Defense+ doesn't detect a software installer running in my pc

Hi, Defense+ doesn’t detect this software installer running in my pc: http://lab.stefanoperna.it/projects/imagetools/

  • my system: XP SP3 (32-bit) updated, running CIS 3.13.120417.573 and also GesWall. Defense+ is set to Paranoid Mode, Image Execution Control to Aggressive. Before posting here I uninstalled CIS, cleaned the system and the registry with two cleaners and then the registry manually, then I reinstalled CIS. But it detects every other exe, application and service that starts running on my system except ImageToolSetup. I can’t understand why, and what is happening…

p.s.: just to be …paranoid, I scanned my system with GMER and Rootkit Repeal, but all seems to be clean and safe.

That is not an executable. It’s a Microsoft Installer. This is not listed in Image Execution Control, so CIS doesn’t warn about it.
If you want this to be added, you can do this on the other tab where you changed Image Execution Control to aggressive.

Ciao bluevik :slight_smile:

I have not tried, but maybe you must add this extension (I attach screenshot).

P.S. @adioz86

Sorry.

[attachment deleted by admin]

Thanks, :wink: But I forgot to tell that in the Image Execution Control I had already added "all applications" (and "all executables") to the default settings: I thought that it was enough, and all I needed… what is missing to stop the installers?

Second: anyway, shouldn't Defense alert about every new activity or application running in the system?

Hi Sirio, thanks… :slight_smile: but I have the question again: anyway, shouldn't Defense alert about every new activity or application running in the system? Or are you saying that msi is anyway an allowed process in Defense and that ImageTools is "only" an msi installer?

No, if it is not contemplated; in Image Execution Control, as you can see, *.msi is not there by default.

I think because it is safe but I am not sure…

Problem not solved :cry: :

  • Defense+ sees all the other msi installer files that I try to run, but not ImageToolSetup.
  • adding the msi extension in Image Execution Control changes nothing: D+ sees every possible file, including other msi installer files, but NOT ImageToolSetup.

???

It's detected. I have XP SP2, paranoid mode, all custom rules and image execution only for exe and dll with normal mode. Digitally signed applications NOT trusted.

By default CFP allows explorer.exe to execute anything. Also msi files are allowed to execute by default.

[attachment deleted by admin]

It’s true :slight_smile:

For this reason (I attach a screenshot) :wink:

[attachment deleted by admin]

Thanks, msiexec.exe is now in Custom Policy and the sw is detected.

Glad to know that CIS is powerful and sure. :slight_smile:

You may now get more pop-ups when running Windows Update if it uses msi.

Ya, I already observed it, but it’s not a problem :slight_smile: Defense+ does the HIPS work, that is, to check everything in the system. My priority was to be sure that my issue with ImageToolSetup was not a bug. ;D

OT: many people in the security forums complain about the HIPS’s pop-ups, which they find boring. But this means that the HIPS is assuring the system security until the user creates a rule, so all right!