��������

����������

������������������������
� ����������������������������
Last modified: February 2006
 ��������

About Faronics
Faronics Corporation develops and markets intelligent utilities for absolute control of multi-user
computing environments. Faronics’ market-leading solutions have dramatically impacted the day-to-
day lives of thousands of information technology professionals and computing lab managers, ensuring
100% availability of systems, thus significantly reducing workstation maintenance, and increasing user
satisfaction.
Faronics’ flagship solution, Deep Freeze, protects over 5 million workstations worldwide. Our user-
driven, powerful technology innovations benefit educational institutions, libraries, government
organizations and corporations.
As a customer-centric organization, Faronics’ products are researched and developed in close
consultation with our end-users. We value our customer’s ideas and suggestions, and depend on this
feedback to provide the innovative solutions our users have come to rely on. This approach is the basis
for Faronics’ industry-leading customer service strategy, continually working to build and maintain
lasting relationships with our users.
Incorporated in 1996, Faronics has two offices situated in the USA and Canada. An ambitious growth
strategy and global outlook has Faronics striving to reach new markets. Future diversification of Faronics’
utilities will provide innovative and unique solutions, continuing to enhance user productivity.

Technical Support
Every effort has been made to design this software for ease of use and to be problem free. If problems
are encountered, contact Technical Support:
Email: support@faronics.com
Phone: 800-943-6422 or 604-637-3333
Hours: 7:00am to 5:00pm (Pacific Time)

Contact Information
Web: www.faronics.com
Email: sales@faronics.com
Phone: 800-943-6422 or 604-637-3333
Fax: 800-943-6488 or 604-637-8188
Hours: 7:00am to 5:00pm (Pacific Time)
Address: Faronics Technologies USA Inc.
Suite 170 – 2411 Old Crow Canyon Road
San Ramon, CA 94583
USA
Faronics Corporation
620 - 609 Granville St.
Vancouver, BC V7Y 1G5
Canada

© 1999 – 2006 Faronics Corporation. All rights reserved. Deep Freeze, Faronics, Faronics Anti-Executable, Faronics System Profiler,
FreezeX, and WINSelect are trademarks and/or registered trademarks of Faronics Corporation. All other company and product names
are trademarks of their respective owners.
3
This page intentionally left blank
 ��������

Contents

Faronics Anti-Executable Standard Overview ......................................................................................................... 6

About Faronics Anti-Executable Standard ..................................................................................................................6
System Requirements .....................................................................................................................................................6
Definition of Terms ........................................................................................................................................................6
Installing Anti-Executable ...................................................................................................................................... 7

Logging in to Anti-Executable ................................................................................................................................. 8

Password ..........................................................................................................................................................................8
Configuring and Managing Anti-Executable ........................................................................................................... 9
General Tab .....................................................................................................................................................................9
Status Tab .........................................................................................................................................................................9
Configuration Tab ........................................................................................................................................................10
Security Settings ......................................................................................................................................................10
Other Security Settings Options ...........................................................................................................................10
Message .....................................................................................................................................................................11
Customizing the Message .......................................................................................................................................12
Exempted Folders ....................................................................................................................................................13
Trusted Applications ...............................................................................................................................................14
Password Tab .................................................................................................................................................................15
Uninstalling Anti-Executable ................................................................................................................................ 16

Installing and Upgrading Applications on Anti-Executable Protected Workstations ............................................. 17

Appendix A: Anti-Executable and Third-Party Antivirus Software ....................................................................... 18

Appendix B: Anti-Executable and Deep Freeze ..................................................................................................... 19

Installation of Deep Freeze and Anti-Executable .....................................................................................................19
Permanent Software Installations, Changes, or Removals with Deep Freeze and Anti-Executable..................19

5
 ��������

Faronics Anti-Executable Standard Overview

About Faronics Anti-Executable Standard
Faronics Anti-Executable™ is a productivity tool that prevents any unauthorized programs from
running, including viruses, keyloggers, and spyware. Powerful and secure, Anti-Executable ensures
that any new executable, introduced to the workstation by any means, never runs or installs.

System Requirements
Anti-Executable Standard requires Windows 9X/Me/2000/XP, with Microsoft Internet Explorer
version 5 or greater installed. The hardware specifications are the same as those required by the host
operating system.

