Wilders Security Forums  

  #1  
Old April 23rd, 2012, 04:10 PM
flatfly flatfly is offline
Infrequent Poster
 
Join Date: Aug 2010
Posts: 21
Default ExeWatch

[Edit]: sorry, I think I should have posted this in the "other anti-malware software" forum.

I haven't seen ExeWatch discussed here...

Has anyone else tried it already? Is it safe?

http://dre.tx0.org/

I've been testing it today, and it will simply beep every time it detects a new EXE file anywhere on the system disk.

It won't take any other action, so it's only a minimalist monitoring tool - in that sense, it reminds me of Tiny Watcher a little bit, except that it can run resident and appears to monitor the WHOLE hard drive, not just some locations.

Still, I'm finding it useful and am even thinking about adding it to my permanent setup...

What do you think?

Last edited by flatfly : April 26th, 2012 at 10:42 AM.
  #2  
Old April 24th, 2012, 01:01 AM
sg09 sg09 is offline
Very Frequent Poster
 
Join Date: Jul 2009
Location: Kolkata, India
Posts: 2,386
Default Re: ExeWatch

Tested this in Windows XP 32 bit. Cannot see the alert window, shows some orange shades temporarily with an alert beep using motherboard speaker.

http://i.imgur.com/Yeo0g.jpg

No GUI. Rests silently in tray. No alert while quitting from Tray.
__________________
Windows 7 Professional 64bit: Webroot Secure Anywhere, Zemana AL, KPD, Kingsoft AV
Windows 7 Home Premium 32bit: AVG Internet Security, MCShield

My Blog
  #3  
Old April 24th, 2012, 01:04 AM
kupo kupo is offline
Frequent Poster
 
Join Date: Jan 2011
Posts: 935
Default Re: ExeWatch

Seems useful. Nice share.
  #4  
Old April 24th, 2012, 08:55 AM
Doraemon Doraemon is offline
Regular Poster
 
Join Date: Aug 2009
Posts: 196
Wink Re: ExeWatch

Quote:
Originally Posted by sg09
Tested this in Windows XP 32 bit. Cannot see the alert window, shows some orange shades temporarily with an alert beep using motherboard speaker.

http://i.imgur.com/Yeo0g.jpg

No GUI. Rests silently in tray. No alert while quitting from Tray.

Cute cat!
__________________
Laptop (Win8 Pro x64): Windows FW | WSAC | WinPatrol | Ad Muncher | NoScript | RequestPolicy | Norton DNS | A brain
  #5  
Old April 25th, 2012, 08:33 AM
flatfly flatfly is offline
Infrequent Poster
 
Join Date: Aug 2010
Posts: 21
Default Re: ExeWatch

After some more testing, and pondering if this is too simple of a tool
to be useful or not, I decided to keep it on my system, for the following
reasons:

it is stable, lightweight and doesn't require updating. I found it most helpful in swiftly responding to any infections (including zero-days & drive-by downloads), giving nice clues that help narrow down exactly how they came in (when surfing on what website, through what software installation) - and it has very low CPU / RAM consumption. It also fits nicely in an LUA / No AV approach.

I like the minimalistic approach, but wouldn't mind a few extra features,
though (logging, email alerting being the ones I would most like to see).

Did anyone else have a chance to try it?
  #6  
Old April 26th, 2012, 09:42 AM
sg09 sg09 is offline
Very Frequent Poster
 
Join Date: Jul 2009
Location: Kolkata, India
Posts: 2,386
Default Re: ExeWatch

v 1.07 is out.
The main changes are, lower resource usage, support for multiple EXE detection,
and a global log file.
__________________
Windows 7 Professional 64bit: Webroot Secure Anywhere, Zemana AL, KPD, Kingsoft AV
Windows 7 Home Premium 32bit: AVG Internet Security, MCShield

My Blog
  #7  
Old April 29th, 2012, 09:02 AM
Yanick Yanick is offline
Frequent Poster
 
Join Date: May 2011
Posts: 239
Default Re: ExeWatch

Quote:
Originally Posted by flatfly
After some more testing, and pondering if this is too simple of a tool
to be useful or not, I decided to keep it on my system, for the following
reasons:

it is stable, lightweight and doesn't require updating. I found it most helpful in swiftly responding to any infections (including zero-days & drive-by downloads), giving nice clues that help narrow down exactly how they came in (when surfing on what website, through what software installation) - and it has very low CPU / RAM consumption. It also fits nicely in an LUA / No AV approach.

I like the minimalistic approach, but wouldn't mind a few extra features,
though (logging, email alerting being the ones I would most like to see).

Did anyone else have a chance to try it?

Aye, this certainly is a very useful app. Minimalist anti-exe added to my security setup as well
  #8  
Old April 29th, 2012, 09:47 AM
Pliskin Pliskin is offline
Regular Poster
 
Join Date: Feb 2009
Posts: 190
Default Re: ExeWatch

It only detects "exe" extension, not exe files. Is this enough?
  #9  
Old April 29th, 2012, 09:54 AM
Yanick Yanick is offline
Frequent Poster
 
Join Date: May 2011
Posts: 239
Default Re: ExeWatch

Quote:
Originally Posted by Pliskin
It only detects "exe" extension, not exe files. Is this enough?

"ExeWatch will keep a careful eye on your whole system drive and will alert (beep) every time a new EXE file appears anywhere on the drive. Double-click the tray icon to view the latest detections, if any. A solid and lightweight addition for the security-conscious power user."

Quote from the home site. I'm not really an expert or anything with this app, just started using it :p Still, I think it does detect EXE files themselves, not just the extension. Have you tested this?
  #10  
Old April 29th, 2012, 11:39 AM
jabarnut jabarnut is offline
Infrequent Poster
 
Join Date: Jan 2006
Posts: 20
Default Re: ExeWatch

Hehe...thanks, flatfly.
Kind of a fun little app...(and I do mean little).
Potentially kind of handy as well.
Just to try it out, I downloaded Process Explorer (already have it, but it was the first quick .exe I could think of right off the bat).
Anyway, downloaded the .zip, and as soon as I extracted it to a folder, ExeWatch alerted me to the new .exe, and also included a log file showing the exact path to it.
Call me silly, but I love little toys like this. A keeper for me. (Hey, for a tiny 200kb portable toy, why not keep it?)
  #11  
Old April 29th, 2012, 11:39 AM
Pliskin Pliskin is offline
Regular Poster
 
Join Date: Feb 2009
Posts: 190
Default Re: ExeWatch

Quote:
Originally Posted by Yanick
Still, I think it does detect EXE files themselves, not just the extension. Have you tested this?
Yes, that's why I said it only detects "exe" extension, not exe files. I created "New Text Document.txt" and renamed it to "New Text Document.exe" and got alert from ExeWatch. So it detected 0KB text file as exe file.
  #12  
Old April 30th, 2012, 06:56 AM
flatfly flatfly is offline
Infrequent Poster
 
Join Date: Aug 2010
Posts: 21
Default Re: ExeWatch

Quote:
Originally Posted by Pliskin
Yes, that's why I said it only detects "exe" extension, not exe files. I created "New Text Document.txt" and renamed it to "New Text Document.exe" and got alert from ExeWatch. So it detected 0KB text file as exe file.

I think this is a good thing, actually. In my eyes, any .EXE file (whatever its internal structure, even if it's a fake EXE) popping up on my hard drive suddenly is potentially a suspicious event, that I want to be aware of. Wouldn't you agree?

Now, what I would really be happy with, is support for other executable filetypes as well (such as .COM)...
__________________
My low-resource, rock-solid setup for XP and 7:

Setup: LUA & Chrome (+ WOT) & Google DNS
Real-Time: K9 & W7FW & ExeWatch
On-Demand: HitmanPro & TinyWatcher
  #13  
Old April 30th, 2012, 10:31 AM
Pliskin Pliskin is offline
Regular Poster
 
Join Date: Feb 2009
Posts: 190
Default Re: ExeWatch

Quote:
Originally Posted by flatfly
I think this is a good thing, actually. In my eyes, any .EXE file (whatever its internal structure, even if it's a fake EXE) popping up on my hard drive suddenly is potentially a suspicious event, that I want to be aware of. Wouldn't you agree?
My point is that it will not detect an exe file which doesn't have "exe" extension.
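The two views argued in the posts above (alerting on the ".exe" name versus recognising executable content) can be compared side by side. This is an added example, not ExeWatch's code and not from any poster; the verdict labels, the `WATCHED_EXT` set and the sample file names are assumptions made for illustration, and the sample files are constructed header stubs, not runnable programs.

```python
import os
import struct
import tempfile

WATCHED_EXT = {".exe"}  # assumption: the extension rule discussed in the thread

def is_pe(path):
    """True if the content has a DOS 'MZ' header pointing at a 'PE\\0\\0' signature."""
    with open(path, "rb") as f:
        dos = f.read(64)
        if len(dos) < 64 or dos[:2] != b"MZ":
            return False
        (e_lfanew,) = struct.unpack_from("<I", dos, 0x3C)  # offset of the PE header
        f.seek(e_lfanew)
        return f.read(4) == b"PE\0\0"

def classify(path):
    """Compare what the file name claims with what the file content is."""
    by_name = os.path.splitext(path)[1].lower() in WATCHED_EXT
    by_content = is_pe(path)
    if by_name and by_content:
        return "executable"
    if by_name:
        return "exe-name-only"          # e.g. the renamed 0 KB text file
    if by_content:
        return "disguised-executable"   # PE content under another extension
    return "other"

def make_samples(folder):
    """Write constructed sample files and return their names."""
    stub = bytearray(0x44)
    stub[:2] = b"MZ"
    struct.pack_into("<I", stub, 0x3C, 0x40)
    stub[0x40:0x44] = b"PE\0\0"
    samples = {
        "New Text Document.exe": b"",   # empty file with an .exe name
        "tool.exe": bytes(stub),        # PE header and .exe name
        "invoice.txt": bytes(stub),     # PE header, non-.exe name
        "notes.txt": b"hello",          # plain text
    }
    for name, data in samples.items():
        with open(os.path.join(folder, name), "wb") as f:
            f.write(data)
    return sorted(samples)

def scan_samples():
    with tempfile.TemporaryDirectory() as d:
        return {n: classify(os.path.join(d, n)) for n in make_samples(d)}

if __name__ == "__main__":
    for name, verdict in scan_samples().items():
        print(f"{verdict:22} {name}")
```

An extension-only watcher alerts on the first two samples; a content-only check flags the second and third, so the two rules cover different cases rather than one replacing the other.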
  #14  
Old April 30th, 2012, 10:42 AM
clubhouse clubhouse is offline
Regular Poster
 
Join Date: Apr 2009
Posts: 146
Default Re: ExeWatch

Updated again........... V1.11


"New in 1.11: rewrote detection engine for lightning-fast performance!"
  #15  
Old May 3rd, 2012, 05:11 PM
flatfly flatfly is offline
Infrequent Poster
 
Join Date: Aug 2010
Posts: 21
Default Re: ExeWatch

And another update!

"New in 1.12: multiple partition support, "-q" command-line option for quiet mode."
__________________
My low-resource, rock-solid setup for XP and 7:

Setup: LUA & Chrome (+ WOT) & Google DNS
Real-Time: K9 & W7FW & ExeWatch
On-Demand: HitmanPro & TinyWatcher
  #16  
Old May 3rd, 2012, 05:49 PM
clubhouse clubhouse is offline
Regular Poster
 
Join Date: Apr 2009
Posts: 146
Default Re: ExeWatch

Excellent device.....And Sven is doing a great job developing and coding this superb software!
  #17  
Old May 6th, 2012, 09:27 PM
ichito ichito is offline
Frequent Poster
 
Join Date: Jan 2011
Location: Poland - Cracow
Posts: 859
Default Re: ExeWatch

I've tested it...nice, simple and lightweight app, but for me its behaviour is a little bit strange. What do I mean?

- EW correctly detects EXE files both as standalone file...examples from log file
C:\Downloads\enigmavb.exe
C:\Downloads\exewatch.exe
C:\Downloads\picpick_inst.exe

and as file included in some folder e.g. in program folder
C:\Downloads\1by1\1by1.exe
C:\Downloads\Autoruns\autoruns.exe
C:\Downloads\Autoruns\autorunsc.exe
C:\Downloads\FreeCommander\FcContextMenu64.exe
C:\Downloads\FreeCommander\FreeCommander.exe


- correctly detects files both on system disk (C) and other disk/device (D)
D:\Downloads\20120505-016-v5i32.exe
D:\Downloads\ashampoo_winoptimizer_free_1.0.0_sm.exe
D:\Downloads\enigmavb.exe
D:\Downloads\picpick_inst.exe
D:\Services\1by1\1by1.exe

- correctly detects when we delete some EXE file from all disks
C:\RECYCLER\S-1-5-21-632532318-2666670698-1580278117-36839\Dc3.exe
C:\RECYCLER\S-1-5-21-632532318-2666670698-1580278117-36839\Dc4.exe
D:\RECYCLER\S-1-5-21-632532318-2666670698-1580278117-36839\Dd10.exe
D:\RECYCLER\S-1-5-21-632532318-2666670698-1580278117-36839\Dd11.exe

and now is something strange...
when standalone file is deleted - this action is detected
when folder with EXE files is deleted - this action is not detected

---------------------
edit:
Next nice action from few minutes ago...I downloaded and installed to try K9 Web Protection
- starting of download
C:\DOCUME~1\xxxxxx\USTAWI~1\Temp\s76_pQbC.exe
- the end of download and saving on disk
D:\Downloads\k9-webprotection.exe
- starting of installation
C:\DOCUME~1\xxxxxx\USTAWI~1\Temp\k9filter.exe
- the end of installation
C:\Program Files\Blue Coat K9 Web Protection\k9filter.exe
C:\Program Files\Blue Coat K9 Web Protection\UIHelper.exe
C:\Program Files\Blue Coat K9 Web Protection\uninst.exe
C:\DOCUME~1\xxxxxx\USTAWI~1\Temp\k9filter.exe


Looks great
__________________
"Who was not a rebel in his youth, this will be a pig in old age" - J. Piłsudski
SG.pl

Last edited by ichito : May 6th, 2012 at 09:50 PM.
  #18  
Old May 7th, 2012, 06:37 AM
svenfaw svenfaw is offline
Infrequent Poster
 
Join Date: May 2012
Posts: 19
Default Re: ExeWatch

Hello, I am the author of ExeWatch and am very happy about the growing
amount of interest ExeWatch is getting on the Wilders community forums.

I totally didn't expect this! I will try to visit this forum
regularly from now on, even though my free time is rather
limited currently, due to some annoying medical and financial issues.

Quote:
Originally Posted by ichito
...
and now is something strange...
when standalone file is deleted - this action is detected
when folder with EXE files is deleted - this action is not detected


I will try to explain what is happening here:

ExeWatch alerts are triggered by 2 particular types of system events:
new EXE file creations and EXE file renamings. Due to an oddity with the Windows Recycle Bin behavior, when deleting a folder, the files inside that folder do not get renamed, unlike when deleting individual files. (This can be verified by doing a command line DIR /A inside the Recycler directory)

This is why ExeWatch triggers no alert, as it just views the operation as a regular file move.

This is OK, as my design objective for this app was to monitor
*new* (potentially suspicious) EXE files, which isn't the case here.

I hope this explains the behavior you have noticed. I agree it is surprising
at first sight. Perhaps I will add a note about this on the website.
__________________
Author of ExeWatch - http://dre.natverk.org
  #19  
Old May 7th, 2012, 09:17 PM
ichito ichito is offline
Frequent Poster
 
Join Date: Jan 2011
Location: Poland - Cracow
Posts: 859
Default Re: ExeWatch

Hi svenfaw
Thanks for the explanation...it's clear and enough to understand this behaviour
Could you think about support for USB devices?...or it's impossible?
__________________
"Who was not a rebel in his youth, this will be a pig in old age" - J. Piłsudski
SG.pl
  #20  
Old May 8th, 2012, 03:59 AM
kjempen kjempen is offline
Frequent Poster
 
Join Date: May 2004
Posts: 379
Default Re: ExeWatch

Suggestion:

How about adding monitoring of .PIF, .BAT, .SCR, .COM (especially), and .VBS files?
  #21  
Old May 8th, 2012, 09:47 AM
jmonge jmonge is offline
Incredibly Massive Poster
 
Join Date: Mar 2008
Location: Calgary,Canada
Posts: 11,849
Default Re: ExeWatch

and dll files
__________________
Anti-Executable Standard 5.20.1112.562/K9 Web Protection 4.4.268
  #22  
Old May 8th, 2012, 11:58 AM
svenfaw svenfaw is offline
Infrequent Poster
 
Join Date: May 2012
Posts: 19
Default Re: ExeWatch

Hi, I will certainly look into supporting USB drives and multiple extensions.

If I can implement these without impacting performance significantly, I will.

Please note that I might consider offering such an enhanced version for a (small) price, though. I just can't afford to do everything for free at the moment, unless I can receive enough donations to support development.
__________________
Author of ExeWatch - http://dre.natverk.org
  #23  
Old May 9th, 2012, 10:53 AM
svenfaw svenfaw is offline
Infrequent Poster
 
Join Date: May 2012
Posts: 19
Default Re: ExeWatch

Version 1.16 is out, with support for USB drives and 2 additional file extensions. The app is still freeware and portable, and should be very stable.

More extensions (DLL, VBS, SYS, OCX, COM, PIF) will be added in a later version, once I have verified performance remains acceptable.
__________________
Author of ExeWatch - http://dre.natverk.org

Last edited by svenfaw : May 9th, 2012 at 11:02 AM.
  #24  
Old May 10th, 2012, 12:41 PM
sg09 sg09 is offline
Very Frequent Poster
 
Join Date: Jul 2009
Location: Kolkata, India
Posts: 2,386
Default Re: ExeWatch

Hello Sven, I am Sujay. If you remember, we have talked before via email regarding ExeWatch.
Nice changes in the new versions. Thank you very much.
Can you please add a keyboard shortcut to bring "View Status"?
__________________
Windows 7 Professional 64bit: Webroot Secure Anywhere, Zemana AL, KPD, Kingsoft AV
Windows 7 Home Premium 32bit: AVG Internet Security, MCShield

My Blog
  #25  
Old May 10th, 2012, 01:26 PM
svenfaw svenfaw is offline
Infrequent Poster
 
Join Date: May 2012
Posts: 19
Default Re: ExeWatch

Quote:
Originally Posted by sg09
Hello Sven, I am Sujay. If you remember, we have talked before via email regarding ExeWatch.
Nice changes in the new versions. Thank you very much.
Can you please add a keyboard shortcut to bring "View Status"?

Hello Sujay,

Good idea!
Please try "Win-S" in the latest version (1.18 - just released)
Thanks for your great feedback.

Cheers

EDIT: Typo corrected: Win-S
__________________
Author of ExeWatch - http://dre.natverk.org
 

All times are GMT -4. The time now is 08:01 PM.

