OS internals and of possible vulnerabilities and attack directions, and the final product always provides a complex solution against multiple attack factors or combinations of them. This kind of product is achievable only by a team of highly skilled professionals, considering the complexity of contemporary OSs and the diversity of threats and attack approaches.
Thanks for your AV plug, but I don't care for a full-blown AV program that bogs down my computer.
Stopping an executable from running isn't as complex as you make it out to be.
I found two very good examples:
Scanner File System Minifilter Driver
http://code.msdn.microsoft.com/windo...ystem-426c8cbe
AvScan File System Minifilter Driver
http://code.msdn.microsoft.com/windo...ystem-40053812
I want to be able to customize my own program. I only want to "filter" executables.
I don't want to scan/analyze them. Yes, it's simple, but that's what I want.
Quote:
As far as I know, contemporary browsers never put anything capable of executing itself into the cache, and they use the Downloads folder for downloaded programs. Do you have any proof of the opposite?
I was just providing a simple example. There are dozens of directories I can exclude executables from running from.
Re: Prevent executable from running?
Quote:
Originally Posted by
Roswell
I want to be able to customize my own program. I only want to "filter" executables.
I don't want to scan/analyze them. Yes, it's simple, but that's what I want.
Okay, no problem, as long as you teach your driver to distinguish between a plain open and an open for execution. Otherwise you won't even be able to peek into the file, as your driver will prevent it from being opened.
Re: Prevent executable from running?
You can solve this by just changing the security on the folder to remove execute privileges.
Of course, that just plain blocks it, whereas filter drivers will pop up a warning and let you choose yes or no.
Depends on what you want, I guess...
Re: Prevent executable from running?
Quote:
Originally Posted by
Igor Vartanov
Okay, no problem in case you teach your driver to distinguish between plain opening and opening for execution. Otherwise you won't even be able to peek into the file, as your driver will prevent it from opening.
I believe filters run in kernel mode. That supposedly gives them access to any address in memory, including files.
This is exactly what I want to do:
http://www.bitnuts.de/KernelBasedMonitoring.pdf
Quote:
Originally Posted by
OReubens
you can solve this by just changing the security on the folder to not have execute privileges...
Is that for Windows or some other OS? My application is for Windows. A system-wide filter that runs in kernel mode might be better in the sense that I don't have to mess with privileges.
Re: Prevent executable from running?
>> ... might be better in the sense that I don't have to mess with privileges.
As opposed to writing some driver/application? If it's just for learning/exposure.
>> My application is for Windows.
http://support.microsoft.com/kb/308419
>> of course [no execute-permissions] just plain blocks it whereas filter drivers will pop a warning and allow you to choose yes or no.
If you really need to execute something it can be copied to an appropriate location first. So I'd go with just folder-permissions management - but then I'm not looking to implement filter drivers for fun and learning (not today anyway).
gg
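The folder-permission approach OReubens suggests and gg endorses, as an added example that is not code from either of them: deny the NTFS "execute file" right to Everyone on the folder, then show that a copied-in binary refuses to start and that the same file runs again once copied out, which is gg's point. It assumes Windows, an elevated PowerShell, and icacls.exe (shipped with Windows); the folder name is a placeholder for the poster's own directories.

```powershell
# Added example: block execution from a folder with a deny-execute ACE.
# Assumptions (not from the thread): Windows, elevated session, $Protected is a placeholder.
param(
    [string] $Protected = "$env:USERPROFILE\Documents",   # folder to protect
    [switch] $Undo                                          # remove the deny ACE again
)

$Everyone = "*S-1-1-0"   # well-known SID, so the command does not depend on the locale's group name

if ($Undo) {
    icacls $Protected /remove:d $Everyone
    return
}

# (OI)(IO): object-inherit + inherit-only. The deny is inherited by files at any
# depth below $Protected but never applies to the folders themselves, so listing
# and traversing the tree still work.  X = FILE_EXECUTE, the right CreateProcess
# needs to start a program and NtCreateSection(SEC_IMAGE) needs to load a DLL.
# Deny ACEs take precedence over allows and also hit administrators and SYSTEM.
icacls $Protected /deny "${Everyone}:(OI)(IO)(X)"

# Demonstrate with a harmless Windows binary: copy it in, then try to start it.
$Probe = Join-Path $Protected "probe-whoami.exe"
Copy-Item "$env:SystemRoot\System32\whoami.exe" $Probe -Force
try {
    Start-Process -FilePath $Probe -NoNewWindow -Wait -ErrorAction Stop
    "UNEXPECTED: $Probe ran"
} catch {
    "blocked as intended: $($_.Exception.Message)"   # CreateProcess fails with Access is denied
}

# Copying the file to a folder without the deny restores the ability to run it,
# which is the "copy it to an appropriate location first" workflow.
$Outside = Join-Path $env:TEMP "probe-whoami.exe"
Copy-Item $Probe $Outside -Force
Start-Process -FilePath $Outside -NoNewWindow -Wait   # runs normally
Remove-Item $Probe, $Outside -Force
```

Two caveats a practitioner should keep in mind. First, the check is on the file being opened for execute, so it covers EXE, DLL and other image files, but not scripts: cmd.exe or powershell.exe only read a .bat or .ps1, so the deny does not stop them. Second, because the deny is inherited, an existing file that already carries explicit permissions (or a file moved in from the same volume, which keeps its own ACL) may not pick it up; run `icacls $Protected /reset /T` first if the folder already has content with custom ACLs.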
Re: Prevent executable from running?
Quote:
Originally Posted by
Roswell
I believe filters run in kernel mode. That supposedly gives them access to any address in memory, including files.
Actually, it was not about what a KMD can or cannot do. I was talking about the exe file being locked in your "protected" folder and not able to be copied somewhere else or examined by any user-mode app. Under such a constraint I would rather focus on preventing an exe from being copied to, created in, or renamed into the folder.