Definition of Terms
Whitelist refers to the list of authorized executables created when Anti-Executable is installed.
Authorized executable or authorized program means any executable file already present on a workstation
at the time of the Anti-Executable installation, or any executable file installed while Anti-Executable is
turned off. All authorized executables are included on the whitelist.
Unauthorized executable refers to any executable file not included on the whitelist.
Violation means an attempt by the user or any program (including the operating system) to run an
unauthorized executable file while Anti-Executable is on.

6
 ��������

Installing Anti-Executable
To install Anti-Executable, complete the following steps:
1. Double-click the AEStd.exe file.
The following window appears:

2. Click Next to continue the installation.

3. Follow the steps presented. Read and accept the license agreement.
4. Click Finish.
The following dialog appears:

5. Click Yes to continue. Anti-Executable Standard begins installing.

The computer restarts to complete the installation process.
When the icon appears in the System Tray, Anti-Executable is activated.

7
 ��������

Logging in to Anti-Executable
Users must log in to access the Configuration Window, in order to configure and manage Anti-
Executable on a workstation.
Do one of the following to log in:
• Press SHIFT and double-click the Anti-Executable icon in the System Tray
• Use the keyboard shortcut CTRL+SHIFT+ALT+F10

Either method brings up the login dialog.

Password
When Anti-Executable is first installed, there is no password set. Click OK to gain access to the
Configuration Window.
Password protecting Anti-Executable is optional.
If there is no password set, do not enter anything in the password field, and click OK.
If a password has been set, enter it in the Enter Password field, and click OK.
The General tab in the Configuration Window appears:

8
 ��������

Configuring and Managing Anti-Executable

Anti-Executable can be configured and managed using the Configuration Window. The Configuration
Window has four tabs to access the options available: General, Status, Configuration, and Password.

General Tab
The General tab allows users to activate or deactivate Anti-Executable.
To activate Anti-Executable protection, click the On radio button and click Apply.
To deactivate Anti-Executable protection, click the Off radio button and click Apply.
Click OK to close the Configuration Window.

Status Tab
The Status tab provides a detailed report on the options available to configure Anti-Executable.
The following image details the status of a workstation:

On this workstation, the security setting for Anti-Executable is Low, and all the security options are
disabled, with only the Log File option enabled. This is the default configuration for Anti-Executable.

9
 ��������

Configuration Tab
The Configuration tab has four sub-tabs along the bottom used to configure various options in Anti-
Executable. They are: Security Settings, Message, Exempted Folders, and Trusted Applications.

Security Settings
The Security Settings tab sets the level of protection by Anti-Executable.
Use the slider bar to set the preferred level of security:

The default security level is Low, which does the following:

• Blocks unauthorized 32-bit executables
• Protects Anti-Executable Standard directory from access and tampering

In addition to the above, the High level of security does the following:
• Blocks unauthorized drivers and .dll files
• Allows optional enabling of Copy Prevention and Delete Prevention

For Windows 95, 98, and ME operating systems, the only security setting option
available is High.

Other Security Settings Options

Stealth Mode: Check the Stealth Mode option to ensure Anti-Executable icons are not visible on a
workstation’s System Tray.
Log File : If the Log File option is checked, when the Show Log button is clicked, a history of attempted
access violations on the workstation is displayed.
Network Prevention: When Network Prevention is checked, all executable files on a network drive
are blocked from execution. The Exempted Folders tab allows access to executable files in specified
10
 ��������

network folders, even if Network Prevention is checked. If the option is unchecked, all executable files
on a network can be executed normally.
Delete Prevention: When Delete Prevention is checked, all executables on the workstation are protected
from being deleted or renamed, regardless of whether they are authorized by Anti-Executable or not.
When this option is unchecked, the deletion or renaming of executables is controlled by the operating
system and access privileges — as if Anti-Executable was not installed. Delete Prevention can only be
enabled if the security level is set to High.
Copy Prevention: When Copy Prevention is checked, executables cannot be copied to another location,
downloaded via the Internet, or copied to the workstation from removable media. This helps reduce
accumulation of unauthorized or copied executable files, including files in the Internet Temp folder.
When this option is unchecked, the copying of executable files is controlled by the operating system
and access privileges. Copy Prevention can only be enabled if the security level is set to High.
Windows on Windows: When Do Not Allow is checked on this feature, all 16-bit executable files are
blocked from execution. If this option is unchecked, all 16-bit executable files are allowed to execute.

