Ineffective Defense+ Rules (serious bug in my opinion)

Auto sandboxing (Treat unrecognized files as): OFF
Unsigned application that uses the Print Spooler Service, located at X:\dir\app.exe, where network drive X: is mapped to \\server\share

On first run an alert appears about the spooler access. Selected: Treat this application as: Trusted Application, Remember my answer, OK. The application is added to Defense+ Rules correctly with the Trusted Application policy, but despite that the alert appears again and again on every run.

Have you tried trusting the application with the option "Use file names instead of file hashes (not recommended)" enabled?

Unfortunately this is a known limitation of CIS; please see the Known issues list, Other issues, number (ii).

Not sure that what HeffeD suggests will work, therefore, but worth trying :).

Best wishes


As I wrote, I want to use the Defense+ Rules (with auto sandboxing turned off) and the “Trusted Application” predefined policy, not trusted files.
But after manually adding it to trusted files (just with the file name), the alert remains. Note: when adding to trusted files the file browsed was X:\dir\app.exe, but it was added to the list with the full UNC path \\server\share\dir\app.exe, which Purge incorrectly finds invalid. (The whole network path handling issue of D+ is even worse through Remote Desktop.)

Looks like you’re running up against the limitation built into CIS that all external media is untrusted. This security feature was in place before CIS started using file hashes for recognizing applications. Now that file hashes are used, this feature is unnecessary. I had hopes that maybe the new option to trust files by their path could override this functionality, but it appears that this isn’t the case.

I’m sure the upcoming version 6 will allow networked files/applications to be trusted within CIS.

I hope so too, because these incorrect path behaviors are major annoyances in a heavily networked corporate environment.

External media is untrusted for a reason.
As far as I know the database does not contain hash lookups. And not everyone uses the cloud, which will btw affect performance.
I for one am happy that external drives, no matter their nature, are untrusted until told otherwise, and then only as long as they are connected.

Yes, AFAIK the D+ rules database, and thus the rules which create trusted applications, is not hash based, but it could be. The Trusted Files list of course is.

If it was hash based I see little drawback in trusting network files, personally.

Best wishes


Yes, exactly the same issues.