I have rules in Computer Security Policy to allow explorer.exe to start, e.g., virtualbox. So I can click the icon on the desktop and everything runs fine.
When I now delete these entries and click on the icon again I would have expected to get asked again. But that just doesn’t happen. Instead the entries are included again automagically.
Could someone shed some light on this?
Did you use the Apply button when exiting Computer Security Policy?
Yes, I do.
Defense+ is running in safe mode.
It seems that the following happens:
rundll32.exe is a safe application.
This starts the explorer.exe, which starts the virtualbox.exe by itself.
Safe mode says that the action of every safe application is learnt, thereby accepting the other applications.
Am I right? Should it work like that?
In safe mode you will always get a pop-up when one program executes another program. Allowing and setting to remember is usually remembered, so I can start PowerArchiver from the Opera browser without having to consent each time.
Maybe rundll32.exe is an exception. Try letting other programs start other applications and flag to remember the permissions. Does the same thing happen?
If I, e.g., allow texniccenter to be started out of totalcommander, everything works as expected.
After deleting this particular entry I get asked again.
The difference with rundll32.exe is that it allows starting all programs out of the Windows folder. It therefore allows explorer.exe.
What I don’t understand is that, even though there is no execution of virtualbox allowed by means of explorer.exe, no question occurs. virtualbox just starts and the entry allowing virtualbox to start is part of the policy again.
It seems that you’ve been running CIS for a while and the main rules are already created, so why don’t you try running in Paranoid Mode? This way you will have pop-ups for every action (with all “Defense+ Settings”/“Monitor Settings” ticked) and no rule will be created or re-created (?) without your permission and your knowledge.
And, as a second choice, only if you are running one of the Betas, try it with no TC at all (if you want “static” rules - this is still a Beta!).
In paranoid mode it works as I would expect. It obviously just works like that in safe mode.
I just wanted to understand.
Thanks for your time,