New unexpected rule in Computer Security Policy (X32 XPSP2 v 3.0.16.295)

[Guest]

[LeoniAquila]

In my Computer Security Policy options, there are many rules created by Defense+, including a rule for Mozilla Firefox. Now recently an additional rule was created for FF, even though the old one is left. I cannot understand why, I haven't updated Firefox or so. The only thing I've updated is CFP. Besides, unlike all other rules in the Computer Security Policy window, the path contains ~ signs. See attached screen shot.

If I delete the rule, it comes back.

Win XP, D+ in Clean PC Mode.

Thanks for any suggestions,

LA

EDIT the 19th of February: This bug was fixed with version 3.0.18.309.

[JJasper]

Hi LA

Just tested this out for myself.  FF did not make additional rule but Foxit reader did.  If I remove it it will come back with the ~ .  Also for me the new rules that CFP D+ is making seem to be in this format.  See my screenshot.  This for me as well is since the update to 16.295.  I also tried to remove both entries for Foxit and both were put back.

John

[Philee]

Hello!

D+ doesn't remember anymore the settings for Foxit Reader.
When I try to open a PDF file D+ always tells me that Foxit wants to access the screen directly, even if I set Foxit as a trusted application.
Removing Foxit from the rules and setting them again doesn't work.
This problem doesn't occur in Clean mode and only with Foxit.

I attached a screenshot.

Regards

[LeoniAquila]

Thanks for your reply & testing.

I'm also quite sure that this is due to 16.295. I also tried to reinstall CFP (for other reasons too), which didn't change anything.

It's not that I'm concerned, it shouldn't be anything malicious. I just wonder why it happens.

I'll go ahead and submit this as a bug (unless I found a report for it).
I did that by moving my topic from the Help section.

LA

[LeoniAquila]

Hey, JJasper also has a Foxit problem. See my thread here. (though it won't help you at this moment ). Personally I have a Firefox problem.

LA

[Philee]

Thanks for the info.
I'll follow the other thread.

regards

[Philee]

I have a similar problem with Foxit as described here.
D+ doesn't remember the rules for Foxit Reader and a parts of the path are substitute with ~.
I also have another entry with ~ in the path, see screenshot.

Regards.

[gibran]

IIRC there is a chance that Firefox was run under a different username or different fakeusername security profile (system, local service, network service and alike).
Is "terminal services" service enabled?
Please backup your V3 config for reference purposes and delete all FF rules to test if after this duplicate rules are created again.
BTW is only one duplicate is created?

[gibran]

I merged these topics.
BTW I notice that foxit uses 8.3 paths. Does this happens for FF too?

Any additional security software to report (AV, antispyware...)?

[JJasper]

I'm also quite sure that this is due to 16.295.



LA

I don't think this is just a single app problem I think it has more to do with what gibran mentions - an 8.3 problem.  If I try to change the 8.3 (the~) to a full path I get the note that I already have this rule, which I do, but I also have the 8.3 rule and it is generated everytime it is removed and the app re started.

John

[Thunderbear]

I also found this little problem with 8.3.
In my case because I try to edit an .htm-file with Word(!), then Defense popped up and want to create a rule with just 8.3-phenomena. It never happend before 16.295.

I try to track it down and as a result of that I found out that when I unchecked Computer Monitor in Defense's Monitor Settings then everything went fine. Good.
And as I also found out, it has nothing to do with Terminal Services whether it's set to Automatic, Manual or Inactivated, running or not.
Of course I reboot computer between changes so everything is clean as I test it out.

So maybe this is'nt a (direct) Terminal Service problem after all? At least not in my case because my TS is inactivated by me since long ago.

[gibran]

This issue can have different causes. That's why each bugreports need any useful information the user can give.

For a complete list of bugreporing guidelines please refer to CFP BUGREPORT BOARD NOTICE

[LeoniAquila]

In addition to my first post, here's some info:

- No other security application is present
- Terminal Services is disabled.

I've deleted the Firefox rule (with the ~ signs) multiple times, but it keeps coming back. Also after reinstalling CFP 3.0.16.295 (I also cleaned the registry but I suppose that doesn't matter) the rule comes back, although the Firefox rule with a "real" path (no ~ signs) is there all the time.

LA

[Thunderbear]

[at] LeoniA

Try to test my little "Computer Monitor"-trick above. I've now test it on Firefox and Opera, also in connection with Foxit Reader and Defense don't say a word when "Computer Monitor" is unchecked (yet).
But what that trick will do with security is probably written in the stars...

[LeoniAquila]

[at] LeoniA

Try to test my little "Computer Monitor"-trick above. I've now test it on Firefox and Opera, also in connection with Foxit Reader and Defense don't say a word when "Computer Monitor" is unchecked (yet).
But what that trick will do with security is probably written in the stars...

Hm, not sure I want to disable a part of Defense+...

LA

[Tags:]