A weird issue I've come across relating to "restricted apps"... not sure if this is expected behaviour? (Normally I'd expect any (non-Microsoft-signed) application that needs internet access to get prompted for.) (I'm in the allow MS mode.) I've figured out the issue, but not sure if it's expected? (It appears that using restricted mode is actually less secure?) If I use MSEDGE in "restricted mode", should any applications EDGE launches then get full internet access without creating additional rules? (Seems a security hole when thinking restricted mode is more secure!) On my work machine we use an MSP remote management platform called Solarwinds N-able. It's a website I access using MSEDGE, and I had previously had MSEDGE in restricted mode thinking it was more secure, but I found an odd issue: using the platform, when MSEDGE calls up the software to remote connect to servers, I found it never prompted for anything. The remote software below just launched and worked fine, no rules got created, no pop-ups or prompts, nothing in SpyShelter; it had just allowed it to run and access the internet. The path to the executable that EDGE launches is C:\Users\username\AppData\Local\Take Control Viewer\TakeControlRDViewer.exe. So in restricted mode, yes, I'm more secure in that Edge can only write to the specified folders, but it's a huge problem if ANY .exe that MSEDGE launches is just granted full access to do what it wants to do. Once I removed MSEDGE from restricted mode, when I click on the remote button, I then correctly got plenty of pop-ups asking for rules to be created for TakeControlRDViewer.exe. Is this by design or is this not normal?
I can't tell you much about it, but I do think the "restricted apps" feature is one of the weaker points of SS. I wouldn't rely on it for exploit protection; in my view this feature needs to be redesigned.
I assume this has something to do with the location of the exe file: ...AppData\Local\... This location is excluded from the restriction mode. See the tab "Folders with write access" in the SS program.
@kC_ Here you have how trusted certificates and protection levels are working together: https://www.wilderssecurity.com/threads/spyshelter-11.402823/page-5#post-2802181 I don't think it's the matter of restricted apps, and in my opinion it's not reasonable to run Edge as restricted. It's because of a lot of different processes that are working at the same time, and some of them are strictly connected to the system: https://www.askvg.com/windows-10-wh...ning-in-task-manager-and-how-to-disable-them/
Thanks, very useful! In my (basic) understanding, running web browsers in restricted mode should have tighter security. In my thinking, Edge would run... not be able to leak info, and not be able to save files into any folder that's not in the restricted allow list folders... but I found it had quite the opposite effect... it weakened security. For example, if I launched Edge in restricted mode, potentially any malware or virus under localsystem would have had full access to do whatever it liked, and I would not have been prompted... I don't see any single reason anyone would use the restricted apps feature? Surely that is not by design, is it?
Support confirmed it's by design..... if you run an app in restricted mode, then any child process it spawns will have full access without prompts to everything/internet.
Another weird random bug found, lost my faith in this thing now! My settings are set to "trust microsoft signed" and I have NO custom trusted signers, yet I was wondering when I spotted WizTree (https://diskanalyzer.com/) ran and just created rules itself... (as if it was added as a "trusted signer"). So looking in the component details.... how did this become auto accepted? I would expect ANYTHING signed and non-Microsoft to show as below, where you have to click to make it trusted. Now totally lost faith and trust in this thing; it's so good and so powerful, but so buggy! I then went through the component details of all of my rules for non-Microsoft-signed applications and found the following software signers were just "Auto--Accepted", so they now reside in my untrusted list so they can't just create rules.. (it's not that I don't trust them... it's just that I want to be prompted for what rules for anything non-Microsoft)
Had tried that, and for example with WizTree: deleted the rules for it, ran it, clicked check for updates, and it just creates whatever rules it wants without prompt. In the component details it still says
Clear all rules before ask user mode. Also try this: clear all rules, set allow Microsoft, go to the list of monitored actions, select action 53, then untick "Auto-allow the action for a component signed by a trusted signer" just for action 53. Then it should work as auto-allow Microsoft and ask for the rest of the exes. Please tell me if it works.
Hi, yes, if I untick "Auto-allow the action for a component signed by a trusted signer" then it does prompt (as expected), but I do want that feature (for example for Microsoft) to not prompt at every store app update or Windows update etc.. The problem is why are certain applications "auto trusted signers"? Why is Antibody Software an "auto accepted signer"? It was actually my IDS/threat protection in my firewall that prompted me to investigate why it was even accessing the internet when I hadn't manually allowed it.
It has a built-in trusted signer, therefore it shows auto accepted signer. I don't know why some software is an auto accepted signer, maybe because of a trusted certificate? And I tested the trick, and it works as I wrote above: allow Microsoft and prompt for others. Exit from SpyShelter and delete the SpyShelter folder from AppData so as to be clean. If you are prompted for a Microsoft file, maybe it's because they are not signed or not from Microsoft. You can try medium level too.
OK, so it's because of the "Auto Allow" feature, right? So then this isn't a bug? But I agree, if you set it to "allow Microsoft", it should only allow processes related to MS and Windows.
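An added example, not part of any post in this thread and not SpyShelter's own tooling: because child processes of a restricted browser and signed non-Microsoft components may run without a prompt, this PowerShell audit lists what msedge.exe has spawned, where each image lives and who signed it. The `msedge.exe` parent name comes from the thread; treating a subject containing `O=Microsoft Corporation` as "Microsoft signed" is a heuristic assumed for this example.

```powershell
# Added example: audit live child processes of a browser and their signers.
$parentName = 'msedge.exe'          # parent named in the thread
$all = Get-CimInstance -ClassName Win32_Process

# Map parent PID -> start time, so a recycled PID is not mistaken for a parent.
$parentStart = @{}
$all | Where-Object { $_.Name -eq $parentName } |
    ForEach-Object { $parentStart[[int]$_.ProcessId] = $_.CreationDate }

$report = foreach ($p in $all) {
    $parentId = [int]$p.ParentProcessId
    if ($p.Name -eq $parentName) { continue }                 # browser's own helpers
    if (-not $parentStart.ContainsKey($parentId)) { continue }
    if ($p.CreationDate -lt $parentStart[$parentId]) { continue }  # PID reuse

    $path = $p.ExecutablePath
    $sig  = if ($path) { Get-AuthenticodeSignature -LiteralPath $path } else { $null }
    $cert = if ($sig)  { $sig.SignerCertificate } else { $null }

    $state  = if ($sig)  { [string]$sig.Status } else { 'NoPath' }
    $signer = if ($cert) { $cert.Subject } else { '(none)' }
    # Heuristic (assumption): valid signature whose subject names Microsoft.
    $isMs   = ($state -eq 'Valid') -and ($signer -match 'O=Microsoft Corporation')
    # Images under the user profile (e.g. AppData\Local) are user-writable.
    $inProfile = [bool]($path -and $path.StartsWith(
        $env:USERPROFILE, [StringComparison]::OrdinalIgnoreCase))

    [pscustomobject]@{
        ProcessId       = $p.ProcessId
        Name            = $p.Name
        Path            = $path
        InUserProfile   = $inProfile
        SignatureState  = $state
        Signer          = $signer
        MicrosoftSigned = $isMs
    }
}

# Non-Microsoft children first: these are the ones to review rules for.
$report | Sort-Object MicrosoftSigned, Name | Format-List
```

Run it while the launched helper (for example the remote viewer) is still open, since only live processes are listed.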