when is it appropriate to apply this rule set?
what about for cmd.exe – is this the right rule set for it? If not, what rules to apply to vulnerable processes like this?
If you take a look at that rule-set you'll see it is the same as the "Allowed Application" rule-set, with the only difference being that Windows system applications are able to execute any executable. This means that if, for example, you choose to set cmd.exe as a Windows system application and you try to execute an unrecognized application through cmd, then you won't get a HIPS alert asking to allow the execution. Even if an unrecognized application is automatically allowed to execute without an alert, you'll still get HIPS alerts for any action that is attempted by the unknown application. So it's a matter of choice to determine when to use the Windows system application rule-set, as it just means one less alert for the execution of an unrecognized application.
thanks
so it sounds like it is better not to mark vulnerable processes as windows system applications – because it is a good warning when you see a prompt that a vulnerable process wants to execute an unknown.