CIS should distinguish between actual file change and file being merely opened in modify/write state
CIS does not distinguish between actual file change and file being merely opened in modify/write state.
CIS should look deeper into a file (not just the “modify date”) to see whether the file has changed or not.
There are files that are opened in modify/write state, and this leads to modify date change even when the file is not actually changed at all.
An example of such a file is a Firefox add-on/extension called FlashGot.exe.
Please see the full pathnames below (user names and profile names are obfuscated):
G:\Documents and Settings\User_Name1\Application Data\Mozilla\Firefox\Profiles\ixbwyok1.default\FlashGot.exe
G:\Documents and Settings\User_Name2\Application Data\Mozilla\Firefox\Profiles\5u1hnnok.default\FlashGot.exe
G:\Documents and Settings\User_Name3\Application Data\Mozilla\Firefox\Profiles\tl32tfm1.default\FlashGot.exe
More info about this FF extension/add-on can be found at https://addons.mozilla.org/en-US/firefox/addon/220
It is a very popular FF extension, with 62,136,343 total downloads (by Monday, April 20, 2009), so I would expect other users to have the same combination of SW (CIS, Firefox with FlashGot extension).
The Option of having this type of specific file(s) stay in My Own Safe Files (even after nominal “modification” of file) would of course have to be implemented automatically for this type of file(s) only.
Please note that the file is not actually altered, it would appear it is merely opened in modify state. The MD-5 and SHA-1 hashes for the file are constantly the same. The file is also actually modified sometimes of course, but that happens seldom and only then should the file be moved to Pending Files.
CIS could look deeper into the file(s), so that it would distinguish between real modification and the files merely being opened in modification mode?
As CIS functions now, it leaves the unnecessary and redundant research of the nominal “modification” to the weakest link, the user.
Even with programs calculating MD-5 and SHA-1 hashes, it takes time for the user to review whether the file has actually changed or not. In addition, the user would have to take notes of the file size or at least the hash values. Memorising the hash values would, in my opinion, be a lot better suited to a security application, such as CIS, than to a human being (the user).
Implemented automatically by CIS, it would in my opinion increase security, since the user would only be alerted to review the file when the file has actually changed.
That would best be implemented as an automatic calculation whether the file has changed or not by CIS using, e.g. MD-5 or SHA-1 algorithms.
Peter
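
The check requested above, sketched as an added example (not part of the original post and not Comodo's code): hash the file only when its timestamp or size moves, and flag it only when the bytes differ. It uses SHA-256 in place of the MD5 or SHA-1 named in the post; the function names and the stand-in file contents are assumptions.

```python
import hashlib
import os
import tempfile

def sha256_of(path, chunk=1 << 16):
    """Hash the contents in chunks so large files are never read in one go."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()

def record(path):
    """Baseline entry: cheap metadata plus the content digest."""
    st = os.stat(path)
    return {"mtime_ns": st.st_mtime_ns, "size": st.st_size,
            "digest": sha256_of(path)}

def classify(path, entry):
    """Return 'unchanged', 'touched' (metadata only) or 'modified' (content)."""
    st = os.stat(path)
    if st.st_mtime_ns == entry["mtime_ns"] and st.st_size == entry["size"]:
        return "unchanged"              # cheap path: nothing to hash
    if st.st_size == entry["size"] and sha256_of(path) == entry["digest"]:
        # Same bytes, new timestamp: refresh the baseline, keep the file trusted.
        entry["mtime_ns"] = st.st_mtime_ns
        return "touched"
    return "modified"                   # real change: send for review

def demo():
    """Constructed sample: a stand-in file, not the real FlashGot.exe."""
    with tempfile.TemporaryDirectory() as d:
        path = os.path.join(d, "FlashGot.exe")
        with open(path, "wb") as f:
            f.write(b"MZ constructed sample bytes")
        entry = record(path)
        results = [classify(path, entry)]
        # Simulate "opened for write but not changed": only the timestamp moves.
        later = entry["mtime_ns"] + 60 * 10**9
        os.utime(path, ns=(later, later))
        results.append(classify(path, entry))
        results.append(classify(path, entry))    # baseline was refreshed
        with open(path, "wb") as f:
            f.write(b"MZ constructed sample bytez")  # same size, new content
        results.append(classify(path, entry))
        return results

if __name__ == "__main__":
    print(demo())
```

The timestamp-first shortcut keeps the check cheap, at the cost of missing a content change that leaves both size and modify date untouched; hashing on every check closes that gap.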