Question about anti-execute module...

Discussion in 'General Returnil discussions' started by Gullible Jones, Sep 12, 2009.

Thread Status:
Not open for further replies.
  1. Does it intercept the running of DLLs as executables, e.g. via rundll32.exe? TIA...
  2. pegr

    pegr Registered Member

    Apr 8, 2008
    As far as I'm aware, it only intercepts files with .exe and .sys extensions, but Coldmoon should be able to provide a definitive answer.
  3. Coldmoon

    Coldmoon Returnil Moderator

    Sep 18, 2006
    Hi Gullible Jones,
    The Anti-Execute feature in 2x will block specific content already known, but is not and never was intended to be a full featured HIPS. The targeting for it has been to enable users to deal with potential issues arising from a very short list of malware families that have been created to bypass virtualization (regardless of which ISR program you are discussing as all share the same issue and are usually updated to address each bypass report as soon as they are known in one way or another).

    Remember that strict ISR is only able to do the following things:

    1. Drop all changes
    2. Save some changes
    3. Save all changes

    They do not have any detection or blocking capabilities by default and this has always been their Achilles Heel. The design of RVS 2010 however is based on the use of intelligent layering where the weakness of one component part is covered by the strengths of other component parts. In the first 3x generation, this layering was to add:

    1. Detection/blocking, especially for the very same types of malware described above.
    2. Collection and analysis of malware components and behavior that helps improve the product's abilities and performance over time

Thread Status:
Not open for further replies.