Idea for increased security and configurability.

Defence+ would be more flexible if you could have a third list of applications under “process access rights”. This would be a “force pop-up” group. Defence+ would look no further down the computer security policy if it found something here.

Anything listed here would be blocked with parental control on but allowed with no pop-up for an “installer or updater” application and any application listed above it in computer security policy (if that application is allowed it). Without parental control there would be a pop-up.

Users could then control what was automatically learned. If used with file groups you would not be able to do “remember my answer”.

It would make it much easier to lock down “safe” (or not so safe) applications but not painful like paranoid mode.

Examples of use:

Set up a group for all applications and place it below all the Windows system applications etc. but above explorer and rundll. Two rules might be required to get the desired precedence.

Run an executable:
Allow: c:\windows* and c:\program files*
Force prompt: * (this is not strictly required I think)

Protected files/folders:
Force prompt: c:\windows*.exe and c:\program files*.exe etc.
Allow: *.exe *.dll

Device driver installation:
Force prompt: *

Memory access and direct disk access:
Make force prompt the default action. (this would require an extra tick box)

This would allow saving downloaded exes without a pop-up, force a pop-up if overwriting an important exe, and force a pop-up when running any exe that was downloaded without a pop-up. Only installers or updaters or selected programs could overwrite important programs, do direct disk access, do direct memory access or do driver installations without a pop-up.

I think this would increase security with no additional pop-ups in normal use.

Setting groups for allow is good as it reduces overall rule size.

This would be a brilliant feature. Just like “Allow” and “Block”, COMODO can be configured to “Ask - pop-up” for a specific set of applications.

All you would need is an “Ask” tab next to “Allow” and “Block” in “Exceptions” settings for an access.

I like to run in clean PC mode with parental control on. This means other users of my PC do not have to answer alerts that they do not understand. This would make it easy to increase security in this configuration.

Setting up a detailed policy in paranoid mode is too much work. I like to start from scratch each upgrade and using clean PC mode and a few group rules it is easy to do this.

When I started using Defence+ it was not so good and I got loads of pop-ups and went through running all the common applications to get rid of the pop-ups. I am glad I no longer have to do this.

I cannot clearly understand what you are trying to say, but, I guess what you want is an “ask” rule on a per-application basis. Which would add a new “ask” (or something similar) section next to the “allowed applications” and “blocked applications” sections.

If that is what you are wishing for, then it gets my vote.

This and an option that allows the user to define an access as either a “read” or a “modify/write”, and CIS is almost perfect.

At the moment there is ask, allow or block. Ask does not really mean ask. It means ask if there is no rule below and if the application is not on the safe list. I want something that means always ask. This would be alongside allowed and blocked applications. I was also thinking of this under default action for things like direct disk access…

I meant the same. The per-application basis ask should always ask. Modes and safelists shouldn’t matter.

By the way, I never really understood the deal with having multiple entries. Why can’t the learnt accesses be added to the existing entry?

To work out what to do Defence+ looks at the computer security policy starting at the top and working down. If it finds the application or a group containing the application it looks to see if the action is blocked or allowed. If it says ask it carries on down the list. If it never finds a block or allow it allows for safe applications and asks for others. In paranoid mode it always asks.

If you have ask in a group and something gets allowed for an application in the group it needs to save that this is allowed. It cannot save it in the group for an individual application (your with list) so it saves it in a separate entry for that individual application further down the list.

My wish is to have the choice of “Ask if not safe” and “Always ask”.

One way to make this work for always ask would be to save the result of the always ask for a group in the individual application rule below. This would mean it does not have to remember your decision for individual applications in the group. It would have to remember “always ask” from the group but carry on looking down for the individual application rule and then ask if the individual rule says ask and block or allow if the individual rule says this.

If there was an advanced mode with “always ask” option and without the blanket allowing for safe applications then it would be possible to set up your own rules easily without too much effort and without having to resort to paranoid mode which is totally unusable for me.

Example:

In the “all applications” group set “direct disk access” and “writing to HKLM” to “always prompt”. If an application then writes to a protected registry key under HKLM then the user is prompted and if the user says yes Defence+ would write allowed for this particular registry area in the entry for that application below the all applications group. If the application wrote to a protected key under HKCU then the user would not be prompted if the application was safe. All applications would get prompted before being allowed direct disk access and the application replies saved in the individual application settings.

You would then always get a prompt for particularly dangerous things and the results saved for each application.

You could then have some registry keys and some actions more protected than others.
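The top-down policy walk described in this post, together with the proposed “always ask” rule whose answer is saved in the application’s own entry below the group, written out as an added Python model. This is not Comodo’s code; the Rule shape, the action names and the file paths are assumptions made for the illustration.

```python
from dataclasses import dataclass  # constructed model of the thread's policy walk, not Comodo's code

ALLOW, BLOCK, ASK, ALWAYS_ASK = "allow", "block", "ask", "always ask"
ALL_APPS = "*"  # stands for the "all applications" group

@dataclass
class Rule:
    members: object  # ALL_APPS, or a frozenset of application paths (a group or one app)
    actions: dict    # monitored action -> ALLOW / BLOCK / ASK / ALWAYS_ASK

    def matches(self, app):
        return self.members == ALL_APPS or app in self.members

def evaluate(policy, app, action, safe_list, paranoid=False):
    """Verdict for one application performing one monitored action."""
    if paranoid:
        return ASK  # paranoid mode: always prompt
    force_prompt = False
    for rule in policy:  # start at the top of the list and work down
        if not rule.matches(app):
            continue
        verdict = rule.actions.get(action, ASK)  # a plain ASK just carries on down the list
        if verdict in (ALLOW, BLOCK):
            return verdict  # an explicit decision ends the walk
        if verdict == ALWAYS_ASK:
            force_prompt = True  # remember it, but keep looking for the app's own entry
    if force_prompt:
        return ASK
    return ALLOW if app in safe_list else ASK  # no decision found: "ask if not safe"

def remember(policy, app, action, answer):
    """Save a prompt answer in the app's own entry, placed below the last group containing it."""
    for rule in policy:
        if rule.members == frozenset({app}):
            rule.actions[action] = answer
            return
    hits = [i for i, r in enumerate(policy) if r.matches(app)]
    policy.insert(hits[-1] + 1 if hits else len(policy), Rule(frozenset({app}), {action: answer}))

def demo():
    """Replays the HKLM/HKCU example from the post; returns the four verdicts."""
    word = r"c:\program files\word.exe"  # constructed path, placed on the safe list
    safe = {word}
    policy = [Rule(ALL_APPS, {"direct disk access": ALWAYS_ASK, "write HKLM": ALWAYS_ASK})]
    out = [evaluate(policy, word, "write HKCU", safe),  # allow: safe app, nothing matched
           evaluate(policy, word, "write HKLM", safe)]  # ask: the group says always ask
    remember(policy, word, "write HKLM", ALLOW)  # the user answered "allow" at the prompt
    out += [evaluate(policy, word, "write HKLM", safe),  # allow: own entry below the group
            evaluate(policy, word, "direct disk access", safe)]  # still ask: not yet answered
    return out
```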

That is exactly how I don’t want it to be.

Why?

This idea could be a more flexible replacement for paranoid mode. If you had a group for all applications and set everything monitored to “force alert” and placed this at the top of computer security policy you would have paranoid mode. If you placed the same rule at the bottom of computer security policy you would have clean PC or safe mode for all your existing applications and any new application would be in paranoid mode.

You could then be paranoid about what really matters and not have to answer a prompt just to, as an example, access the print spooler.

In parental mode it would allow blocking of installation of all software, safe or otherwise. Like a software restriction policy but without having to spend a fortune on Vista Ultimate.

What would an “ask if not safe” option do? Will it prompt on an access to an unsafe file? What difference does it make if the file is safe or unsafe? What matters is if the activity is malicious or not.

“Ask if not safe” should actually be a part of “Image Execution Settings”. That is, you should be alerted every time a safe file - that has been tampered with - tries to do something.

“Always ask” should always ask!

Because, instead of a new entry, all the permissions granted and denied can be remembered in the existing entry.

It is impossible to have a “force prompt” rule for “all applications” at the bottom. To do that, you’ll have to let D+ learn a few application rules and then add a rule for all applications. Even then, for every new application that is introduced to the system, it will be considered as part of “all applications”.

You would have to move the rule down when you install new applications. This would be better than full paranoid mode.