D+ Rules with groups not working for me in 5.3.174622.1216

Hello everyone - I used CIS 4, stopped using it for a while then when 5.3 came out I decided to try it out again.

Unfortunately I’m having trouble using file groups with D+ rules. They worked fine for me with CIS 4, but not now. D+ flags them as unrecognized even though I have configured them as trusted as shown below in a D+ rule.

I want to make cygwin executables trusted.

D+ is in safe mode.

This is with Windows7 64bit.

I’d appreciate any advise. Thx!

[attachment deleted by admin]

Did you import a v4 configuration?

Move the application rule for Cygwin to a place somewhere above the All Applications rule. When the rule for Cygwin, or any other application, is underneath the All Application rule it will follow the default rule set by the All Applications rule. As a consequence even though Cygwin is set to be trusted CIS will not follow that; it will give Cygwin the default rule.

Thanks for your help.

This is a fresh install, not an upgrade.

I’ve moved the rule to the top, but D+ still says the files are unrecognized, then isolates them.

[attachment deleted by admin]

Please try the workarounds as described in App. is not working correctly, but does not seem to be s/boxed. What to do? [v5] and see if that brings a solution.

Thanks for your suggestion.

First I made sure they were not sandboxed. I moved them to trusted, added all cygwin programs to the Trusted Files list, then rebooted.

I started a cygwin cli and it ran fine. Then I removed the long list of items from the Trusted Files lists to confirm that the D+ ruleset would function properly. Then things got weird. The only thing D+ flagged was cygwin.bat, everything else worked fine. But running a second session after that, a long list of cygwin executables got sandboxed and became flagged as unrecognized.

BTW, it appears that the problem i’m seeing is not related to the group feature at all. A simple"Treat as Trusted" rule for a single executable also fails to work. For example, if I create a “treat as trusted” rule for /usr/bin/chmod.exe, that does not work either.

If I change the D+ rule to Treat as installer/updater, then D+ does automatically add the individual commands to the Trusted Files list and they work fine with that level of access.

I would really like to see “Treat as Trusted” work to avoid having a long list of programs appear in the “Trusted Files” list.

Are you running the cygwin related executables from a removable or network drive? Then CIS will forget the rules you made after a reboot. That is done because those type of devices are not continuously monitored and therefor unsafe.

No, cygwin installed in c:\cygwin.

I would be interested in knowing if anyone can successfully get “Treat as Trusted” to work in a D+ rule.

What happens when you add the complete cygwin folder to Trusted Files? What happens when you give Cygwin the Windows System Application policy?

Thanks for following up.

If I add everything under c:\cygwin to “Trusted Files” then I have a huge list of files under “Trusted Files” and everything works.

If I make a D+ rule for cygwin with “Windows System Application” then programs get sandboxed and flagged as untrusted.

If I make a D+ rule for cygwin with “Installer or Updater” then programs get added to “Trusted Files” and everything works.


Just thinking out loud here.

If one program in a tree of programs gets sandboxed then all its sibling will get sandboxed as well. I see that cygwin.bat got sandboxed in one of your scenarios. If that gets sandboxed all other executables it will start will get sandboxed as well.

The problem with cygwin seems like it is the same as people have who test programs being ran from a compiler. The only workaround I know is to use the Installation or Updater policy.

Yep. I find it slightly alarming that D+ rules don’t do what I think they should do. Even if I make a custom policy, executables get sandboxed, marked as unrecognized, and fail to work.

[attachment deleted by admin]

May this topic is of help because of similarities: How to use Visual Studio debugger with CIS [v5].

Thanks for your help. I think we can close out this thread.

Now that I better understand how sandboxing works in CIS I am okay. It is confusing to have D+ policies that are called “Trusted” that have nothing to do with how the new trust system behaves with sandboxing enabled.

When sandboxing is enabled it seems that D+ rule base permissions don’t apply, with exception for the “installer or updater” setting. With sandboxing enabled, executables must either fall in the trusted list ( can do almost anything category ) or unrecognized/sandboxed list. Corrections to this observation are most welcome.

D+ has a nice feature to “always sandbox” something. I can imagine a use case for “never sandbox” and “never trust” so that D+ rules can be used if desired without completely turning off the sandbox, but those options might over-complicate things.

CIS 5 looks very nice.

It would be awesome if there were a way to add file groups to the Trusted Files list.

Kind Regards.