ExeWatch

Discussion in 'other anti-malware software' started by flatfly, Apr 23, 2012.

Thread Status:
Not open for further replies.
  1. flatfly
    flatfly Registered Member

    [Edit]: sorry, I think I should have posted this in the "other anti-malware software" forum.

    I haven't seen ExeWatch discussed here...

    Has anyone else tried it already? Is it safe?

    http://dre.tx0.org/

    I've been testing it today, and it will simply beep every time it detects a new EXE file anywhere on the system disk.

    It won't take any other action, so it's only a minimalist monitoring tool - in that sense, it reminds me of Tiny Watcher a little bit, except that it can run resident and appears to monitor the WHOLE hard drive, not just some locations.

    Still, I'm finding it useful and am even thinking about
    adding it to my permanent setup...

    What do you think?
    Last edited: Apr 26, 2012
  2. sg09
    sg09 Registered Member

    Tested this in Windows XP 32 bit. I cannot see the alert window; it shows some orange shades temporarily with an alert beep from the motherboard speaker.

    http://i.imgur.com/Yeo0g.jpg

    No GUI. Rests silently in the tray. No alert while quitting from the tray.
  3. kupo
    kupo Registered Member

    Seems useful. Nice share.
  4. Doraemon
    Doraemon Registered Member

    Cute cat! ;)
  5. flatfly
    flatfly Registered Member

    After some more testing, and pondering whether this is too simple a tool to be useful or not, I decided to keep it on my system, for the following reasons:

    it is stable, lightweight and doesn't require updating. I found it most helpful in swiftly responding to any infections (including zero-days & drive-by downloads), giving nice clues that help narrow down exactly how they came in (when surfing on what website, through what software installation) - and it has very low CPU / RAM consumption. It also fits nicely in an LUA / No AV approach.

    I like the minimalistic approach, but wouldn't mind a few extra features,
    though (logging, email alerting being the ones I would most like to see).

    Did anyone else have a chance to try it?
  6. sg09
    sg09 Registered Member

    v1.07 is out.
    The main changes are lower resource usage, support for multiple EXE detection, and a global log file.
  7. Yanick
    Yanick Registered Member

    Aye, this certainly is a very useful app. Minimalist anti-exe :D added to my security setup as well :)
  8. Pliskin
    Pliskin Registered Member

    It only detects "exe" extension, not exe files. Is this enough?
  9. Yanick
    Yanick Registered Member

    ''ExeWatch will keep a careful eye on your whole system drive and will alert (beep) every time a new EXE file appears anywhere on the drive. Double-click the tray icon to view the latest detections, if any. A solid and lightweight addition for the security-conscious power user.''

    Quote from the home site. I'm not really an expert or anything with this app, I just started using it :p Still, I think it does detect EXE files themselves, not just the extension. Have you tested this?
  10. jabarnut
    jabarnut Registered Member

    Hehe...thanks, flatfly.
    Kind of a fun little app...(and I do mean little). :D
    Potentially kind of handy as well.
    Just to try it out, I downloaded Process Explorer (already have it, but it was the first quick .exe I could think of right off the bat).
    Anyway, downloaded the .zip, and as soon as I extracted it to a folder, ExeWatch alerted me to the new .exe, and also included a log file showing the exact path to it.
    Call me silly, but I love little toys like this. A keeper for me. (Hey, for a tiny 200kb portable toy, why not keep it?) ;)
  11. Pliskin
    Pliskin Registered Member

    Yes, that's why I said it only detects the "exe" extension, not exe files. I created "New Text Document.txt" and renamed it to "New Text Document.exe" and got an alert from ExeWatch. So it detected a 0KB text file as an exe file.
  12. flatfly
    flatfly Registered Member

    I think this is a good thing, actually. In my eyes, any .EXE file (whatever its internal structure, even if it's a fake EXE) popping up on my hard drive suddenly is potentially a suspicious event, that I want to be aware of. Wouldn't you agree?

    Now, what I would really be happy with, is support for other executable filetypes as well (such as .COM)...
  13. Pliskin
    Pliskin Registered Member

    My point is that it will not detect an exe file which doesn't have "exe" extension.
  14. clubhouse
    clubhouse Registered Member

    Updated again... V1.11

    "New in 1.11: rewrote detection engine for lightning-fast performance!"
  15. flatfly
    flatfly Registered Member

    And another update!

    "New in 1.12: multiple partition support, "-q" command-line option for quiet mode."
  16. clubhouse
    clubhouse Registered Member

    Excellent device... And Sven is doing a great job developing and coding this superb software!
  17. ichito
    ichito Registered Member

    I've tested it... nice, simple and lightweight app, but for me its behaviour is a little bit strange. What do I mean?:

    - EW correctly detects EXE files both as standalone files... examples from the log file
    C:\Downloads\enigmavb.exe
    C:\Downloads\exewatch.exe
    C:\Downloads\picpick_inst.exe

    and as files included in some folder, e.g. in a program folder
    C:\Downloads\1by1\1by1.exe
    C:\Downloads\Autoruns\autoruns.exe
    C:\Downloads\Autoruns\autorunsc.exe
    C:\Downloads\FreeCommander\FcContextMenu64.exe
    C:\Downloads\FreeCommander\FreeCommander.exe
    - correctly detects files both on system disk (C) and other disk/device (D)
    D:\Downloads\20120505-016-v5i32.exe
    D:\Downloads\ashampoo_winoptimizer_free_1.0.0_sm.exe
    D:\Downloads\enigmavb.exe
    D:\Downloads\picpick_inst.exe
    D:\Services\1by1\1by1.exe

    - correctly detects when we delete some EXE file from any disk
    C:\RECYCLER\S-1-5-21-632532318-2666670698-1580278117-36839\Dc3.exe
    C:\RECYCLER\S-1-5-21-632532318-2666670698-1580278117-36839\Dc4.exe
    D:\RECYCLER\S-1-5-21-632532318-2666670698-1580278117-36839\Dd10.exe
    D:\RECYCLER\S-1-5-21-632532318-2666670698-1580278117-36839\Dd11.exe

    and now for something strange...
    when a standalone file is deleted - this action is detected
    when a folder with EXE files is deleted - this action is not detected o_O

    ---------------------
    edit:
    Next nice action from a few minutes ago... I downloaded and installed K9 Web Protection to try it
    - starting of download
    C:\DOCUME~1\xxxxxx\USTAWI~1\Temp\s76_pQbC.exe
    - the end of download and saving on disk
    D:\Downloads\k9-webprotection.exe
    - starting of installation
    C:\DOCUME~1\xxxxxx\USTAWI~1\Temp\k9filter.exe
    - the end of installation
    C:\Program Files\Blue Coat K9 Web Protection\k9filter.exe
    C:\Program Files\Blue Coat K9 Web Protection\UIHelper.exe
    C:\Program Files\Blue Coat K9 Web Protection\uninst.exe
    C:\DOCUME~1\xxxxxx\USTAWI~1\Temp\k9filter.exe
    Looks great :thumb:
    Last edited: May 6, 2012
  18. svenfaw
    svenfaw Registered Member

    Hello, I am the author of ExeWatch and am very happy about the growing
    amount of interest ExeWatch is getting on the Wilders community forums.

    I totally didn't expect this! I will try to visit this forum
    regularly from now on, even though my free time is rather
    limited currently, due to some annoying medical and financial issues.
    I will try to explain what is happening here:

    ExeWatch alerts are triggered by 2 particular types of system events:
    new EXE file creations and EXE file renamings. Due to an oddity with the Windows Recycle Bin behavior, when deleting a folder, the files inside that folder do not get renamed, unlike when deleting individual files. (This can be verified by doing a command line DIR /A inside the Recycler directory)

    This is why ExeWatch triggers no alert, as it just views the operation as a regular file move.

    This is OK, as my design objective for this app was to monitor
    *new* (potentially suspicious) EXE files, which isn't the case here.

    I hope this explains the behavior you have noticed. I agree it is surprising
    at first sight. Perhaps I will add a note about this on the website.
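    Two points in this thread suggest a small worked example: Pliskin's observation that a renamed 0KB text file triggers the alert, and Sven's explanation that alerts come from new EXE creations and renames into an EXE name. The script below is an added illustration written for this thread, not ExeWatch's own code (which is not posted here). It takes a polling snapshot of a directory tree, reports every new path whose name carries a watched extension (a rename into .exe counts, exactly as in Pliskin's test), and then applies a separate content check for the DOS "MZ" stub and "PE\0\0" signature to tell a genuine image apart from a renamed text file. The extension set, the minimal PE header bytes and the scratch-directory files are this example's constructed assumptions.

```python
import os
import struct
import tempfile

# Extensions the monitor treats as executable. ExeWatch watched .exe only at
# first and added a few more later; the exact set here is this example's
# assumption, not ExeWatch's list.
WATCHED_EXTENSIONS = {".exe", ".com", ".scr", ".pif", ".dll", ".sys"}


def has_watched_extension(path):
    """Name-only check: this is all a filename-based watcher can see."""
    return os.path.splitext(path)[1].lower() in WATCHED_EXTENSIONS


def is_pe_image(path):
    """Content check: DOS 'MZ' stub plus a 'PE\\0\\0' signature at e_lfanew."""
    try:
        with open(path, "rb") as f:
            dos_header = f.read(64)
            if len(dos_header) < 64 or dos_header[:2] != b"MZ":
                return False
            # e_lfanew (offset of the PE header) lives at 0x3C of the DOS header.
            e_lfanew = struct.unpack_from("<I", dos_header, 0x3C)[0]
            f.seek(e_lfanew)
            return f.read(4) == b"PE\0\0"
    except OSError:
        return False


def snapshot(root):
    """Every path under root whose name carries a watched extension."""
    found = set()
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if has_watched_extension(name):
                found.add(os.path.join(dirpath, name))
    return found


def classify_new_files(before, after):
    """Paths present in `after` but not `before`, each with a verdict.

    A rename into a watched extension shows up here too, because the new
    name is in `after` and the old name never matched the filter.
    """
    results = []
    for path in sorted(after - before):
        if is_pe_image(path):
            results.append((path, "new PE executable"))
        else:
            results.append((path, "executable extension, not a PE image"))
    return results


def make_minimal_pe_bytes():
    """Constructed sample: just enough header to satisfy the PE signature check."""
    dos_header = bytearray(64)
    dos_header[0:2] = b"MZ"
    struct.pack_into("<I", dos_header, 0x3C, 64)  # PE header directly follows
    return bytes(dos_header) + b"PE\0\0" + b"\0" * 20


def demo_in_tempdir():
    """Recreate the thread's experiment in a scratch directory.

    Returns (basename, verdict) pairs the monitor would report.
    """
    root = tempfile.mkdtemp(prefix="exewatch_demo_")
    before = snapshot(root)

    # A file that really is a PE image (constructed minimal header).
    with open(os.path.join(root, "real.exe"), "wb") as f:
        f.write(make_minimal_pe_bytes())
    # Pliskin's test: an empty .txt file renamed to .exe.
    txt = os.path.join(root, "New Text Document.txt")
    open(txt, "w").close()
    os.rename(txt, os.path.join(root, "New Text Document.exe"))
    # A file the name-based filter ignores entirely.
    with open(os.path.join(root, "notes.txt"), "w") as f:
        f.write("not watched\n")

    after = snapshot(root)
    return [(os.path.basename(p), v) for p, v in classify_new_files(before, after)]


if __name__ == "__main__":
    for name, verdict in demo_in_tempdir():
        print(f"{verdict}: {name}")
```

    Run it directly to see the two verdicts. The snapshot-and-diff approach differs from ExeWatch's event-driven design in one respect worth noting: a folder moved to the Recycle Bin, which Sven explains is not a rename of the files inside, simply disappears from the next snapshot, so neither approach reports it as a new file.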
  19. ichito
    ichito Registered Member

    Hi svenfaw :)
    Thanks for the explanation... it's clear and enough to understand this behaviour :thumb:
    Could you think about support for USB devices? ...or is it impossible? :)
  20. kjempen
    kjempen Registered Member

    Suggestion:

    How about adding monitoring of .PIF, .BAT, .SCR, .COM (especially), and .VBS files?
  21. jmonge
    jmonge Registered Member

    and dll files
  22. svenfaw
    svenfaw Registered Member

    Hi, I will certainly look into supporting USB drives and multiple extensions.

    If I can implement these without impacting performance significantly, I will.

    Please note that I might consider offering such an enhanced version for a (small) price, though. I just can't afford to do everything for free at the moment, unless I can receive enough donations to support development.
  23. svenfaw
    svenfaw Registered Member

    Version 1.16 is out, with support for USB drives and 2 additional file extensions. The app is still freeware and portable, and should be very stable.

    More extensions (DLL, VBS, SYS, OCX, COM, PIF) will be added in a later version, once I have verified performance remains acceptable.
    Last edited: May 9, 2012
  24. sg09
    sg09 Registered Member

    Hello Sven, I am Sujay. If you remember, we have talked before via email regarding ExeWatch.
    Nice changes in the new versions. Thank you very much.
    Can you please add a keyboard shortcut to bring "View Status"?
  25. svenfaw
    svenfaw Registered Member

    Hello Sujay,

    Good idea!
    Please try "Win-S" in the latest version (1.18 - just released) :)
    Thanks for your great feedback.

    Cheers

    EDIT: Typo corrected: Win-S