Configuring Malware Defender The Easy Way


arran
September 6th, 2009, 11:46 AM
OK, here are the instructions that everyone was asking about before. This is a ZERO POPUP setup, making it more user friendly. There are probably other MD users who already know about this. With this strategy of my setup you can have some apps locked down while at the same time having other apps in learning mode with zero popups. The main advantage of this is being able to install new apps and install updates with zero popups, without compromising system security by having to disable MD and put everything back in learning mode. MD is the only HIPS that I know of that allows you to do this. It's quite simple really.

After you first install MD, tick these 2 boxes shown in the screenies below.

[screenshot attachment 211934]
[screenshot attachment 211935]

Then in the default applications create a new group called Locked Down Apps or something similar, like I have done below.

[screenshot attachment 211936]

Then set all rules to Deny except for the bottom 2, like I have done below.

[screenshot attachment 211937]

OK, so that's the setup. When apps first appear you will notice that by default they all have their rules set to Ignore. Do NOT change them; leave them all on Ignore for every app. When you feel each app has had enough time in training mode, simply move each app one by one into the Locked Down Apps group. MD won't permit and create rules for apps in the locked down group. Any permit rules which were not created during the app's training period will be denied by default and logged inside the locked down folder.

arran
September 6th, 2009, 11:49 AM
BLOCKING ALL OTHER UNKNOWN EXECUTABLES AND SCRIPT EXECUTABLES FROM RUNNING.
Select Deny in both boxes shown below. If you install new apps after this, to allow them to run you will need to add them to the whitelist by selecting New Rule, Application Rule and setting it up in there. Or you can go into the logs and right-click, Create Permit Rule. The Create New Process setting is to deny all apps in training, as well as all system apps, from creating any process.

[screenshot attachment 211939]

You will notice that by default, like in the screenie below, in each system app Child Process is set to Ignore.
DO NOT change that, because if you set it to Ask or Permit they will be able to execute new processes, which is what we don't want.
It's kind of interesting how xiaolin has set these to default Ignore.

[screenshot attachment 211940]

Now nothing else can execute and run.

wat0114
September 6th, 2009, 12:41 PM
Hi arran,

Thanks for the info. It's been a long time since I last used MD extensively, so I've got it installed in VBox and am playing about with it, trying to jog my memory. The rules you've applied to your "Locked Down Apps" folder are fine as long as the individual apps within that folder do not have rules that contradict those of the folder, because those apps' rules take precedence over the folder's. It is all part of the rules processing hierarchy MD uses, working from the bottom (beginning with the "Application Rules - System" rules first). Rules applied to individual applications take precedence over the rules applied to the Group folder those applications reside in. Otherwise, your setup may work fine.

arran
September 6th, 2009, 01:17 PM
-{ Quote: "Hi arran,

The rules you've applied to your "Locked Down Apps" folder are fine as long as the individual apps within that folder do not have rules that contradict those of the folder, because those apps' rules take precedence over the folder's. It is all part of the rules processing hierarchy MD uses, working from the bottom (beginning with the "Application Rules - System" rules first). Rules applied to individual applications take precedence over the rules applied to the Group folder those applications reside in. Otherwise, your setup may work fine." }-

Yeah, true, MD works from the bottom going up. The individual apps inside the locked down folder will only have either "Ignore" or "Permit". If it is Permit then the action will be permitted. If it is Ignore then it goes up to the locked down folder rules, which is Deny.

The permit rules are the ones MD created automatically while the individual app was in training mode.

Scoobs72
September 6th, 2009, 01:28 PM
Hi arran, how is your approach significantly different from just running MD in silent mode, with all denied actions logged so you can just create a permit rule if you need to? Thx

arran
September 6th, 2009, 01:38 PM
-{ Quote: "Hi arran, how is your approach significantly different from just running MD in silent mode, with all denied actions logged so you can just create a permit rule if you need to? Thx" }-

Because you can't have any apps in training mode while MD is set to silent mode.

wat0114
September 6th, 2009, 02:24 PM
-{ Quote: "Yeah, true, MD works from the bottom going up. The individual apps inside the locked down folder will only have either "Ignore" or "Permit". If it is Permit then the action will be permitted. If it is Ignore then it goes up to the locked down folder rules, which is Deny.

The permit rules are the ones MD created automatically while the individual app was in training mode." }-

That should be fine then, as long as the individual app's permit rules don't contradict those of the Group folder's rules.

-{ Quote: "The individual apps inside the locked down folder will only have either "Ignore" or "Permit". If it is Permit then the action will be permitted. If it is Ignore then it goes up to the locked down folder rules, which is Deny." }-

To get a better understanding, I did some experimenting and this looks to be correct. If the individual app has "Ask" while MD is in learning mode, it will automatically get changed to "Permit" if that particular action is attempted by the app.
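The rule hierarchy arran and wat0114 describe above, as an added example that is not Malware Defender's code: an app's own rule wins, Ignore falls through to the group the app sits in, a group Deny is honoured and logged even in learning mode, and learning mode writes a Permit rule into the app. The action names, and prompting the user when nothing resolves in normal mode, are assumptions made for illustration.

```python
# Added example: a small model of the Malware Defender (MD) rule hierarchy as
# described in this thread. It is NOT MD's code. Modelled from the posts:
#   1. an app's own rule is checked before its group's rule;
#   2. "Ignore" falls through to the rules of the group the app sits in;
#   3. a group "Deny" is honoured (and logged) even while MD is learning;
#   4. in learning mode an action that ends at "Ask" or unresolved gets an
#      automatic "Permit" rule written into the app itself.
# The action names and the prompt-on-unresolved behaviour in normal mode are
# assumptions; MD's real rule tabs are not reproduced here.
from dataclasses import dataclass, field

PERMIT, DENY, ASK, IGNORE = "Permit", "Deny", "Ask", "Ignore"
ACTIONS = ("create_process", "write_registry", "network_out", "load_driver")


@dataclass
class Group:
    name: str
    rules: dict  # action -> verdict; acts as a template for its members


@dataclass
class App:
    name: str
    group: Group
    # new apps appear with every rule on Ignore, as the first post notes
    rules: dict = field(default_factory=lambda: {a: IGNORE for a in ACTIONS})


@dataclass
class Hips:
    learning: bool = False
    log: list = field(default_factory=list)

    def decide(self, app: App, action: str) -> str:
        # 1. the app's own rule takes precedence over its group's rule
        verdict, level = app.rules.get(action, IGNORE), "app"
        if verdict == IGNORE:
            # 2. Ignore falls through to the group the app lives in
            verdict, level = app.group.rules.get(action, IGNORE), "group"
        if verdict in (ASK, IGNORE):
            if self.learning:
                # 4. training mode: MD writes a Permit rule into the app itself
                app.rules[action] = PERMIT
                verdict, level = PERMIT, "learned"
            else:
                verdict = ASK  # assumption: unresolved actions prompt the user
        if verdict == DENY:
            # 3. denied actions are logged, whichever level denied them
            self.log.append(f"{app.name}: {action} denied by {level} rule")
        return verdict


def locked_down_workflow():
    """arran's workflow: train an app, then move it into the locked-down group."""
    training = Group("Default Applications", {a: IGNORE for a in ACTIONS})
    locked = Group("Locked Down Apps", {a: DENY for a in ACTIONS})
    hips = Hips(learning=True)
    editor = App("editor.exe", training)  # constructed sample app
    # during training the app only ever writes the registry and spawns a child
    for action in ("write_registry", "create_process"):
        hips.decide(editor, action)
    editor.group = locked  # "move" the app: its learned Permit rules stay put
    verdicts = {a: hips.decide(editor, a) for a in ACTIONS}
    return verdicts, list(hips.log)


def security_group_inherits():
    """A group with every permission on Permit: members left on Ignore inherit
    it, and no per-app permit rules get learned for them."""
    security = Group("Security Apps", {a: PERMIT for a in ACTIONS})
    hips = Hips(learning=True)
    scanner = App("scanner.exe", security)  # constructed sample app
    verdicts = [hips.decide(scanner, a) for a in ACTIONS]
    return verdicts, dict(scanner.rules)


def ask_rule_blocks_inheritance():
    """arran's caveat: an app with an explicit Ask rule does not inherit the
    group's Permit for that action (normal mode, so it would prompt)."""
    security = Group("Security Apps", {a: PERMIT for a in ACTIONS})
    hips = Hips(learning=False)
    tool = App("tool.exe", security)  # constructed sample app
    tool.rules["network_out"] = ASK
    return hips.decide(tool, "network_out"), hips.decide(tool, "write_registry")


if __name__ == "__main__":
    verdicts, log = locked_down_workflow()
    print(verdicts)  # learned actions stay Permit, everything else is Deny
    print(log)
    print(security_group_inherits())
    print(ask_rule_blocks_inheritance())
```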

Peter2150
September 6th, 2009, 05:43 PM
I have to play around with this, but another excellent concept from Arran for sure.

Thanks so much,


Pete

Boost
September 6th, 2009, 05:54 PM
:thumb: Will try this setup out~!

arran
September 6th, 2009, 06:54 PM
To tidy up my main default app training mode list, I also create another folder called Security Apps with all permissions set to Permit, and move all my security programs in there. Less work for MD to do, because permit rules won't be automatically created for each security app; all actions will automatically be permitted so that each security app can perform properly with no conflict issues.

Peter2150
September 6th, 2009, 07:27 PM
Hi Arran

Are you saying you can give the folder all permissions, and then whatever you put there, inherits those permissions?

Pete

arran
September 6th, 2009, 07:37 PM
-{ Quote: "Hi Arran

Are you saying you can give the folder all permissions, and then whatever you put there, inherits those permissions?

Pete" }-


Yes, whatever app is inside a folder inherits the folder permissions, PROVIDING each individual app's rules are set to Ignore. If any individual apps have Ask rules on them then they will not inherit the folder permissions.

Peter2150
September 6th, 2009, 11:13 PM
-{ Quote: "Yes, whatever app is inside a folder inherits the folder permissions, PROVIDING each individual app's rules are set to Ignore. If any individual apps have Ask rules on them then they will not inherit the folder permissions." }-

Hmm. I am slowly beginning to realize just how powerful this is. Wow.

Pete

1boss1
September 7th, 2009, 09:51 AM
-{ Quote: "Hmm. I am slowly beginning to realize just how powerful this is. Wow.

Pete" }-

Too powerful in fact; I got lost on step 3 and couldn't even create a folder called "Locked Down Apps" or "Security Apps" and had to reset everything, lol.

I don't think I could ever use this for protection; even after 3 months these rules etc. are all well beyond me. But if you work out how to use it, I don't think much would come close in terms of protection.

Peter2150
September 7th, 2009, 09:56 AM
Hi Arran

Another question. My trusted folder has all the permissions allowed, which of course makes sense. I am sure most of the programs contained in it have rules, which is fine.

Now I am going to install a new piece of software which comes from a trusted source and is completely trusted.

A) If I can run the installer in the trusted folder, would that eliminate the pop-ups of installing, and B) how would I do that? Didn't see an easy way offhand.

Thanks,

Pete

PS, this thread has been added to the sticky recommendations .

cqpreson
September 7th, 2009, 10:10 AM
Wow,so cool.

In my opinion, using learning mode and running all applications once, then letting MD establish rules, finally modifying them. In this way, we can set the right rule for each application. But this way is so cockamamie. Your approach is to set some groups, and put similar applications into those groups. It is good :), thank you.

demoneye
September 7th, 2009, 10:22 AM
@peter

I did try to install fresh software to the "all permit" group but pop-ups appear. Let's ask arran this; maybe there is a way :D

My question is the same as Peter's. Can you make a new software install without any pop-ups? Also without disabling MD, that's the point.

cheers

cqpreson
September 7th, 2009, 10:32 AM
In my mind, MD doesn't have a mode which is like Comodo's installing mode.

demoneye
September 7th, 2009, 10:36 AM
@arran

Nice post you made. I've got some to add maybe: you can add this rule to the "lock down apps" of yours, because without it, outbound communication can be done without your knowing.
Also another remark: in "lock apps" you can't add your browser (Firefox crashes in my case). Actually I don't think using the "lock folder" method is good; only using "security apps" and letting all "permit" is wise.

cheers

apathy
September 7th, 2009, 01:53 PM
I've been waiting for a good ruleset to be designed. Time to install MD on my Win 7 box. BTW, is there a method to lock down all access to the internet and allow only select apps, or is that something that already exists?

demoneye
September 7th, 2009, 03:28 PM
-{ Quote: "I've been waiting for a good ruleset to be designed. Time to install MD on my Win 7 box. BTW, is there a method to lock down all access to the internet and allow only select apps, or is that something that already exists?" }-

Look at my comment above your post; it's the key for doing it :)

Move all applications you trust to "trusted application" and edit it, add the line in the picture and all set ;)

arran
September 7th, 2009, 06:44 PM
-{ Quote: "Hi Arran

Another question. My trusted folder has all the permission allowed which of course makes sense. I am sure most of the programs contained in it, have rules which is fine.

" }-

Well, the programs in it wouldn't need their own rules because, remember, they inherit the folder rules if all the programs' rules are set to Ignore.

-{ Quote: "Hi Arran

Now I am going to install a new piece of software which comes from a trusted source and is completely trusted.

A) if I can run the installer in the trusted folder, would that eliminate the pop up's of installing, and B) how would I do that. Didn't see an easy way off hand.

Thanks,

Pete

PS, this thread has been added to the sticky recommendations ." }-

If you used my strategy of always leaving MD in training mode there wouldn't be any pop-ups; there are never any pop-ups while MD is in training mode.

PS: remember how I was saying before about creating a folder called Security Apps? You can actually instead just rename the trusted app folder.

But for argument's sake, if you had MD in normal mode, yes you can install from in the trusted folder and no, there would not be any pop-ups because all the rules are set to Permit. Here are 3 screenies in 3 steps of how to get an installer in the trusted app folder.

EDIT POST: my bad, you do still get pop-ups while MD is in normal mode. I can't see any way to avoid installation pop-ups, unless you apply my strategy and leave MD in learning mode.

Let's say I want to install CCleaner for example.

apathy
September 7th, 2009, 07:15 PM
Hey Arran,

I installed MD and set up the application groups and rules. Should I stay in learning mode or just start moving the apps into the right categories?

wat0114
September 7th, 2009, 07:16 PM
-{ Quote: " you do still get pop ups while MD is in normal mode, I can't see any way to avoid installation pop ups. Unless you apply my strategy and leave MD in learning mode.
" }-

I agree. Experimenting in VBox there was no way to avoid pop-ups when installing something, even when I chose to place the setup.exe and subsequent application executable in the Trusted folder. As you mention, Training mode will work, but that unfortunately creates a ton of unnecessary rules that need to be cleaned up later. However, I think selecting the option "Delete Stale rules" later on might help purge at least most of those rules. If MD ever gets an "Installation mode" feature, it will be perfect.

arran
September 7th, 2009, 07:54 PM
-{ Quote: "@arran

Nice post you made. I've got some to add maybe: you can add this rule to the "lock down apps" of yours, because without it, outbound communication can be done without your knowing.
cheers" }-

Yes, I know about that. I was going to add this in later; I was trying to explain to people just one step at a time so that everyone would first get the general idea of training apps up first and then putting them in the lock down folder.
For network rules, like the screenies below, add these rules in. While the app is in training mode, like all the other rules, MD will automatically create the needed permit network rules.

[screenshot attachment 211996]
[screenshot attachment 211997]

-{ Quote: "@arran

Also another remark: in "lock apps" you can't add your browser (Firefox crashes in my case). Actually I don't think using the "lock folder" method is good; only using "security apps" and letting all "permit" is wise.

cheers" }-

There should be no reason why it would crash. Did you train up Firefox first before you moved it into the locked down folder??

-{ Quote: "Wow, so cool.

In my opinion, using learning mode and running all applications once, then letting MD establish rules, finally modifying them. In this way, we can set the right rule for each application. But this way is so cockamamie. Your approach is to set some groups, and put similar applications into those groups. It is good :), thank you." }-

Yes, you have a basic understanding of it: you are slowly locking down each app one by one, instead of having to keep on switching in and out of learning mode. You can install new apps and have them in training while at the same time having other apps permanently locked down.

arran
September 7th, 2009, 08:04 PM
-{ Quote: "Look at my comment above your post; it's the key for doing it :)

Move all applications you trust to "trusted application" and edit it, add the line in the picture and all set ;)" }-

Firefox needs internet access and I don't want to move FF inside the trusted folder. My post above is a better method.

-{ Quote: "Hey Arran,

I installed MD and set up the application groups and rules. Should I stay in learning mode or just start moving the apps into the right categories?" }-

Move them when you feel each app has had enough time in training mode; everybody has to use their own judgement as to when they get moved into the lock down folder. If any app in the locked down folder isn't working properly you can either move it back to the training folder, or the better way is to look at MD's logs, see any denied actions, right-click the denied action in the logs and select Create Permit Rule.


-{ Quote: "I agree. Experimenting in VBox there was no way to avoid pop-ups when installing something, even when I chose to place the setup.exe and subsequent application executable in the Trusted folder. As you mention, Training mode will work, but that unfortunately creates a ton of unnecessary rules that need to be cleaned up later. However, I think selecting the option "Delete Stale rules" later on might help purge at least most of those rules. If MD ever gets an "Installation mode" feature, it will be perfect." }-


I forgot to mention before that using the trusted folder to install apps does however REDUCE the amount of pop-ups.

Later on I am going to test and see how well the "Delete Stale rules" purge does at cleaning out the install rules.

wat0114
September 7th, 2009, 08:20 PM
-{ Quote: "I forgot to mention before that using the trusted folder to install apps does however REDUCE the amount of pop-ups." }-

Absolutely, by more than half I'd say.

-{ Quote: "Later on I am going to test and see how well the "Delete Stale rules" purge does at cleaning out the install rules." }-

Thank you! I may give that a try too, time permitting.

arran
September 7th, 2009, 08:48 PM
-{ Quote: "Absolutely, by more than half I'd say.
" }-

What it is, is this: you will always get 1 pop-up, the first one, which is asking if explorer.exe can create a new process. After this first pop-up, for a lot of installers there won't be any more pop-ups, because when installing they normally only write to the registry and file system, and those rules are already set to Permit. What causes the other pop-ups is that some installers, during the install process, do things like creating new executables which need executing, or they call up system services to create new startups. Particularly common when installers install things like drivers.

demoneye
September 8th, 2009, 02:53 AM
-{ Quote: "PS: remember how I was saying before about creating a folder called Security Apps? You can actually instead just rename the trusted app folder.

But for argument's sake, if you had MD in normal mode, yes you can install from in the trusted folder and no, there would not be any pop-ups because all the rules are set to Permit. Here are 3 screenies in 3 steps of how to get an installer in the trusted app folder." }-
arran, are you sure you mean folder, not GROUP? According to the facts and your pics it's a secure group :D

demoneye
September 8th, 2009, 03:18 AM
-{ Quote: "Hey Arran,

I installed MD and set up the application groups and rules. Should I stay in learning mode or just start moving the apps into the right categories?" }-

This one is for all MD users: I used "learn mode" for 5 minutes, and in this time I did all the actions I usually do, like open WinWord, run Firefox, save a doc, run all installed software in here, and then I "import" rules to a safe place and set MD back to "normal mode". When MD pops up again, if I missed any action I usually do, I just handle the pop-up window. You will get many fewer pop-ups this way :).
Also... in this way YOU EXPOSE your system for the minimum time without protection, unlike some bad idea of MD users to "leave learn mode for a couple of days", which is stupid.

cheers:)

aegreen
September 8th, 2009, 07:00 AM
Not sure that this really works. When I move applications to a group it resets all permissions to Ignore. This is how it's supposed to work, as a group is really a permissions template. If applications retained their own settings it would defeat the object of groups. Also, how would this handle exceptions that have been placed in the various tabs?

Isn't it better just to set all permissions in an application to Deny after a period of learning? That way you retain all the exceptions and the program will work, but any attempt to create a new rule will be denied (would have to check that new exceptions can't be created).

cqpreson
September 8th, 2009, 09:25 AM
-{ Quote: "arran, are you sure you mean folder, not GROUP? According to the facts and your pics it's a secure group :D" }-

I guess what he means is creating a folder on the computer and then configuring a special rule in MD to give this folder privilege. Finally, installing some security apps into this folder. In this way, we can't avoid many prompts.

But in my opinion, this approach will not be so secure. Because if an installer contains a virus and puts this virus into the folder, maybe it is a little dangerous, and if the virus runs, we can only see it run without any opinion :P.

Onur
September 8th, 2009, 12:17 PM
@arran. Thnx for this config. ;)

wat0114
September 8th, 2009, 12:38 PM
-{ Quote: "I guess what he means is creating a folder in the computer and then configuring a special rule in MD to give this folder privilege." }-

No, he's created a Group folder from within MD: Right-click on an existing Group folder -> Manage Group... -> New Group -> Edit Group, type in a Group Name -> Ok

demoneye
September 8th, 2009, 12:47 PM
Also I found something important that can be applied to the MD configuration.
I disabled MD's "network protection" and added Comodo FW only (HIPS disabled).
The reason I do that can be more than one reason: Comodo firewall is more powerful than MD's outbound-only protection, and also when you install new software (MD in learn mode of course), the software gains free access to the network and you can't know what it is doing; in this part Comodo will pick up any address/port the software tries to reach.
This tip "costs" nothing since Comodo is free :)

cheers

1boss1
September 8th, 2009, 01:56 PM
-{ Quote: "No, he's created a Group folder from within MD: Right-click on an existing Group folder -> Manage Group... -> New Group -> Edit Group, type in a Group Name -> Ok" }-

That's the part I don't understand. I created a new group folder called "Internet Blocked" where I want to put programs that can do anything locally except access the internet.

But the group folder doesn't appear on the main rules page, nor can I right-click an application and move it to this group. I even put a test application in that group manually called "Color Schemer Studio", but on the main rules page both the folder and application don't exist.

[screenshot attachment 212041]

The way the rules work just doesn't make sense to me; surely there must be something I'm missing. ???

demoneye
September 8th, 2009, 02:11 PM
-{ Quote: "That's the part I don't understand. I created a new group folder called "Internet Blocked" where I want to put programs that can do anything locally except access the internet.

But the group folder doesn't appear on the main rules page, nor can I right-click an application and move it to this group. I even put a test application in that group manually called "Color Schemer Studio", but on the main rules page both the folder and application don't exist.

The way the rules work just doesn't make sense to me; surely there must be something I'm missing. ???" }-

You must add a rule to the group in order to see it in the list.

cheers

wat0114
September 8th, 2009, 02:47 PM
-{ Quote: "You must add a rule to the group in order to see it in the list.

cheers" }-

Right, and that can be done as:

Right-click on any application or Group folder -> New Rule -> Application Rule -> click the "Select an application group" radio button -> from the drop-down arrow find and select the Group folder you created -> OK

I don't know why this has to be done, but that's how it's designed.

-{ Quote: "The way the rules work just doesn't make sense to me; surely there must be something I'm missing. ???" }-

Indeed, it's important to understand the rules processing order of MD. I created a thread back in February here (http://www.wilderssecurity.com/showthread.php?t=233728) which can hopefully help. Also, Kees1958 created an excellent one found here (http://www.wilderssecurity.com/showthread.php?t=226940). Along with Arran's advice there should be enough to get you going in the right direction :)

demoneye
September 8th, 2009, 02:55 PM
-{ Quote: "Right, and that can be done as:

Right-click on any application or Group folder -> New Rule -> Application Rule -> click the "Select an application group" radio button -> from the drop-down arrow find and select the Group folder you created -> OK

I don't know why this has to be done, but that's how it's designed." }-


right ;)

1boss1
September 8th, 2009, 04:06 PM
-{ Quote: "You must add a rule to the group in order to see it in the list.

cheers" }-


-{ Quote: "Right, and that can be done as:

Right-click on any application or Group folder -> New Rule -> Application Rule -> click the "Select an application group" radio button -> from the drop-down arrow find and select the Group folder you created -> OK

I don't know why this has to be done, but that's how it's designed.

Indeed, it's important to understand the rules processing order of MD. I created a thread back in February here (http://www.wilderssecurity.com/showthread.php?t=233728) which can hopefully help. Also, Kees1958 created an excellent one found here (http://www.wilderssecurity.com/showthread.php?t=226940). Along with Arran's advice there should be enough to get you going in the right direction :)" }-

Ahhhh HUH!

Thank you, thank you, now this is starting to make some sense! Got it, made a "Blocked Internet" group and blocked internet, drivers and shutdown. I trust these applications, but they have no real reason to perform these actions.

Tested the applications and got no popups, but as soon as I tried to perform one of the three blocked actions MD gave me an alert (which is what I want). So it's working perfectly. :thumb:

Great thread arran, MD has been gathering dust just waiting for a thread like this. I will go check out the other 2 threads now this is making sense.

wat0114
September 8th, 2009, 05:57 PM
-{ Quote: "Ahhhh HUH!

Thank you, thank you, now this is starting to make some sense!" }-

Great to see you're getting the hang of it :thumb:

-{ Quote: "Great thread arran, MD has been gathering dust just waiting for a thread like this." }-

It is great that arran started this thread. I'm just getting reacquainted again with MD after about a 4 month hiatus ;)

arran
September 8th, 2009, 07:09 PM
-{ Quote: "arran, are you sure you mean folder, not GROUP? According to the facts and your pics it's a secure group :D" }-

Folder and group are the same thing; going into a different folder = going into a different group.

-{ Quote: "Not sure that this really works. When I move applications to a group it resets all permissions to Ignore. This is how it's supposed to work, as a group is really a permissions template. If applications retained their own settings it would defeat the object of groups. Also, how would this handle exceptions that have been placed in the various tabs?" }-

When applications come onto MD's list they get given default Ignore settings. When in training mode MD automatically creates permit rules on each application. When each app has finished its training time, move it into the locked down folder group. The permissions on the app do not all get reset to Ignore; the permit rules created while the app was in training stay there.

-{ Quote: "Isn't it better just to set all permissions in an application to Deny after a period of learning? That way you retain all the exceptions and the program will work, but any attempt to create a new rule will be denied (would have to check that new exceptions can't be created)." }-

Yes, you can set all other permissions on each app to Deny instead of moving it into the locked down folder group, but it involves a lot more time-consuming work.

-{ Quote: "Also I found something important that can be applied to the MD configuration.
I disabled MD's "network protection" and added Comodo FW only (HIPS disabled).
The reason I do that can be more than one reason: Comodo firewall is more powerful than MD's outbound-only protection, and also when you install new software (MD in learn mode of course), the software gains free access to the network and you can't know what it is doing; in this part Comodo will pick up any address/port the software tries to reach.
This tip "costs" nothing since Comodo is free :)

cheers" }-

xiaolin has admitted before that MD doesn't filter outgoing low-level packets. While it isn't in my sig yet, I am using Kerio 2.15 to filter low-level packets.

arran
September 8th, 2009, 07:55 PM
LOCKING DOWN THE REGISTRY

Just like doing the network rules I explained before, create these rules as shown below.

[screenshot attachment 212068]
[screenshot attachment 212073]


As per normal, MD will automatically create the needed permit rules in each individual app. After each app has finished its training mode, put it back into the locked down folder group.

IMPORTANT TIPS

1. Because we have now asked MD to make registry rules for each app in training, this place is no longer suitable for trusted installers to run, because when trusted installers are running they are writing to the registry in a whole lot of places all at once; this will cause high CPU usage and system slowdown. So I just move my trusted installers into the Security Apps folder group where all permissions are set to Permit.

2. By creating registry rules for each app in training there will also be registry rules created for each system application down below. explorer.exe will create millions of permit rules; explorer.exe is always writing to the registry here, there and everywhere, it's mind boggling. Let's not go there. So to stop MD creating rules for explorer, create a rule as shown below in my screenie.
And if you don't want MD to create permit rules for other system apps, do the same thing in each app.

To lock down the system apps' registry rules after they have finished training, simply create a deny rule at the top of the list in each app.

[screenshot attachment 212070]

3. Before you move your apps back into the locked down folder group you can tidy up the rules. Like in the screenie below, you will notice that all the reg keys have the same extension or are in the same place. This is another good reason to be running all your apps inside Sandboxie, because it makes life a whole lot easier when tidying up reg key rules. To tidy up this mess, create a rule like I have at the top where the arrow is and delete all the rules underneath it.

[screenshot attachment 212072]

arran
September 9th, 2009, 08:41 PM
PROTECT THIS APPLICATION FROM BEING ACCESSED BY OTHER PROCESSES

So how many people tick this box for each app? I can imagine a lot of people would, because it sounds like a good thing to do. But is it really a good thing to do? No, not always. If you have other security software installed it can cause conflicts, because this setting can block your other security software from doing its job properly. Once upon a time I had DefenseWall running alongside MD, and I had this setting on each app, and it showed up in MD's log that it was blocking DefenseWall from accessing the app. So if you have other security software, best not to apply this setting. I only apply the protection for security software.

Scoobs72
September 10th, 2009, 04:10 PM
-{ Quote: "I disabled MD's "network protection" and added Comodo FW only (HIPS disabled).
The reason I do that can be more than one reason: Comodo firewall is more powerful than MD's outbound-only protection, and also when you install new software (MD in learn mode of course), the software gains free access to the network and you can't know what it is doing; in this part Comodo will pick up any address/port the software tries to reach." }-

When you need to install new software, if you disable File, Registry and Application protection but leave Network protection enabled, MD will let the program install but will alert to any attempts to connect to the network. So you don't have to lose total control over applications when you install them. At least this is how it appears to have worked on the installs I have tried :)

arran
September 10th, 2009, 04:53 PM
From the other thread, about the recent discussion of explorer.exe file rules, I decided to show how easy it is to make a near 100 percent bulletproof rule set.

[screenshot attachment 212119]

With the "ASK" rule at the top, in learning mode MD is automatically creating a whitelist of places that explorer.exe is able to write to. There are actually not many places that explorer normally writes to. To lock down explorer's file rules later on, simply change the rule at the top from "ASK" to "DENY". I also have in protection for my other partitions "i", "f" and "e" so explorer can't write to them.

aegreen
September 11th, 2009, 08:21 AM
-{ Quote: "
When applications come onto MD's list they get given default ignore settings. When in training mode MD automatically creates permit rules on each application. When each app has finished its training time, move it into the locked-down folder group. The permissions on the app do not all get reset to ignore; the permit rules created while the app was in training stay there.

Yes, you can set all other permissions on each app to deny instead of moving it into the locked-down folder group, but it involves a lot more time-consuming work.
" }-

Thanks for your answer, arran. I'll have to try it again. Having said that, is it really a good idea to leave it in learning mode? It's very easy to get infected just by having an open internet connection if your firewall fails. Try going online with no firewall for half an hour and see what happens. In my experience it's surprisingly easy to pick up an infection that way.

Also, if Malware Defender doesn't set things to ignore when you put them in a group, isn't this a design fault? What if you allowed a few things, then decided it looked dodgy, so you put it in blocked applications? If the permissions are not reset you'd have some allow rules. I think you'll find something like Comodo would block everything if you made it an isolated app.

curious george
November 29th, 2009, 01:35 AM
I followed the steps as directed, but once I launch an app, it's denied.

MD SEES the app within, let's say, the "trusted" folder, but denies it anyway...


Thoughts?

inka
November 29th, 2009, 06:36 PM
-{ Quote: "once I launch an app, it's denied" }- Visit the Malware Defender "Logs" tab. Right-click the entry for the event in which your app launch was denied and choose "Jump to Rule". This will display the "Rules" tab and highlight the relevant rule. Double-click the rule to examine its details and find/change the "Deny".

If you don't see an entry logged for the event, right-click the MD tray icon } Options } Logs and check "Log all denied actions", then retry the launch and recheck the Logs tab.

curious george
November 30th, 2009, 04:50 PM
Explorer.exe is what's denying the app from launching...

But it's set to permit in the application settings... hmm.

inka
November 30th, 2009, 07:44 PM
Okay, now that you have determined that a rule specific to explorer.exe is set to "deny"...

...double-click it (the application rule shown for explorer.exe, which would have been highlighted when you clicked "Jump to Rule"). This will open an "Edit application rule" window. Select the "Child applications" tab. Here, another double-click (on the line for the blocked app) will raise an "Edit child application" window. You can delete the "deny" rule listed for your blocked app, or change it to "ask" or to "permit".

Click the "OK" button to close each of the rule editing windows
(if you press Escape, click the corner [x] or click Cancel, your changes will not be committed).

-{ Quote: "But it's set to permit in the application settings... hmm" }- Guessing you're referring to the "execute permission" select box within the "Permissions" tab of the "Edit application rule" window for explorer.exe.
Yes, "Permit" here means that, in general, explorer.exe has permission to execute child applications...

...but, along the way, an overriding child rule must have been created by an accidental click in response to a popup. The default ruleset contains zero "child application" rules specific to explorer.exe.

xiaolin
November 30th, 2009, 10:13 PM
-{ Quote: "
Guessing you're referring to the "execute permission" select box within the "Permissions" tab of the "Edit application rule" window for explorer.exe.
Yes, "Permit" here means that, in general, explorer.exe has permission to execute child applications...
" }-

The "execute permission" is used when explorer.exe is executed by other processes. But it only takes effect in the following case.

If the execute permission of the child process is not "Permit", and its rule priority is higher than the matched rule of the parent process, then the execute permission of the child process is used.

The "execute permission" can be used to write complex rule sets. If you are using the default rule set, you can ignore it.

Executing child applications is controlled by "Create new processes".
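
The parent/child precedence described in this post and in the two posts above it (the per-child entry that overrode explorer.exe's general "Create new processes" setting, and the narrow case in which a child's own "execute permission" wins), written out as an added Python model. It is not Malware Defender's code or its real rule engine; rule paths, priorities and the evaluation order (child-specific entry first, then the priority check) are assumptions made for the illustration.

```python
from dataclasses import dataclass, field
from typing import Dict, Optional

PERMIT, ASK, DENY = "Permit", "Ask", "Deny"


@dataclass
class AppRule:
    """One application rule as the posts describe it (hypothetical fields)."""
    path: str
    priority: int                       # higher wins; "System" group assumed highest
    create_new_processes: str = PERMIT  # 'Create new processes' permission
    execute_permission: str = PERMIT    # 'Execute permission' on this app itself
    child_rules: Dict[str, str] = field(default_factory=dict)  # child path -> verdict


def decide_launch(parent: AppRule, child: Optional[AppRule]) -> str:
    """Verdict for `parent` starting `child` (child may be unknown to the ruleset)."""
    # 1. A per-child entry on the parent's 'Child applications' tab overrides
    #    the parent's general setting (this is what bit George).
    if child is not None:
        specific = parent.child_rules.get(child.path.lower())
        if specific is not None:
            return specific
    verdict = parent.create_new_processes
    # 2. The child's own execute permission only applies when it is not
    #    'Permit' AND the child's rule outranks the parent's rule.
    if (child is not None
            and child.execute_permission != PERMIT
            and child.priority > parent.priority):
        verdict = child.execute_permission
    return verdict


def remove_child_entry(parent: AppRule, child_path: str) -> None:
    """The fix from the thread: delete the accidental child-application rule."""
    parent.child_rules.pop(child_path.lower(), None)


if __name__ == "__main__":
    explorer = AppRule(r"c:\windows\explorer.exe", priority=100)          # 'System' group
    tool = AppRule(r"c:\apps\tool.exe", priority=50)                      # 'trusted' group
    explorer.child_rules[tool.path] = DENY                                # accidental popup click
    print(decide_launch(explorer, tool))        # Deny, despite 'Create new processes' = Permit
    remove_child_entry(explorer, tool.path)
    print(decide_launch(explorer, tool))        # Permit
```

Because the System group outranks the other groups, the priority check in step 2 never fires for explorer.exe launching an ordinary application, which is why the only thing left to look for in George's case was a child-application entry.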

inka
December 1st, 2009, 03:32 AM
-{ Quote: "the "execute permission" select box" }- Apologies for the bad info, George. I had intended to type "create new processes" select box.

xiaolin, for explorer.exe (because it resides in the "Application Rules - System" group), is it correct to disregard rule priorities as a potential parent/child problem in this case? Unless the child happens to be another "System" application, the application rule for explorer.exe will always have higher priority, yes?

xiaolin
December 1st, 2009, 08:10 AM
-{ Quote: "
xiaolin, for explorer.exe (because it resides in the "Application Rules - System" group), is it correct to disregard rule priorities as a potential parent/child problem in this case? Unless the child happens to be another "System" application, the application rule for explorer.exe will always have higher priority, yes?" }-
yes :)