I am wondering if there is a function or a combination of functions in CIS whereby I could limit the access to my mail storage folder to Windows Live Mail only?
I have thousands of emails in various folders and under multiple email accounts. All of these emails and accounts mysteriously get deleted every few weeks or so (it happens randomly). It takes me hours and hours of time to restore the folder structure and their content from backup, and some emails do get corrupted and lost each time. I cannot figure out what it is that deletes my email accounts/folders/emails database. It has to be some application/process; no person has access to my machine. Whatever does this also deletes the Firefox and Explorer cache and even my selection of the desktop image.
I am thinking that if in some way I could close the access to the Live Mail data folder to all applications except the Live Mail executable, maybe I could stop this pain that is being inflicted on me.
I am using Windows XP Pro SP3.
Though you cannot give exceptions to any program, you can try ‘my blocked files’ under ‘CIS-Defense+-Common Tasks’ and add the folder to the block list.
This will block other programs from accessing that folder. However, whenever you want to download something, you will have to ‘remove’ it from ‘my blocked files’ (never click delete file) and that folder will be accessible for download. For your convenience, you can also download the files in another folder and move them to the blocked folder at intermittent periods.
Hope this helps.
(Another option is my protected files option, you can learn that through help section of CIS but is a bit complicated).
I have added the mail storage folder to Protected List of CIS and allowed access to the Mail Client executable.
Can another application still access the Protected Files/Folders through Explorer.exe, which of course is a system component and needs to access anything and everything on the machine?
I also noted that GoodSync, which I use to back up my mail database and which I have not specifically permitted to access Protected Files/Folders, is able to access the Mail folder that I have added to the Protected list.
That raises the question: in what way are the folders on the Protected list protected by CIS?
I will not recommend the ‘protected files’ feature, as, AFAIK, these protected files can still be accessed, changed, saved with modification and even deleted by safe applications. E.g., even if you protect, say, matt.doc by adding it directly from the protected files feature, and from computer security policy give permission to, say, MS Excel (not MS Word), you can still open matt.doc using MS Word or Notepad, add things to it and save it without any alert or blocking from CIS. Not just that, you can even delete the entire matt.doc. So, I suppose your purpose of completely protecting the folder from modification will not be as effective as you want with this feature. As far as I understand, all the programs which are available in Computer Security Policy will be able to do whatever they want with that protected file. Of course, with *.executable permission, I would say that all executables will be able to access it.
As far as I understand, for the protected files feature to be effective, you will need to create a group first and then add it to protected files (in which case it will grey out) and then follow the procedures.
I would suggest the my blocked files feature, which will restrict everything from accessing that folder / file. At the same time CIS antivirus will be able to scan that folder for viruses while other programs cannot touch it.
The email client needs to constantly update the files inside the mail database folder by downloading new emails and deleting the deleted email entries. Blocking does NOT allow any exception for any application; it would effectively shut down all of my email communication. That certainly is not what I am looking for.
The documentation of “Protected” is NOT clear: it says the files inside the protected folder cannot be modified, but can they be deleted? That is the real question.
Anyone please advise.
Here’s what I would do in your situation. Put a file with a unique name into one of the locations that you find get deleted often and randomly. Then configure Sysinternals filemon or procmon to launch when Windows starts, with the filter set to that unique name. I.e., you’re constantly running filemon/procmon. If it happens within a few days, you’ll have your culprit within that time.
It will show what process did it and what time it happened. If you have a less specific filter, more information will be captured, but the file might be huge and the overhead could slow everything down.
I downloaded ProcMon, but it is a complicated affair to configure it. Can you direct me as to what options I should choose for this application to monitor and log if a folder “XYZ” is accessed by any application other than an application called ‘Abc.exe’? I will then extrapolate the filter for my use.
Thanks in advance.
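The check asked about above (any process other than Abc.exe touching folder XYZ) can also be run offline against a Process Monitor log saved in CSV format. This is an added example, not part of the original posts; it assumes the export's usual column names (Process Name, Operation, Path, Result, Detail), and the sample rows and the names cleaner.exe and backup.exe are constructed.

```python
import csv
import io

# Constructed sample rows in the column layout of a Process Monitor CSV export.
SAMPLE_CSV = r'''"Time of Day","Process Name","PID","Operation","Path","Result","Detail"
"10:01:02.1","Abc.exe","1200","WriteFile","C:\XYZ\inbox.dat","SUCCESS","Offset: 0, Length: 512"
"10:05:40.7","explorer.exe","880","CreateFile","C:\XYZ","SUCCESS","Desired Access: Read Data/List Directory"
"10:07:13.3","backup.exe","2040","ReadFile","C:\XYZ\inbox.dat","SUCCESS","Offset: 0, Length: 4096"
"03:12:55.9","cleaner.exe","3316","SetDispositionInformationFile","C:\XYZ\canary-7f3a.txt","SUCCESS","Delete: True"
"03:12:56.0","cleaner.exe","3316","WriteFile","C:\XYZZY\other.txt","SUCCESS","Offset: 0, Length: 10"
'''


def foreign_access(csv_text, folder, allowed_exe):
    """Return events under `folder` made by any process other than `allowed_exe`."""
    # Normalise to "c:\xyz\" so that C:\XYZZY is not mistaken for C:\XYZ.
    prefix = folder.rstrip("\\").lower() + "\\"
    hits = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        path = row["Path"].lower()
        if not (path + "\\").startswith(prefix):
            continue  # event is outside the watched folder
        if row["Process Name"].lower() == allowed_exe.lower():
            continue  # the mail client itself is expected here
        # A delete appears as SetDispositionInformationFile with "Delete: True".
        is_delete = (row["Operation"] == "SetDispositionInformationFile"
                     and "Delete: True" in row["Detail"])
        hits.append({
            "time": row["Time of Day"],
            "process": row["Process Name"],
            "pid": row["PID"],
            "operation": row["Operation"],
            "path": row["Path"],
            "delete": is_delete,
        })
    return hits


if __name__ == "__main__":
    for hit in foreign_access(SAMPLE_CSV, r"C:\XYZ", "Abc.exe"):
        flag = "DELETE" if hit["delete"] else "access"
        print(f'{hit["time"]}  {flag:6}  {hit["process"]} (PID {hit["pid"]})  '
              f'{hit["operation"]}  {hit["path"]}')
```

Rows flagged as deletes name the process and the time, which is the information the canary-file approach is meant to capture; reads by Explorer or a backup tool show up as ordinary access.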