UVK Help

UVK Help - Execute Prevent


This module can be accessed by pressing the Execute Prevent button, in the System Immunization section.

Execute Prevent overview

The new Execute Prevent UVK feature provides you with a new level of protection against viruses. It works by adding a few Software Restriction Policies directly to the Windows registry. In turn, these policies prevent running files in specific directories, and optionally their sub directories.

The policies set by Execute prevent disallow running the different types of executable files (.exe, .com, .pif, etc.), command line scripts (.bat, .cmd), VB scripts (.vb), regedit scripts (.reg) and also shortcuts (.lnk).

Even if you have good malware/spyware protection software, you know you're not totally protected. New viruses are often ignored by anti-virus programs because they are not yet present in the virus signatures databases. Execute prevent ensures that if the viruses are not detected, at least they will not be executed.

Execute Prevent is easy to set up, can be kept enabled even if you uninstall UVK, and doesn't use any system resources. Also, unlike other similar tools, Execute prevent creates very few policy keys. For instance, to immunize the whole user profile folder for all users (including sub directories), it creates fewer than 20 policy registry keys, including the exceptions' keys.

Malware usually hides itself in sub directories of the Application data folders, and also in other user related directories. Sometimes it also hides in the Fonts folder (C:\Windows\Fonts) or in hidden sub directories of the recycle bin folder, because Windows Explorer will not show their files there. Execute prevent has presets that automatically add the paths of those folders to the Locked items list, providing a very quick setup. This way, even if you get infected, you're not really infected, because the infected files can not be executed.

So, now you may be thinking: But if those policies also block shortcuts, won't they block the ones in the Start menu and desktop folders?

That's when the exclusions come in. Excluded paths have priority over the locked ones, meaning you can lock a parent directory, including sub folders, and unlock the child folders and files you want. Execute prevent automatically adds exclusions for the folders where users usually have executable files and shortcuts, such as the Start menu and All programs folders. It also automatically excludes system related paths such as the temporary folders and Internet Explorer's cache folder, ensuring you remain able to install/uninstall programs, or run downloaded files.

Take a good tour through this help page to fully understand how it works.

Configuring Execute Prevent

To set up Execute prevent, all you really need to do is select the desired preset in the Execute Prevent settings tab and press Save & Apply. This means you can set up Execute prevent with just a few clicks/taps.

Below is the full description of each preset and option:

Main settings:

Disable Execute prevent: Remove all the policies. To quickly remove all locked and excluded paths, just select this option and press Save & Apply.

Enable Execute prevent only for the paths you specify in the Locked and Excluded items lists: Select this option if you want to define the paths to lock and exclude yourself. Use the Locked items list and Excluded items list tabs to add the desired paths, and press Save & Apply.

Enable Execute prevent for the Application data folders: This option will disallow running files in the Local and Roaming Application data folders, and sub directories. If Enable Execute prevent for all users is checked, the restrictions will be effective for all users. Otherwise they will be applied only for the current user. Commonly used folders are automatically excluded.

Enable Execute prevent for the whole user profile: This option will disallow running files in any folder belonging to the user profile. If Enable Execute prevent for all users is checked, the restrictions will be effective for all users. Otherwise they will be applied only for the current user. Commonly used folders are automatically excluded.

Additional directories (recommended): 

Fonts folder: Restrict running files in the Fonts folder (%Windir%\Fonts).

Recycle bin folder: Restrict running files in the recycle bin folder. Each user is granted a recycle bin folder, which is a sub directory of C:\Recycler on XP, and of C:\$Recycle.bin on Vista and higher. If Enable Execute prevent for all users is checked, the restrictions will be effective for all users.

Common Application data: Restrict running files in the common application data folder (usually C:\ProgramData).

Public profile: Restrict running files in the public profile folder (usually C:\Users\Public).

Note: Important sub directories are automatically excluded, such as the Public desktop, and the Common Start menu folders.

Excluded paths: 

Desktop folders: Allow running files in the User's desktop folder (usually %USERPROFILE%\Desktop).

Downloads folder: Allow running files in the User's Downloads folder (usually %USERPROFILE%\Downloads).

Documents folder: Allow running files in the User's Documents folder (usually %USERPROFILE%\Documents).

Note: These options will only be available for the "Enable Execute prevent for the whole user profile" preset. You don't need these policies for the other presets.

Additional options: 

Enable Execute Prevent for all users: Select this option if you wish to enable the selected preset for all users.

Locked items list

The Locked items list shows the restricted paths currently waiting to be applied. Remember: These are the paths where files can not be executed.

The paths corresponding to the selected preset are shown in the top group of the list, and can not be edited or deleted.

Any paths you have added yourself are shown in the bottom group. You can add more paths to this group, and delete or edit the existing ones.

To add a file path, press the Add file path button. To add a directory path, press the Add folder path button. To edit an existing path, select it in the list, and then press the Edit selected button. A small dialog box will be displayed, similar to the screenshot below, which will help you to set up the desired path.

[Screenshot: Add execute prevent path]

The picture above illustrates how to add the path of a known malware folder. You can use this feature to prevent the execution of any malware whose location you know. The path does not need to exist. Obviously you wouldn't want to block the root of system paths such as the Program files or the Windows folders and all their sub directories. Be careful with that. If you don't know which paths to add, just don't add any paths.

Checking Use environment strings will make the paths you define work for all users, and in any system, so you may want to use this feature.

Check Include sub directories if you want to disallow running files in the selected folder and all its sub folders. Uncheck it if you only want to block this folder and leave sub directories unlocked. This option is not valid for file paths, obviously.

When you have correctly set up your new path, press Save. You can see your new path in the Locked items list. Press Save & Apply to add the new path(s) to the software restriction policies.

Press Cancel if you wish to cancel the operation instead.

Excluded items list

The Excluded items list shows the unrestricted paths currently waiting to be applied. Remember: These are the paths where files CAN be unconditionally executed.

The paths corresponding to the selected preset are shown in the top group of the list, and can not be edited or deleted.

Any paths you have added yourself are shown in the bottom group. You can add more paths to this group, and delete or edit the existing ones.

To add a file path, press the Add file path button. To add a directory path, press the Add folder path button. To edit an existing path, select it in the list, and then press the Edit selected button. A small dialog box will be displayed, similar to the screenshot below, which will help you to set up the desired path.

[Screenshot: Edit execute prevent path]

The picture above illustrates how to add a path you may need to unlock if you use the Enable Execute prevent for the whole user profile preset. The path does not need to exist.

Checking Use environment strings will make the paths you define work for all users, and in any system, so you may want to use this feature.

Check Include sub directories if you want to allow running files in the selected folder and all its sub folders. Uncheck it if you only want to unlock this folder and leave sub directories untouched. This option is not valid for file paths, obviously.

When you have correctly set up your new path, press Save. You can see your new path in the Locked items list. Press Save & Apply to add the new path(s) to the software restriction policies.

Press Cancel if you wish to cancel the operation instead.

List affected files

Once you have configured your disallowed and unrestricted paths, you can check out which files will be blocked. To do so, press the List affected files button, in the Execute prevent settings tab. Execute prevent will start searching your system for affected files.

When the scan is complete, Execute prevent's interface will look like the screenshot below.

[Screenshot: List affected files]

The list shows the files affected (blocked) by the selected preset and additional paths. If you want to exclude some of the paths, tick the corresponding check marks and press Exclude checked. This will automatically add the selected files to the exclusions list, meaning the selected files will be allowed to be executed.

You can also right-click the items in the list. A menu with four options will pop up:

Open file location: Open the selected file's location in Windows Explorer. The same as simply double-clicking the item in the list.

Exclude parent folder: Clicking this menu item will add the parent folder of the selected file to the exclusions list. Useful to quickly unrestrict all files in a folder.

Check all: Check all the files in the list.

Check none: Uncheck all the files in the list.

The Use environment strings when excluding checkbox in the lower status bar defines whether to use environment strings for the excluded paths. Using environment strings will make the new exclusions work for all users.

Once you have excluded all the desired items, press Close to return to the normal Execute prevent interface.

Saving and applying

Like most UVK settings, the Execute Prevent settings and custom paths can be saved to an ini file, which can be loaded by the UVK setup and portable packages, allowing you to easily transfer the settings to another PC. After you save your Execute Prevent settings and paths, go to the Options section, and export the settings to an ini file.

Press Save only if you wish to save your Execute Prevent settings and paths, but you do not want to apply them immediately.

Press Save & Apply if you wish to apply your Execute Prevent settings and paths. All settings and paths are saved before they are applied.

Press Close/Cancel to close the Execute prevent window.
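
Because the policies stay in the registry even if UVK is uninstalled, it is useful to be able to list them without UVK. The read-only PowerShell script below is an added example, not part of UVK or of the original help page. It assumes the rules are stored in the standard Windows Software Restriction Policies location (Safer\CodeIdentifiers), which this page does not state explicitly.

```powershell
# Read-only audit of Software Restriction Policy path rules.
# Assumption: the rules live under the standard Windows SRP key
# (...\Safer\CodeIdentifiers); the help page does not name the key UVK writes.
$levels = @{ '0' = 'Disallowed (locked)'; '262144' = 'Unrestricted (excluded)' }
$roots  = @(
    'HKLM:\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers',  # machine-wide
    'HKCU:\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers'   # current user
)
# Read paths as stored, so environment strings such as %APPDATA% stay visible.
$noExpand = [Microsoft.Win32.RegistryValueOptions]::DoNotExpandEnvironmentNames

$rules = foreach ($root in $roots) {
    if (-not (Test-Path -LiteralPath $root)) { continue }
    foreach ($level in $levels.Keys) {
        $pathsKey = "$root\$level\Paths"
        if (-not (Test-Path -LiteralPath $pathsKey)) { continue }
        # Each path rule is a GUID-named subkey; its ItemData value holds the path.
        foreach ($key in Get-ChildItem -LiteralPath $pathsKey) {
            $raw = $key.GetValue('ItemData', $null, $noExpand)
            if ($null -eq $raw) { continue }
            [pscustomobject]@{
                Scope    = $root.Substring(0, 4)
                Level    = $levels[$level]
                Path     = $raw
                Expanded = [Environment]::ExpandEnvironmentVariables($raw)
                RuleId   = $key.PSChildName
            }
        }
    }
}

$rules | Sort-Object Scope, Level, Path | Format-Table -AutoSize -Wrap
"{0} path rule(s) found" -f @($rules).Count

# File types the policy treats as executable (REG_MULTI_SZ), if defined.
foreach ($root in $roots) {
    $types = (Get-ItemProperty -LiteralPath $root -Name ExecutableTypes -ErrorAction SilentlyContinue).ExecutableTypes
    if ($types) { "{0} ExecutableTypes: {1}" -f $root.Substring(0, 4), ($types -join ', ') }
}
```

Run it after Save & Apply and compare the Disallowed and Unrestricted rows with the Locked items and Excluded items lists. A rule that appears in the registry but in neither list was not created from the current Execute Prevent settings.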

Copyright Carifred © 2010 - 2024, all rights reserved.