Wilders Security Forums  

  #1  
Old September 12th, 2009, 08:31 PM
Gullible Jones
 
Posts: n/a
Question about anti-execute module...

Does it intercept the running of DLLs as executables, e.g. via rundll32.exe? TIA...
  #2  
Old September 12th, 2009, 09:31 PM
pegr
Very Frequent Poster
 
Join Date: Apr 2008
Location: UK
Posts: 1,608
Re: Question about anti-execute module...

Quote:
Originally Posted by Gullible Jones
Does it intercept the running of DLLs as executables, e.g. via rundll32.exe? TIA...
As far as I'm aware, it only intercepts files with .exe and .sys extensions, but Coldmoon should be able to provide a definitive answer.
  #3  
Old September 13th, 2009, 06:34 AM
Coldmoon
Returnil Moderator
 
Join Date: Sep 2006
Location: North Carolina USA
Posts: 2,744
Re: Question about anti-execute module...

Hi Gullible Jones,
The Anti-Execute feature in 2x will block specific content already known, but is not and never was intended to be a full featured HIPS. The targeting for it has been to enable users to deal with potential issues arising from a very short list of malware families that have been created to bypass virtualization (regardless of which ISR program you are discussing as all share the same issue and are usually updated to address each bypass report as soon as they are known in one way or another).

Remember that strict ISR is only able to do the following things:

1. Drop all changes
2. Save some changes
3. Save all changes

They do not have any detection or blocking capabilities by default and this has always been their Achilles Heel. The design of RVS 2010 however is based on the use of intelligent layering where the weakness of one component part is covered by the strengths of other component parts. In the first 3x generation, this layering was to add:

1. Detection/blocking, especially for the very same types of malware described above.
2. Collection and analysis of malware components and behavior that helps improve the product's abilities and performance over time

Mike
__________________
Returnil: The Real Security!
Follow us on Facebook