Certain applications are given unlimited trusted status even in Paranoid mode

  1. What you did:
    switched Defense+ to proactive config at its defaults, then turned off sandbox, then switched Defense+ to Paranoid mode, then logged off from system, then logged on.

  2. What actually happened or you actually saw:
    alert appeared for imapi.exe (“1.png” attached), answered “allow+remember”, then alert appeared for userinit.exe (“2.png” attached), answered “allow+remember”, too;
    then I navigated to computer security policy and checked the policies for imapi.exe and userinit.exe – they were the same, as follows: “3.png” attached.

  3. What you expected to happen or see:
    Policies for imapi.exe and userinit.exe should allow only the action I allowed when answering a definite alert, because I use Paranoid mode.

  4. How you tried to fix it & what happened: irrelevant;

  5. If it's an application compatibility problem have you tried the application fixes here?: irrelevant;

  6. Details (exact version) of any application involved with download link:
    CIS v5.3. .1216;

  7. Whether you can make the problem happen again, and if so exact steps to make it happen:
    read #1 & #2 – these contain step-by-step instructions how it happens on this system;

  8. Any other information (eg your guess regarding the cause, with reasons): my guess… well, developers worked out Paranoid mode in such manner that it is kind of defective – Defense+ behaves in similar manner as in Safe mode when it processes certain apps like imapi.exe and userinit.exe.

Files appended. (Please zip unless screenshots).

  1. Screenshots illustrating the bug: attached;
  2. Screenshots of related CIS event logs and the Defense+ Active Processes List: irrelevant;
  3. A CIS config report or file: said all about config;
  4. Crash or freeze dump file: irrelevant;

Your set-up

  1. CIS version, AV database version & configuration used:
    CIS v5.3. .1216, AV not installed, Proactive, slightly modified (already mentioned how).

  2. a) Have you updated (without uninstall) from CIS 3 or 4: no
    b) if so, have you tried a clean reinstall (without losing settings - if not please do)?:n/a

  3. a) Have you imported a config from a previous version of CIS: no
    b) if so, have U tried a standard config (without losing settings - if not please do)?:n/a

  4. Have you made any other major changes to the default config? (eg ticked ‘block all unknown requests’, other egs here.):already said;

  5. Defense+, Sandbox, Firewall & AV security levels: D+=paranoid, Sandbox=not active, Firewall =safe , AV = not installed

  6. OS version, service pack, number of bits, UAC setting, & account type: Windows XP SP3 x86, admin user account;

  7. Other security and utility software installed: only Comodo firewall

  8. Virtual machine used (Please do NOT use Virtual box):n/a

[attachment deleted by admin]

Sorry, this is the default action: if the alert is set to fewer options, the application is given trusted rights.

Thanks to JoWa, I did test this: with fewer options on the alert, all settings are as for a trusted application, even though it shows custom application and you have Defense+ set at Paranoid Mode.

You have to set the alert to more options to get what you wish.

Dennis

Thanks, will try next time. What logic the developer follows is really unclear :-\

I presume the logic is if you want fewer options you want fewer alerts.

My thoughts only.

Thanks for posting. I had never seen this before, as I always opened to full options on the first alert :)

Dennis

Help really should explain that Fewer Options also means fewer alerts.
Egemen mentioned it long ago:

To my understanding the logic is/should be following:

  • if you use paranoid mode then you don’t want HIPS to do any steps automatically;

  • if I answered “allow+remember” on a specific alert, I expect only that action to be allowed and remembered by Def+, this is why I use paranoid mode;

  • “fewer options” and “more options” are there for a user to select a more convenient GUI, it should not have anything to do with HIPS operation – for this reason there are different modes of D+, including paranoid;

Sorry, your only choice is to make a Topic on the Wishlist board if you wish this to change.

Thank you

Dennis

I have a feeling that the Wishlist is mostly ignored by the developer. Hence I refrain from posting this not-so-serious issue there; just take note of it.

How about the fact that actions for other non-Microsoft executables are remembered one at a time? IIRC this is the case and that’s why I was surprised. Alerts were always configured on “few options”, and alerts were cast for some number of executables, including imapi.exe and userinit.exe.
But only imapi.exe and userinit.exe were given such privileges; other executables had only the privileges I explicitly allowed on alerts.

Moved to Resolved board as it is a default action.

Dennis