ExeWatch

Discussion in 'other anti-malware software' started by flatfly, Apr 23, 2012.

Thread Status:
Not open for further replies.
  1. flatfly

    flatfly Registered Member

    Joined:
    Aug 25, 2010
    Posts:
    62
    [Edit]: sorry, I think I should have posted this in the "other anti-malware software" forum.

    I haven't seen ExeWatch discussed here...

    Has anyone else tried it already? Is it safe?

    http://dre.tx0.org/

    I've been testing it today, and it will simply beep every time it detects a new EXE file anywhere on the system disk.

    It won't take any other action, so it's only a minimalist monitoring tool - in that sense, it reminds me of Tiny Watcher a little bit, except that it can run resident and appears to monitor the WHOLE hard drive, not just some locations.

    Still, I'm finding it useful and am even thinking about adding it to my permanent setup...

    What do you think?
     
    Last edited: Apr 26, 2012
  2. sg09

    sg09 Registered Member

    Joined:
    Jul 11, 2009
    Posts:
    2,541
    Location:
    Kolkata, India
    Tested this in Windows XP 32 bit. Cannot see the alert window, shows some orange shades temporarily with an alert beep using motherboard speaker.

    http://i.imgur.com/Yeo0g.jpg

    No GUI. Rests silently in tray. No alert while quitting from Tray.
     
  3. kupo

    kupo Registered Member

    Joined:
    Jan 25, 2011
    Posts:
    1,122
    Seems useful. Nice share.
     
  4. Doraemon

    Doraemon Registered Member

    Joined:
    Aug 5, 2009
    Posts:
    201
    Cute cat! ;)
     
  5. flatfly

    flatfly Registered Member

    Joined:
    Aug 25, 2010
    Posts:
    62
    After some more testing, and pondering if this is too simple of a tool to be useful or not, I decided to keep it on my system, for the following reasons:

    it is stable, lightweight and doesn't require updating. I found it most helpful in swiftly responding to any infections (including zero-days & drive-by downloads), giving nice clues that help narrow down exactly how they came in (when surfing on what website, through what software installation) - and it has very low CPU / RAM consumption. It also fits nicely in an LUA / No AV approach.

    I like the minimalistic approach, but wouldn't mind a few extra features, though (logging, email alerting being the ones I would most like to see).

    Did anyone else have a chance to try it?
     
  6. sg09

    sg09 Registered Member

    Joined:
    Jul 11, 2009
    Posts:
    2,541
    Location:
    Kolkata, India
    v 1.07 is out.
    The main changes are lower resource usage, support for multiple EXE detection, and a global log file.
     
  7. Yanick

    Yanick Registered Member

    Joined:
    May 3, 2011
    Posts:
    269
    Aye, this certainly is a very useful app. Minimalist anti-exe :D added to my security setup as well :)
     
  8. Pliskin

    Pliskin Registered Member

    Joined:
    Feb 8, 2009
    Posts:
    276
    It only detects "exe" extension, not exe files. Is this enough?
     
  9. Yanick

    Yanick Registered Member

    Joined:
    May 3, 2011
    Posts:
    269
    ''ExeWatch will keep a careful eye on your whole system drive and will alert (beep) every time a new EXE file appears anywhere on the drive. Double-click the tray icon to view the latest detections, if any. A solid and lightweight addition for the security-conscious power user.''

    Quote from home site. I'm not really an expert or anything with this app, just started using it :p Still, I think it does detect EXE files themselves, not just the extension. Have you tested this?
     
  10. jabarnut

    jabarnut Registered Member

    Joined:
    Jan 24, 2006
    Posts:
    20
    Hehe...thanks, flatfly.
    Kind of a fun little app...(and I do mean little). :D
    Potentially kind of handy as well.
    Just to try it out, I downloaded Process Explorer (already have it, but it was the first quick .exe I could think of right off the bat).
    Anyway, downloaded the .zip, and as soon as I extracted it to a folder, ExeWatch alerted me to the new .exe, and also included a log file showing the exact path to it.
    Call me silly, but I love little toys like this. A keeper for me. (Hey, for a tiny 200kb portable toy, why not keep it?) ;)
     
  11. Pliskin

    Pliskin Registered Member

    Joined:
    Feb 8, 2009
    Posts:
    276
    Yes, that's why I said it only detects the "exe" extension, not exe files. I created "New Text Document.txt" and renamed it to "New Text Document.exe" and got an alert from ExeWatch. So it detected a 0KB text file as an exe file.
     
  12. flatfly

    flatfly Registered Member

    Joined:
    Aug 25, 2010
    Posts:
    62
    I think this is a good thing, actually. In my eyes, any .EXE file (whatever its internal structure, even if it's a fake EXE) popping up on my hard drive suddenly is potentially a suspicious event, that I want to be aware of. Wouldn't you agree?

    Now, what I would really be happy with, is support for other executable filetypes as well (such as .COM)...
     
  13. Pliskin

    Pliskin Registered Member

    Joined:
    Feb 8, 2009
    Posts:
    276
    My point is that it will not detect an exe file which doesn't have "exe" extension.
     
  14. clubhouse

    clubhouse Registered Member

    Joined:
    Apr 14, 2009
    Posts:
    180
    Updated again........... V1.11


    "New in 1.11: rewrote detection engine for lightning-fast performance!"
     
  15. flatfly

    flatfly Registered Member

    Joined:
    Aug 25, 2010
    Posts:
    62
    And another update!

    "New in 1.12: multiple partition support, "-q" command-line option for quiet mode."
     
  16. clubhouse

    clubhouse Registered Member

    Joined:
    Apr 14, 2009
    Posts:
    180
    Excellent device.....And Sven is doing a great job developing and coding this superb software!
     
  17. ichito

    ichito Registered Member

    Joined:
    Jan 14, 2011
    Posts:
    1,230
    Location:
    Poland - Cracow
    I've tested it...nice, simple and lightweight app, but for me its behaviour is a little bit strange. What do I mean?

    - EW correctly detects EXE files both as a standalone file (examples from the log file)
    C:\Downloads\enigmavb.exe
    C:\Downloads\exewatch.exe
    C:\Downloads\picpick_inst.exe

    and as a file inside some folder, e.g. a program folder
    C:\Downloads\1by1\1by1.exe
    C:\Downloads\Autoruns\autoruns.exe
    C:\Downloads\Autoruns\autorunsc.exe
    C:\Downloads\FreeCommander\FcContextMenu64.exe
    C:\Downloads\FreeCommander\FreeCommander.exe


    - correctly detects files both on system disk (C) and other disk/device (D)
    D:\Downloads\20120505-016-v5i32.exe
    D:\Downloads\ashampoo_winoptimizer_free_1.0.0_sm.exe
    D:\Downloads\enigmavb.exe
    D:\Downloads\picpick_inst.exe
    D:\Services\1by1\1by1.exe

    - correctly detects when we delete an EXE file, on all disks
    C:\RECYCLER\S-1-5-21-632532318-2666670698-1580278117-36839\Dc3.exe
    C:\RECYCLER\S-1-5-21-632532318-2666670698-1580278117-36839\Dc4.exe
    D:\RECYCLER\S-1-5-21-632532318-2666670698-1580278117-36839\Dd10.exe
    D:\RECYCLER\S-1-5-21-632532318-2666670698-1580278117-36839\Dd11.exe

    and now something strange...
    when a standalone file is deleted, this action is detected
    when a folder with EXE files is deleted, this action is not detected o_O

    ---------------------
    edit:
    Next nice action from a few minutes ago...I downloaded and installed K9 Web Protection to try it
    - starting of download
    C:\DOCUME~1\xxxxxx\USTAWI~1\Temp\s76_pQbC.exe
    - the end of download and saving on disk
    D:\Downloads\k9-webprotection.exe
    - starting of installation
    C:\DOCUME~1\xxxxxx\USTAWI~1\Temp\k9filter.exe
    - the end of installation
    C:\Program Files\Blue Coat K9 Web Protection\k9filter.exe
    C:\Program Files\Blue Coat K9 Web Protection\UIHelper.exe
    C:\Program Files\Blue Coat K9 Web Protection\uninst.exe
    C:\DOCUME~1\xxxxxx\USTAWI~1\Temp\k9filter.exe


    Looks great :thumb:
     
    Last edited: May 6, 2012
  18. svenfaw

    svenfaw Registered Member

    Joined:
    May 7, 2012
    Posts:
    65
    Hello, I am the author of ExeWatch and am very happy about the growing amount of interest ExeWatch is getting on the Wilders community forums.

    I totally didn't expect this! I will try to visit this forum regularly from now on, even though my free time is rather limited currently, due to some annoying medical and financial issues.


    I will try to explain what is happening here:

    ExeWatch alerts are triggered by 2 particular types of system events:
    new EXE file creations and EXE file renamings. Due to an oddity with the Windows Recycle Bin behavior, when deleting a folder, the files inside that folder do not get renamed, unlike when deleting individual files. (This can be verified by doing a command line DIR /A inside the Recycler directory)

    This is why ExeWatch triggers no alert, as it just views the operation as a regular file move.

    This is OK, as my design objective for this app was to monitor *new* (potentially suspicious) EXE files, which isn't the case here.

    I hope this explains the behavior you have noticed. I agree it is surprising at first sight. Perhaps I will add a note about this on the website.
     
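    The two behaviours discussed in this thread (Pliskin's point in posts 8, 11 and 13 that ExeWatch keys on the ".exe" extension rather than file contents, and svenfaw's explanation in post 18 that alerts fire on new EXE creations and renames but not on the plain move that a folder delete produces) can be modelled in a few lines. The block below is an added example written for this thread; it is not ExeWatch's own code, and its event model (`create`/`rename`/`move` with the file bytes attached), the watched-extension set and all sample paths and contents are constructed for the demo. It puts the extension-only rule beside a content-aware one that also checks for a PE image (an "MZ" header whose `e_lfanew` field at offset 0x3C points at a "PE\0\0" signature), which catches a real executable saved under another extension.

```python
"""Extension-only vs. content-aware new-executable alerting (added example, not ExeWatch code)."""
import struct
from dataclasses import dataclass

# Assumption: ".exe" plus two extras, standing in for the extension set v1.16 is said to add.
WATCHED_EXTENSIONS = {".exe", ".com", ".scr"}


@dataclass
class FsEvent:
    kind: str          # "create", "rename" or "move" (constructed event model, not the Windows API)
    path: str
    data: bytes = b""  # file contents at the time of the event


def has_watched_extension(path: str) -> bool:
    """Case-insensitive check of the final extension; a dot inside a directory name does not count."""
    dot = path.rfind(".")
    sep = max(path.rfind("\\"), path.rfind("/"))
    if dot <= sep:
        return False
    return path[dot:].lower() in WATCHED_EXTENSIONS


def is_pe_image(data: bytes) -> bool:
    """True if data has a DOS 'MZ' header whose e_lfanew (offset 0x3C) points at a 'PE\\0\\0' signature."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return False
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)
    if e_lfanew + 4 > len(data):  # signature would lie outside the buffer
        return False
    return data[e_lfanew:e_lfanew + 4] == b"PE\0\0"


def extension_only_alert(ev: FsEvent) -> bool:
    """Rule as the thread describes ExeWatch: a create or rename of a file with a watched extension."""
    return ev.kind in ("create", "rename") and has_watched_extension(ev.path)


def content_aware_alert(ev: FsEvent) -> bool:
    """Hardened rule: same events, but also alert when the bytes form a PE image, whatever the name."""
    if ev.kind not in ("create", "rename"):
        return False
    return has_watched_extension(ev.path) or is_pe_image(ev.data)


def minimal_pe_stub() -> bytes:
    """Construct the smallest layout the check recognises: 'MZ', e_lfanew = 0x40, then 'PE\\0\\0'."""
    hdr = bytearray(0x40)
    hdr[:2] = b"MZ"
    struct.pack_into("<I", hdr, 0x3C, 0x40)
    return bytes(hdr) + b"PE\0\0" + bytes(20)  # 20 zero bytes where a COFF header would sit


# Constructed sample events mirroring the cases raised in the thread.
SAMPLE_EVENTS = [
    FsEvent("rename", r"C:\Users\demo\Desktop\New Text Document.exe", b""),            # Pliskin's 0 KB renamed .txt
    FsEvent("create", r"C:\Downloads\unpacked.dat", minimal_pe_stub()),                # PE image without .exe extension
    FsEvent("create", r"C:\Downloads\procexp.exe", minimal_pe_stub()),                 # real EXE extracted from a zip
    FsEvent("move", r"C:\RECYCLER\S-1-5-21-EXAMPLE-1000\Dc5.exe", minimal_pe_stub()),  # folder delete seen as a move
]


def run(events=SAMPLE_EVENTS):
    """Return (path, extension_only_alert, content_aware_alert) for each event."""
    return [(ev.path, extension_only_alert(ev), content_aware_alert(ev)) for ev in events]


if __name__ == "__main__":
    for path, ext_only, content in run():
        print(f"{path:55} ext-only={str(ext_only):5} content-aware={content}")
```

Running it shows the renamed empty text file alerting under both rules, the PE saved as `.dat` alerting only under the content-aware rule, and the recycle-bin move alerting under neither, which is the folder-delete case svenfaw describes. The header check is deliberately shallow: it reads only what a monitor can afford per event, and a file that is still being written may not have its PE signature in place yet, so a real tool would re-check once the write completes.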
  19. ichito

    ichito Registered Member

    Joined:
    Jan 14, 2011
    Posts:
    1,230
    Location:
    Poland - Cracow
    Hi svenfaw :)
    Thanks for the explanation...it's clear and enough to understand this behaviour :thumb:
    Could you think about support for USB devices?...or is it impossible? :)
     
  20. kjempen

    kjempen Registered Member

    Joined:
    May 6, 2004
    Posts:
    379
    Suggestion:

    How about adding monitoring of .PIF, .BAT, .SCR, .COM (especially), and .VBS files?
     
  21. jmonge

    jmonge Registered Member

    Joined:
    Mar 20, 2008
    Posts:
    12,873
    Location:
    Canada
    and dll files
     
  22. svenfaw

    svenfaw Registered Member

    Joined:
    May 7, 2012
    Posts:
    65
    Hi, I will certainly look into supporting USB drives and multiple extensions.

    If I can implement these without impacting performance significantly, I will.

    Please note that I might consider offering such an enhanced version for a (small) price, though. I just can't afford to do everything for free at the moment, unless I can receive enough donations to support development.
     
  23. svenfaw

    svenfaw Registered Member

    Joined:
    May 7, 2012
    Posts:
    65
    Version 1.16 is out, with support for USB drives and 2 additional file extensions. The app is still freeware and portable, and should be very stable.

    More extensions (DLL, VBS, SYS, OCX, COM, PIF) will be added in a later version, once I have verified performance remains acceptable.
     
    Last edited: May 9, 2012
  24. sg09

    sg09 Registered Member

    Joined:
    Jul 11, 2009
    Posts:
    2,541
    Location:
    Kolkata, India
    Hello Sven, I am Sujay. If you remember, we have talked before via email regarding ExeWatch.
    Nice changes in the new versions. Thank you very much.
    Can you please add a keyboard shortcut to bring "View Status"?
     
  25. svenfaw

    svenfaw Registered Member

    Joined:
    May 7, 2012
    Posts:
    65
    Hello Sujay,

    Good idea!
    Please try "Win-S" in the latest version (1.18 - just released) :)
    Thanks for your great feedback.

    Cheers

    EDIT: Typo corrected: Win-S
     