CFP - Poor pop-up alerts compared with other HIPS?

Discussion in 'other anti-malware software' started by aigle, Aug 18, 2009.

Thread Status:
Not open for further replies.
  1. thathagat

    thathagat Guest

    The pop-up opens with OP's default recommendation (allow/block), so if it's allow and you press OK you would not be asked again for that particular action. Then there is Smart Advisor, which when pressed connects to the OP server and provides additional info; based on that you can use the Allow or Deny buttons to either allow the action once or block the action once and see if, say, blocking it has any effect on the execution/running or functioning of the said programme.
     
  2. firzen771

    firzen771 Registered Member

    Joined:
    Oct 29, 2007
    Posts:
    4,815
    Location:
    Canada
    And what about my second question?
     
  3. subset

    subset Registered Member

    Joined:
    Nov 17, 2007
    Posts:
    825
    Location:
    Austria
    If you click just Allow, OP uses the default, which is 'allow once' and no rules will be created for this action.

    Cheers
     
  4. firzen771

    firzen771 Registered Member

    Joined:
    Oct 29, 2007
    Posts:
    4,815
    Location:
    Canada
    ok thx
     
  5. Joeythedude

    Joeythedude Registered Member

    Joined:
    Apr 19, 2007
    Posts:
    519
    Tried the install with Free SSM.

    No alerts during install specifying that drivers were being installed.

    You could see it in the modules log (attached), but this was only updated after the drivers were in there.

    V Disappointing...

    Will try with the new Threatfire soon.
     

    Attached Files: SSM.JPG (60.4 KB)
  6. Joeythedude

    Joeythedude Registered Member

    Joined:
    Apr 19, 2007
    Posts:
    519
    Ok so I tried the install with Sandboxie.

    Did very nicely.

    If you switch to File & Folders view you can find the drivers.
    You get a pop-up saying that the service has been started under Sandboxie's control.

    So nicely done.
    :cool:

    I think this is a very good way to check for drivers in an install file, and hence for rootkits.

    The caveats are:
    a) Some POC malware can check if it's running in a virtual environment, and so alter its installation.
    b) It might be possible for this file and folder view to be tricked some other way than b).
    c) It might be possible for the driver file to be named something other than *.SYS, and be located in another location than the drivers folder.
    b) & c) are just my personal theories, make of them what you will.

    I would use Sandboxie to check if a program/file I intended to install/use & trusted say 90% had a driver file I did not expect.
    Personally I think in this role it would cover me against say 80% of these cases, given a), b), and c).

    (Please note I am not saying Sandboxie is only 80% effective in general!)
     
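As an added example (not code from any poster in this thread): caveat c) above is why a check for new drivers should not rely on a `*.sys` name in the drivers folder. The script below compares a before/after snapshot of the Services registry tree and classifies entries by their `Type` value instead; the snapshots are constructed sample data, and the `C:` system drive and `\SystemRoot` form are assumptions.

```python
import ntpath

# Service "Type" values from the Windows SCM: kernel and file-system drivers.
DRIVER_TYPES = {0x1, 0x2}
EXPECTED_DIR = "\\systemroot\\system32\\drivers"  # where drivers normally live

def normalize_image_path(image_path):
    """One comparable form; assumes system drive C: and %SystemRoot%=C:\\Windows."""
    p = image_path.strip().strip('"').lower().replace("/", "\\")
    if p.startswith("\\??\\"):                      # NT object path prefix
        p = p[4:]
    if p.startswith("c:\\windows\\"):
        p = "\\systemroot\\" + p[len("c:\\windows\\"):]
    elif not p.startswith("\\") and p[1:2] != ":":  # relative to %SystemRoot%
        p = "\\systemroot\\" + p
    return p

def new_driver_services(before, after):
    """Return (name, image_path, flags) for every service present in `after`
    but not in `before` whose Type marks it as a driver. The decision never
    looks at the extension or folder; those only add warning flags."""
    findings = []
    for name, values in after.items():
        if name in before or values.get("Type") not in DRIVER_TYPES:
            continue
        image = normalize_image_path(values.get("ImagePath", ""))
        flags = []
        if not image.endswith(".sys"):
            flags.append("non-.sys extension")
        if ntpath.dirname(image) != EXPECTED_DIR:
            flags.append("outside drivers folder")
        findings.append((name, image, flags))
    return sorted(findings)

# Constructed sample snapshots of HKLM\SYSTEM\CurrentControlSet\Services
# (only the Type and ImagePath values), taken before and after an install.
BEFORE = {
    "Disk": {"Type": 0x1, "ImagePath": "System32\\drivers\\disk.sys"},
    "Spooler": {"Type": 0x10, "ImagePath": "C:\\Windows\\System32\\spoolsv.exe"},
}
AFTER = dict(BEFORE)
AFTER.update({
    "helper": {"Type": 0x10, "ImagePath": "C:\\Program Files\\App\\helper.exe"},
    "appflt": {"Type": 0x2, "ImagePath": "\\SystemRoot\\System32\\drivers\\appflt.sys"},
    "appcore": {"Type": 0x1, "ImagePath": "\\??\\C:\\ProgramData\\App\\core.dat"},
})

if __name__ == "__main__":
    for name, image, flags in new_driver_services(BEFORE, AFTER):
        print(f"{name}: {image} [{', '.join(flags) or 'looks normal'}]")
```

On a live Windows host the two dictionaries would be filled from the Services key with `winreg` before and after the install; the comparison logic is unchanged.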