Message
The Message tab is used to customize the message that displays when a user attempts to perform an
action that has been protected by Anti-Executable.
By default, Anti-Executable’s text message says: This action violates the acceptable use policy. To
customize the message text, delete the default message and type the preferred message.
By default, the bitmap option is checked, meaning the graphic displayed in the tab accompanies the
message when it appears. The default graphic is displayed on the tab. To change it, click Customize
and browse to the location of a saved graphic. Click Preview to see how the graphic and message will
display. Click Clear to revert to the default graphic.

11
 ��������

Customizing the Message

There are a number of options to customize the Message.
Check File name to display the name of the executable that the user is attempting to run. The complete
path to the executable displays in the dialog.
Check Reason for blocking to display the reason the attempted action has been blocked.
For example, if a user attempts to open an unauthorized executable file, the dialog would
display Reason: Open, after the custom message and file name (if those options are enabled).
Check Program name to display the name of the program that is attempting to perform the action.
For example, if a user attempts to run an executable, the dialog would display Program Name:
C:\WINNT\Explorer.EXE because Windows Explorer is the program the user is attempting
to open the application from. This line would be displayed in the dialog after the custom
message, file name and reason (if those options are enabled).
To suppress Anti-Executable’s violation message, uncheck all the display options available on the
message tab, including: File name, Reason for blocking, Program name, and Bitmap, and delete all the
text in the message box. Anti-Executable will continue to block all executables that are not on the
whitelist, but will no longer display a message to indicate the violations.
An example of a custom dialog with all options enabled is shown below after a user has attempted to
run a spyware.exe program from a CD-ROM.

To suppress Anti-Executable’s violation message, uncheck all the display options available on the
message tab, including: File name, Reason for blocking, Program name, and Bitmap, and delete all the
text in the message box. Anti-Executable will continue to block all executables that are not on the
whitelist, but will no longer display a message to indicate the violations.

12
 ��������

Exempted Folders
The Exempted Folders tab is used to designate folders that are not protected by Anti-Executable
Enterprise. Any executable in a folder on this list is authorized to run.

To add a folder to this list, click the [...] icon and browse to the location of the folder to be added. Select
it and click OK. In the Configuration Window, click Add Folder.
To add the sub-folders of a principal folder to the Exempted Folders list, check the Include sub-folders
box. All executables inside the main folder and its sub-folders are designated as exempted from Anti-
Executable’s protection. If there is a folder that does not need to be exempted, it should be removed
from the list.
To remove a folder from the list, select the folder to be removed and click Remove Folder.
To import a folder from a file, click Import From File. Browse to the location of the .fzx file containing
the list of Exempted Folders to be imported. Select it and click Open.
To export to a file, click Export to File. Browse to the location of the file to be exported to, and click
Save.
To clear all files from the Exempted Folders list, click Clear.

13
 ��������

Trusted Applications
The Trusted Applications tab is used to designate which programs are trusted. A Trusted Application
can open and modify other executables, such as an antivirus program.

To add an application to this list, click the [...] icon and browse to the location of the file to be added.
Select it and click OK. In the Configuration Window, click Add Application.
To add applications in sub-folders of the principal folder, check the Include sub-folders box. All
executables inside the main folder and its sub-folders are designated as Trusted Applications and are
authorized to open and modify other executables. If there are executables in a sub-folder that should
not be trusted, they should be removed from the list.
To remove an single application from the list, select the file or files to be removed and click Remove
Application.
To import a list of Trusted Applications from a file, click Import From File. Browse to the location of the
.fzx file to import from. Select it and click Open.
To export to a file, click Export to File. Browse to the location of the file to export to, and click Save.
To clear all files from the Trusted Applications list, click Clear.

14
 ��������

Password Tab
The Password tab, as shown below, allows users to set change the current password.

To set a new password or to change a current password:

1. Enter the password in the Enter New Password field.
2. Re-enter the same password in the Confirm Password field.
3. Click Apply.
The password has now been changed.

