For both the Normal and Aggressive levels in the Image Execution Control configuration, one of its parameters is:
“Executable files not listed in the File to Check section are excluded”
Getting rid of the negatives to make this a more clear statement would be:
“Only executable files listed in the Files to Check section are checked.”
The only entry in the Files to Check section is the .exe filetype. You really think that is the only executable filetype [that needs to be checked]? How about .com files, or .sys or .bin files, or methods called from DLL files? What does it matter what the filetype is? If there is a header within the file to denote that the file is executable, then it doesn’t matter what the file’s extension is. That’s one reason why I never enable the “smart scan” feature in anti-virus software that only checks a limited set of filetypes, because any file can contain executable code. Just because a handler isn’t defined in the registry for a particular filetype doesn’t mean a caller cannot load that file into memory and then do what the loader does and pass control to it.
It seems the safe operation would be to instead have a Files to Exclude section. ALL files would have their memory image checked unless they were specifically excluded (and this exclusion list should also use hash values to ensure malware doesn’t slide in and overwrite those files being excluded from the checking).
Although the user can use the Add button to, say, add the “Executables” group of filetypes (which is still checking by extension rather than interrogating the file to see if it is executable), it seems odd that the Executables group isn’t already included as an install-time default.
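The two ideas in the post above (decide by file header rather than extension, and pin any exclusion to a hash so an overwritten file stops being excluded) as an added example. This is not code from the original post or from the product being discussed; the check looks for a PE image header ("MZ" DOS stub plus "PE\0\0" at the offset stored in e_lfanew) and, for illustration, an ELF header too, and the sample files are constructed in memory.

```python
"""Extension-independent executable detection plus a hash-pinned exclusion list.

Added example, not part of the original forum post and not the vendor's code.
Assumed design: decide "is this an executable image?" from the file header
(PE: 'MZ' DOS stub + 'PE\0\0' at e_lfanew), never from the file extension,
and exclude a file only while its SHA-256 matches a pinned value.
"""
import hashlib
import struct
from typing import Optional

PE_SIGNATURE = b"PE\x00\x00"


def is_pe_image(data: bytes) -> bool:
    """True if data carries a PE image header, regardless of file name."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return False
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)   # offset of the PE header
    # e_lfanew must point inside the buffer and the signature must follow it
    if e_lfanew + len(PE_SIGNATURE) > len(data):
        return False
    return data[e_lfanew:e_lfanew + len(PE_SIGNATURE)] == PE_SIGNATURE


def is_elf_image(data: bytes) -> bool:
    """True if data starts with the ELF magic (added for contrast with PE)."""
    return data[:4] == b"\x7fELF"


def image_kind(data: bytes) -> Optional[str]:
    """Classify by header only: 'PE', 'ELF' or None."""
    if is_pe_image(data):
        return "PE"
    if is_elf_image(data):
        return "ELF"
    return None


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def build_pe_sample(extra: bytes = b"") -> bytes:
    """Construct a minimal buffer that passes the PE header check (demo data)."""
    header = bytearray(b"MZ" + b"\x00" * 0x3E)   # 0x40-byte DOS header
    struct.pack_into("<I", header, 0x3C, 0x40)    # e_lfanew -> 0x40
    return bytes(header) + PE_SIGNATURE + b"\x00" * 20 + extra


# Constructed sample files: name -> content (names chosen to show that the
# extension tells you nothing about whether the content is an image).
SAMPLES = {
    "report.dat": build_pe_sample(),          # executable behind a data extension
    "readme.txt": b"Just some notes.\n",
    "driver.sys": build_pe_sample(b"sys"),    # driver image, not an .exe
    "empty.exe":  b"this is not really an executable",
}


def decide(name: str, data: bytes, excluded_hashes: set) -> str:
    """Return 'check', 'excluded-by-hash' or 'not-an-image' for one file."""
    if image_kind(data) is None:
        return "not-an-image"
    # Exclusion is keyed on content, so an overwritten file is checked again.
    if sha256_hex(data) in excluded_hashes:
        return "excluded-by-hash"
    return "check"


def run_demo() -> dict:
    """Classify every sample, then show what happens to a tampered excluded file."""
    excluded = {sha256_hex(SAMPLES["driver.sys"])}   # hash-pinned exclusion
    results = {n: decide(n, d, excluded) for n, d in SAMPLES.items()}
    # Simulate malware overwriting the excluded driver: the hash no longer matches.
    tampered = SAMPLES["driver.sys"] + b"\x90"
    results["driver.sys (tampered)"] = decide("driver.sys", tampered, excluded)
    return results


if __name__ == "__main__":
    for name, verdict in run_demo().items():
        print(f"{name:24s} {verdict}")
```

Running it, `report.dat` and the tampered `driver.sys` come back as `check`, the untouched `driver.sys` as `excluded-by-hash`, and `readme.txt` and the mislabelled `empty.exe` as `not-an-image`; a real product would of course do the header inspection on the memory image it is about to allow to execute rather than on a buffer, but the decision logic is the same.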