I often wanted to have stricter control over a few trusted programs.
Here is the issue:
One example:
I want to be alerted when my web browser starts a program (any program), so I made a custom rule in computer security policy for my web browser with “Run an executable” set to “Ask”. But this did not trigger.
Explanation:
My web browser was detected by CIS as a “Trusted File”; it is in the Trusted Files list.
Trusted Files take precedence over allow and ask settings of computer security policy. Only deny settings will be effective. Strange decision by the devs but that’s how it is.
Note that the Sandbox must be off for this to work.
Solutions/Workarounds:
- If I am using D+ in Paranoid Mode then it will alert me, because it ignores all trusted files. This would give a whole lot of new alerts I don’t really want.
- Disable Online Lookup for files and add programs to trusted files manually except for the programs I want more control over. Much work, and defeats the purpose of the cloud scanner.
Suggestion:
Add a new section in addition to Unrecognized Files and Trusted Files.
This section could be called Monitored Files.
Files in this section would be treated like Unrecognized Files but no further attempts to look them up online or classify them (except by malware and virus scanning modules) will be made.
For these files only the rules in computer security policy will be applied.
It’s like a Paranoid Lite Mode where only some files are treated paranoid.
What do you think?
The wish for higher priority of computer security policy rules has been there since v4 but apparently is not going to happen; maybe this is a better solution.