Pre-Defined policies implementation is poor and needs a change

Just take one example. Suppose I assign a self-made policy (Trusted) to an application abc.exe. According to this policy, all actions of abc.exe are set to Allow, but execution of children by abc.exe is set to Ask.

Now suppose abc.exe tries to execute another application, abc.child.exe. I get a pop-up alert. I allow it with the "remember this" option, meaning abc.exe is allowed to execute abc.child.exe next time without a pop-up alert.

Look at the situation now. Just after this, Defence plus moves abc.exe from the Trusted policy to a custom policy, with all actions of abc.exe giving rise to pop-up alerts. I never wanted this. Defence plus must keep abc.exe in the Trusted policy, keeping all of its actions in the Allow list, with pop-up alerts only when it tries to execute another child. Maybe it can change the policy from Trusted to a Custom-Trusted policy, but not altogether to a custom policy; otherwise there is no fun in putting any application in a pre-defined policy.

Hope I was able to make my point clear.

Any comments by other users? Thanks

While I can see your point, I can also see the other side.

If “Trusted” is defined as having parameters A, B and C, and you add another parameter, D, then it no longer conforms to the original definition of Trusted (A, B and C). Therefore it can’t be classed as trusted any more.

Going by your example, we would need to have as many “Trusted Custom” definitions as there are possible combinations of parameters, i.e. is a trusted-custom parameter set of A, B, C and E to be treated the same as another trusted-custom parameter set of A, B, C and F? What about A, B, C, D, E and F? Are they all equal? How many custom-trusted definitions would we end up with?

Cheers,
Ewen :)

Hi guys,
The problem seems to be in the different pop-up layouts for D+ alerts:

There are two layouts (more details and less details).
If you answer an alert in the "less details" layout (which is intended for basic users), you have the described situation: everything is allowed/disallowed. This is made for one alert per application behavior for basic users.

The second layout (more details) behaves as you are expecting: it just puts every new action on the white\black list without allowing\blocking the whole application.

So using the “more details” layout will solve your problem.

Also note that the black\white lists are prior to the allow\block\ask radio buttons, which are the default actions.

All will be the same in their general rules; only the exceptions will differ. IMO, in the current state it's almost useless to use these policies, as it's hard to find an application that one would like to Allow/Block in general without exceptions.

Moreover, to me, putting an application in a policy means I am just decreasing the number of pop-up alerts while I am making custom rules for this application.