How does the Anti-Execute tool work?

Re: new vs. old

How does the Anti-execute function in the new version of Returnil identify an executable? I had set up a rule in Anti-execute to allow the portable program Autoruns to execute without prompting in the future. I then downloaded the new version of Autoruns and replaced the old version with it. When I ran the new version of Autoruns for the first time I expected a new prompt from Returnil's Anti-execute but I got none. Does it just go on a program's name?

Also, I tried testing the "Trust all files in the real system" setting and found that I still got prompts from programs that haden't had a rule set up for them already. It was while system protection was off (don't know if that matters), is that how it should function?

 

Re: new vs. old

(bump)

Coldmoon?

 

Hi Firebytes,
Sorry for missing this earlier and I have split your questions off into their own thread as they are OT in the other thread.

There may be some idiosyncrasies in how the tool works as it was designed to address a specific type of threat rather than to be a mature, full featured HIPS implementation so it may behave in ways you are not used to; especially if you are experienced with other utilities that are designed to be a HIPS in a general sense.

The included tools are an intermediate step while we work on a new approach that will be introduced in a later release series following the 3x generation…

Mike

 

Sorry for being off topic in the other thread. Thanks for correcting my error and for taking the time to address my question.

I actually have very little experience with HIPS other than following some threads at Wilders concerning them. That's why I was curious about how Returnil's Anti-execute tool identifies programs. I do understand that it isn't meant to be a full blown HIPS. Probably a good thing or I would be in over my head.

I look forward to future versions of Returnil and the improvements you implement.

 

@ Coldmoon

Just curious, why do a few of the entries in my Anti-execute white list have blue text while the bulk are in black text?

At first I assumed it was to highlight newly added entries (a very good idea) but the entries have remained in blue even though I have viewed the list several times and have rebooted the computer a few times since adding them. What am I missing?

Once again, this is no big deal...just wondering.

Thanks

 

@Firebytes
The blue lines indicate items added by the user to the whitelist that is not part of the original list of items when you clicked Ok after turning on the AE plugin. Sort of a reminder to the user to crosscheck when he opens up the AE module again. Once you open up AE and click on Ok then exit, the list will be updated.

@Coldmoon
Can I ask about which file extensions the AE module intercepts? tyvm

 

I have viewed the white list several times (and clicked OK) since the items were added and they still remain blue, while others that I have added in the past have since changed to black text.