The help manual says (translated from the localized version):
“CIS calculates the hash sum of a file during its attempt to load itself into memory. If the hash sum matches the hash sum of a safe file, then the file is considered safe. If a match is not found, the file is considered unrecognized and an alert is triggered.”
“The recommended setting is *.exe. That means every file with the *.exe extension will be analyzed by Defense+ before its execution. If D+ doesn’t recognize some exe file, an alert will be triggered asking the user to allow or block this exe file.”
For exe files it works as expected (D+ is in Safe mode, “Normal” Image execution control, Files to check: *.exe):
If I launch some exe from Windows Explorer, I get an alert if the file is not safe:
“explorer.exe tries to execute unrecognized.exe”.
But for bat files this feature seems to be broken (D+ is in Safe mode, “Normal” Image execution control, Files to check: *.exe, *.bat):
If I launch some bat file created by me (with some random commands… and it is definitely not in the whitelist, for obvious reasons), I observe autolearning activity of D+:
“explorer.exe executes cmd.exe”.
Why? What about the alert “explorer.exe tries to execute my.bat”?