New unexpected rule in Computer Security Policy (X32 XPSP2 v 3.0.16.295)

In my Computer Security Policy options, there are many rules created by Defense+, including a rule for Mozilla Firefox. Now recently an additional rule was created for FF, even though the old one is still there. I cannot understand why; I haven’t updated Firefox or so. The only thing I’ve updated is CFP. Besides, unlike all other rules in the Computer Security Policy window, the path contains ~ signs. See attached screenshot.

If I delete the rule, it comes back.

Win XP, D+ in Clean PC Mode.

Thanks for any suggestions,

LA

EDIT the 19th of February: This bug was fixed with version 3.0.18.309.

[attachment deleted by admin]

Hi LA

Just tested this out for myself. FF did not make an additional rule, but Foxit Reader did. If I remove it, it will come back with the ~. Also, for me the new rules that CFP D+ is making seem to be in this format. See my screenshot. This, for me as well, is since the update to 16.295. I also tried to remove both entries for Foxit and both were put back.

John

[attachment deleted by admin]

Hello!

D+ doesn’t remember the settings for Foxit Reader anymore.
When I try to open a PDF file D+ always tells me that Foxit wants to access the screen directly, even if I set Foxit as a trusted application.
Removing Foxit from the rules and setting them again doesn’t work.
This problem doesn’t occur in Clean mode and only with Foxit.

I attached a screenshot.

Regards

[attachment deleted by admin]

Thanks for your reply & testing.

I’m also quite sure that this is due to 16.295. I also tried to reinstall CFP (for other reasons too), which didn’t change anything.

It’s not that I’m concerned, it shouldn’t be anything malicious. I just wonder why it happens.

I’ll go ahead and submit this as a bug (unless I find a report for it).
I did that by moving my topic from the Help section.

LA

Hey, JJasper also has a Foxit problem. See my thread here. (though it won’t help you at this moment :-). Personally I have a Firefox problem.

LA

Thanks for the info.
I’ll follow the other thread.

regards

I have a similar problem with Foxit as described here.
D+ doesn’t remember the rules for Foxit Reader and parts of the path are substituted with ~.
I also have another entry with ~ in the path, see screenshot.

Regards.

[attachment deleted by admin]

IIRC there is a chance that Firefox was run under a different username or different fakeusername security profile (system, local service, network service and the like).
Is the “terminal services” service enabled?
Please back up your V3 config for reference purposes and delete all FF rules to test if duplicate rules are created again after this.
BTW, is only one duplicate created?

I merged these topics.
BTW I notice that Foxit uses 8.3 paths. Does this happen for FF too?

Any additional security software to report (AV, antispyware…)?

I don’t think this is just a single-app problem; I think it has more to do with what gibran mentions: an 8.3 problem. If I try to change the 8.3 (the ~) to a full path, I get the note that I already have this rule, which I do, but I also have the 8.3 rule and it is generated every time it is removed and the app restarted.

John

I also found this little problem with 8.3.
In my case it was because I tried to edit an .htm file with Word(!); Defense then popped up and wanted to create a rule with just this 8.3 phenomenon. It never happened before 16.295.

I tried to track it down, and as a result I found out that when I unchecked Computer Monitor in Defense’s Monitor Settings, everything went fine. Good.
And as I also found out, it has nothing to do with Terminal Services, whether it’s set to Automatic, Manual or Inactivated, running or not.
Of course I rebooted the computer between changes so everything was clean as I tested it out.

So maybe this isn’t a (direct) Terminal Service problem after all? At least not in my case, because my TS was inactivated by me long ago.

This issue can have different causes. That’s why each bug report needs any useful information the user can give.

For a complete list of bug-reporting guidelines please refer to CFP BUGREPORT BOARD NOTICE

In addition to my first post, here’s some info:

  • No other security application is present
  • Terminal Services is disabled.

I’ve deleted the Firefox rule (with the ~ signs) multiple times, but it keeps coming back. Also after reinstalling CFP 3.0.16.295 (I also cleaned the registry but I suppose that doesn’t matter) the rule comes back, although the Firefox rule with a “real” path (no ~ signs) is there all the time.

LA

[at] LeoniA

Try to test my little “Computer Monitor” trick above. I’ve now tested it on Firefox and Opera, also in connection with Foxit Reader, and Defense doesn’t say a word when “Computer Monitor” is unchecked (yet).
But what that trick will do with security is probably written in the stars…

Hm, not sure I want to disable a part of Defense+… :-\

LA

Hej!

A good point, but what shall we do to get rid of it at the moment?

Since this thread has become quite active, I will hope for the developers to pick it up and fix the bug. Of course I don’t know if this bug is serious or not, but I’m hoping for it to be more of a simple GUI problem than a serious Defense+ flaw.

LA

Let’s hope it is a simple GUI problem :)
I’ve spent a couple of hours and tested this with other programs too, and nothing happens when the trick is done, but 8.3 things happen if it isn’t. Mysterious.

Update:

I deleted the Firefox rule (only the “~” one, not the one with the full path), enabled Terminal Services and rebooted. Then I launched Firefox. Enabling the service did not make any difference, the Firefox rule was created anyway.

Maybe it doesn’t matter but here’s a list of all my running services:

COM+ Event System
COMODO Firewall Pro Helper Service
DCOM Server Process Launcher
DHCP Client
Event Log
Network Connections
Plug and Play
Remote Procedure Call (RPC)
System Event Notification
Task Scheduler
Themes
Windows Audio
Windows Management Instrumentation


LA

Hoooraaay! It seems the 8.3 bug returned >:(
At least for some…
Some of the betas had the same… with Firefox, BOClean, nvidia etc…
Anyway I think I may know a fix. If you don’t use very old applications you can disable the 8.3 naming format. You may also gain some speed ;D
Go to Start/Run, type cmd, and type ‘fsutil.exe behavior set disable8dot3 1’ without quotes. If you have any compatibility issues in the future, just type the same string except with a ‘0’ at the end instead of the ‘1’.
Hope it helps…

ps: here is the source: Error 0x19 when NTFS file system creates name in 8.3 format - Windows Server | Microsoft Learn
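
The symptom reported throughout this thread, a second rule for the same executable stored under its 8.3 alias, can be spotted in an exported rule list with a check like the following. This is an added example, not part of the original posts and not Comodo code; the rule paths are constructed samples, and the matching is a heuristic that covers only the common "first six characters plus ~N" alias form (authoritative resolution on a live Windows system would go through the filesystem, e.g. `GetLongPathName`).

```python
import re
from ntpath import normpath, splitext

# One path component in 8.3 alias form, e.g. PROGRA~1 or FOXITR~1.EXE
SHORT = re.compile(r'^[^\\/:*?"<>|. ]{1,6}~\d(\.[^\\/:*?"<>|. ]{0,3})?$')

# Constructed sample rule paths (not taken from the thread's screenshots)
RULES = [
    r"C:\Program Files\Mozilla Firefox\firefox.exe",
    r"C:\PROGRA~1\MOZILL~1\firefox.exe",
    r"C:\Program Files\Foxit Software\Foxit Reader\Foxit Reader.exe",
    r"C:\PROGRA~1\FOXITS~1\FOXITR~1\FOXITR~1.EXE",
    r"C:\WINDOWS\explorer.exe",
]

def is_short(component):
    """True if the component looks like an 8.3 alias (NAME~N[.EXT])."""
    return bool(SHORT.match(component))

def may_alias(short, long):
    """Heuristic: could `short` be the 8.3 alias of the component `long`?"""
    if not is_short(short):
        return short.upper() == long.upper()
    s_base, s_ext = splitext(short.upper())
    l_base, l_ext = splitext(long.upper())
    prefix = s_base.split("~")[0]
    squeezed = re.sub(r"[ .]", "", l_base)  # alias generation drops spaces/dots
    return squeezed.startswith(prefix) and l_ext[:4] == s_ext

def same_target(rule_a, rule_b):
    """Compare two rule paths component by component, allowing 8.3 aliases."""
    a = normpath(rule_a).split("\\")
    b = normpath(rule_b).split("\\")
    return len(a) == len(b) and all(
        may_alias(x, y) or may_alias(y, x) for x, y in zip(a, b))

def duplicate_rules(paths):
    """Return (short_form_rule, matching_rule) pairs that likely alias."""
    shorts = [p for p in paths
              if any(is_short(c) for c in normpath(p).split("\\"))]
    return [(s, l) for s in shorts for l in paths
            if l != s and same_target(s, l)]

if __name__ == "__main__":
    for short, full in duplicate_rules(RULES):
        print(f"{short}  duplicates  {full}")
```
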