Hi guys!
I did some test and D+ does not intercept file creation/modification in non-OS partitions…
I executed a file that had to cript all the files in the OS. Well, CIS alerted me about all the files modification, and i clicked Block, but all the files in Z:\ partition changed their extension to .gz, even if D+ alerted me about that action and i denied it…
the only way is to create a new group, with new rules, in My Protected File referred to other partitions…
In this case i had to create a rule Z:*
Proactive security config get D+ to monitor file creation for executables regardless of the partition, specific paths on the system partition regardless of the extension and some files in the root of every partition (eg. ?:\boot.ini, ?:\ntldr, etc.) accordingly to the entries listed in My protected files
Since the file created had the .gz extension nor it was created in one of the monitored path of the system partition there was no alert for it.
I think that an hips software should protect against worst malwares with default ruleset (as other softwares do, I tested MalwareDefender for example)…
I don’t believe that all D+ users have the consciousness of all most dangerous malwares and customize their rulesets based on that…
Don’t you think so?
BTW these are considerations made by a whatever user, so I don’t expect any ruleset improvement…
the attached image is the MD log.
As you can see, with default ruleset (the rules in action is the generic file rule [b]?:[/b]), it alerts me about .zip and .gz creation and modification, even in nonOS partitions.
If D+ alerted you about modification of executable files on z:\ (*.exe , *.sys , *.dll etc) or any other files which were in the list of protected files and you chose “block”, but these files were renamed despite of this, then it is a bug.
