Image Execution Control: Why are only .exe files checked?

For both the Normal and Aggressive levels in the Image Execution Control configuration, one of its parameters is:

“Executable files not listed in the File to Check section are excluded”

Getting rid of the negatives to make this a more clear statement would be:

“Only executable files listed in the Files to Check section are checked.”

The only entry in the Files to Check section is the .exe filetype. You really think that is the only executable filetype [that needs to be checked]? How about .com files, or .sys or .bin files, or methods called from DLL files? What does it matter what the filetype is? If there is a header within the file to denote that the file is executable then it doesn’t matter what the file’s extension is. That’s one reason why I never enable the “smart scan” feature in anti-virus software that only checks a limited set of filetypes, because any file can contain executable code. Just because a handler isn’t defined in the registry for a particular filetype doesn’t mean a caller cannot load that file into memory and then do like the loader and pass control to it.

It seems the safe operation would be to instead have a Files to Exclude section. ALL files would have their memory image checked unless they were specifically excluded (and this exclusion list should also use hash values to ensure malware doesn’t slide in and overwrite those files being excluded from the checking).

Although the user can use the Add button to, say, add the “Executables” group of filetypes (which is still checking by extension rather than interrogating the file to see if it is executable), it seems odd that the Executables group isn’t already included as an install-time default.
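The two ideas in the post above (classify by header rather than by extension, and make any exclusion list hash-bound so an overwritten file is checked again) can be shown in a few lines. The following Python is an added illustration written for this thread; it is not code from Comodo or from the poster, and the function names, the “Files to Exclude” dictionary layout and the constructed sample bytes are all assumptions. Only the two signatures a classifier would look at (the DOS “MZ” stub and the “PE\0\0” signature at e_lfanew) are modelled; a real image also has a COFF header and a section table.

```python
import hashlib
import struct


def build_fake_pe(e_lfanew: int = 0x40) -> bytes:
    """Constructed sample, not a real binary: just enough bytes to carry the
    MZ signature, the e_lfanew pointer at offset 0x3C and a PE signature."""
    buf = bytearray(b"MZ")                       # DOS signature at offset 0
    buf.extend(b"\x00" * (0x3C - len(buf)))
    buf.extend(struct.pack("<I", e_lfanew))      # e_lfanew: file offset of "PE\0\0"
    buf.extend(b"\x00" * (e_lfanew - len(buf)))
    buf.extend(b"PE\x00\x00")                    # PE signature
    buf.extend(b"\x64\x86")                      # COFF Machine = 0x8664 (x64)
    buf.extend(b"\x00" * 18)                     # rest of the COFF header, zeroed
    return bytes(buf)


def is_pe_image(data: bytes) -> bool:
    """Decide 'is this executable?' from the header, ignoring the extension."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return False
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)
    # e_lfanew must point inside the file with room for the 4-byte signature;
    # a truncated or deliberately absurd pointer is treated as "not a PE".
    if e_lfanew + 4 > len(data):
        return False
    return data[e_lfanew:e_lfanew + 4] == b"PE\x00\x00"


def sha256(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def classify(name: str, data: bytes, exclusions: dict) -> str:
    """Hypothetical 'Files to Exclude' model: every image that carries an
    executable header is checked unless BOTH its name and its SHA-256 match
    an exclusion entry, so replacing an excluded file re-enables the check.
    Returns one of 'no-pe-header', 'excluded', 'check'."""
    if not is_pe_image(data):
        return "no-pe-header"
    if exclusions.get(name) == sha256(data):
        return "excluded"
    return "check"


if __name__ == "__main__":
    pe = build_fake_pe()
    exclusions = {"trusted.exe": sha256(pe)}   # hash-bound exclusion entry
    samples = [
        ("file.tmp", pe),                       # wrong extension, real header
        ("file.exe", b"just some text"),        # right extension, no header
        ("trusted.exe", pe),                    # matches the exclusion
        ("trusted.exe", pe + b"\x90"),          # same name, overwritten content
    ]
    for name, data in samples:
        print(f"{name:12s} -> {classify(name, data, exclusions)}")
```

Note that the classifier looks at the first 0x40 bytes and the pointed-to signature only, which is cheap enough to apply to every file regardless of name; the extension never enters the decision.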

This is a bit complicated. It IS going to alert for other extensions too. For example “file.tmp” if executed, will be detected. But that section will help you to include all sorts of executable mappings such as DLL, OCX, Sys etc.

So process creations will always be intercepted but other types of image executions for example loading a DLL into the memory etc will not.

To better understand what I mean, you can TEST including “*.dll” there and see the difference. But be careful as the number of popups can be huge.


So with .dll not being included in the Files to Check section, is it expected that the method called from the DLL will already have the calling process (caller) checked?

Sure. But forcing a process to load a DLL is called “hooking a process” and that’s handled separately from Image Execution Control.