When a zero-day untrusted application (a test batch file in my case) is executed for the first time:
1) A “Containment - Application Contained” alert pops up, stating that the application has been run virtually.
2) The application is added to BLOCKED APPLICATIONS.
3) The application is added to UNRECOGNIZED FILES.
Now, when:
4) The application is removed (not unblocked) from BLOCKED APPLICATIONS.
5) The application is removed from UNRECOGNIZED FILES.
6) The application is executed again.
7) The “Containment - Application Contained” alert pops up again, stating that the application has been run virtually.
8) In the “Containment - Application Contained” alert, “Don’t Isolate It Again” is selected:
- The application is added to BLOCKED APPLICATIONS.
- The application is now NOT added to UNRECOGNIZED FILES.
- The untrusted application has become rated Trusted.
Now, successive executions of this untrusted application will no longer be intercepted by auto-containment, and not by HIPS either, because of the auto-created auto-containment application rule and the auto-created HIPS custom application rule.
As such, HIPS won’t show any alerts for this untrusted application anymore.
I would not expect that an untrusted application all of a sudden becomes rated trusted after selecting “Don’t Isolate It Again” per step 8.
I mean after selecting this “Don’t Isolate It Again” option the application should still be rated untrusted so that HIPS would still show Alerts for this untrusted application.
When a user accidentally selects “Don’t Isolate It Again” on malware, what happens next, given that HIPS doesn’t inform you anymore?
Is this correct behavior of this “Don’t Isolate It Again” option?