Several months ago I was on Faronics' web site looking at some papers in their Content Library. While on the site I checked a couple of the Products pages and noticed on the Anti-Executable (AE) page that some descriptions were missing. One was the reference to 80+ executable file types that AE watches out for. I didn't think about that very much at the time, but recently I had occasion to evaluate this latest edition of AE.

Here are descriptions from the AE2 User Guide followed by that in the AE3 User Guide:

v.2

v.3

Do you notice any difference?

Now, I will attempt to run a non-White Listed program, AstroExp.exe.

First, AE2:

Then, AE3:

Do you notice any difference?

A bit of history. Years ago I became disillusioned with the reliability of Anti-Virus products. An acquaintance got a virus while using AIM. The AV was a reputable one and up to date. Shortly thereafter variants of the viruses were reported, undetected by most AV in the early days.

I began reading different articles and came across the product, Abtrusion Protector. It claimed to verify all executable file types, and any others that tried to install were blocked. That opened the door to the concept of execution protection and White Listing.

Another product that was more interesting was FreezeX - the predecessor of Anti-Executable. I installed an evaluation version of it and emailed Faronics Support with loads of questions. I was put in contact with the project manager and he informed me that they were phasing out FreezeX for a better product, Anti-Executable. It had just come out of Beta Testing and wasn't scheduled to be released for a couple of more weeks, but he was happy to send me a copy to evaluate. I thanked him and told him that I was also interested in Process Guard.

While I didn't evaluate Process Guard, I was following with interest the discussions on the forum here at Wilders. Especially the long thread on rundll32.exe.
Everyone was unsure how to configure it:

• Let it run all of the time:
• Let it run once:

I decided I didn't want any part of having to make decisions as to what to allow. The problem, as I saw it, was not with rundll32 but with the file it executes. I wrote the AE Project Manager about this, and questioned him about one part of the AE tutorial video they had at that time:

Of course, I shortly learned that it blocks all unauthorized executable file types. From the AE2 User Manual:

So, AE2 it was.

So what has changed in AE3? No longer does AE watch over all file types, rather, it selects just five. To its credit, AE retains some type of code analysis, because I changed several EXE types to BGT, TMP, and they were blocked. So spoofing of EXE still doesn't get by AE.

But what about rundll32 and the executable file types that it handles? Here is a CPL - a Control Panel Applet. With AE3 installed with NO White List configured, it will prompt when any EXE attempts to run:

Now, an AE user is put in the same predicament as one with Process Guard. AE has changed from Default-Deny to Prompt-for-decision. In the configuration, you can designate "External" users (those not trusted nor Administrator) so that they cannot allow. That is fine for a multi-user workstation. But for a single-user as Administrator, you have to make a decision. The only one is, of course, to put rundll32 on the White List. Otherwise you will be prompted all of the time. Search in the Registry for rundll32 and see how much it is used.

AE2 on the other hand doesn't care anything about rundll32 as long as it opens an authorized (White Listed) file. Otherwise it blocks:

AE3 watches the application. The same as Process Guard (PG). AE2 watches the file. Big difference in approach. Of course, PG is an early prototype of HIPS and does more things. AE is interested only in blocking unauthorized executables.

Continued next Post.
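
Added example, not part of the original post and not Faronics' code: a simplified model of the two approaches contrasted above, an allowlist keyed on the files involved versus one keyed on the launching application, applied to rundll32 command lines. The allowlists, sample command lines and function names are constructed for illustration, and files are matched by name only, where a real product would identify them by content.

```python
import ntpath

# Constructed allowlists (assumptions for illustration, matched by file name only).
ALLOWED_FILES = {"rundll32.exe", "shell32.dll", "desk.cpl"}  # file-centric list
ALLOWED_APPS = {"rundll32.exe"}                              # application-centric list

# Constructed sample command lines (no spaces in paths, to keep parsing simple).
SAMPLES = [
    r"C:\Windows\System32\rundll32.exe shell32.dll,Control_RunDLL C:\Windows\System32\desk.cpl",
    r"C:\Windows\System32\rundll32.exe shell32.dll,Control_RunDLL C:\Temp\unknown.cpl",
]

def loaded_files(cmdline):
    """Return the host image plus every file a rundll32 command line names."""
    tokens = cmdline.split()
    host = ntpath.basename(tokens[0]).lower()
    files = [host]
    if host == "rundll32.exe" and len(tokens) > 1:
        # First argument has the form <module>,<entrypoint>.
        module = tokens[1].split(",", 1)[0]
        files.append(ntpath.basename(module).lower())
        # Control_RunDLL receives the applet path as a later argument.
        for arg in tokens[2:]:
            name = ntpath.basename(arg.strip('"')).lower()
            if name.endswith((".cpl", ".dll")):
                files.append(name)
    return files

def file_centric(cmdline):
    """Default-deny on the file: every file involved must be allowlisted."""
    blocked = [f for f in loaded_files(cmdline) if f not in ALLOWED_FILES]
    return ("block", blocked) if blocked else ("allow", [])

def app_centric(cmdline):
    """Decision keyed only on the launching application; unknown apps prompt."""
    host = ntpath.basename(cmdline.split()[0]).lower()
    return "allow" if host in ALLOWED_APPS else "prompt"

if __name__ == "__main__":
    for line in SAMPLES:
        print(file_centric(line), app_centric(line), line)
```

In this model, once rundll32.exe is on the application list the second sample is allowed even though the applet it opens is not an authorized file, while the file-centric check blocks it.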