1. What actually happened or you saw:
The ‘Downloads’ folder is included by default as an exception in the “Do not virtualize access to the specified files/folders” option under Containment settings.
In this video test you can see that the tester extracted all the malware files to the Downloads folder and executed them from there. At the end of the test, HitmanPro detected some malicious files (most of them located in the VTRoot folder; the tester forgot to reset/erase the Container before scanning with 3rd-party tools), but there was an active process among the detected files called “CO9F.exe” set to auto-execute on system startup.
2. What you wanted to happen or see:
I wanted this folder to not be included by default as an exception.
3. Why you think it is desirable:
This can cause misleading test results, and users who don’t know how CIS works will think that CIS allowed an infection, when in reality the tester executed the malicious files from the worst possible location. The fact that this exception rule is included by default is to blame here. This does no good to your product’s reputation.
4. Any other information:
While watching the video I noticed there were some HIPS alerts for an unknown process trying to access a certain COM interface. This should not happen with Containment enabled, since HIPS does not monitor apps running inside the Container, thus confirming that those processes running from the Downloads folder had real read/write/modify access to the system (the HIPS alerts were answered with the Allow option), which caused this misleading test result.
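The post reports two findings a tester would want to verify quickly after a run like this: a process that is still running from the Downloads folder and an auto-start entry pointing at it. The script below is an added example, not part of the original post and not Comodo code; it enumerates the common HKLM/HKCU Run and RunOnce keys plus running processes and flags anything whose executable lives under the current user's Downloads folder or under a container folder. The container path `C:\VTRoot` and the choice of registry keys are assumptions made here; CIS may use other locations, so adjust `$SuspectRoots` to match the machine under test.

```powershell
# Added example (not from the original post or from Comodo). Flags auto-start
# entries and running processes whose executable sits under a "suspect" root,
# i.e. the user's Downloads folder or the container folder. The VTRoot path is
# an assumption; edit $SuspectRoots if the container lives elsewhere.

function Get-SuspectAutoStart {
    param(
        [string[]]$SuspectRoots = @(
            (Join-Path $env:USERPROFILE 'Downloads'),
            'C:\VTRoot'   # assumed container location
        )
    )
    $runKeys = @(
        'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
        'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce',
        'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
        'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce'
    )
    # Properties Get-ItemProperty adds that are not registry values
    $psMeta = 'PSPath', 'PSParentPath', 'PSChildName', 'PSDrive', 'PSProvider'

    foreach ($key in $runKeys) {
        if (-not (Test-Path $key)) { continue }
        $props = Get-ItemProperty -Path $key
        foreach ($p in $props.PSObject.Properties) {
            if ($p.Name -in $psMeta) { continue }
            $cmd = [string]$p.Value
            # Take the quoted path if present, otherwise the first token ending in .exe
            $exe = if ($cmd -match '^"([^"]+)"')      { $Matches[1] }
                   elseif ($cmd -match '^(\S+?\.exe)') { $Matches[1] }
                   else                                { $cmd }
            $exe = [Environment]::ExpandEnvironmentVariables($exe)
            $hit = $SuspectRoots | Where-Object { $exe -like "$($_)*" }
            [pscustomobject]@{
                Source     = $key
                Name       = $p.Name
                Executable = $exe
                Suspect    = [bool]$hit
            }
        }
    }
}

function Get-SuspectProcess {
    param(
        [string[]]$SuspectRoots = @(
            (Join-Path $env:USERPROFILE 'Downloads'),
            'C:\VTRoot'   # assumed container location
        )
    )
    # Path is $null for processes we cannot query (e.g. protected processes)
    Get-Process | Where-Object { $_.Path } | ForEach-Object {
        $hit = $SuspectRoots | Where-Object { $_ -and ($PSItem.Path -like "$($_)*") }
        [pscustomobject]@{
            Source     = "PID $($_.Id)"
            Name       = $_.ProcessName
            Executable = $_.Path
            Suspect    = [bool]$hit
        }
    }
}

# Usage: show only the suspicious hits from both sources.
@(Get-SuspectAutoStart) + @(Get-SuspectProcess) |
    Where-Object Suspect |
    Format-Table Source, Name, Executable -AutoSize
```

Run it from an elevated prompt so the HKLM keys and other users' processes are readable. An entry under `C:\VTRoot` only shows that the container was not reset before scanning, which is the benign case the post describes; an entry under `Downloads` that is also a live process is the case worth investigating, because that folder is outside the container under the default exception.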