I like CIS the way it is now, with Sandbox enabled by default and HIPS disabled. But what about having the same configuration as now, but with an optional “Selective” mode for HIPS where it protects ONLY the stuff the user designates it to protect, and does that the way Paranoid mode does?
Currently, if you enable HIPS in Paranoid mode, it will be triggered on EVERYTHING and that defeats the purpose of keeping it quiet, yet protecting what matters the most to you.
For example, I might want to configure HIPS so that it shows popups only when a program other than Paint.NET tries to access my images (even just reading them!), or when a program other than winword.exe tries to access my .doc files.
I mean, yes, you can set this currently as well, but not just for this, because HIPS will also monitor EVERYTHING happening on your system and as a result, it will spawn a bunch of popups on stuff I don’t really care about. But in this “Selective” mode, it would ONLY show popups for stuff the user set to monitor and protect and nothing else.
So, if I set CIS to protect the Firefox password storage files so that only Firefox.exe is allowed to read them, I can effectively make it leak proof. HIPS won’t trigger at all for other stuff going on with my system, but if something other than Firefox.exe tries to access that very specific file, even only for reading, CIS would display a popup. Just for that and nothing else.
In a nutshell, it’s how the new Panda Cloud’s Data Shield works and I really like the idea. It could easily be used in CIS, because everything is basically already there (HIPS), you just can’t configure it in such a way.
The only way I can think of at the moment is to run HIPS in Training Mode for a very long time and then set your own rules for that stuff, but in Training Mode you don’t really have proper control over what gets added, so you could be adding risky stuff to the allowed “list”. So that’s just not an option; it has to be a controlled, selective (that’s why I picked that name) list of stuff that you allow and nothing else (that nothing else will display a HIPS popup).
I hope you people understand what I mean: give us the ability to set HIPS in a similar way as Panda is using the Data Shield function, so we can use HIPS as an extended protection for the Autosandbox, effectively giving us the ability to run it in “Partially Limited” and still be protected against ransomware cryptors and data stealers with an additional selective HIPS layer, because we can selectively define what files we want to protect and then CIS would warn if anything other than what we allowed tries to access them (but not pop up on anything else). The rest would be generally protected by the Autosandbox as it is now.
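
The decision logic this request describes, modelled as an added example (not part of the original post, and not CIS's rule format or API): each protected file pattern lists the executables allowed to touch it, any other process triggers a prompt, and everything outside the list stays silent. The policy entries, paths and the `decide` function are assumptions made for illustration; rules key on the full executable path because a bare file name does not identify a program.

```python
import fnmatch
import ntpath

# Constructed sample policy: protected file pattern -> executables allowed to access it.
# Every path here is hypothetical and only mirrors the examples in the post.
POLICY = {
    r"C:\Users\*\Pictures\*": [r"C:\Program Files\paint.net\PaintDotNet.exe"],
    r"C:\Users\*\Documents\*.doc": [r"C:\Program Files\Microsoft Office\winword.exe"],
    r"C:\Users\*\AppData\Roaming\Mozilla\Firefox\Profiles\*\logins.json":
        [r"C:\Program Files\Mozilla Firefox\firefox.exe"],
}


def norm(path):
    """Normalise a Windows path: collapse '..' segments, unify slashes, lowercase."""
    return ntpath.normcase(ntpath.normpath(path))


def decide(process_path, file_path, policy=POLICY):
    """Return 'allow', 'prompt' or 'ignore' for one file access (read or write).

    'allow'  - file is protected and the process is on its allow list
    'prompt' - file is protected and the process is not listed (show a popup)
    'ignore' - file is not protected; selective mode stays silent
    """
    target = norm(file_path)
    proc = norm(process_path)
    for pattern, allowed in policy.items():
        if fnmatch.fnmatchcase(target, norm(pattern)):
            if proc in {norm(a) for a in allowed}:
                return "allow"
            return "prompt"
    return "ignore"


if __name__ == "__main__":
    # Constructed accesses: (process, file)
    samples = [
        (r"C:\Program Files\paint.net\PaintDotNet.exe", r"C:\Users\bob\Pictures\cat.png"),
        (r"C:\Users\bob\Downloads\PaintDotNet.exe", r"c:\users\bob\pictures\cat.png"),
        (r"C:\Temp\tool.exe", r"C:\Users\bob\Downloads\..\Documents\cv.doc"),
        (r"C:\Temp\tool.exe", r"C:\Windows\Temp\x.tmp"),
    ]
    for proc, path in samples:
        print(f"{decide(proc, path):7} {proc} -> {path}")
```
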