Preventing Unauthorized Executables From Running/Installing By Remote Code Execution (aka Drive-by Download)
Remote Code Execution exploits use different attack vectors, including
Current malware, such as that exploiting MS08-067 (Windows Server service) and Mebroot (Master Boot Record), can arrive through any of the above attack methods. This test is Remote Code Execution using the IE browser exploit MS06-014 to download an executable file -- spoofed as an .htm file -- and copy it to %temp% as svchost.exe, where it attempts to execute. Code excerpts:
The following successfully intercepted the exploit. Some solutions were Default-Deny, where the user had no choice. Others prompted for a decision to Permit or Deny the download.

- Software Restriction Policies (SRP) on XP-PRO (tested by SpikeyB). Note that the alert is Default-Deny.
- Process Guard (tested by fcukdat)
- Anti-Executable v.2 (AE) (tested by rich). Note that the alert is Default-Deny. Note also that AE's copy protection blocks the download of the executable file itself (test.htm).
- Comodo with Defense+ (tested by aigle)
- Online Armor (tested by aigle)
- GeSWall (tested by aigle). Default-Deny.
- EQSecure (tested by aigle)
- Neoava Guard (tested by aigle)
- HauteSecure (tested by aigle)
- SafeSpace (tested by aigle)
- ThreatFire (tested by aigle)
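The payload in this test is a Windows executable delivered under an .htm name, so the extension tells a defender nothing; the file content does. The check below is an added example, not code from the test or from any of the products listed: it recognizes a PE image by its 'MZ' DOS header and the 'PE\0\0' signature at the e_lfanew offset, and flags any download whose content is executable while its extension claims otherwise. The sample files (a constructed minimal PE header and a short HTML fragment) and the helper names (`is_pe_executable`, `classify`, `scan_downloads`) are assumptions made for this example.

```python
"""Detect executables masquerading under non-executable extensions.

Added example for the drive-by test above; not part of the original page.
"""
import os
import struct

# Extensions under which a PE image is expected; anything else is suspect.
EXECUTABLE_EXTENSIONS = {".exe", ".dll", ".scr", ".sys", ".cpl", ".ocx"}


def is_pe_executable(data: bytes) -> bool:
    """Return True if `data` has the structure of a PE/COFF image.

    A PE file starts with the DOS header magic 'MZ' and stores the offset of
    the PE signature in the 4-byte little-endian field e_lfanew at 0x3C.
    """
    if len(data) < 0x40 or data[:2] != b"MZ":
        return False
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)
    if e_lfanew + 4 > len(data):
        return False
    return data[e_lfanew:e_lfanew + 4] == b"PE\x00\x00"


def classify(filename: str, data: bytes) -> str:
    """Label a download by comparing its claimed extension with its content."""
    ext = os.path.splitext(filename)[1].lower()
    if is_pe_executable(data):
        return "executable" if ext in EXECUTABLE_EXTENSIONS else "spoofed-executable"
    return "not-executable"


def scan_downloads(samples: dict) -> dict:
    """Classify every (filename -> bytes) pair; used over a download folder."""
    return {name: classify(name, blob) for name, blob in samples.items()}


def build_fake_pe() -> bytes:
    """Constructed sample: a minimal PE header with no code, for testing only."""
    hdr = bytearray(b"MZ" + b"\x00" * 0x3E)      # 64-byte DOS header
    struct.pack_into("<I", hdr, 0x3C, 0x40)      # e_lfanew -> PE signature at 0x40
    hdr += b"PE\x00\x00" + b"\x00" * 20          # PE signature + empty COFF header
    return bytes(hdr)


# Constructed inputs mirroring the test: a PE named test.htm and a real page.
SAMPLE_DOWNLOADS = {
    "test.htm": build_fake_pe(),
    "index.htm": b"<html><body>hello</body></html>",
    "setup.exe": build_fake_pe(),
}

if __name__ == "__main__":
    for name, verdict in scan_downloads(SAMPLE_DOWNLOADS).items():
        print(f"{name:12s} {verdict}")
```

A content-based check like this is what the Default-Deny products above effectively enforce: the decision is made on what the bytes are, not on what the filename says, so a renamed svchost.exe in %temp% is still treated as an executable.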