Default file groups - possible security holes?

`*torrent.exe`
That would fit both “C:\Program Files\uTorrent\uTorrent.exe” and “D:\Some hidden dir with nasty viruses\derptorrent.exe”.

You sure default settings like that are OK for Internet Security software?

The idea behind it is to track the source of files downloaded with the ‘uTorrent.exe’ program. That way, apps downloaded through the mentioned program get auto-contained if unknown. The reason there’s an asterisk behind the name is that there are many variants of torrent downloaders with the ‘torrent.exe’ suffix (e.g. ‘qbittorrent.exe’).

Hope it helps.

I meant the human factor here. Masks like *\file.exe are a bad idea to use in firewall settings. And some people might do just that.

Not a problem if the user is aware. Big problem if the user isn’t and the trojan maker is.

Well… users can do pretty much anything. Considering that FW rules are based on process name, it’s equivalent in terms of risk. That’s why you shouldn’t rely on the FW only. Otherwise, malicious apps could replace your variant, for example.

I remember some firewall/antivirus countered that by remembering file hashes and asking the user if firewall should keep the old rules when that hash changes. Maybe CIS should do the same?
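To make the two points above concrete (a leading `*` in a file-group entry spans directories, and pinning a rule to the first-seen hash catches an in-place swap), here is a small added illustration in Python. It is not CIS code or anything from this thread; the paths and "executable" bytes are constructed for the demo.

```python
"""Wildcard file-group matching plus hash pinning (illustrative, not CIS code)."""
import fnmatch
import hashlib


def matches_file_group(pattern: str, path: str) -> bool:
    """Match a file-group entry such as '*torrent.exe' against a full path.

    '*' is allowed to span directory separators, which is exactly why the
    entry also matches an executable in an unrelated directory. Windows
    paths are case-insensitive, so both sides are lower-cased first.
    """
    return fnmatch.fnmatchcase(path.lower(), pattern.lower())


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


class PinnedRuleStore:
    """Rules keyed by path pattern, pinned to the hash first seen per path."""

    def __init__(self, patterns):
        self.patterns = list(patterns)
        self.pinned = {}  # full path -> sha256 of the image when the rule first applied

    def evaluate(self, path: str, image: bytes) -> str:
        """Return 'no_match', 'allow' or 'hash_changed' for an executable image."""
        if not any(matches_file_group(p, path) for p in self.patterns):
            return "no_match"
        digest = sha256_hex(image)
        first_seen = self.pinned.setdefault(path, digest)
        # A changed hash is reported, not silently re-pinned; the user decides.
        return "allow" if first_seen == digest else "hash_changed"

    def accept_new_hash(self, path: str, image: bytes) -> None:
        """Re-pin after the user confirms the replacement is legitimate."""
        self.pinned[path] = sha256_hex(image)


# Constructed sample images (path -> bytes); nothing on disk is read.
SAMPLE_IMAGES = {
    r"C:\Program Files\uTorrent\uTorrent.exe": b"MZ legit utorrent build",
    r"D:\Some hidden dir\derptorrent.exe": b"MZ unrelated program",
    r"C:\Windows\notepad.exe": b"MZ notepad",
}


def demo() -> dict:
    store = PinnedRuleStore(["*torrent.exe"])
    results = {p: store.evaluate(p, img) for p, img in SAMPLE_IMAGES.items()}
    # Simulate the legitimate binary being swapped out in place.
    results["swapped"] = store.evaluate(r"C:\Program Files\uTorrent\uTorrent.exe", b"MZ something else")
    return results
```

Run `demo()` to see that both `uTorrent.exe` and the unrelated `derptorrent.exe` match the group, while the swapped image is flagged as `hash_changed` instead of inheriting the old rule.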

Hi again,
Sorry for the late reply.

Maybe there’s no point to implement such check. I’m imagining that malicious apps could tamper with the product directly anyway.

By “product” you mean CIS itself? If it is vulnerable to such attacks, then thinking about file groups as security holes is the last thing CIS devs should be busy with.

Yes. If you take away HIPS and Auto-Sandbox, it’s pretty much packet filtering. If you add a hash check, it doesn’t mean that apps would be unable to tamper with the product directly. (And if HIPS is enabled as per the default settings, then a hash check is not needed.)
Thus, my reasoning. Do you agree?

That’s one way to look at it.