It’s now a common daily occurrence to receive PE viruses via e-mail. While staff training is the best deterrent, wouldn’t it be good to prevent users opening untrusted executable files while remaining non-restrictive on opening documents and other less harmful files? With typical figures saying 70% of network-related attacks come from within your organisation, wouldn’t it be nice to prevent users running port scanners or other executable tools from floppy disk or CD-ROM drives, yet still allow the use of these drives to transfer files? Perhaps you have caught users trying to install software on machines. While operating systems are becoming more secure, it’s still possible to install programs as a user. Other users may choose to play games from CD-ROM drives. If any of these issues are of concern, you need Trust-No-Exe.

What is Trust-No-Exe?

Trust-No-Exe, simply put, is an executable file filter. It attaches to the operating system and filters all executable files, be it .exe, .com, .dll, .drv, .sys, .dpl etc., against a list of files or paths you provide. If an attempt is made to load a prohibited executable, a popup box informs the user that this executable is prohibited and cannot be loaded. By only allowing execution of files in c:\winnt\ and c:\program files\, and by using normal file permissions to restrict the writability of these folders, you can very quickly obtain a system which only allows the authorised programs you have installed to be executed, while still allowing normal access (all but execution) to other files.

On the other hand, perhaps you are not ready for total lockdown just yet, but are worried about all these PE viruses, executable Christmas/birthday cards, screen savers etc. that are coming in via e-mail. While most of your users don’t click on these, you are worried about security holes in your e-mail client, either hiding extensions or embedding files into HTML messages. By placing Trust-No-Exe into deny mode and entering your e-mail attachment directory into the deny list, you can prevent users from opening executable files. The popup message box can be customised to remind users that it is company policy not to open executable files.

But what happens if the executables don’t have .exe or have hidden extensions? How will Trust-No-Exe know if they are executable or data files? Trust-No-Exe hooks into the operating system’s routines for creating a process and loading it into memory. If the operating system attempts to load any compiled code into memory ready to give it execution as a process or thread, Trust-No-Exe will jump on it and prevent the code from being loaded into memory. Therefore Trust-No-Exe doesn’t rely on the file extension.

Installing Trust-No-Exe

Installation of Trust-No-Exe is easy. Simply run install.exe from the Trust-No-Exe distribution. After accepting the licence agreement, Trust-No-Exe is installed on your system. At completion of the install, the Trust-No-Exe driver is not immediately started. It will start on the next reboot or can be manually started by using the Trust-No-Exe control panel applet. This gives the administrator time after the install to verify that the filtered paths are correct. Paths can be added or deleted by using the control panel. When installed for the first time, the executables in the following paths are allowed: c:\winnt and c:\program files. Take caution when setting the paths, as removing c:\winnt can prevent your computer from booting up.

How it works

TrustNoExe consists of three components –

The driver attaches itself to the operating system’s ZwCreateSection function, which is used to load executable code into memory during the creation of a process. In plain English, it attaches itself to the part of the operating system which handles the loading of all compiled code, whether it be a .exe, .com, .sys, .dll, .scr, .cpl, .api, .drv, .bpl or other executable object. Emphasis should be put on compiled: interpreted high-level code such as Visual Basic scripts or Java applets is not caught, because the executable being loaded is the interpreter, not the script itself. Every time the ZwCreateSection function is called, Trust-No-Exe checks whether the file being loaded is allowed into memory. If so, it allows the loading and hence the execution of the file. On the other hand, if the file is not allowed, Trust-No-Exe replaces the handle to the prohibited file with that of a “You are not allowed to execute this program” message executable. This reduces any interaction between user mode and kernel mode, not only making the program more efficient but also allowing custom applets to be called by the administrator. This could simply be an error message with your organisation’s logo and/or policy on it. However, it can extend to logging either locally or via e-mail and other means. This is completely adaptable by the administrator to suit the needs of your site. Beyond Logic provides the source and images for some simple applets, providing an easy start. These applets target Microsoft Visual C++ .NET and Borland C++ Builder. For a small additional fee you can provide us your logo and the text you wish to be displayed, and we can produce the applet and even integrate it into the install wizard, providing a custom install.

Troubleshooting & FAQ

The floppy drive seeks when I start Trust-No-Exe manually.

When the Trust-No-Exe driver starts it must make a list of all available drives and their associated DeviceObject. When this occurs normally at boot time, the floppy drive may seek. If the driver is started manually after boot-up, the first thing the driver will do is interrogate the floppy disk drive and display an error “There is no disk in the drive. Please insert a disk into drive A:” – if this occurs, simply press Continue. This is normal operation.

How does Trust-No-Exe handle network drives?

Trust-No-Exe converts all network drive path names to UNC paths. If you intend to allow files to be loaded from network drives, the UNC path should be used. E.g. if I:\ was mapped to \\mars\temp, then executing I:\hello.exe would report \\mars\temp\hello.exe.

Can I push out registry keys and files at my site?

Some organisations may wish to distribute Trust-No-Exe via zero-administration utilities such as Novell ZenWorks.

1. Copy the driver, bltrust.sys, to c:\winnt\system32\drivers\bltrust.sys
2. Copy denyexe.exe to c:\winnt\system32\trustnoexe\denyexe.exe
3. Copy the registry keys at HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\bltrust and the filter path list:

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\bltrust\exenames]
    "0"="C:\\WINNT\\System32"
    "1"="C:\\WINNT"
    "2"="C:\\Program Files"
    "3"="C:\\progra~1"
    "Count"=dword:00000004

Once the registry keys have been pushed out, Trust-No-Exe will start on the next boot of the client computer. The administrator may choose to push out the Trust-No-Exe control applet to the workstations. If desired, this file, trustnoexe.cpl, should be placed at c:\winnt\system32\trustnoexe.cpl; it allows the administrator to change the local filter privileges.

Manually uninstalling

Don’t ask me how I did it, but my computer no longer boots up – perhaps it is Trust-No-Exe? My computer displays a BSOD (bugcheck): STOP c0000139 {Entry Point Not Found}

If you believe the Trust-No-Exe driver is preventing critical executables from loading due to a misconfiguration of the filter paths, don’t despair. Boot to the Windows 2000 Recovery Console so you have rights to the file system. Delete the driver, c:\winnt\system32\drivers\bltrust.sys. Now boot your system. Windows will complain it can’t load the driver. This annoying dialog box can be removed by deleting the HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\bltrust registry key or by using the Trust-No-Exe uninstall wizard found in Control Panel, Add/Remove Programs.

My files in c:\program files don’t work!

Some older 16-bit programs require entries for both c:\program files and c:\progra~1.

I have a feature which would be useful to me. How do I go about getting it implemented?

Any features you would like to see implemented can be e-mailed to trust-no-exe@beyondlogic.org