CIS - Defense+: use the name only of the files to create the rules ?

May be someone already wondered it: Defense+ recognize the ruled applications by their name only ? I uninstalled FastStone Image Viewer 4,6, alone delete the rules for it in Defense+. Then I launched the installer of FastStone 4,7: Defense+ alerted me only for the exe and for the installation process; finished it, I lauched FastStone - installed - and I had no alert from Defense+. Note that In CIS I had deleted the Trusted Vendors list.

 

and how did you do that my friend?i want to give the new D+ a try

 

Funny, the exact opposite happened to me with Faststone. Trusted it and HIPS kept asking access questions in safe mode. Great program BTW.

So, the D+ initially activated and alerted you of a first time execute of an unknown app via the behavior blocker (run as isolated). Then you trusted it--and it didn't act again? I'm losing you on the logic: Wouldn't that indicate HIPS is not asking because you are in safe mode with ASK rules for apps considering you erased the old rule. I don't understand how NOT being asked HIPS questions demonstrates Comodo is using file name for rules.

A few reasons main HIPS questions won't fire after trusting isolating in BB or installing via installer:

~Safe mode will prevent buzzing on trusted apps (de-isolated) and so will preconfigured rules for isolated or restricted apps because you've already answered and applied HIPS rules. If you want questions on TRUSTED apps, you must use paranoid mode with "ask" rules (default for "all applications")

~"Detect installers and show privileged escalation alerts" switch in BB will trim down reports from the main HIPS because it's redundant in sorts. Two alerts. One from BB stating program has been isolated and one from the main HIPS "prog wants global rights to you computer" allow/deny alert.

~Modifying the "all applications" app* "ask" rule

Edit: Okay, I see they have nonportable versions--part of my confusion. The kicker though--the executable has a different file name from the set up. Do you have cloud look up on? If Comodo says it is safe, I think the TVL is not necessary for vetting. Do you have trust files from trusted installers on? If Comodo sees the setup as an installer and you trust that...

 

Supposing you mean this: " In CIS I had deleted the Trusted Vendors list " : go in c:\ < program < cis folder < database, and delete vendor.n file.

 

Sorry, I didn't specify : Defense+ was in Paranoid Mode, the Sandbox is disabled; anyway you're right: trust files from trusted installers is on.