I don't want RTFs sandboxed when opening them

It seems that clicking the appropriate “remember” doesn't stick after changing the file (saving). Can't the whole action of opening documents via Notepad be whitelisted somehow? I don't think there is possibly any risk in opening simple RTF files & it's ridiculous to have that warning all the time. >:(

Any tips?

If you would be kind enough to make an issue report using the standard format, and filling in all relevant fields, I’ll consider forwarding to bugs/issues. The format is here. Active process list, alert and log screenshots will help.

Thanks in anticipation for your help

Mouse

Does Notepad by any chance get sandboxed? See if it is in Unrecognized Files.

Notepad is not the default editor for RTF: if Word is not installed, WordPad is.

In order to open RTF with Notepad, you have to use “Open with” and remember the action (“always”) if you don’t want to be asked each time.

The question arises of what your RTF files were written with (WordPad, Word or Notepad “save as”), as these lead to different results.

E.g., if I write something with Notepad, the default font is Lucida Console.
If I save the same as RTF, opening it with WordPad or Word reads the same text in Courier New: there has been some kind of “coding translation”, maybe responsible for the observed behavior.

Worse, if I write the RTF with Word (doc) and later save it as RTF, my insane text (“ggggg”) really becomes insane when opened with Notepad:

{\rtf1\ansi\ansicpg1252\uc1 \deff0\deflang1036\deflangfe1036{\fonttbl{\f0\froman\fcharset0\fprq2{\*\panose 02020603050405020304}Times New Roman;}{\f28\froman\fcharset238\fprq2 Times New Roman CE;}{\f29\froman\fcharset204\fprq2 Times New Roman Cyr;} {\f31\froman\fcharset161\fprq2 Times New Roman Greek;}{\f32\froman\fcharset162\fprq2 Times New Roman Tur;}{\f33\froman\fcharset177\fprq2 Times New Roman (Hebrew);}{\f34\froman\fcharset178\fprq2 Times New Roman (Arabic);} {\f35\froman\fcharset186\fprq2 Times New Roman Baltic;}}{\colortbl;\red0\green0\blue0;\red0\green0\blue255;\red0\green255\blue255;\red0\green255\blue0;\red255\green0\blue255;\red255\green0\blue0;\red255\green255\blue0;\red255\green255\blue255; \red0\green0\blue128;\red0\green128\blue128;\red0\green128\blue0;\red128\green0\blue128;\red128\green0\blue0;\red128\green128\blue0;\red128\green128\blue128;\red192\green192\blue192;}{\stylesheet{ \ql \li0\ri0\widctlpar\aspalpha\aspnum\faauto\adjustright\rin0\lin0\itap0 \fs24\lang1036\langfe1036\cgrid\langnp1036\langfenp1036 \snext0 Normal;}{\*\cs10 \additive Default Paragraph Font;}}{\info{\title ggggggggggggggggggggggg}{\author marc willard} {\operator marc willard}{\creatim\yr2010\mo9\dy19\hr8\min53}{\revtim\yr2010\mo9\dy19\hr8\min53}{\version2}{\edmins0}{\nofpages1}{\nofwords0}{\nofchars0}{\nofcharsws0}{\vern8249}}\paperw11906\paperh16838\margl567\margr567\margt567\margb851 \deftab708\widowctrl\ftnbj\aenddoc\hyphhotz425\noxlattoyen\expshrtn\noultrlspc\dntblnsbdb\nospaceforul\formshade\horzdoc\dgmargin\dghspace180\dgvspace180\dghorigin567\dgvorigin567\dghshow1\dgvshow1 \jexpand\viewkind1\viewscale117\viewzk2\pgbrdrhead\pgbrdrfoot\splytwnine\ftnlytwnine\htmautsp\nolnhtadjtbl\useltbaln\alntblind\lytcalctblwd\lyttblrtgr\lnbrkrule \fet0\sectd \psz9\linex0\headery0\footery0\colsx708\endnhere\sectlinegrid360\sectdefaultcl {\*\pnseclvl1\pnucrm\pnstart1\pnindent720\pnhang{\pntxta .}}{\*\pnseclvl2\pnucltr\pnstart1\pnindent720\pnhang{\pntxta 
.}}{\*\pnseclvl3\pndec\pnstart1\pnindent720\pnhang{\pntxta .}}{\*\pnseclvl4\pnlcltr\pnstart1\pnindent720\pnhang{\pntxta )}}{\*\pnseclvl5 \pndec\pnstart1\pnindent720\pnhang{\pntxtb (}{\pntxta )}}{\*\pnseclvl6\pnlcltr\pnstart1\pnindent720\pnhang{\pntxtb (}{\pntxta )}}{\*\pnseclvl7\pnlcrm\pnstart1\pnindent720\pnhang{\pntxtb (}{\pntxta )}}{\*\pnseclvl8\pnlcltr\pnstart1\pnindent720\pnhang {\pntxtb (}{\pntxta )}}{\*\pnseclvl9\pnlcrm\pnstart1\pnindent720\pnhang{\pntxtb (}{\pntxta )}}\pard\plain \ql \li0\ri0\widctlpar\aspalpha\aspnum\faauto\adjustright\rin0\lin0\itap0 \fs24\lang1036\langfe1036\cgrid\langnp1036\langfenp1036 { ggggggggggggggggggggggg \par }}

In each instance, defense+ asks permissions for:
-explorer->application (notepad, wordpad…)
-svchost
-ntvdm
-rpc control spools
-spools drivers

Assuming that CIS doesn’t react to “font coding”, wouldn’t allowing and remembering the said Defense+ rules (my configuration is proactive, highest Defense+ degree, no trusted editor, no sandbox) be enough?

No. A new document will be opened in an unbothered Notepad. Also, reading RTFs isn't a problem after having instructed CIS to not sandbox that specific RTF. The sandbox thing only comes back after having changed the RTF. Only doing a save without any real changes doesn't affect the state, so in that case no sandboxing occurs.

It almost looks like some “fingerprint” or checksum is generated for each document, so any change will trigger the sandbox.

Also, I have to apologize; it's indeed Wordpad & not Notepad I'm using. :-\

Does Wordpad get sandboxed? What version of CIS are you using?

Just a thought here. A screenshot of the active process list (when the alert occurs), plus the defense plus logs (after it occurs, with all info showing) would probably show what is going on.

I have had something similar in previous versions of CIS with the CIS config report (a highly structured .txt file) getting sandboxed when invoked from the reporting tool. I think it is sometimes due to text files being opened with execution privs, or it could be a script issue: the config reporter is a script.

Think it's maybe the RTF not the programs file that is getting sandboxed?

Best wishes

Mouse