HIPS is supposed to control what executes but not in CPF3

Every HIPS program that I’ve used before - ProcessGuard, System Safety Monitor, AntiHook, and AppDefend - lets me control whether or not a program is allowed to load (i.e., execute). As such, I can control whether even known good applications are allowed to run. For example, for AntiVir, I would block avnotify.exe from loading to get rid of Avira’s nag window. I would block wgatray.exe from loading on Windows startup since the only time that I ever want to authenticate to Microsoft is when I get a choice to do so when downloading something from them, not whenever they feel like it when I boot Windows.

I cannot stop avnotify.exe from loading. I cannot stop wgatray.exe from loading. That is, I can’t stop any program from loading when using CFP3. The programs still load. Yeah, I can change its access rights but that doesn’t stop it from loading. This is ridiculous. The point of an HIPS is to regulate what can load into memory (and, in addition, control what it can do once loaded).

If I know a file does “bad” things on my computer (but there are reasons to leave it there, like for avnotify.exe), CFP3’s HIPS will still let it run. There is no option in the Defense+ config to block a program’s file from getting loaded. All I can do is define that program’s access rights but obviously there can only be access rights AFTER a process has started. CFP3 is worthless for regulating what can run on my computer. With CFP3, everything is allowed to load.

1. Block (%windir%\system32\winlogon.exe) execute (C:\windows\system32\WgaTray.exe)

2. Block (…) execute (avnotify.exe)

All Applications → Edit → Access Rights → Run an executable → Modify →

Blocked Applications → add WgaTray.exe & avnotify.exe

Uffda. So I cannot do anything for policy on the file that is already displayed in the list, like just right-clicking on it and choosing Block, and instead I have to delete that app-specific policy and then go back to some global “All applications” node to manually add the file under there as a blocked program under an access option.

Also, once you block a program, you again have to wade through all this navigation to see them. If something fails to work later, sometimes it is the result of a block on an application’s file and not showing me those blocks (without having to drill down to find them) means it is likely that I will forget that I enabled those blocks.

That is supposed to be intuitive? Or easy? Well, at least, it is there.

Guess I’ll have to do lots more reading and lots more trial and [lots of] error before figuring out how HIPS works in CFP3. It bucks against the methods commonly provided in other HIPS products. I didn’t even have to read the help to figure out ProcessGuard, System Safety Monitor, AntiHook, and AppDefend.

Please keep analysing and telling us how you would like to see it improved…
we are, have been and will always be open and guided by our users.

you can make your suggestions in the wish list and you can even (would be great if you did actually) give us screenshots of how you would like to see things modified.

thanks
Melih

or add them to My Quarantine Files…total lockdown…