How does the Anti-Execute tool work?

Discussion in 'Returnil releases' started by Firebytes, Mar 30, 2009.

Thread Status:
Not open for further replies.
  1. Firebytes

    Firebytes Registered Member

    Joined:
    May 29, 2007
    Posts:
    903
    Re: new vs. old

    How does the Anti-execute function in the new version of Returnil identify an executable? I had set up a rule in Anti-execute to allow the portable program Autoruns to execute without prompting in the future. I then downloaded the new version of Autoruns and replaced the old version with it. When I ran the new version of Autoruns for the first time I expected a new prompt from Returnil's Anti-execute but I got none. Does it just go on a program's name?

    Also, I tried testing the "Trust all files in the real system" setting and found that I still got prompts from programs that hadn't had a rule set up for them already. It was while system protection was off (don't know if that matters); is that how it should function?
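The behaviour Firebytes describes (a replaced Autoruns binary running with no fresh prompt) is exactly what an allow rule keyed on the file name or path produces, whereas a rule keyed on a hash of the contents would prompt again. The toy below is an added illustration of that difference and is not Returnil's code; the thread does not say which identifier Returnil actually keys its rules on, and the three policy names, the `FakeFile` stand-in and the sample paths and bytes are all constructed for the example.

```python
"""Toy allow-list showing how the identifier chosen for a rule decides
whether a replaced, moved or impersonated executable gets a new prompt.
Added illustration only; not Returnil code. Policy names and sample
files are assumptions made for this example."""
import hashlib
import ntpath  # handles Windows-style paths on any host OS
from dataclasses import dataclass


@dataclass(frozen=True)
class FakeFile:
    """Stand-in for an on-disk executable (constructed sample, not read from disk)."""
    path: str
    content: bytes


class AllowList:
    """Allow-list keyed by one of three identifiers (assumed policies):

    name: basename only, case-insensitive
    path: full path, case-insensitive
    hash: SHA-256 of the file contents
    """

    def __init__(self, mode: str) -> None:
        if mode not in ("name", "path", "hash"):
            raise ValueError(f"unknown mode {mode!r}")
        self.mode = mode
        self.entries: set[str] = set()

    def identify(self, f: FakeFile) -> str:
        """Derive the rule key for a file under the configured policy."""
        if self.mode == "name":
            return ntpath.basename(f.path).lower()
        if self.mode == "path":
            return f.path.lower()
        return hashlib.sha256(f.content).hexdigest()

    def allow(self, f: FakeFile) -> None:
        """Record the user's 'allow without prompting' decision for f."""
        self.entries.add(self.identify(f))

    def check(self, f: FakeFile) -> str:
        """'allow' = run silently, 'prompt' = ask the user again."""
        return "allow" if self.identify(f) in self.entries else "prompt"


# Constructed sample "executables"; the MZ prefix is decoration only.
OLD = FakeFile(r"C:\Tools\autoruns.exe", b"MZ old build")
NEW_SAME_PATH = FakeFile(r"C:\Tools\autoruns.exe", b"MZ new build")    # updated in place
OLD_MOVED = FakeFile(r"D:\Portable\autoruns.exe", b"MZ old build")      # same bytes, new folder
IMPOSTOR = FakeFile(r"C:\Temp\autoruns.exe", b"MZ something else")      # unrelated file, same name


def simulate(mode: str) -> dict[str, str]:
    """Allow the old Autoruns once, then see what each later file gets."""
    al = AllowList(mode)
    al.allow(OLD)
    return {
        "old": al.check(OLD),
        "updated_in_place": al.check(NEW_SAME_PATH),
        "moved": al.check(OLD_MOVED),
        "impostor": al.check(IMPOSTOR),
    }


if __name__ == "__main__":
    for policy in ("name", "path", "hash"):
        print(policy, simulate(policy))
```

Running it shows the trade-off a practitioner cares about: the name policy never prompts again for anything called autoruns.exe, the path policy catches a moved copy but not an in-place update or an impostor dropped at the allowed path, and only the hash policy distinguishes the new build (and an impostor) from the binary the user originally approved, at the cost of prompting again after every legitimate update.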
     
  2. Firebytes

    Firebytes Registered Member

    Joined:
    May 29, 2007
    Posts:
    903
    Re: new vs. old

    (bump)

    Coldmoon?
     
  3. Coldmoon

    Coldmoon Returnil Moderator

    Joined:
    Sep 18, 2006
    Posts:
    2,981
    Location:
    USA
    Hi Firebytes,
    Sorry for missing this earlier; I have split your questions off into their own thread as they were OT in the other thread.

    There may be some idiosyncrasies in how the tool works, as it was designed to address a specific type of threat rather than to be a mature, full-featured HIPS implementation, so it may behave in ways you are not used to, especially if you are experienced with other utilities that are designed to be a HIPS in a general sense.

    The included tools are an intermediate step while we work on a new approach that will be introduced in a later release series following the 3x generation…

    Mike
     
  4. Firebytes

    Firebytes Registered Member

    Joined:
    May 29, 2007
    Posts:
    903
    Sorry for being off topic in the other thread. Thanks for correcting my error and for taking the time to address my question.

    I actually have very little experience with HIPS other than following some threads at Wilders concerning them. That's why I was curious about how Returnil's Anti-execute tool identifies programs. I do understand that it isn't meant to be a full blown HIPS. Probably a good thing or I would be in over my head.

    I look forward to future versions of Returnil and the improvements you implement.
     
  5. Firebytes

    Firebytes Registered Member

    Joined:
    May 29, 2007
    Posts:
    903
    @ Coldmoon

    Just curious, why do a few of the entries in my Anti-execute white list have blue text while the bulk are in black text?

    At first I assumed it was to highlight newly added entries (a very good idea) but the entries have remained in blue even though I have viewed the list several times and have rebooted the computer a few times since adding them. What am I missing?

    Once again, this is no big deal...just wondering.

    Thanks
     
  6. bman412

    bman412 Registered Member

    Joined:
    Mar 4, 2008
    Posts:
    261
    @Firebytes
    The blue lines indicate items added by the user to the whitelist that are not part of the original list of items from when you clicked Ok after turning on the AE plugin. Sort of a reminder to the user to cross-check when he opens up the AE module again. Once you open up AE and click on Ok, then exit, the list will be updated.

    @Coldmoon
    Can I ask about which file extensions the AE module intercepts? tyvm
     
  7. Firebytes

    Firebytes Registered Member

    Joined:
    May 29, 2007
    Posts:
    903
    I have viewed the white list several times (and clicked OK) since the items were added and they still remain blue, while others that I have added in the past have since changed to black text.
     