-
August 30th, 2013, 08:18 PM
#1
Prevent executable from running?
Hello,
I would like to programmatically monitor a directory for new files, and if the file happens to be an executable, I want to prevent it from running. Something like an AV program.
However, I don't know where to start. Simple is best. Any suggestions?
-
August 31st, 2013, 06:03 AM
#2
Re: Prevent executable from running?
If you simply want to prevent a user from running certain programs, you might like to consider the facilities available via the group policy editor before you get too involved in producing your own solution.
http://social.technet.microsoft.com/...m-group-policy
http://technet.microsoft.com/en-us/m...08.06.srp.aspx
All advice is offered in good faith only. All my code is tested (unless stated explicitly otherwise) with the latest version of Microsoft Visual Studio (using the supported features of the latest standard) and is offered as examples only - not as production quality. I cannot offer advice regarding any other c/c++ compiler/IDE or incompatibilities with VS. You are ultimately responsible for the effects of your programs and the integrity of the machines they run on. Anything I post, code snippets, advice, etc is licensed as Public Domain https://creativecommons.org/publicdomain/zero/1.0/ and can be used without reference or acknowledgement. Also note that I only provide advice and guidance via the forums - and not via private messages!
C++23 Compiler: Microsoft VS2022 (17.6.5)
-
August 31st, 2013, 07:11 AM
#3
Re: Prevent executable from running?
Nope, the program is for myself. I'm not sure if group policies would work like an AntiVirus program.
I basically don't want any executables (good or bad) launching from my Internet browser cache directory or Documents directory.
After some more searching, I found something interesting:
http://msdn.microsoft.com/en-us/wind.../gg462968.aspx
It seems I have to create a File System MiniFilter Driver. The program would only "filter" out executables.
It won't "scan" or analyze them, like a full-blown AV program. Looks like a good solution.
If there was already a filter that allows you to exclude running executables from certain directories, then I would use it. But, it seems like I have to write my own.
-
September 1st, 2013, 07:55 AM
#4
Re: Prevent executable from running?
Originally Posted by Roswell
I'm not sure if group policies would work like an AntiVirus program.
If you need something that works like an AntiVirus program, you need an AntiVirus program. The main issue with home-made solutions is a false sense of security that those give you.
I basically don't want any executables (good or bad) launching from my Internet browser cache directory or Documents directory.
As far as I know, contemporary browsers never cache anything able to execute itself, and use the Downloads folder for downloaded programs. Do you have any proof of the opposite?
If there was already a filter that allows you to exclude running executables from certain directories, then I would use it. But, it seems like I have to write my own.
Execution prevention is based, as far as I know, on absolutely different techniques. A monitoring program installs itself into the general loading mechanism (process/thread creation or mapping of a file to memory, provided by the OS) and due to this is able to suspend the loading process, or eventually terminate the run.
Creation of AntiVirus products is based on detailed knowledge of OS internals and possible vulnerabilities and attack directions. And the final product always provides a complex solution against multiple attack factors or combinations of those. This kind of product is affordable for a team of highly skilled professionals, considering the complexity of contemporary OSs and the diversity of threats and attack approaches.
Best regards,
Igor
-
September 1st, 2013, 06:10 PM
#5
Re: Prevent executable from running?
Originally Posted by Igor Vartanov
If you need something that works like an AntiVirus program, you need an AntiVirus program. The main issue with home-made solutions is a false sense of security that those give you.
Creation of AntiVirus products is based on detailed knowledge of OS internals and possible vulnerabilities and attack directions. And the final product always provides a complex solution against multiple attack factors or combinations of those. This kind of product is affordable for a team of highly skilled professionals, considering the complexity of contemporary OSs and the diversity of threats and attack approaches.
Thanks for your AV plug, but I don't care for a full-blown AV program that bogs down my computer.
Stopping an executable from running isn't as complex as you make it out to believe.
I found two very good examples:
Scanner File System Minifilter Driver
http://code.msdn.microsoft.com/windo...ystem-426c8cbe
AvScan File System Minifilter Driver
http://code.msdn.microsoft.com/windo...ystem-40053812
I want to be able to customize my own program. I only want to "filter" executables.
I don't want to scan/analyze them. Yes, it's simple, but that's what I want.
As far as I know, contemporary browsers never cache anything able to execute itself, and use the Downloads folder for downloaded programs. Do you have any proof of the opposite?
I was just providing a simple example. There are dozens of directories I can exclude executables from running from.
-
September 2nd, 2013, 02:37 AM
#6
Re: Prevent executable from running?
Originally Posted by Roswell
I want to be able to customize my own program. I only want to "filter" executables.
I don't want to scan/analyze them. Yes, it's simple, but that's what I want.
Okay, no problem, provided you teach your driver to distinguish between plain opening and opening for execution. Otherwise you won't even be able to peek into the file, as your driver will prevent it from opening.
Best regards,
Igor
-
September 2nd, 2013, 06:57 AM
#7
Re: Prevent executable from running?
You can solve this by just changing the security on the folder to not have execute privileges.
Of course, that just plain blocks it, whereas filter drivers will pop a warning and allow you to choose yes or no.
Depends what you want, I guess...
-
September 2nd, 2013, 08:55 PM
#8
Re: Prevent executable from running?
>> ... might be better in the sense that I don't have to mess with privileges.
As opposed to writing some driver/application? If it's just for learning/exposure.
>> My application is for Windows.
http://support.microsoft.com/kb/308419
>> of course [no execute-permissions] just plain blocks it whereas filter drivers will pop a warning and allow you to choose yes or no.
If you really need to execute something it can be copied to an appropriate location first. So I'd go with just folder-permissions management - but then I'm not looking to implement filter drivers for fun and learning (not today anyway).
gg
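The folder-permission approach from posts #7 and #8, as an added example that is not code from the thread: a PowerShell script that puts an NTFS deny ACE for the "execute file" right on one folder, for one account, leaving read and write untouched and with a check and a rollback. The folder path and account name are placeholders.

```powershell
# Added example, not code from the thread: deny only FileSystemRights::ExecuteFile
# ("Traverse folder / execute file") on a folder so files dropped there stay
# readable and writable but cannot be launched directly. Placeholders below;
# run from an elevated PowerShell on the machine whose folder you are protecting.
$Folder  = 'C:\Users\Example\Downloads'   # placeholder path
$Account = 'BUILTIN\Users'                # placeholder principal

function New-NoExecuteRule([string]$Account) {
    # ObjectInherit + InheritOnly: the ACE is not evaluated on the folder itself
    # (folder traversal is unaffected) and is inherited by files, including files
    # in subfolders. Deny ACEs are evaluated before Allow ACEs in the DACL.
    [System.Security.AccessControl.FileSystemAccessRule]::new(
        $Account,
        [System.Security.AccessControl.FileSystemRights]::ExecuteFile,
        [System.Security.AccessControl.InheritanceFlags]::ObjectInherit,
        [System.Security.AccessControl.PropagationFlags]::InheritOnly,
        [System.Security.AccessControl.AccessControlType]::Deny)
}

function Set-NoExecuteFolder([string]$Folder, [string]$Account, [switch]$Remove) {
    # Add the deny ACE, or remove it again with -Remove.
    $acl  = Get-Acl -Path $Folder
    $rule = New-NoExecuteRule $Account
    if ($Remove) { $null = $acl.RemoveAccessRule($rule) }
    else         { $acl.AddAccessRule($rule) }
    Set-Acl -Path $Folder -AclObject $acl
}

function Test-NoExecuteFolder([string]$Folder, [string]$Account) {
    # True when a Deny ACE for the account that covers ExecuteFile is on the DACL.
    $execBit = [int][System.Security.AccessControl.FileSystemRights]::ExecuteFile
    $deny = (Get-Acl -Path $Folder).Access | Where-Object {
        $_.AccessControlType -eq 'Deny' -and
        $_.IdentityReference.Value -eq $Account -and
        (([int]$_.FileSystemRights -band $execBit) -ne 0)
    }
    return [bool]$deny
}

Set-NoExecuteFolder -Folder $Folder -Account $Account
Test-NoExecuteFolder -Folder $Folder -Account $Account   # True once applied
# Roll back with: Set-NoExecuteFolder -Folder $Folder -Account $Account -Remove
```

FILE_EXECUTE is what the loader needs to map an .exe or DLL as an image, so this blocks direct launches and library loads from the folder, and as post #8 notes a file you genuinely want to run can be copied elsewhere first. Scripts handed to an interpreter are only read, not executed, so they are not covered by this ACE; that is the case for the Software Restriction Policies linked in post #2.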