Limit *read* access to particular files in D+ to specific programs

This wish relates to a few wishes of others also (but will hopefully be a bit more complete), e.g.:
Add ‘my privacy file’ in D+
The function of the control of reading files
My own comment on Wishlist v6 on Dec 07 2007
And of course my other comments when I was seeking help to try to do this with existing features here and here

Anyway, the wish roughly goes like this:
I have private files. PGP keys. A keepass file. My thunderbird email.
The only program which ever needs to read my PGP keys is PGP.
The only program which ever needs to read my keepass file is keepass
The only program which ever needs to read my thunderbird email files is thunderbird.

I’d like to be able to limit my PGP keys to only being able to be read by PGP, and so forth with keepass and thunderbird.

I can currently block all access to a file using My Blocked Files. Now if only I could create exceptions to this (like one can with protected files) for particular programs, then the problem would be entirely solved.
Maybe it is important to have a ‘my blocked files’ which can not be overridden for super-protection of those files. Great! I agree! Alternatives are then to be able to set the level of protection on ‘My protected files’ (e.g. read/write/execute) or create an equivalent to ‘my protected files’ which is for reading of files, not just writing them.

D+ is so, so very close to doing this now. So close I can smell it. It smells good.

Yes, why not?
But you guarantee that CIS is always running. If it is disabled, the access will be released.

True, but doesn’t the same apply to protected files and ‘My Blocked Files’?
If CIS ceases running, all is lost anyway.

I’m actually currently testing other firewall packages to see if they have the feature (mind you, most of them are not free either).
So far…
Outpost Pro: no (can prevent any access to files, same as ‘My Blocked Files’, and prevent write like ‘My Protected Files’)
eEye Blink Personal: no (can prevent execution of certain files, but seemingly not read or write)
InJoy Firewall: couldn’t get it going under Win7
OnlineArmor: no (doesn’t appear to be any way to protect particular files at all, even in the ++ version)
CA Threat Manager Total Defense (with HIPS): had to install server, couldn’t get client to function (too complex a solution in terms of software)
PCTools ThreatFire: yes - under Advanced Tools > Advanced Rule Settings > Custom Rule Settings it is possible to add rules that limit read, write, create, and execute to particular files or directories for all programs except explicitly listed ones,
e.g. rule settings:
When any process
tries to write or delete or create or execute a file
in C:\Users\xxxx\my keys

The only problem is that when you are prompted, because a non-approved program attempts to access the file, you only have the choice to ‘allow’ or ‘terminate the application’.

DefenseWall: in a sense - you can prevent listed ‘Untrusted Applications’ from accessing protected resources (listed in ‘Resource Protection’), but this requires applications to be set to ‘untrusted’, which is problematic.
DriveSentry: no (looks like you can prevent write access but not read; and ‘trusted’ applications, which can be added to the list automatically, bypass these settings)
Private Firewall: No
Tiny Personal Firewall 6.5: didn’t run under Windows 7 (bluescreen)

Yet to test:
KIS

+1

Unfortunately Comodo can’t prevent reading in the way you want; it can, however, prevent everything else: write, modify, delete, create, execute etc.
Maybe in v5 the Comodo crew will add the feature you want. Until then you can try Kaspersky IS, which has the ability to prevent reading, but it costs money. I am not sure about Malware Defender, EQ Secure and other HIPS systems, but you should definitely first look at HIPS systems alone rather than FW + HIPS.


EQ, MD and OSSS can all prevent reading.

+1

Sounds like a useful addition to the already flexible configuration of CIS.

MD and EQ lasted about 2 minutes post-installation (mainly because the interfaces made me want to cry).
OSSS is looking good, but it is actually not able to completely prevent access to the file except by whitelisted apps. The only thing stopping it from doing what I want is that I seem to be able to browse the folders and (more importantly) copy the files I am trying to protect (I need to allow admin rights to do so, but it still lets me copy them, which defeats the purpose of protecting them from reading).

Otherwise, OSSS is looking fairly good.

Edit: worked out the reason OSSS was not blocking copying of the file.
The file was not protected from ‘dllhost.exe’, which executes administrator-privileged functions on behalf of another program (in this case, explorer.exe when I try to copy the file).

+1

I too would like to see this feature added.

+1

This can already be implemented, but the wish should be to make an easier way to do so.

+1

+1 !!!

Paid version of Emsisoft Online Armor 5.0 “protects your sensitive files from being read, deleted or modified by malicious programs.” Emsisoft Help

…and which is “the harder way”, or maybe “ways”:

And so does the free version of Comodo Internet Security ;). The question is: “how to make exclusions for specific processes to let them read/write specific BLOCKED files/folders etc.”

First of all, Online Armor has to be less buggy. They have really big, major problems :wink:

Good idea…
Then what we need to do is check the hash of the file that makes a request to a blocked file against the original.

Then what we need to do is check the hash of the file that makes a request to a blocked file against the original.

Why? Really, we must be sure that malware has not replaced the program file… But what about self-updating programs? Indeed, the hashes will change. I think the problem can be solved if only the program itself has the right to read and write the folder with the program. Then:

  1. the program will be updated normally because it has access to its folder
  2. malware cannot replace the program because it does not have write permission to the folder
  3. malware will not steal private data because it does not have permission to read the directory
  4. there is no need to check the hashes

For example, for Thunderbird: only programs that are in

  • %PROGRAMFILES%\Mozilla Thunderbird*
  • %USERPROFILE%\Local Settings\Application Data\Thunderbird*

have access to read and write in

  • %PROGRAMFILES%\Mozilla Thunderbird*
  • %USERPROFILE%\Local Settings\Application Data\Thunderbird*
  • %USERPROFILE%\Application Data\Thunderbird*
  • HKLM\SOFTWARE\Mozilla\Mozilla Thunderbird*

(In my case it was C:\Program Files\Mozilla Thunderbird\thunderbird.exe
C:\Program Files\Mozilla Thunderbird\uninstall\helper.exe
C:\Documents and Settings\IE User\Local Settings\Application Data\Thunderbird\Mozilla Thunderbird\updates\0\updater.exe)
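The directory-scoped rule proposed in this post (and the per-directory read/write/execute rule shown earlier for PC Tools ThreatFire) can be modelled as a small policy evaluator. The following is an added example written for this page, not code from the thread, from Comodo or from any product named in it. It assumes a hypothetical rule table, a fixed stand-in table for %PROGRAMFILES% and %USERPROFILE%, and constructed request paths. It also shows why the earlier dllhost.exe observation matters: the decision is made on the path of the process that actually performs the access, so a copy brokered through dllhost.exe on behalf of explorer.exe is denied, and a path written with `..` segments is normalised before matching so it cannot masquerade as a trusted program.

```python
import fnmatch
import ntpath

# Constructed stand-in for environment lookup so the example runs offline on any OS.
ENV = {
    "PROGRAMFILES": r"C:\Program Files",
    "USERPROFILE": r"C:\Documents and Settings\IE User",
}


def normalize(path):
    """Expand %VAR% tokens, collapse '..' segments, unify slashes and lowercase.

    Rules and requests both pass through this, so a request path such as
    '...\\Mozilla Thunderbird\\..\\..\\Windows\\x.exe' is compared as
    'c:\\windows\\x.exe' and cannot borrow a trusted directory's prefix.
    """
    for name, value in ENV.items():
        path = path.replace(f"%{name}%", value)
    return ntpath.normcase(ntpath.normpath(path))


# Hypothetical rule set modelling the proposal: only programs living in the
# Thunderbird program or profile directories may read/write those directories.
# Resources not listed in any rule are unaffected (default allow), like an
# ordinary protected-files list. A trailing '*' is a prefix match.
RULES = [
    {
        "name": "Thunderbird",
        "resources": [
            r"%PROGRAMFILES%\Mozilla Thunderbird*",
            r"%USERPROFILE%\Local Settings\Application Data\Thunderbird*",
            r"%USERPROFILE%\Application Data\Thunderbird*",
        ],
        "programs": [
            r"%PROGRAMFILES%\Mozilla Thunderbird*",
            r"%USERPROFILE%\Local Settings\Application Data\Thunderbird*",
        ],
        "ops": {"read", "write"},
    },
]


def _matches(path, patterns):
    """True if the already-normalised path matches any (normalised) pattern."""
    return any(fnmatch.fnmatchcase(path, normalize(p)) for p in patterns)


def decide(program, resource, op, audit=None):
    """Return 'allow' or 'deny' for process `program` doing `op` on `resource`.

    `program` must be the process that actually touches the file (the broker,
    e.g. dllhost.exe, not the program that asked it). Denials are appended to
    `audit` when a list is supplied, so a HIPS log can be built from them.
    """
    prog = normalize(program)
    res = normalize(resource)
    for rule in RULES:
        if op in rule["ops"] and _matches(res, rule["resources"]):
            if _matches(prog, rule["programs"]):
                return "allow"
            if audit is not None:
                audit.append(f"DENY {op} {program} -> {resource} (rule: {rule['name']})")
            return "deny"
    return "allow"


if __name__ == "__main__":
    log = []
    profile_db = r"%USERPROFILE%\Application Data\Thunderbird\Profiles\abc.default\key3.db"
    requests = [
        (r"%PROGRAMFILES%\Mozilla Thunderbird\thunderbird.exe", profile_db, "read"),
        (r"C:\Program Files\KeePass\KeePass.exe", profile_db, "read"),
        (r"C:\Windows\System32\dllhost.exe", profile_db, "read"),  # brokered copy
        (r"%PROGRAMFILES%\Mozilla Thunderbird\..\..\Windows\notepad.exe", profile_db, "read"),
        (r"C:\Windows\System32\dllhost.exe", r"C:\Users\xxxx\notes.txt", "read"),
    ]
    for prog, res, op in requests:
        print(decide(prog, res, op, log), op, prog, "->", res)
    print("\n".join(log))
```

Two design choices carry the weight here: every path is canonicalised before comparison, and the rule table is evaluated against the requesting process rather than the user-facing application. The second point is the general form of the dllhost.exe finding above; any product that identifies "the program" by the window the user clicked rather than the process opening the handle will leave the same gap.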

I think it’s necessary, and it is also necessary to make the firewall check the hashes of the programs allowed to connect to the Internet.

Yes, in some cases it will be necessary.