Limit read access to particular files to only certain programs (using Defense+)

Note: problem solved (sort-of) by adding another program along-side CIS - see bottom.
Still would like for the feature to appear in CIS though.


I am using Defense+ features to try to achieve the following. Other applications may do the job but are either discontinued (e.g. CoreForce, Secure4u) but frankly I like CIS.
I have OpenPGP keyfiles and other such important files that I want to prevent all but a couple of programs having any ability to access (i.e. block read/write/execute to these files to all but explicitly listed files).

Edit: I have concluded what I want to do is not presently possible in CIS/D+. I have added a wishlist item to have the feature added to CIS, so if you’re trying to work out how to do it - well, go vote here:;msg416098#msg416098

I have tried a couple of things:
I have created a ‘group’ containing the files I want to prevent access to, and:

  • I have added the files to ‘My Protected Files’. This successfully prevents applications modifying the files but (as expected) doesn’t prevent read access to the files.
  • I have added the files to ‘My Blocked Files’ which successfully prevents all applications from accessing the files at all (as expected) but doesn’t allow the desired programs to access the files.
  • In the computer security policy, I have configured it so that all entries except the specific programs I want to access the files include the file group in the Access Rights->Protected Files/Folders->Blocked Files/Folders. However the applications still seem to be able to access the folders/files (e.g. I can still browse to them in Windows Explorer and open them in a text editor).

Is there a way of preventing all applications accessing the files except the desired few?


(Edit: Added the line about me using Defense+ because it was previously a bit unclear)

(Edit: added the following)

You can achieve this goal using PCTools ThreatFile, which runs happily in alongside CIS.

Under Advanced Tools->Advanced Rule Settings->Custom Rule Settings it is possible to add rules that limit read, write, create, and execute to particular files or directories for all files except explicitly listed ones
e.g. rule settings:
When any process
tries to write or delete or create or execute a file
in C:\Users\xxxx\my keys[\u]

The only problem is that when you are prompted when a non-approved program attempts to access the file, you only have the choice to ‘allow’ or ‘terminate the application’

From the Help file about My Blocked Files:

Unlike files that are placed in ‘My Protected Files’, users cannot selectively allow any process access to a blocked file.
. That sounds like something for the wish board.

When editing Access Rights of policies of program you will be only protecting against modification. They can still be read them but you should not be able to modify the protected files.

It’s on the wish board =)