Can this be done in CFPv3?

Hello,

I came up with this trivial idea of how I can “lock down” some PC with the help of Defense+. Assuming that all the applications already installed are safe (not infected, not malware, etc), I can now allow only those executables that reside in C:\Windows\ and C:\Program Files\ to be executed:

  • Create a “Safe Zone” file group in My Protected Files - Groups…, add two entries to it: “C:\Windows*” and “C:\Program Files*”

  • In Computer Security Policy - Executables - Use a Custom Policy - Access Rights - set “Run an executable” to Block by default then Modify… and add the “Safe Zone” group to Allowed Applications.

To keep the “Safe Zone” safe, I can add the “Safe Zone” group to My Protected Files and set the Executables’ default action for Protected Files/Folders to Block.

After I put the password protection on and disable the Defense+ alerts, only those executables that were already in the “Safe Zone” can be executed, and no new executable (or any other files/folders) can be brought into the “Safe Zone”. Now the user won’t ■■■■■ the system by installing non-safe stuff from the internet or his flash-drive (he may be able to install it somewhere else, but won’t be able to run it from there). Looks good.

But then… what about temporary files? Many applications use %temp% (or C:\Windows\Temp directly) to store some temporary files, so they need access rights to that folder (and now they don’t have those rights, since C:\Windows\Temp is in the “Safe Zone”, which is in Protected Files). No problem, I can override the Executables’ default action for Protected Files/Folders by specifying C:\Windows\Temp in the Allowed Files\Folders list. Which makes the folder writeable again. Which allows anything to create any files there, including executable files, including malware-infected executable files that came from the internet, which can then be easily executed, since C:\Windows\Temp is still in the “Safe Zone”. And that breaks the whole concept.

I can’t make that work because I can’t create a “Safe Zone” that would include files in C:\Windows and C:\Program Files, but would exclude files in C:\Windows\Temp. At least, I don’t see any way to do that. I’ve tried putting “C:\Windows\Temp” in the Blocked Applications list of Executables - Access Rights - Run an executable policy. But having “C:\Windows” in the Allowed Applications list there seems to have a higher priority.

It would be so much easier if I could just create a file group like this:

C:\Program Files*
C:\Windows*
NOT C:\Windows\Temp*

… and then use it in my “Run an executable” and “Protected Files/Folders” policies.

Does anyone have an idea how that can be done (or emulated any other way) in CFPv3?
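To make the precedence problem in the post concrete, here is a small model of the wanted rule set (allow C:\Windows and C:\Program Files, block C:\Windows\Temp) evaluated two ways. This is an added, constructed example, not code from the original post and not Comodo’s engine: how CFPv3 actually orders Allowed against Blocked is not documented on the page, so the two strategies below are assumptions used only to show why an “allow wins” ordering swallows the Temp exclusion while a longest-prefix ordering honours it.

```python
"""Path allow-list with an exclusion, modelled as prefix rules.

Constructed model for illustration; the evaluation strategies are
assumptions, not a description of how Comodo Defense+ resolves rules.
"""
from typing import List, Tuple

Rule = Tuple[str, str]  # (path prefix, "allow" | "block")

# The "Safe Zone" the post describes, plus the wanted Temp exclusion.
# Trailing backslashes keep "C:\Windows\" from also matching "C:\WindowsX".
SAFE_ZONE_RULES: List[Rule] = [
    ("C:\\Windows\\", "allow"),
    ("C:\\Program Files\\", "allow"),
    ("C:\\Windows\\Temp\\", "block"),
]


def normalize(path: str) -> str:
    """Windows paths are case-insensitive and accept '/' as a separator."""
    return path.replace("/", "\\").lower()


def matches(prefix: str, path: str) -> bool:
    return normalize(path).startswith(normalize(prefix))


def decide_allow_wins(rules: List[Rule], path: str, default: str = "block") -> str:
    """Model A: any matching allow rule wins (the behaviour the post observed).
    Because C:\\Windows\\ is allowed, C:\\Windows\\Temp\\* is allowed too."""
    hits = [action for prefix, action in rules if matches(prefix, path)]
    if "allow" in hits:
        return "allow"
    return "block" if "block" in hits else default


def decide_longest_prefix(rules: List[Rule], path: str, default: str = "block") -> str:
    """Model B: the most specific (longest) matching prefix decides, so a
    block rule on a subfolder overrides an allow rule on its parent."""
    hits = [(prefix, action) for prefix, action in rules if matches(prefix, path)]
    if not hits:
        return default
    return max(hits, key=lambda hit: len(hit[0]))[1]
```

Even under the longest-prefix model, any folder that is both user-writable and inside an allowed prefix reopens the gap the post describes; the model only settles rule precedence, not the write/execute separation.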

There are already a number of protected file sets including parts of C:\windows. Have a look at Defense+>Common Tasks>My Protected Files. I am not sure that it is necessary to protect other folders and it may cause problems if there are .log or .tmp files that get written there.