Prevent executable from running?
CodeGuru Home VC++ / MFC / C++ .NET / C# Visual Basic VB Forums Developer.com
Results 1 to 10 of 10

Thread: Prevent executable from running?

  1. #1
    Join Date
    Feb 2008
    Posts
    5

    Question Prevent executable from running?

    Hello,

    I would like to programmatically monitor a directory for new files, and if the file happens to be an executable, I want to prevent it from running. Something like a AV program.

    However, I don't know where to start. Simple is best. Any suggestions?

  2. #2
    Join Date
    Dec 2012
    Location
    England
    Posts
    2,381

    Re: Prevent executable from running?

    If you simply want to prevent a user running certain programs, you might like to consider the facilities available via the group policy editor before you get too involved in producing your own solution

    http://social.technet.microsoft.com/...m-group-policy

    http://technet.microsoft.com/en-us/m...08.06.srp.aspx
    All advice is offered in good faith only. You are ultimately responsible for effects of your programs and the integrity of the machines they run on.

  3. #3
    Join Date
    Feb 2008
    Posts
    5

    Re: Prevent executable from running?

    Nope, the program is for myself. I'm not sure if group policies would work like an AntiVirus program.

    I basically don't want any executables (good or bad) launching from my Internet browser cache directory or Documents directory.

    After some more searching, I found something interesting:
    http://msdn.microsoft.com/en-us/wind.../gg462968.aspx

    It seems I have to create a File System MiniFilter Driver. The program would only "filter" out executables.
    It won't "scan" or analyze them, like a full-blown AV program. Looks like a good solution.

    If there was already a filter that allows you to exclude running executables from certain directories, then I would use it. But, it seems like I have to write my own.

  4. #4
    Join Date
    Nov 2000
    Location
    Voronezh, Russia
    Posts
    5,976

    Re: Prevent executable from running?

    Quote Originally Posted by Roswell View Post
    I'm not sure if group policies would work like an AntiVirus program.
    If you need something that works like an AntiVirus program, you need an AntiVirus program. The main issue with home-made solutions is a false sense of security that those give you.

    I basically don't want any executables (good or bad) launching from my Internet browser cache directory or Documents directory.
    As far as I know, contemporary browsers never put to cache anything able to execute itself, and use Downloads folder for downloading programs. Do you have any proofs for opposite?

    If there was already a filter that allows you to exclude running executables from certain directories, then I would use it. But, it seems like I have to write my own.
    Execution prevention is based, as far as I know, on absolutely different techniques. A monitoring program installs itself into general loading mechanism (process/thread creation or mapping file to memory provided by OS) and due to this is able to suspend the process of loading, or eventually terminate the run.

    Creation of AntiVirus products is based on detailed knowledge of OS internals and possible vulnerabilities and attack directions. And final product always provides a complex solution against multiple attack factors or combination of those. This kind of products is affordable for a team of highly skilled professionals, considering the complexity of contemporary OSs and diversity of threats and attack approaches.
    Best regards,
    Igor

  5. #5
    Join Date
    Feb 2008
    Posts
    5

    Re: Prevent executable from running?

    Quote Originally Posted by Igor Vartanov View Post
    If you need something that works like an AntiVirus program, you need an AntiVirus program. The main issue with home-made solutions is a false sense of security that those give you.

    Creation of AntiVirus products is based on detailed knowledge of OS internals and possible vulnerabilities and attack directions. And final product always provides a complex solution against multiple attack factors or combination of those. This kind of products is affordable for a team of highly skilled professionals, considering the complexity of contemporary OSs and diversity of threats and attack approaches.
    Thanks for your AV plug, but I don't care for a full-blown AV program that bogs down my computer.
    Stopping an executable from running isn't as complex as you make it out to believe.

    I found two very good examples:

    Scanner File System Minifilter Driver
    http://code.msdn.microsoft.com/windo...ystem-426c8cbe

    AvScan File System Minifilter Driver
    http://code.msdn.microsoft.com/windo...ystem-40053812

    I want to be able to customize my own program. I only want to "filter" executables.
    I don't want to scan/analyze them. Yes, it's simple, but that's what I want.

    As far as I know, contemporary browsers never put to cache anything able to execute itself, and use Downloads folder for downloading programs. Do you have any proofs for opposite?
    I was just providing a simple example. There are dozens of directories I can exclude executables from running from.

  6. #6
    Join Date
    Nov 2000
    Location
    Voronezh, Russia
    Posts
    5,976

    Re: Prevent executable from running?

    Quote Originally Posted by Roswell View Post
    I want to be able to customize my own program. I only want to "filter" executables.
    I don't want to scan/analyze them. Yes, it's simple, but that's what I want.
    Okay, no problem in case you teach your driver to distinguish between plain opening and opening for execution. Otherwise you won't even be able to peek into the file, as your driver will prevent it from opening.
    Best regards,
    Igor

  7. #7
    Join Date
    Apr 2000
    Location
    Belgium (Europe)
    Posts
    3,886

    Re: Prevent executable from running?

    you can solve this by just changing the security on the folder to not have execute privileges.

    of course that just plain blocks it whereas filter drivers will pop a warning and allow you to choose yes or no.

    depends what you want I guess...

  8. #8
    Join Date
    Feb 2008
    Posts
    5

    Re: Prevent executable from running?

    Quote Originally Posted by Igor Vartanov View Post
    Okay, no problem in case you teach your driver to distinguish between plain opening and opening for execution. Otherwise you won't even be able to peek into the file, as your driver will prevent it from opening.
    I believe filters run in kernel mode. That supposedly gives them access to any address in memory, including files.

    This is exactly what I want to do:
    http://www.bitnuts.de/KernelBasedMonitoring.pdf


    Quote Originally Posted by OReubens View Post
    you can solve this by just changing the security on the folder to not have execute privileges...
    Is that for Windows or some other OS? My application is for Windows. A system-wide filter that runs in kernel mode might be better in the sense that I don't have to mess with privileges.

  9. #9
    Join Date
    Nov 2003
    Posts
    1,797

    Re: Prevent executable from running?

    >> ... might be better in the sense that I don't have to mess with privileges.
    As apposed to writing some driver/application? If it's just for learning/exposure.

    >> My application is for Windows.
    http://support.microsoft.com/kb/308419

    >> of course [no execute-permissions] just plain blocks it whereas filter drivers will pop a warning and allow you to choose yes or no.
    If you really need to execute something it can be copied to an appropriate location first. So I'd go with just folder-permissions management - but then I'm not looking to implement filter drivers for fun and learning (not today anyway).

    gg

  10. #10
    Join Date
    Nov 2000
    Location
    Voronezh, Russia
    Posts
    5,976

    Re: Prevent executable from running?

    Quote Originally Posted by Roswell View Post
    I believe filters run in kernel mode. That supposedly gives them access to any address in memory, including files.
    Actually it was not about what KMD can or can not. I was talking about the exe file to be locked in your "protected" folder and not able to be copied somewhere else or examined by any user mode app. Under such a constraint I would better focus on preventing exe being copied to/created/renamed there in the folder.
    Last edited by Igor Vartanov; September 3rd, 2013 at 01:20 AM.
    Best regards,
    Igor

Posting Permissions

  • You may not post new threads
  • You may not post replies
  • You may not post attachments
  • You may not edit your posts
  •  


Windows Mobile Development Center


Click Here to Expand Forum to Full Width

This is a CodeGuru survey question.


Featured


HTML5 Development Center