ssj100 Security Forums

Returnil's anti-execution component

4 posters



Post by ssj100 19/7/2010, 19:04

It appears that Returnil will only block executables not already on the REAL system. Therefore, wouldn't malware potentially be able to use "scripting" executables to bypass this component and infect the REAL system (like those rootkits)? What I mean is, if you don't block e.g. command prompt execution or vbscript execution, wouldn't this leave a hole that could be exploited?

This was one reason why I stopped using Faronics Anti-Executable version 2 - you couldn't control it to prevent e.g. command prompt or other scripting executables. In version 3, they allowed this control.

Post by Buster_BSA 22/7/2010, 01:35

The question is that command prompt will not run spontaneously; there must be code that executes it. What code? A program.

Therefore, if the program was not already on the real system, it will be unable to run command prompt because the AE will not allow the program to run.

The same can be applied to vbscript or whatever.

Another question is exploits. A trusted application (let's say Firefox) could be exploited to run command prompt or vbscript, but it's also possible that Firefox doesn't use command prompt to perform malicious actions.

Conclusion: Blocking executables not already on the real system is not a bad solution, but it is indeed better if the security solution can be configured, allowing custom whitelists of software that can run.


Post by ssj100 22/7/2010, 02:38

Yes, I suppose I was thinking more on the possibility of an application already on the REAL system running a scripting executable (through cmd.exe or cscript.exe etc) - I don't think a specific exploit of the browser is required to do this, since it's just calling an executable?

Perhaps an example is with .bat files - I can run these types of files simply by double clicking on them and Returnil does nothing to stop their execution. What's to stop a website from running a (malicious) script that is in the form of a .bat file via a "drive-by"?

I think your conclusion is spot on. Microsoft's SRP/AppLocker is a good example of such a system-wide solution. And they (must) have good reason to block scripting execution by default (although it's probably more related to the fact SRP/AppLocker is restrictive even to someone who has physical access to the system and doesn't know the Admin password).

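The gap the two posts above describe (Buster_BSA's point that a program must launch cmd.exe, and ssj100's double-clicked .bat that the AE lets through because cmd.exe is already on the real system) can be shown with a small policy evaluator. This is an added example, not code from the thread or from Returnil; the baseline set, the script-host list and the process-creation events are constructed, and the script-aware policy is only an approximation of what SRP/AppLocker script rules do.

```python
"""Added example (not from the thread or Returnil): an allow list that only
checks the executable image passes any script handed to a trusted
interpreter; a script-aware policy applies the same list to the script."""
import shlex
from pathlib import PureWindowsPath

# Constructed baseline: images present on the real system at snapshot time.
BASELINE = {
    r"c:\windows\system32\cmd.exe",
    r"c:\windows\system32\cscript.exe",
    r"c:\windows\system32\wscript.exe",
    r"c:\program files\mozilla firefox\firefox.exe",
    r"c:\program files\vendor\maint.bat",  # a legitimately installed script
}
SCRIPT_HOSTS = {"cmd.exe", "cscript.exe", "wscript.exe"}  # run what they are given
SCRIPT_EXTS = {".bat", ".cmd", ".vbs", ".js", ".wsf"}

def _norm(path):
    return str(PureWindowsPath(path)).lower()

def image_only(image, cmdline):
    """The AE behaviour discussed above: known image => allow, else block."""
    return "allow" if _norm(image) in BASELINE else "block"

def script_aware(image, cmdline):
    """Known image, and if it is a script host, the script must be known too."""
    if _norm(image) not in BASELINE:
        return "block"
    if PureWindowsPath(image).name.lower() not in SCRIPT_HOSTS:
        return "allow"
    for tok in shlex.split(cmdline, posix=False)[1:]:
        tok = tok.strip('"')
        if tok.startswith("/"):          # switch such as /c or //nologo
            continue
        if PureWindowsPath(tok).suffix.lower() in SCRIPT_EXTS:
            return "allow" if _norm(tok) in BASELINE else "block"
    return "allow"  # interactive shell or inline command: no script file given

# Constructed process-creation events: (image path, command line).
EVENTS = [
    (r"C:\Windows\System32\cmd.exe", r'cmd.exe /c "C:\Users\bob\Downloads\payload.bat"'),
    (r"C:\Windows\System32\cscript.exe", r"cscript.exe //nologo C:\Users\bob\AppData\Local\Temp\drop.vbs"),
    (r"C:\Windows\System32\cmd.exe", r'cmd.exe /c "C:\Program Files\Vendor\maint.bat"'),
    (r"C:\Users\bob\Downloads\setup.exe", r"setup.exe /silent"),
]

def evaluate(events=EVENTS):
    """Return (image_only, script_aware) verdicts for each event, in order."""
    return [(image_only(i, c), script_aware(i, c)) for i, c in events]
```

The first two events are the hole in the thread: the image-only policy allows them because cmd.exe and cscript.exe are on the baseline, while the script-aware policy blocks the unknown .bat and .vbs but still allows the installed maint.bat.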

Post by noorismail 22/7/2010, 22:58

It has been a while, but I am almost certain the AE module in Returnil 2008 was basically a ProcessGuard-type affair, with a learning period, that allowed you to selectively block.

Post by Coldmoon 31/7/2010, 04:36

Hi noorismail,
In 2008 it was a fragmented affair using configurable utilities provided as additional tools. This addition over RVS 2007 was to address the circumventors like the dog Trojans, Killdisk variants, etc. In Labs and 2010 it was simplified to trust or not trust to address the requirements of our customers in Public Access and cafe scenarios.

RVS 2010 and RSS 2011 share access to server side analysis of malware which is used to improve detections and reduce false positives. In the RSS series this will also include white listing as we go forward.

Mike


Post by noorismail 31/7/2010, 05:52

Thank you for the explanation Mike.
I know Returnil never tried to hawk the anti-executable as being more than it was intended to be, protection from the Dog Class trojans. If I remember, limited user account was also suggested.

Still, I found it to be a comforting presence, and really the lightest anti-executable I have used.
(well, other than SRP and Sandboxie start/run access settings)