Testing "Whitelist Mode"

Discussion in 'Prevx Releases' started by STV0726, Jan 10, 2012.

Thread Status:
Not open for further replies.
  1. STV0726

    STV0726 Registered Member

    Joined:
    Jul 29, 2010
    Posts:
    900
    I have saved a configuration file of all my desired settings that I believe will grant me the most reliable, confident security. These settings included all heuristics on high, since the help file states that is OK for advanced users.

    Now, I'm having some fun. I saved a second configuration file with everything on maximum. Then, I saved a third one leaving everything on maximum but turning all components of heuristics to the "whitelist mode," or "Warn when new programs execute that are not trusted."

    I have learned much about this setting but one thing I still do not know for sure is this: Is there a difference in the prompt that appears for something being generally blocked solely because it is not known trusted, versus when something installs that is most certainly actual malware? This is important.

    So for instance Sandboxie 3.62's control executable was blocked simply for being not yet known trusted in the database. Due to me trusting the file and the non-alarming nature of the prompt, it was concluded that allowing it was fine. But let's say I downloaded a virus right now, would it give me the same, non-alarming prompt, or would it give the traditional prompt that users receive when a suspicious/known bad file executes?

    I must say this whitelist mode definitely is a great feature inclusion and I could see myself making use of this!

    Thanks!
     
  2. STV0726

    STV0726 Registered Member

    Joined:
    Jul 29, 2010
    Posts:
    900
    After a day or two of use, I have to revert to the default heuristic mode, "apply before." Here's why...

    The whitelist mode started blocking Windows Update, more specifically, the Malicious Software Removal Tool that Microsoft pushes out every month.

    In detection configuration...

    mrtstub.exe in c:\(randomized)
    mrt.exe in c:\windows\system32

    I was also surprised that an ancient, very unpopular game called Hardwar from 1998 did not get blocked, while Sandboxie 3.62 did...

    start.exe in c:\program files\sandboxie
    sbiectrl.exe in c:\program files\sandboxie

    ...oh well, I wanted to try it and I did it at my own risk. Not a lot of people probably use the whitelist mode at this time, at least not yet. I understand it is for advanced users who want a very restricted environment, so blocking applications even if they are fairly popular is understandable.

    I do not understand why the Malicious Software Removal Tool got blocked though. That should be a signed executable from Microsoft. Is it because they just released it today?

    Just keeping Joe & everyone else informed in case any of that was not working as intended. I will close in saying I am very impressed with the level of security and granularity Webroot SecureAnywhere provides! :thumb:

    This isn't a complaint post. I turned everything up on purpose to test it. :)
     
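    The question in the first post (does an "unknown" block look the same as a "known malware" block?) and the observations in the second (an unsigned-in-the-database but legitimate file such as mrt.exe or Sandboxie's start.exe being stopped) come down to how a default-deny policy separates three verdicts: trusted, known bad, and simply unknown. The following is an added example, not Webroot/Prevx code: a toy policy engine that models the two modes named in the thread ("apply before" and the whitelist mode) and returns a distinct prompt class for each verdict. The hash "database", the file contents, the prompt wording and the `heuristic_suspicious` flag are all constructed assumptions; the real product's database and prompts are not modelled.

```python
"""Toy model of default-allow-with-heuristics vs. whitelist (default-deny) mode.

Added example, not Webroot/Prevx code. The hash lists and file contents below
are constructed sample data; they are not the product's real database.
"""
import hashlib
from dataclasses import dataclass
from enum import Enum


class Verdict(Enum):
    TRUSTED = "trusted"        # known good in the database
    KNOWN_BAD = "known_bad"    # known malware: blocked in every mode
    UNKNOWN = "unknown"        # not yet classified either way


class Mode(Enum):
    APPLY_BEFORE = "apply_before"   # default: unknown files may run, heuristics judge them
    WHITELIST = "whitelist"         # "warn when new programs execute that are not trusted"


@dataclass(frozen=True)
class Decision:
    allowed: bool
    prompt: str   # which kind of prompt the user would see ("" means silent allow)


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


# Constructed sample "database": hashes of file contents, not real Webroot data.
TRUSTED_HASHES = {sha256_hex(b"hardwar-1998-game-binary")}
KNOWN_BAD_HASHES = {sha256_hex(b"definitely-malware-sample")}


def classify(contents: bytes) -> Verdict:
    """Look the file's hash up; anything not in either list is UNKNOWN."""
    h = sha256_hex(contents)
    if h in KNOWN_BAD_HASHES:
        return Verdict.KNOWN_BAD
    if h in TRUSTED_HASHES:
        return Verdict.TRUSTED
    return Verdict.UNKNOWN


def decide(mode: Mode, path: str, contents: bytes,
           heuristic_suspicious: bool = False) -> Decision:
    """Return whether execution is allowed and which prompt class applies.

    Key point: in whitelist mode an UNKNOWN file and a KNOWN_BAD file are both
    stopped, but for different reasons, so the policy surfaces them with
    distinct prompts instead of one generic "blocked" message. The
    heuristic_suspicious flag stands in (as an assumption) for whatever
    behavioural heuristics would say about an unknown file in the default mode.
    """
    verdict = classify(contents)
    if verdict == Verdict.KNOWN_BAD:
        return Decision(False, f"THREAT: {path} matches known malware; quarantined")
    if verdict == Verdict.TRUSTED:
        return Decision(True, "")
    # verdict == UNKNOWN: this is where the two modes differ
    if mode == Mode.WHITELIST:
        return Decision(False, f"UNTRUSTED: {path} is not yet known; allow it?")
    if heuristic_suspicious:
        return Decision(False, f"SUSPICIOUS: heuristics flagged {path}; blocked")
    return Decision(True, "")


def audit(mode: Mode, files) -> dict:
    """Summarise decisions for a batch of (path, contents, suspicious) tuples."""
    return {path: decide(mode, path, contents, susp) for path, contents, susp in files}


# Constructed sample files; paths echo the ones mentioned in the thread.
SAMPLE_FILES = [
    (r"c:\windows\system32\mrt.exe", b"mrt-this-month", False),
    (r"c:\program files\sandboxie\start.exe", b"sandboxie-3.62-start", False),
    (r"c:\games\hardwar\hardwar.exe", b"hardwar-1998-game-binary", False),
    (r"c:\users\me\downloads\dropper.exe", b"definitely-malware-sample", False),
]

if __name__ == "__main__":
    for mode in Mode:
        print(f"== {mode.value} ==")
        for path, decision in audit(mode, SAMPLE_FILES).items():
            print(f"{'ALLOW' if decision.allowed else 'BLOCK':5} {path}  {decision.prompt}")
```

    Running it shows why the poster saw Hardwar run while mrt.exe and Sandboxie were stopped: once a file's hash is in the trusted list it passes in both modes, while anything unknown is stopped in whitelist mode regardless of how it looks, and with a different prompt class than a known-bad hit.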
  3. Triple Helix

    Triple Helix Webroot Product Advisor

    Joined:
    Nov 20, 2004
    Posts:
    12,011
    Location:
    Ontario, Canada
    I have everything maxed out, even Identity Shield for HTTP, with no issues, but it doesn't mean others will not have problems with the max settings! If I wanted Paranoid mode I would set Heuristics to "Warn when new programs execute that are not trusted"!

    TH
     
  4. STV0726

    STV0726 Registered Member

    Joined:
    Jul 29, 2010
    Posts:
    900
    Are you saying your everyday, normal configuration is currently set to all heuristics on "Warn when new programs execute that are not trusted" (aka "whitelist mode")?

    That is what I was testing, and I had to stop when it flagged Windows Update stuff. That's kind of a line to draw for me personally.
     
  5. Triple Helix

    Triple Helix Webroot Product Advisor

    Joined:
    Nov 20, 2004
    Posts:
    12,011
    Location:
    Ontario, Canada
    No, I said if I wanted Paranoid mode I would do that! But I do have all heuristics on Maximum, even Identity Shield for HTTP, with no issues!

    TH
     
  6. STV0726

    STV0726 Registered Member

    Joined:
    Jul 29, 2010
    Posts:
    900
    Oh OK. Then it sounds like you and I have about the same configuration now. :thumb:

    In addition to maxing out all the heuristics though, I have also changed a few of the default settings that I felt I should in order to ensure automatic removal and blocking of malware without introducing the error-prone human element.

    I also told WSA to lock down my HOSTS file. Not sure why that setting is off by default.
     
  7. Triple Helix

    Triple Helix Webroot Product Advisor

    Joined:
    Nov 20, 2004
    Posts:
    12,011
    Location:
    Ontario, Canada
    Maybe because some users use a hosts file like MVP Hosts, and then WSA would block it when updating it!

    TH
     
  8. STV0726

    STV0726 Registered Member

    Joined:
    Jul 29, 2010
    Posts:
    900
    Oh, of course. :oops:

    I do not, however, so it is a good setting for me to check!
     
  9. PrevxHelp

    PrevxHelp Former Prevx Moderator

    Joined:
    Sep 14, 2008
    Posts:
    8,242
    Location:
    USA/UK
    It's off by default because it would prevent any change to the hosts file by any program without warning the user. You can enable it without negative side effects if you know what manages your hosts file, though :)
     
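    The hosts-file lockdown discussed above blocks every write to the file, which is why it collides with tools such as MVP Hosts that rewrite the file on purpose. A softer alternative a defender can run themselves is integrity monitoring: keep a baseline copy taken when the file is known clean, and diff the current file against it, paying special attention to new entries that send a hostname somewhere other than loopback (the classic hosts-file hijack). The following is an added example, not Webroot/Prevx code; the two hosts snapshots are constructed sample text, and `diff_hosts` is a hypothetical helper name.

```python
"""Added example, not Webroot/Prevx code: baseline-vs-current hosts file diff.

Parses two snapshots of a hosts file, reports added and removed name->address
mappings, and flags additions that point a name at a non-local address.
The snapshots below are constructed sample text.
"""
import ipaddress
from typing import Dict, List, Tuple


def parse_hosts(text: str) -> Dict[str, str]:
    """Map each hostname (lower-cased) to its address; comments and blanks ignored."""
    mapping: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop trailing comments
        if not line:
            continue
        parts = line.split()
        if len(parts) < 2:
            continue  # malformed line; a stricter tool would report it
        addr, *names = parts
        for name in names:
            mapping[name.lower()] = addr
    return mapping


def is_local_sink(addr: str) -> bool:
    """True for addresses that merely blackhole a name (loopback or 0.0.0.0)."""
    try:
        ip = ipaddress.ip_address(addr)
    except ValueError:
        return False
    return ip.is_loopback or ip.is_unspecified


def diff_hosts(baseline: str, current: str) -> Dict[str, List[Tuple[str, str]]]:
    """Compare two snapshots; 'redirects' lists added entries that are not local sinks."""
    old, new = parse_hosts(baseline), parse_hosts(current)
    added = [(n, a) for n, a in new.items() if old.get(n) != a]
    removed = [(n, a) for n, a in old.items() if n not in new]
    # A new mapping to a routable address is what a hijack looks like; a new
    # 0.0.0.0 / 127.0.0.1 entry is what a blocklist update looks like.
    redirects = [(n, a) for n, a in added if not is_local_sink(a)]
    return {"added": added, "removed": removed, "redirects": redirects}


# Constructed snapshots (not taken from any real machine).
BASELINE_HOSTS = """\
127.0.0.1 localhost
# blocklist-style entry, as a hosts-file manager would write it
0.0.0.0 ads.example
"""

CURRENT_HOSTS = """\
127.0.0.1 localhost
0.0.0.0 tracker.example
198.51.100.7 update.example   # new entry pointing at a routable address
"""

if __name__ == "__main__":
    report = diff_hosts(BASELINE_HOSTS, CURRENT_HOSTS)
    for key in ("added", "removed", "redirects"):
        print(f"{key}: {report[key]}")
```

    With the constructed snapshots, the added `tracker.example` entry is reported but not flagged (it is a blackhole entry of the kind a hosts-file manager adds), while `update.example` pointing at 198.51.100.7 lands in `redirects`, which is the case worth prompting the user about.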