Hash File Limit in Trusted File

Hi everyone,

I would like to ask if there is a Hash File Limit in the Trusted Files because when a chm file is greater that 20mb even though it was listed in the Trusted Files it won’t recognized however chm files goes below this limit is recognized. So, It means that whenever I run the chm greater than 20mb, I will always have an alert asking for unlimited access although it is in the trusted file list.

The workaround was either to disable the sandbox or add installer/updater policy.

Screenshot Attached.

note: I tested 2 chm files that are greater that 20mb, cause I have only 2 files greater than 20mb and a lot of chm file less than 20mb. I havn’t tested application file greater than 20mb, cause I don’t have.

[attachment deleted by admin]


Is e:\ a usb device? or a ‘real’ harddrive?
CIS handles ‘usb/mapped’ drives different then ‘local’ disks, that might cause some strange behavior…

A Partitioned Hard Drive. One thing I find out is that when I run this file, It will always add to Unrecognized Files list no matter how many times I remove it after running and to know that it is in the Trusted Files List
It might be that there is no Hash Match in the Trusted Files List that result to unrecognized file.

I guess the problem goes to Autosandbox Policy cause when CSP Policy installer/updater is applied then it takes the precedence that result to no alerts of this file as well as disabling the sandbox.

So if I understand correctly, if you run this sandboxed multiple times you have multiple entries of it on the trusted files list? This might be caused by the .chm construction as it’s more of a container that ‘zips’ the help files together. Maybe dev’s gave it special treatment as it has been abused in the past to infect systems.

As it’s requesting ‘unlimited access’ adding it to CSP installer/updater is the only solution atm.

If you checked the “Always trust this file or packaged”, it will only create one entry in the trusted files and if you don’t it will only create one entry list in the Unrecognized Files. No matter how many times you’ve done this it will only create one entry in both Trusted and Unrecognized File list.

If I’m not mistaken this will only happen when chm file is greater than 20mb.