Anti Execute Protection Options Query

Discussion in 'Returnil releases' started by Dark Star 72, Apr 27, 2009.

Thread Status:
Not open for further replies.
  1. Dark Star 72

    Dark Star 72 Registered Member

    Joined:
    May 27, 2007
    Posts:
    703
    I have a bit of difficulty understanding some of the Anti Execute protection options and need some clarification.

    Under 'Protection Options' there is:
    "Forbid Internet Explorer from activating programs that are not on the White List"

    Underneath there is:
    "Block activation of all programs not on the White List"

    Now, in the help document it states that when both of these options are activated together "IE can load programs as required"
    Surely if one option stops IE activating any programs not on the white list and the other option blocks activation of any programs not on the white list then no program not on the white list would be able to activate. Is this a typo or have I completely misunderstood?

    Also, if I am using Firefox would the "Forbid IE etc..." become irrelevant?
    And what exactly is the difference between "Enable Anti-Executable Protection" and "Block activation of all programs not on the White List"?
    Would the second option simply block activation without a pop up or do they both do basically the same thing?
    Sorry if this seems a rather long convoluted query but I have a great liking for this program and want to ensure I use it correctly. No good finding out I didn't understand it properly when it's too late :D
     
  2. Coldmoon

    Coldmoon Returnil Moderator

    Joined:
    Sep 18, 2006
    Posts:
    2,981
    Location:
    USA
    Hi,
    The difference here is in what you want to lock down. When you only activate the IE option, IE is not allowed to load programs that are not on the White List but you can. By activating the "Block activation of all programs not on the White List", you extend that restriction to activation of programs not actually activated by IE (IOW - everything else on the Real System).

    Yes, this is only for IE at this time.

    The first option will warn at activation of a program and the second will block activation of programs not already on the list.

    Mike
     
  3. Dark Star 72

    Mike,
    Many thanks for the clarification, the IE option makes sense now.
    One last question - would "Block activation of all programs not on the White List" be much the same as "Enable Anti-Executable Protection" with the "Deny all if there are no rules" option selected?
     
  4. Coldmoon

    No, the "Deny all if there are no rules" option is a general setting that should silence the block so would only apply to not being "nagged" as often as being asked.
     
  5. Dark Star 72

    Thanks Mike for the further clarification. All set to go now.
     
  6. Dark Star 72

    Mike,
    One more question. A little while ago I had Firefox crash for the one and only time in 4 years. I had Anti-Execute on "Ask me if there are no rules" selected. Anti-Execute immediately popped up asking if it was OK for *** process to shut down Firefox - to which I clicked yes. Now, if I had had "Trust all files in the Real System" selected would Anti-Execute have allowed the process that shut Firefox down to have continued as a trusted process without a pop-up?
     
  7. Coldmoon

    Hi,
    Yes, or alternately add the process to the White list.
     
  8. jadejadejade

    jadejadejade Registered Member

    Joined:
    Jan 26, 2006
    Posts:
    9
    Hi Moon and all buddies here,

    I have tried Process Guard long long before, but it seems to be forgotten these years. Now, we have switched to Comodo Internet Security to block the process in "Defence + Security Level" (no need to block the process in "Firewall Security Level"). Am I right? Secondly, is it poorer in substance than the anti-exec of Returnil? Thanks. :eek:

    Best Regards,
    Jade
     
  9. Coldmoon

    Hi,
    The AE in RVS is not a full-featured HIPS implementation and was designed to provide protection from a specific type of malware rather than a general approach taken in products like Comodo. Given this, we have consistently said that if you already use a full-featured solution, the AE in RVS is redundant.

    HTH
    Mike
     