HxDen is not caught by Defense+ ... can anyone confirm?

HxDen is a tiny hex editor and can be downloaded here (portable version).

When I launch HxD.exe I expect to see the alert “explorer.exe tries to execute hxd.exe”, but there is none and HxDen launches successfully without any D+ prompt.

I run D+ v5.3 in Safe Mode, “Automatically scan unrecognized files in the cloud” option disabled, sandbox disabled, AV not installed, explorer.exe is definitely not allowed to run hxd.exe under “allow exceptions”.

Guess I found the reason – it is a whitelisted file. I’m puzzled: this file was either checked out in the cloud despite the cloud being disabled here OR this file is in the local whitelist db, but white.n does not contain any relevant entries for hxd.exe. Hence CIS has some other local whitelist besides white.n? :-\

Did you check to see if it’s in the Trusted Software Vendors List?

Nope, no need to because it’s not signed with a digital signature. Anyway, I have only Microsoft and Comodo in the TVL.

In Safe Mode CIS will automatically start all white listed programs. In older versions you would be alerted in Safe Mode for all programs. To have these alerts these days you have to set D+ to Paranoid Mode.

Problem is that all white listed programs are not recognized here because cloud look-up is turned off and local whitelist is empty (Trusted files section). EXCEPT hxden.exe which is considered “safe” somehow.
2 variants to my understanding – another local but hidden whitelist OR Defense+ performs cloud look-up secretly despite it being explicitly prohibited under D+ settings.

Did you also disable Perform cloud based behavior analysis of unrecognized files?

Sure.