Beyond Logic


Trust-No-Exe - An executable filter for Windows NT/2000/XP

It’s now a common daily occurrence to receive PE viruses such as the recent MyDoom via e-mail. On Windows platforms, nine out of ten of last year's top viruses were spread via e-mail. While staff training is the best deterrent, wouldn’t it be helpful to prevent users from opening un-trusted executables while remaining non-restrictive about opening documents and other less harmful files?

With typical figures saying 70% of network-related attacks come from within your organisation, doesn't it make sense to prevent users from running port scanners or other executable tools from floppy disk or CDROM drives, while still allowing the use of these drives to transfer files and maintain office efficiency?

Or perhaps you have caught users trying to install software on machines. While operating systems are becoming more secure, it is still possible to install programs as a user or run programs directly from the CDROM drive. Other users may simply choose to play games from CDROM drives.

The speed at which viruses can propagate must be a concern for all Administrators. Most sites now have automatic updates running which frequently update their scanners, sometimes as often as twice daily. However, after a virus is released it takes time for it to be detected and identified, and then to be added to the virus definitions of all the major virus scanners, before the site administrator even gets their hands on it. Many people will remember the SQL Slammer Worm. Its peak occurred only three minutes after it was released into the wild. At its peak it was scanning 55 million Internet hosts per second and had infected at least 75,000 victims.

If any of these issues are of concern, you need trust-no-exe.

Doesn't Windows NT/2000/XP have an execute permission?

Out of the box, Windows NT/2000 and XP together with an NTFS file system provide the administrator with an execute permission per file. This permission is shared with the traverse folder right and can be used to prevent an executable from loading while still allowing it to be read or written to. However, when it is applied to an executable the user receives the rather bland message similar to the one captioned below. This can confuse the user into thinking an error has occurred, rather than realising that they are not permitted to access this file.

The standard Windows dialog. Can be confusing for many users.

However, the biggest disadvantage of this scheme is that the administrator has no control over drives which do not have an NTFS file system or a compatible network file system. Drives such as a 1.44MB 3.5" Floppy, CDROM, DVD, Zip Drive or even some network drives do not have adequate security descriptors and thus cannot be secured. Removing or disabling these drives is one option, but doing so greatly affects the productivity that should be gained from a PC Workstation.

What is trust-no-exe?

Trust-no-exe is an executable file filter. It attaches to the operating system and filters all executable files, be they .exe, .com, .dll, .drv, .sys, .dpl etc., from all drives and all network shares against a list of files or paths that you, the administrator, provide as trusted applications. If a prohibited executable (one not in the allow list, or one explicitly defined in the deny list) is loaded, a popup box informs the user with an intelligent message that can be customised to your site.

The Trust-No-Exe Dialog showing path, executable and switches. The text in the bottom line can be customised to your site, for example "Please contact Joe Blobs ext 16 if you require access".

As Trust-no-exe will only allow executables to load from your allow list, you can enable execution from files in c:\winnt\ (or c:\windows on XP) and c:\program files\, and use normal file permissions to restrict the write-ability of these folders. You can then very quickly obtain a system which only allows authorised programs that you have installed to be executed, while still allowing normal access (everything but execution) to other files.
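The allow/deny decision described above, written out as an added example (this is not Beyond Logic's driver code, whose exact matching rules are not given on this page). It assumes list entries are either directories or individual files, that matching is case-insensitive as Windows paths are, and that a deny-list hit takes precedence over the allow list, with everything matching neither list denied. The two allow entries mirror the defaults the page names; the deny entry and the image paths are constructed for illustration.

```c
#include <ctype.h>
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

enum verdict { VERDICT_DENY = 0, VERDICT_ALLOW = 1 };

/* Case-insensitive test of whether `path` is the file named by `entry`, or
 * lives beneath it when `entry` names a directory. '/' and '\' are treated
 * alike. The match must end at a path separator (or the trailing separator
 * of a directory entry) so "c:\program files\" cannot be satisfied by
 * "c:\program filesx\dropper.exe". */
static bool matches_entry(const char *path, const char *entry)
{
    size_t n = strlen(entry);
    for (size_t i = 0; i < n; i++) {
        if (path[i] == '\0')
            return false;                    /* path is shorter than the entry */
        int a = tolower((unsigned char)path[i]);
        int b = tolower((unsigned char)entry[i]);
        if (a == '/') a = '\\';
        if (b == '/') b = '\\';
        if (a != b)
            return false;
    }
    if (n > 0 && (entry[n - 1] == '\\' || entry[n - 1] == '/'))
        return true;                         /* directory entry, prefix matched */
    /* entry without a trailing separator: exact file, or a directory boundary */
    return path[n] == '\0' || path[n] == '\\' || path[n] == '/';
}

/* Policy (assumed from the page's wording): an explicit deny-list hit wins,
 * then an allow-list hit permits the load, and anything else is denied. */
enum verdict decide(const char *image_path,
                    const char *const *allow, size_t nallow,
                    const char *const *deny, size_t ndeny)
{
    for (size_t i = 0; i < ndeny; i++)
        if (matches_entry(image_path, deny[i]))
            return VERDICT_DENY;
    for (size_t i = 0; i < nallow; i++)
        if (matches_entry(image_path, allow[i]))
            return VERDICT_ALLOW;
    return VERDICT_DENY;
}

/* Constructed sample lists: the two default directories named on the page,
 * plus one hypothetical deny entry beneath them. */
static const char *const SAMPLE_ALLOW[] = { "c:\\winnt\\", "c:\\program files\\" };
static const char *const SAMPLE_DENY[]  = { "c:\\program files\\games\\" };

enum verdict decide_sample(const char *image_path)
{
    return decide(image_path, SAMPLE_ALLOW, 2, SAMPLE_DENY, 1);
}

int main(void)
{
    /* Constructed image paths, not real indicators. */
    static const char *const paths[] = {
        "C:\\Program Files\\Editor\\editor.exe",  /* allow: under an allowed dir */
        "c:\\winnt\\system32\\notepad.exe",       /* allow */
        "c:\\program filesx\\dropper.exe",        /* deny: prefix trick fails   */
        "A:\\portscan.exe",                       /* deny: floppy not listed    */
        "\\\\fileserver\\share\\update.exe",      /* deny: share not listed     */
        "c:\\program files\\games\\cards.exe",    /* deny: explicit deny wins   */
    };
    for (size_t i = 0; i < sizeof paths / sizeof paths[0]; i++)
        printf("%-40s %s\n", paths[i],
               decide_sample(paths[i]) == VERDICT_ALLOW ? "ALLOW" : "DENY");
    return 0;
}
```

The boundary check in `matches_entry` is the detail worth keeping when writing any list of this kind: an entry like c:\program files must only match files inside that folder, not a sibling folder whose name merely begins the same way, otherwise the write-protected folders the paragraph relies on can be bypassed by creating a look-alike next to them.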

On the other hand, perhaps you are worried about all these PE viruses, executable Christmas/birthday cards, screen savers etc. that are coming in via email. While most of your users do not click on these programs, you are worried about security holes in your email client, either hiding extensions or embedding files into HTML messages, or that the virus is so new your virus scanner does not yet have a signature for it. By using Trust-no-exe, you can prevent users from opening executable email attachments. The popup message box can be customised to remind users that it is company policy not to open executable files. But what happens if the executables don’t have .exe extensions, or have hidden extensions? How will trust-no-exe know whether they are executable or data files?

Trust-no-exe hooks into the operating system’s routines for creating a process and loading it into memory. If the operating system attempts to load any compiled code into memory ready to give it execution as a process or thread, trust-no-exe will jump on it and prevent the code from being loaded into memory. Therefore trust-no-exe doesn’t rely on the file extension and cannot be easily fooled.
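The point of the two paragraphs above is that an executable is identified by what it is, not by what it is called. The added example below (not trust-no-exe's own mechanism, which works at the section-loading layer rather than by reading headers) shows the same idea applied at file level: it recognises a Windows PE image from its DOS "MZ" header and "PE\0\0" signature alone, so a renamed attachment is still recognised and a text file named .exe is not. The sample headers and the greeting text are constructed for the example.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Little-endian 32-bit read that makes no alignment assumptions. */
static uint32_t rd32(const unsigned char *p)
{
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8)
         | ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}

/* Returns true when `buf` starts with a DOS "MZ" header whose e_lfanew field
 * (offset 0x3C) points at a "PE\0\0" signature lying inside the buffer.
 * The file name and extension are never consulted. */
bool looks_like_pe(const unsigned char *buf, size_t len)
{
    if (len < 0x40)                        /* too short to hold e_lfanew */
        return false;
    if (buf[0] != 'M' || buf[1] != 'Z')
        return false;
    uint32_t e_lfanew = rd32(buf + 0x3C);
    if (e_lfanew > len - 4)                /* signature would run past the end */
        return false;
    return memcmp(buf + e_lfanew, "PE\0\0", 4) == 0;
}

/* Constructed sample: the smallest header shape the check accepts, with the
 * PE signature placed directly after the 64-byte DOS header. */
size_t build_sample_header(unsigned char *out, size_t cap)
{
    const size_t total = 0x44;
    if (cap < total)
        return 0;
    memset(out, 0, total);
    out[0] = 'M';
    out[1] = 'Z';
    out[0x3C] = 0x40;                      /* e_lfanew = 0x40, little-endian */
    memcpy(out + 0x40, "PE\0\0", 4);
    return total;
}

/* A renamed executable (say, card.jpg) is still recognised from its bytes. */
bool demo_renamed_image(void)
{
    unsigned char hdr[0x44];
    size_t n = build_sample_header(hdr, sizeof hdr);
    return looks_like_pe(hdr, n);
}

/* A plain text file carrying an .exe name is not an executable image. */
bool demo_text_named_exe(void)
{
    const char *greeting = "Happy birthday! Open me to see your card.";
    return looks_like_pe((const unsigned char *)greeting, strlen(greeting));
}

/* An "MZ" file whose e_lfanew points outside what was read is rejected
 * instead of being read out of bounds. */
bool demo_truncated_header(void)
{
    unsigned char hdr[0x44];
    size_t n = build_sample_header(hdr, sizeof hdr);
    hdr[0x3C] = 0xF0;                      /* e_lfanew now beyond the buffer */
    return looks_like_pe(hdr, n);
}

int main(void)
{
    printf("renamed image   -> %s\n", demo_renamed_image()    ? "PE" : "not PE");
    printf("text named .exe -> %s\n", demo_text_named_exe()   ? "PE" : "not PE");
    printf("truncated MZ    -> %s\n", demo_truncated_header() ? "PE" : "not PE");
    return 0;
}
```

The bounds check before following e_lfanew matters in any tool that inspects attachments or files at a gateway: a header that claims its PE signature sits beyond the bytes actually read must be treated as "not a valid image", not dereferenced.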

The Trust-No-Exe Control Panel Applet.

Trust-no-exe has been designed for ease of use. Out of the box, a control panel applet is installed which allows for the configuration to be quickly modified. By default the program files and winnt/windows directories are added which in many cases is all that is required to make a secured, yet functional system.

New in version 3 is the ability to add a custom message. This allows you to put in a contact name and number should your users require special access to certain files. The other unique feature of Trust-no-exe is that the file-denied dialog is a single executable that is called by the trust-no-exe driver. Therefore you can create your own dialog with a company logo should the need arise. Please contact us if you would like to explore this option. We can assist by providing a Visual C++.net or Borland C++ Builder Template.

It is just as important, if not more so, to have trust-no-exe protection when logged in as an Administrator. Trust-No-Exe protects your PC all the time regardless of which user is logged in. To install software, or run executables from un-trusted locations, the administrator can use the control panel to stop the driver and briefly interrupt filtering while the software is installed. Trust-No-Exe also protects tasks running in the SYSTEM account.

Trust-No-Exe Version 3 now has support for installing and cloning settings to groups of computers.

Installing software and modifying settings on multiple computers is never fun, let alone efficient. With Trust-no-exe you need only install the package on a single workstation. Once installed and appropriately configured, you may use the Multiple Workstation functionality to remotely install it with your configuration on other selected computers. All that is needed is a single click. Likewise, changes to the access list can be distributed almost instantly and with minimal fuss. Computer groups compatible with beyondexec can be quickly loaded, or you can effortlessly create your own using the built-in computer picker and save it for later use.

Download

  • Version 3.04 (255KB - .pdf manual included)


  • Version 3.04 Manual (.pdf)


  • Revision History
    • 6th February 2004 - Version 3.04 (Free Download) Windows NT/2000/XP.
      • Added support for DFS (Distributed File System) Network Shares.
      • Added support for Windows .Net/2003 Server.
      • Added DenyExe\Refresh registry key to allow for the periodic refreshing of the access lists. This allows third party registry distribution tools such as ZenWorks to distribute/modify the access lists.
      • Corrected bug where trust-no-exe allows some unauthorised executables to load under specific circumstances.
    • 13th December 2003 - Version 3.02 (Free download) Windows NT/2000/XP.
      • Added Event Log Functionality.
      • Fixed buffer overrun bug in driver affecting sites with many entries in the allow/deny lists.
      • Tweaked denyexe.exe to fix problem found on some copies of Windows XP SP1 where denyexe would not unload correctly hence remaining in memory.
      • Fixed various non-critical bugs.
      • Tested on Windows XP SP1, Windows 2000 SP4.
    • 2nd August 2003 - Version 3.0 (Free download) Windows NT/2000/XP.
      • Rewritten Control Panel Applet to reduce code size. Added updated dialogs, Custom Messages and Multiple Workstation Support. Control Panel Applet now unloads and un-installs properly
      • Rewritten denyexe.exe to accept custom messages. Reduced code size.
      • Rewritten GetDriveDeviceObject routine. No longer seeks the A: drive and improved the speed and reliability of the routine.
      • Modified HookZwCreateSection routines to improve reliability across WinNT/2000 and XP.
      • Fixed problem with running programs on network shares mounted on Windows XP.
      • Modified installer so driver is automatically loaded by the service control manager and not by the system loader.
      • Modified driver so if registry keys are missing, driver is inactive. This prevents the computer from failing to boot in rare instances.
      • Tested on Windows 2000 SP3 & SP4, Windows NT4 SP5 & SP6(a), and Windows XP & SP2.
    • 3rd October 2002 - Version 2.1 (Free download/demo) Windows NT/2000/XP.
      • Tested on Windows 2000 SP2 & SP3, Windows NT4 SP5 & SP6(a), and Windows XP.
    • 1st October 2002 - Version 2.0.
      • Added support for Windows NT and Windows XP. Driver now automatically detects the O/S and hooks the appropriate O/S specific functions.
    • 27 June 2002 - Version 0.9 (Beta/demo) Windows 2000 Only.
      • First demo release for public evaluation
    • 13 April 2002 - Version 0.2 (Release Candidate).
      • Added installation program and control panel applet. Tested only on Win2000.
    • 20 February 2002 - Version 0.1.
      • Proof of Concept.


    Copyright 2002-2007 Craig Peacock - 6th April 2007.