Block Intrusions?

Hello,

Sometimes I become so frustrated with trying to understand this “sandbox” thing that I just permanently disable it. For example… The “Block Intrusions” section of my GUI states that I have between 7 – 10+ notifications for two or three files that are constantly being used by myself (and known to be safe). But there is no way that I have found to “trust” them. How may I ask do I perform this to make them trusted?

Roger

Add them to the trusted files list? Alternatively, if that doesn’t work then add them to the exclusion list for Sandboxing? (I’m not sure I understand the question, I might be missing something)

Last part of the last sentence. “How may I ask do I perform this to make them trusted?”

i.e. How do I make the inquiries in the “blocked intrusions” notification box trusted?

Roger

I’m not sure I understand what you mean.

Do you want to:

  • Trust an application?
    Trust a file/Exclude a file from BB in CIS - YouTube
  • Trust a certain action for all applications or certain applications that are sandboxed?
    I don’t think this is possible.
  • Make a certain action blocked however not logged?
    I don’t think this is possible, however you can use the filter to temporarily exclude such actions from showing in the logs.
  • Other?
    Explain and perhaps screenshots?

Edit: If you want to trust something directly from the logs window, I don’t think that is possible.

Thank You for your assistance. But I do believe it is somewhat ludicrous, being that you can “edit and/or trust” files that are placed into the “unrecognized files” box, but you are unable to edit and/or modify the file notifications that are in the block intrusions notifications box.

What is the use of even having this sandbox thing if you cannot even fix the files that are not supposed to be blocked?

Roger

What does “Don’t isolate it again…” distinctly mean?

I ask because, every time I try to run my “Diskmax” it continually pops up that message when running it, and even though I click on the option; “Don’t isolate it again”, it once again pops up that message saying that it was blocked.

Roger

I’m not entirely sure what that button does technically however it is supposed to stop the application from being sandboxed again BUT I’ve seen several people say that files are still being sandboxed even after clicking the button, in which case adding them to the Exclusion list manually often solves their problems.

Thank You for your reply.

Now, I just need to try to figure out how to exclude it.

Rog

I go through that in the video link in Reply #3

Clicking “Don’t isolate it again” tells the behavior blocker/auto sandbox that you trust that software and it should be added to the trusted files list. However, some programs modify themselves internally, which changes their hash value, which will no longer match the hash added to trusted files, causing the next instance of the program to be sandboxed again.

You can:

If using HIPS, create a rule for the program, and BB/SB should defer to the rule.

If using BB, enable behavior blocking exclusions and add the program to the exclusion list.

The second option is probably the easiest.
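The hash mismatch described in the reply above can be reproduced with a small model. This is an added example, not part of the thread and not Comodo's code; the class, the function names, and the use of SHA-256 are assumptions (the thread does not say which hash CIS uses), and the file is a constructed stand-in.

```python
import hashlib
import os
import tempfile


def sha256_file(path):
    """Hash the file's current on-disk contents."""
    with open(path, "rb") as fh:
        return hashlib.sha256(fh.read()).hexdigest()


class TrustPolicy:
    """Toy model: a hash-keyed trusted list plus a path-keyed exclusion list."""
    def __init__(self):
        self.trusted_hashes = set()
        self.excluded_paths = set()

    def trust_file(self, path):
        # Records the contents as they are right now, not the file name.
        self.trusted_hashes.add(sha256_file(path))

    def exclude_path(self, path):
        # Matches by location only: whatever sits at this path is let through,
        # so the folder should not be writable by untrusted users or programs.
        self.excluded_paths.add(os.path.realpath(path))

    def decide(self, path):
        if os.path.realpath(path) in self.excluded_paths:
            return "excluded-path"
        if sha256_file(path) in self.trusted_hashes:
            return "trusted-hash"
        return "sandboxed"


def demo():
    policy = TrustPolicy()
    with tempfile.TemporaryDirectory() as folder:
        exe = os.path.join(folder, "tool.bin")  # constructed stand-in file
        with open(exe, "wb") as fh:
            fh.write(b"constructed program image, build 1")
        policy.trust_file(exe)           # "Don't isolate it again"
        first = policy.decide(exe)       # contents unchanged, hash matches
        with open(exe, "ab") as fh:      # the program rewrites part of itself
            fh.write(b" + self-update")
        second = policy.decide(exe)      # same path, new hash, no match
        policy.exclude_path(exe)         # manual exclusion by path
        third = policy.decide(exe)
    return first, second, third
```

The trade-off is that a path exclusion keeps working after the file changes precisely because it no longer checks the contents.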

I apologize for my lack of response. But after further inspection of this incident, I have included as well that this file is just a file that occurs for only a brief second for the program (Diskmax) to function properly. And it does seem as “aim4it” suggested, it does more than likely update itself quite frequently to avoid being “trusted” altogether.

Thank You for all of your interactions. 🙂

Roger