No execution alert in Paranoid Mode

Hi,

With D+ set to Paranoid Mode, I get no alert for eac-1.0beta1.exe (download). :-\

No D+ rules for eac-1.0beta1.exe.

Same result on two computers.

Thanks. :slight_smile:

What is this “tool” supposed to do?

It’s supposed to install Exact Audio Copy. :wink: It’s white-listed, but CIS should alert in Paranoid Mode, shouldn’t it?

Can confirm: on install you only get the explorer running eac-1.0beta1.exe alert, but on execution you get a raft of alerts.

I would have thought you would get an "eac-1.0beta1.exe is about to create a new folder xxx" alert.

Possibly because it doesn't interfere with any protected areas during install. Not really tried much in Paranoid, will try a few more :slight_smile:

[attachment deleted by admin]

Depends if it hits something that should be alerted for…
Is there any input field where you can type text in? Try to type fast and see if Keyboard access alerts…

I expect to get an execution alert, like CIS 4 gave. Attached screenshot is for the installed EAC.exe. With CIS 5, the first alert is for direct disc access. I also get an alert for EAC trying to modify a protected registry key.
Where is the execution alert? ??? My configuration is Internet Security (and so it was in CIS 4).

[attachment deleted by admin]

How did Matty get an execution alert? ???

Can you verify your explorer.exe policy setting to see if it should alert for “Run an executable” and if you have some form of exception for it that could allow this?

Is this a clean profile or a previous version upgrade profile?

Policy for explorer.exe is Windows system application.

Clean install and clean profile on both computers.

That’s the reason you don’t get an alert on explorer.exe executing.
I suspect Matty has “Custom” + Ask on run as executable.

Fråga (Ask) is selected…

[attachment deleted by admin]

Look at modify, it contains a * to allow all…

Thanks, I removed it. :slight_smile:

Why does it allow all with the predefined policy!? :o ???

Did you remove that from the predefined setting?
If so that will cause all to alert… It would be better to set explorer.exe to custom and run exe to ask.

I think it had something to do with the sandbox having to catch all and lowering the number of alerts.
Normally using explorer to execute something isn’t dangerous, and as the sandbox should catch the unknown baddie in case you started malware, it should have caught it.

Do you have sandbox enabled or disabled on paranoid?

OK. Maybe it’s better to leave Windows system application as it was, and use Trusted application for explorer.exe?

If execution control is enabled in D+ settings, and it doesn’t block anything, because there is a new (Isn’t it new in CIS 5?) allow all rule for Windows Explorer, CIS doesn’t work as users (at least I) expect it to work… :-\

I tested with sandbox enabled and disabled.

(Normally I use Safe Mode and sandbox enabled.)

Just an FYI :wink: If you do use Trusted Application, then answer an explorer alert and tick “remember my answer”, the policy reverts to Custom.

Suppose that's because it is Custom, sort of ;D

On CIS 4 explorer.exe was also a “Windows System Application”


<PolicyItem UID="{3EA8B540-77FB-426B-9E9B-30BB1A78723B}" Flags="2" Filename="%windir%\explorer.exe" DeviceName="C:\WINDOWS\explorer.exe" TreatAs="Windows System Application">

I never changed that in CIS 4, and I got execution alerts. ???

Maybe used ProActive profile?


<PolicyItem UID="{4875AD97-A05B-498F-9148-49B7F95EDF6B}" Flags="2" Filename="%windir%\explorer.exe" DeviceName="C:\WINDOWS\explorer.exe" TreatAs="Trusted Application">
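Added example (not Comodo's code, and not posted by anyone in this thread): a small audit script that reads the same kind of PolicyItem lines quoted above and reports which explorer.exe entries sit under a predefined policy that, as the thread established, never raises a "Run an executable" alert. The <Policies> wrapper element and the UIDs in the sample are constructed for the demonstration; whether a "Custom" entry alerts depends on its own access rights, which the PolicyItem attributes shown here do not carry, so the script only flags the predefined policies.

```python
"""Audit a CIS Defense+ policy export for launcher processes (explorer.exe)
that run under a predefined policy which suppresses the "Run an executable"
alert. Added example, not Comodo's own code; the <Policies> wrapper and the
UIDs below are constructed for the demonstration."""
import ntpath
import xml.etree.ElementTree as ET

# Per the thread: under these predefined policies explorer.exe may launch
# executables without asking, so Paranoid Mode shows no execution alert.
SILENT_EXEC_POLICIES = {"Windows System Application", "Trusted Application"}

# Constructed sample in the shape of the <PolicyItem> lines quoted in the thread.
SAMPLE_POLICY_XML = r"""<Policies>
  <PolicyItem UID="{CONSTRUCTED-0001}" Flags="2" Filename="%windir%\explorer.exe"
              DeviceName="C:\WINDOWS\explorer.exe" TreatAs="Windows System Application"/>
  <PolicyItem UID="{CONSTRUCTED-0002}" Flags="2" Filename="%windir%\explorer.exe"
              DeviceName="C:\WINDOWS\explorer.exe" TreatAs="Custom"/>
  <PolicyItem UID="{CONSTRUCTED-0003}" Flags="2" Filename="C:\Program Files\EAC\EAC.exe"
              DeviceName="C:\Program Files\EAC\EAC.exe" TreatAs="Trusted Application"/>
</Policies>"""


def parse_policy_items(xml_text):
    """Return one dict per PolicyItem with its uid, filename, device path and TreatAs value."""
    root = ET.fromstring(xml_text)
    items = []
    for node in root.iter("PolicyItem"):
        items.append({
            "uid": node.get("UID", ""),
            "filename": node.get("Filename", ""),
            "device": node.get("DeviceName", ""),
            "treat_as": node.get("TreatAs", ""),
        })
    return items


def find_silent_launchers(items, launcher_names=("explorer.exe",)):
    """Entries for the named launcher processes whose predefined policy
    suppresses execution alerts. Returns a list of (device_path, treat_as)."""
    wanted = {name.lower() for name in launcher_names}
    hits = []
    for item in items:
        # Filename may be written with %windir%, so compare on the basename only;
        # Windows paths are case-insensitive, hence the lower().
        base = ntpath.basename(item["filename"]).lower()
        if base in wanted and item["treat_as"] in SILENT_EXEC_POLICIES:
            hits.append((item["device"], item["treat_as"]))
    return hits


def recommended_policy(treat_as):
    """The thread's advice: Custom with 'Run an executable' set to Ask restores the alert."""
    if treat_as in SILENT_EXEC_POLICIES:
        return "Custom (set 'Run an executable' to Ask)"
    return treat_as


if __name__ == "__main__":
    for device, policy in find_silent_launchers(parse_policy_items(SAMPLE_POLICY_XML)):
        print(f"{device}: {policy} -> no execution alert; consider {recommended_policy(policy)}")
```

Run it against an actual policy export by replacing SAMPLE_POLICY_XML with the file contents; the launcher_names tuple can be widened to other shells or launchers you want checked.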

Don’t think I did, since I considered Internet Security good enough in 4.0 and later versions. I used Proactive in 3.x, though. :wink:

Help says Image Execution Control is disabled in Internet Security configuration. 88)