Originally Posted by Windchild
...I don't see why AE would pop up an alert like that when there seem to be no .lnk files around. Well, I suppose the simple explanation would be that the .lnk files actually are there, but they're covered by the alert pop up. Or maybe there's an autorun file somewhere in there that tries to execute those .tmp files directly, without any exploit. Or something. But if none of those are true and the malicious .lnk files are missing, then that alert makes no sense. Something has to be executing the files for the alert to make sense, but what is it?
I don't have the .lnk files. I would like to get them to really test the entire exploit.
Anti-Executable v.2 parses the files in a directory and flags an alert if an executable is not on the white list. Here is firehole.exe, an old leak test I keep around. It's not on the white list, so when I go to the directory, AE pops up an alert:
A similar example is blocking downloads by its Copy protection. Here, a remote code execution exploit attempts to download an executable spoofed as a .gif file. AE somehow "reads" the code as it attempts to download, and the file is prevented from getting onto the computer at all:
Some years ago, BlueZannetti and I discussed this in a thread. He had some ideas as to how this works, but I've forgotten exactly what he wrote.