CIS - Defense+: use the name only of the files to create the rules?

Discussion in 'other anti-malware software' started by blacknight, Jan 30, 2013.

Thread Status:
Not open for further replies.
  1. blacknight

    blacknight Registered Member

    Joined: Sep 25, 2007
    Posts: 2,433
    Location: Europe
    Maybe someone has already wondered about this: does Defense+ recognize the ruled applications by their name only? I uninstalled FastStone Image Viewer 4,6, alone delete the rules for it in Defense+. Then I launched the installer of FastStone 4,7: Defense+ alerted me only for the exe and for the installation process; once it finished, I launched FastStone - installed - and I had no alert from Defense+. Note that in CIS I had deleted the Trusted Vendors list.
     
  2. jmonge

    jmonge Registered Member

    Joined: Mar 20, 2008
    Posts: 12,883
    Location: Canada
    And how did you do that, my friend? I want to give the new D+ a try :)
     
  3. Sordid

    Sordid Registered Member

    Joined: Oct 25, 2011
    Posts: 221
    Funny, the exact opposite happened to me with FastStone. Trusted it and HIPS kept asking access questions in safe mode. Great program BTW.

    So, the D+ initially activated and alerted you of a first time execute of an unknown app via the behavior blocker (run as isolated). Then you trusted it--and it didn't act again? I'm losing you on the logic: Wouldn't that indicate HIPS is not asking because you are in safe mode with ASK rules for apps, considering you erased the old rule? I don't understand how NOT being asked HIPS questions demonstrates Comodo is using file name for rules.

    A few reasons main HIPS questions won't fire after trusting isolating in BB or installing via installer:

    ~Safe mode will prevent buzzing on trusted apps (de-isolated) and so will preconfigured rules for isolated or restricted apps because you've already answered and applied HIPS rules. If you want questions on TRUSTED apps, you must use paranoid mode with "ask" rules (default for "all applications")

    ~"Detect installers and show privileged escalation alerts" switch in BB will trim down reports from the main HIPS because it's redundant in sorts. Two alerts. One from BB stating program has been isolated and one from the main HIPS "prog wants global rights to your computer" allow/deny alert.

    ~Modifying the "all applications" app* "ask" rule

    Edit: Okay, I see they have nonportable versions--part of my confusion. The kicker though--the executable has a different file name from the set up. Do you have cloud look up on? If Comodo says it is safe, I think the TVL is not necessary for vetting. Do you have trust files from trusted installers on? If Comodo sees the setup as an installer and you trust that...
     
    Last edited: Jan 30, 2013
  4. blacknight

    blacknight Registered Member

    Joined: Sep 25, 2007
    Posts: 2,433
    Location: Europe
    Supposing you mean this: "In CIS I had deleted the Trusted Vendors list": go in c:\ < program < cis folder < database, and delete vendor.n file.
     
  5. blacknight

    blacknight Registered Member

    Joined: Sep 25, 2007
    Posts: 2,433
    Location: Europe

    Sorry, I didn't specify: Defense+ was in Paranoid Mode, the Sandbox is disabled; anyway, you're right: trust files from trusted installers is on.
     