Change in an executable not noticed

I’m testing CFP v3.0.14.276 on WinXP Pro SP2.

If I have an executable (e.g., c:\test\TestApp.exe), and Explorer it is allowed to run it, all is well. However, if TestApp.exe is changed (hex edit, new version, replace with another program, etc.), there is no alert that TestApp.exe has changed.

I thought a fingerprint was taken of executables and compared to the version previously allowed.

I hope I’m just missing something :slight_smile:


I don’t think you are missing something.
There have been similar discussions posted.
Can’t put my hands on them right now.
I believe that something is amiss.


in the same direction: I recently replaced a program config file (so not an exe) by a new one. The old one was in my protected files, and I had alerts from def+ when modifying it, but no alert at all when replacing it with a totally different file. The new file became automatically protected, as if nothing had changed, against modifications, and again, not against replacement.
I know that Def+ protected files section is not supposed to protect against deletion of files, but when a file is replaced, and just because the new one has got the same name and extension, it keeps the protection of the old one (only against modif) is a bit difficult to accept. A trojan could do that.
It becomes more and more obvious that Def+ does not compare file fingerprints, which deprecates its HIPS functionalities.
here is a thread where the topic has been already related:;msg121761#msg121761


It may be than the executable you used to modify your protected config file and the executable you used to replace it with a new one (which is probably explorer.exe) have different access rights to Protected Files. Check the application rules in Computer Security Policy to see that.

you’re absolutely right. I just cheched it. “notepad” that I used to modify the file has got “ask” for modifying protected files/folders, and explorer used to replace it has its setting on “allowed”. I didn’t think about that thanks for the tip. Funny that now that I’ve changed it for explorer, many files (not all) that are not in the protected section of CFP lead to alerts when I try to replace them. I think that was the default behavior in former versions of CFP, and they just changed the default for explorer access rights to “allowed” to avoid too many alerts from DEF+.

Thank you for resolving this seeming incongruity.


This makes sense now, but I still think that a program being executed (or DLL, SCR, etc.) should be checked to see if it was modified before allowing it to run.