IBM Assured Execution Environment (AxE)
A simple PC security tool that provides a transparent protection layer for a Windows PC or server and that requires no configuration.
Date Posted: June 14, 2007
IBM Assured Execution Environment installs the following components on the system:
- kernel driver
- system service
- user-agent for tray icon
- utility programs (file-system checkers and tagger)
The technology also creates a local user account that is used to protect its administrative operations (such as approving new programs or disabling protection).
File-system metadata is appended to all local files, conveying whether they are approved executables or not. Note: A full traversal on the initial install is necessary for adding this information to each executable file. This action is not required when adding programs or upgrading.
The above software components use only fully-documented and supported operating system APIs.
After a successful installation of the security tool, the system tray icon is displayed. You can further test the technology by running an application from a CD-ROM or USB key-fob and verifying that the application is blocked; a tray icon notification message is displayed.
Another good test is to visit a Web site that downloads ActiveX controls onto your machine and verify that these controls are also blocked. (Note that you must clear your browser cache before installing IBM Assured Execution Environment; otherwise, all cached ActiveX controls will be approved by the installer.)
The following features can be accessed by right-clicking on the system tray icon:
- Show Unapproved Programs Blocked by AxE: This feature displays a list of unapproved programs that actually attempted to execute on your machine but that were denied. These will commonly include ActiveX controls that arrive on your machine while browsing Web sites. You can see what tried to damage your machine but was prevented.
- Show All Unapproved Programs: This feature will continuously examine your hard drive for unapproved programs that you downloaded or that arrived unexpectedly.
- Approve Selected Files: This feature is reached via the Show All Unapproved Programs and Show Unapproved Programs Blocked by AxE menu items. This feature can be used to selectively approve files belonging to particular programs so that they can run on the machine without being blocked. Note that this may not work for files that were temporarily generated on the system. If this option does not allow your program to execute properly, then please use the Add/Remove Approved Programs feature in order to explicitly add the desired program(s).
- Add/Remove Approved Programs: This option is used when you want to install additional program(s) from a CD-ROM or the network, including ActiveX controls downloaded through Internet Explorer. While new program(s) are being added, IBM Assured Execution Environment protection is disabled but still tracks all the new files added to the machine. The run-time environment also displays a prompt that you must acknowledge in order to re-enable full protection after installation. At that point, IBM Assured Execution Environment shows you all the files added to the system; you can approve or reject them before protection is reactivated. (This process works even if the installation requires a reboot.)
Note that the Add/Remove Approved Programs feature is also useful for supporting the update of approved applications (such as programs from some anti-virus vendors) or applications that dynamically generate and load binaries.
- Windows® Update is explicitly supported through the Apply Windows Updates option.
The goal of this alphaWorks release is to get user feedback on the usability of our system, given an initial set of security policies. The alphaWorks version prevents only unapproved executables from running because that is the prevalent attack vector used by malware. Specifically, local NTFS and FAT formatted disks and removable media are protected.
However, to minimize impact on usability, the first alphaWorks version does not contain an implementation of the full security model:
- System registry and other system configuration information are not protected.
- Scripts are allowed to run, unless the script run-time DLLs are disabled.
- Attacks targeted at the IBM Assured Execution Environment itself are not fully addressed (for example, not all methods of disabling protection are fully secured).
- Certain media (non-NTFS and non-FAT) and network shares (to local or remote systems) are not protected.
- The approval tools are fully accessible on the client.
- Approval information can be readily deleted on the client.
We wish to use the alphaWorks release to gather feedback on the usability of our system. This feedback will be incorporated into the next version (which addresses many of the open security issues above).
IBM Assured Execution Environment complements existing anti-virus tools by providing an extra layer of protection and by preventing arbitrary file system changes from occurring, thus reducing the need for constant scanning of executable files.
This software run-time environment sits within the Windows operating system kernel (in a manner similar to that of current anti-virus programs). Therefore, it is, like them, also vulnerable to exploitation (such as buffer overflows) in the Windows kernel.
Because this technology aims to block unapproved binaries and prevent changes to approved ones, it hinders software development in which new Win32 binaries are generated.
Currently, it also hinders the use of IDEs that dynamically generate and load Win32 binaries in order to support certain features. In order to approve the files dynamically generated by these IDEs so that you can use these applications, please employ the Add/Remove Approved Programs and Approve Selected Files options.
Because the approved binaries on your system are protected from change, the technology prevents all modifications to these files, including deletions and renamings (which could be attacks by malware scripts). If you wish to delete or rename approved executables, please use the Add/Remove Approved Programs option.
Data is fully accessible from any removable media. The technology blocks only program executables from these media. To run programs from these media, please use the Add/Remove Approved Programs option.
IBM Assured Execution Environment causes a small overhead (not perceivable by the user) at program launch in order to verify that the program executable files are approved. After a program is executing, no additional overhead is incurred.
In order to ensure that the technology is not adversely affecting an application on your system, we have supplied a quick way to disable the run-time and to diagnose problems. This is done through the Disable AxE Protection option on the system tray icon's context menu. Note: This option completely disables the technology, and new files added to the system at this time are not approved. After IBM Assured Execution Environment is re-enabled, the newly added files must be re-added using the Add/Remove Approved Programs option.
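The allowlisting workflow that the feature list above and the Disable AxE Protection note describe, as an added illustrative model written for this page (not IBM's AxE code): it assumes approval marks are SHA-256 hashes held in a side table keyed by path, where the real tool appends metadata to each file, and recognises executables by a constructed extension list.

```python
import hashlib

EXEC_EXTENSIONS = (".exe", ".dll", ".ocx")  # constructed for the model
def is_executable(path):
    return path.lower().endswith(EXEC_EXTENSIONS)

def digest(data):  # approval mark for a file's content (modelling assumption)
    return hashlib.sha256(data).hexdigest()

class AxEModel:
    # Modes: 'protect' blocks unapproved launches and freezes approved files;
    # 'add' allows launches but records new executables for review;
    # 'disabled' (Disable AxE Protection) allows launches and records nothing.
    def __init__(self, files):
        # files: {path: content}. The install-time traversal approves every
        # executable present; the mark is kept in a side table keyed by path.
        self.files = dict(files)
        self.approved = {p: digest(d) for p, d in files.items() if is_executable(p)}
        self.mode = "protect"
        self.blocked = []   # what "Show Unapproved Programs Blocked by AxE" lists
        self.pending = []   # executables added in 'add' mode, awaiting review

    def set_mode(self, mode):  # 'protect', 'add' or 'disabled'
        self.mode = mode

    def write_file(self, path, data):  # a file arrives (download, installer, ActiveX)
        if self.mode == "protect" and path in self.approved:
            return False    # approved binaries cannot be changed while protected
        self.files[path] = data
        if self.mode == "add" and is_executable(path):
            self.pending.append(path)
        return True

    def launch(self, path):  # launch-time check: mark must match current content
        if self.mode != "protect":
            return True
        ok = self.approved.get(path) == digest(self.files.get(path, b""))
        if not ok:
            self.blocked.append(path)
        return ok

    def finish_add_programs(self, approve):  # review new files, re-enable protection
        for p in self.pending:
            if p in approve:
                self.approved[p] = digest(self.files[p])
        self.pending, self.mode = [], "protect"

    def unapproved_programs(self):  # what "Show All Unapproved Programs" reports
        return [p for p in self.files if is_executable(p) and p not in self.approved]
```

Files written while the model is in 'disabled' mode are never queued for review, which is the re-adding step the note above requires; files written in 'add' mode are, including updates to already-approved programs.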
If for any reason your system no longer boots completely or behaves abnormally and you are unable to disable IBM Assured Execution Environment, boot into Windows Safe Mode by pressing F8 after turning your computer on. After logging in to Safe Mode with your local administrator user name and password, open a command prompt, go to the c:\windows\system32\drivers directory (if your system drive is C:\), and delete axemon.sys.
Reboot your system; IBM Assured Execution Environment is now disabled, and you can run uninstall.bat from the c:\axe directory if you wish to uninstall the software.
Microsoft, Windows, Windows NT, and the Windows logo are trademarks of Microsoft Corporation in the United States, other countries, or both.
IBM is a trademark of IBM Corporation in the United States, other countries, or both.
Other company, product, or service names may be trademarks or service marks of others.