Exewatch ??

Discussion in 'other anti-malware software' started by smallhagrid, Feb 4, 2013.

Thread Status:
Not open for further replies.
  1. smallhagrid

    smallhagrid Registered Member

    Joined:
    Feb 14, 2011
    Posts:
    64
    Location:
    Vermont, America
    There is a thread here explaining the author's difficulties and that he moved his site and that site is now gone too. (http://dre.redmartian.org/)

    Unfortunately:
    Homepage: http://dre.tx0.org/
    Download: http://dre.tx0.org/exewatch.exe
    Have vanished utterly.

    Does anyone know of any existing mirror for this, please ??

    Thanks.

    PS:
    Yes, I like older, proven software and as such I am a happy XP user as well.
     
  2. iammike

    iammike Registered Member

    Joined:
    Jun 13, 2012
    Posts:
    276
    Location:
    SE Asia
    Maybe this could serve as an alternative ??

    -http://www.novirusthanks.org/product/pe-dropper-monitor/-
     
  3. Fuzzfas

    Fuzzfas Registered Member

    Joined:
    Jun 24, 2007
    Posts:
    2,753
  4. smallhagrid

    smallhagrid Registered Member

    Joined:
    Feb 14, 2011
    Posts:
    64
    Location:
    Vermont, America
  5. Fuzzfas

    Fuzzfas Registered Member

    Joined:
    Jun 24, 2007
    Posts:
    2,753
    You're welcome. The real thanks go to the dev. It's a fine, ultralight little application and also covers .bat, ocx and some other extensions. If you have a PC in "steadystate" it's very nice to keep an eye out for new things that drop onto your hard disk.
     
  6. brainrb1

    brainrb1 Registered Member

    Joined:
    Mar 15, 2010
    Posts:
    474
    @Fuzzfas

    You are using Exewatch and NVT Exe radar pro, are they both needed?
     
  7. Fuzzfas

    Fuzzfas Registered Member

    Joined:
    Jun 24, 2007
    Posts:
    2,753
    I use NVT with default settings for usability reasons. For example, scripts can run, anything from program folders can run. So, theoretically, something may drop in there and NVT won't react or a script may run. To give you an example: I use ClownBD. It's in the programs folder. NVT auto-allows it. ClownBD, when put to work, creates 2 batch files that also run "undetected" by NVT. Exewatch flags them both. The good thing with Exewatch is that it doesn't need your immediate attention. It just flashes when something new was executed. So you don't have to click "allow" all the time. You can go see what it was, at your leisure. So, I consider it complementary to NVT, in a more "usability"-oriented setup. After all, my current take on infections is: "The only thing I care about is to be able to tell that I was infected. If I do, I restore a Macrium image, which will also rewrite the MBR and bye bye malware. Important information is either encrypted or locked up and exists in copies on DVDs. So the worst case is ransomware. Fine. Let's say the ransomware encrypts everything on my HDDs (including the Macrium images on my HDD). I still have an offline copy of the important stuff; I will lose some unimportant stuff. I will restore a Macrium image of Windows only (freshly installed) that I keep on DVD, bye bye ransomware, and copy the important stuff from the DVD".

    You can set NVT to behave in a more restrictive manner, but it becomes more of a pain with popups for legitimate things as it is now.

    On the bright side, the PC feels sooooooooo snappy without antivirus/heavy HIPS. ExeWatch is superlight, it's as if it didn't exist and if you're bored with it, you can simply ignore it. It will keep flashing, but you can simply ignore it. A pop up that asks you all the time and waits for input, you can't ignore it.
     
    Last edited: Feb 6, 2013
  8. Fuzzfas

    Fuzzfas Registered Member

    Joined:
    Jun 24, 2007
    Posts:
    2,753
    Ah, another use of ExeWatch is a bit like a "post-mortem" of NVT decisions. Say you install something. You click allow on the NVT to allow install. NVT will let the installer do its job without further hassle. Exewatch will keep tracking all exes that will be created, even if in the programs folder (which NVT auto-allows), so if you're not too bored, you can take a look to see if all "seems normal".
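
Added example (not part of the thread and not ExeWatch's code, whose internals the thread does not describe): a snapshot-and-diff check for executables and scripts that were dropped or modified after a baseline, the kind of after-the-fact review described in the post above. The watched-extension set and the temp-directory scenario are constructed assumptions.

```python
import hashlib
import tempfile
from pathlib import Path

WATCHED = {".exe", ".bat", ".ocx", ".jar"}  # assumed set, taken from extensions named in the thread

def sha1_of(path, chunk=65536):
    """Hash a file in chunks so large binaries are not read into memory."""
    h = hashlib.sha1()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest().upper()

def snapshot(root):
    """Map every watched file under root to its SHA-1."""
    seen = {}
    for p in Path(root).rglob("*"):
        if p.suffix.lower() in WATCHED:
            try:
                if p.is_file():
                    seen[str(p)] = sha1_of(p)
            except OSError:
                continue  # locked or removed between listing and open
    return seen

def diff(before, after):
    """Return (new, changed) watched paths between two snapshots."""
    new = sorted(p for p in after if p not in before)
    changed = sorted(p for p in after if p in before and after[p] != before[p])
    return new, changed

def demo():
    """Constructed scenario: files dropped into an auto-allowed program folder."""
    with tempfile.TemporaryDirectory() as root:
        prog = Path(root, "Program Files", "App")
        prog.mkdir(parents=True)
        (prog / "app.exe").write_bytes(b"MZ original")
        base = snapshot(root)
        (prog / "helper.BAT").write_bytes(b"@echo off\r\n")   # new script
        (prog / "notes.txt").write_bytes(b"not watched\n")    # ignored extension
        (prog / "app.exe").write_bytes(b"MZ replaced")        # modified binary
        new, changed = diff(base, snapshot(root))
        return [Path(p).name for p in new], [Path(p).name for p in changed]

if __name__ == "__main__":
    print(demo())
```

Like the tool discussed in the thread, this only reports; it does not block anything, so the baseline has to be taken while the system is in a known-good state.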
     
  9. brainrb1

    brainrb1 Registered Member

    Joined:
    Mar 15, 2010
    Posts:
    474
    Thanks. I will try it this weekend. Any known problems on Windows 8 x64?
     
  10. Fuzzfas

    Fuzzfas Registered Member

    Joined:
    Jun 24, 2007
    Posts:
    2,753
    I don't know. Unfortunately the developer stopped updating the program before Windows 8 was officially released, so we don't know. But on Win7 x64 it works just fine, so with a bit of luck it will work on Windows 8 too.
     
  11. Tarnak

    Tarnak Registered Member

    Joined:
    Feb 5, 2007
    Posts:
    3,873
  12. jmonge

    jmonge Registered Member

    Joined:
    Mar 20, 2008
    Posts:
    12,883
    Location:
    Canada
    Where can I get it from? I also want to try it for the first time :)
     
  13. Fuzzfas

    Fuzzfas Registered Member

    Joined:
    Jun 24, 2007
    Posts:
    2,753
    Ah, I see it works for XP too! Nice! Well, it's not exactly famous as an application. I only noticed it here in Wilders where the dev had a thread about it. Otherwise it was unknown. But it works as advertised and is a useful monitoring tool. Even for people who can't stand classical HIPS, this is a viable alternative for watching for new exes without having to answer any pop up. Won't stop the malware, but at least you'll know about it.

    Oh, careful about the "Panic mode". This is supposed to be used only in case you are sure to be witnessing a massive infection. It will then start renaming all new exes to an extension I don't remember, in an attempt to stop the infection.


    See link in post no.3!
     
    Last edited: Feb 6, 2013
  14. jmonge

    jmonge Registered Member

    Joined:
    Mar 20, 2008
    Posts:
    12,883
    Location:
    Canada
    thanks
     
  15. Baedric

    Baedric Registered Member

    Joined:
    Apr 14, 2006
    Posts:
    163
    What is the MD5 of your copy Fuzzfas?
    Mine is: 15C8521B8DDFB0C7ECAA72DEA02E1047
    I can't DL yours as my DNS is blocking me. lol
     
  16. Fuzzfas

    Fuzzfas Registered Member

    Joined:
    Jun 24, 2007
    Posts:
    2,753

    Same (v.1.28, the last one AFAIK).

    MD5 Hash 15C8521B8DDFB0C7ECAA72DEA02E1047
    SHA-1 Hash 951AA882FC6A1F67FD1ED0E12E194E15D6AEF8C6
     
  17. Baedric

    Baedric Registered Member

    Joined:
    Apr 14, 2006
    Posts:
    163
    Thanks! I wonder what became of the dev?
     
  18. Fuzzfas

    Fuzzfas Registered Member

    Joined:
    Jun 24, 2007
    Posts:
    2,753
    The author, "svenfaw", posted for the last time in Wilders in July 2012. After that, he is missing and the website that was hosting the application is gone. Who knows...
     
  19. DX2

    DX2 Guest

    How do you add it to start up?
     
  20. Fuzzfas

    Fuzzfas Registered Member

    Joined:
    Jun 24, 2007
    Posts:
    2,753
    Put the executable in a folder, place the folder in your Program Files directory.
    Right click on the executable, send to desktop (shortcut). Take the shortcut and drop it into:

    C:\Users\Yourusername\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup

    Reboot. It should now be loading with Windows.

    This is for Win7. For XP I don't remember where the startup folder is.
     
  21. ronjor

    ronjor Global Moderator

    Joined:
    Jul 21, 2003
    Posts:
    57,726
    Location:
    Texas
    Some off topic posts removed.
     
  22. DX2

    DX2 Guest

    Thanks :)
     
  23. svenfaw

    svenfaw Registered Member

    Joined:
    May 7, 2012
    Posts:
    134
    Hi,

    thanks all for your feedback. I'm sorry I was away from these forums for so long.
    I'm very grateful to see that ExeWatch wasn't forgotten in the meantime.

    I have just released v1.30, which is a minor update that adds an autostart option, support for JAR files and a proper about dialog.

    The MD5 for v1.30 is C60FEF21B20FF5C468058392B65740C0
    and the new URL is http://dre.natverk.org.

    Sven
     
  24. siketa

    siketa Registered Member

    Joined:
    Oct 25, 2012
    Posts:
    2,695
    Location:
    Zagreb, Croatia
    Welcome back!
    :)

    Can you add .scr and .msi extensions?
    I think maybe a popup instead of four rectangles would be a better choice?
     
    Last edited: Feb 13, 2013
  25. Fuzzfas

    Fuzzfas Registered Member

    Joined:
    Jun 24, 2007
    Posts:
    2,753
    Welcome back, Sven! Thank you for the update and the ultralight, useful program.
     