15
 ��������

Uninstalling Anti-Executable
Anti-Executable must be deactivated to be uninstalled from the workstation.
Complete the following steps to uninstall Anti-Executable Standard from a workstation:

1. Double-click the AEStd.exe file.

The following screen displays:

2. Click Uninstall to begin uninstalling Anti-Executable.

A screen appears informing the user that Anti-Executable will be uninstalled.
3. Click Finish to uninstall Anti-Executable Standard from the computer.
The computer restarts after Anti-Executable is uninstalled.

16
 ��������

Installing and Upgrading Applications on Anti-Executable

Protected Workstations
Anti-Executable restricts program execution to only those that are already installed at the time Anti-
Executable is installed. To install additional software on a workstation after Anti-Executable has been
installed, follow the steps below:
1. Turn Anti-Executable off.
2. Install and/or update additional software.
3. Turn Anti-Executable on.

All programs installed while Anti-Executable is off are permitted to run with no restrictions.

If an installation or setup program was already on the workstation when Anti-Executable

was first installed or was copied to the workstation while Anti-Executable was off, the
installation or setup program will run successfully.
If the installation or setup program is run while Anti-Executable is on, it is not able
to copy, create, or extract executable files to the workstation. This may result in an
incomplete installation with unpredictable results.
Anti-Executable must be off to perform third-party antivirus software updates.
Anti-Executable must be off to perform Microsoft Windows critical updates.

17
 ��������

Appendix A: Anti-Executable and Third-Party Antivirus Software

Anti-Executable has been tested with many major third-party antivirus applications. When Anti-
Executable is installed, it automatically detects certain antivirus applications and configures itself as
required.
To ensure proper operation and updating of antivirus applications, the following Anti-Executable
configuration settings are recommended.

Antivirus application Anti-Executable Configuration Details and Notes

Symantec™ AntiVirus Corporate Anti-Executable automatically adds all associated executable files to
Edition
Norton™ AntiVirus 2004
McAfee® VirusScan®
Trend Micro™ OfficeScan™
CA eTrust™ EZ Antivirus
Sophos AntiVirus
COMMAND Antivirus™
AVG AntiVirus (Grisoft)
Panda Software Antivirus
the Trusted Applications list
Anti-Executable automatically adds all associated executable files to
the Trusted Applications list
Anti-Executable must be set to the Low security level
Anti-Executable must be set to the Low security level
No files need to be Trusted
No files need to be Trusted
No files need to be Trusted
No files need to be Trusted
No files need to be Trusted

The information above was accurate when this user guide was published; due to the
changing nature of third-party antivirus software, different settings may be required
as they are revised. In most cases, either setting Anti-Executable to the High security
level and designating all executables associated with the antivirus software as Trusted
Applications will ensure compatibility.

It is strongly recommended that any third-party antivirus application be installed

and configured prior to the installation of Anti-Executable. Anti-Executable should
be uninstalled prior to the initial installation of an antivirus application and then
re-installed afterwards.
Antivirus software updates must be performed with Anti-Executable off or during a
scheduled Maintenance period.

18
 ��������

Appendix B: Anti-Executable and Deep Freeze

Anti-Executable and Deep Freeze complement each other well and can both be installed on the same
workstation. The procedures listed below outline the necessary steps for installation of the two programs
on the same workstation and performing subsequent permanent software installations, changes, or
removals on the workstation.

Installation of Deep Freeze and Anti-Executable

The following procedure must be used when installing Anti-Executable and Deep Freeze on the same
workstation:
1. Install Deep Freeze.
2. Boot the workstation Thawed.
3. Install Anti-Executable.
4. Configure Anti-Executable with the desired settings and turn the protection on.
5. Boot the workstation Frozen.

Permanent Software Installations, Changes, or Removals with Deep Freeze and

Anti-Executable
A similar procedure must be used when new software installations, updates, or permanent changes to
the workstation are required:
1. Boot the workstation Thawed.
2. Turn Anti-Executable off.
3. Install new software, update existing software, and make any permanent changes to the
workstation as required.
4. Restart the workstation if necessary and configure any new software as desired.
5. Turn Anti-Executable on.
6. Boot the workstation Frozen.

19